[maglev] Set elements kind to holey if constructing array of possibly…

… non-zero length Fixed: 337069178 Change-Id: Ia065a0cd5f12c09dc0b48c2046f7f4bf784f4b15 Reviewed-on: https://chromium-review.googlesource.com/c/v8/v8/+/5490696 Commit-Queue: Victor Gomes <victorgomes@chromium.org> Auto-Submit: Victor Gomes <victorgomes@chromium.org> Commit-Queue: Leszek Swirski <leszeks@chromium.org> Reviewed-by: Leszek Swirski <leszeks@chromium.org> Cr-Commit-Position: refs/heads/main@{#93636}
v8 · Apr 29, 2024 · c59baec · c59baec
1 parent dcfe0ea
commit c59baec
Showing 1 changed file with 10 additions and 6 deletions.
diff --git a/src/maglev/maglev-graph-builder.cc b/src/maglev/maglev-graph-builder.cc
@@ -8520,6 +8520,15 @@ ReduceResult MaglevGraphBuilder::ReduceArrayConstructor(
         break;
     }
 
+    if (!length.has_value() || *length > 0) {
+      // Constructing an Array via new Array(N) where N is an unsigned
+      // integer, always creates a holey backing store.
+      compiler::OptionalMapRef maybe_initial_map = initial_map.AsElementsKind(
+          broker(), GetHoleyElementsKind(elements_kind));
+      if (!maybe_initial_map.has_value()) return ReduceResult::Fail();
+      initial_map = maybe_initial_map.value();
+    }
+
     if (length.has_value() && *length >= 0 &&
         *length < JSArray::kInitialMaxFastElementArray) {
       return BuildAndAllocateJSArray(
@@ -8534,19 +8543,14 @@ ReduceResult MaglevGraphBuilder::ReduceArrayConstructor(
     // We don't know anything about the length, so we rely on the allocation
     // site to avoid deopt loops.
     if (allocation_site.CanInlineCall()) {
-      // Constructing an Array via new Array(N) where N is an unsigned
-      // integer, always creates a holey backing store.
-      compiler::OptionalMapRef maybe_initial_map = initial_map.AsElementsKind(
-          broker(), GetHoleyElementsKind(elements_kind));
-      if (!maybe_initial_map.has_value()) return ReduceResult::Fail();
       ValueNode* int32_length = GetInt32(length_node);
       return Select<BranchIfInt32Compare>(
           [&] {
             CapturedValue elements =
                 CapturedValue(AddNewNode<AllocateElementsArray>(
                     {int32_length}, allocation_type));
             return BuildAndAllocateJSArray(
-                *maybe_initial_map, GetTaggedValue(length_node), elements,
+                initial_map, GetTaggedValue(length_node), elements,
                 slack_tracking_prediction, allocation_type);
           },
           [&] {