v8
diff --git a/‎src/arm/code-stubs-arm.cc‎
Lines changed: 8 additions & 10 deletions b/‎src/arm/code-stubs-arm.cc‎
Lines changed: 8 additions & 10 deletions
diff --git a/‎src/arm64/code-stubs-arm64.cc‎
Lines changed: 8 additions & 7 deletions b/‎src/arm64/code-stubs-arm64.cc‎
Lines changed: 8 additions & 7 deletions
diff --git a/‎src/ia32/code-stubs-ia32.cc‎
Lines changed: 11 additions & 12 deletions b/‎src/ia32/code-stubs-ia32.cc‎
Lines changed: 11 additions & 12 deletions
diff --git a/‎src/mips/code-stubs-mips.cc‎
Lines changed: 10 additions & 10 deletions b/‎src/mips/code-stubs-mips.cc‎
Lines changed: 10 additions & 10 deletions
diff --git a/‎src/mips64/code-stubs-mips64.cc‎
Lines changed: 11 additions & 11 deletions b/‎src/mips64/code-stubs-mips64.cc‎
Lines changed: 11 additions & 11 deletions
diff --git a/‎src/runtime/runtime-array.cc‎
Lines changed: 64 additions & 68 deletions b/‎src/runtime/runtime-array.cc‎
Lines changed: 64 additions & 68 deletions
diff --git a/‎src/runtime/runtime.h‎
Lines changed: 20 additions & 20 deletions b/‎src/runtime/runtime.h‎
Lines changed: 20 additions & 20 deletions
@@ -4821,25 +4821,23 @@ void ArrayConstructorStub::Generate(MacroAssembler* masm) {
  GenerateDispatchToArrayStub(masm, DISABLE_ALLOCATION_SITES);
 
  __ bind(&subclassing);
- __ push(r1);
- __ push(r3);
-
- // Adjust argc.
  switch (argument_count()) {
  case ANY:
  case MORE_THAN_ONE:
- __ add(r0, r0, Operand(2));
+ __ str(r1, MemOperand(sp, r0, LSL, kPointerSizeLog2));
+ __ add(r0, r0, Operand(3));
  break;
  case NONE:
- __ mov(r0, Operand(2));
+ __ str(r1, MemOperand(sp, 0 * kPointerSize));
+ __ mov(r0, Operand(3));
  break;
  case ONE:
- __ mov(r0, Operand(3));
+ __ str(r1, MemOperand(sp, 1 * kPointerSize));
+ __ mov(r0, Operand(4));
  break;
  }
-
- __ JumpToExternalReference(
- ExternalReference(Runtime::kArrayConstructorWithSubclassing, isolate()));
+ __ Push(r3, r2);
+ __ JumpToExternalReference(ExternalReference(Runtime::kNewArray, isolate()));
 }
 
 
 
@@ -5215,22 +5215,23 @@ void ArrayConstructorStub::Generate(MacroAssembler* masm) {
 
  // Subclassing support.
  __ Bind(&subclassing);
- __ Push(constructor, new_target);
- // Adjust argc.
  switch (argument_count()) {
  case ANY:
  case MORE_THAN_ONE:
- __ add(x0, x0, Operand(2));
+ __ Poke(constructor, Operand(x0, LSL, kPointerSizeLog2));
+ __ Add(x0, x0, Operand(3));
  break;
  case NONE:
- __ Mov(x0, Operand(2));
+ __ Poke(constructor, 0 * kPointerSize);
+ __ Mov(x0, Operand(3));
  break;
  case ONE:
- __ Mov(x0, Operand(3));
+ __ Poke(constructor, 1 * kPointerSize);
+ __ Mov(x0, Operand(4));
  break;
  }
- __ JumpToExternalReference(
-  ExternalReference(Runtime::kArrayConstructorWithSubclassing, isolate()));
+ __ Push(new_target, allocation_site);
+ __ JumpToExternalReference(ExternalReference(Runtime::kNewArray, isolate()));
 }
 
 
 
@@ -5019,27 +5019,26 @@ void ArrayConstructorStub::Generate(MacroAssembler* masm) {
 
  // Subclassing.
  __ bind(&subclassing);
- __ pop(ecx); // return address.
- __ push(edi);
- __ push(edx);
-
- // Adjust argc.
  switch (argument_count()) {
  case ANY:
  case MORE_THAN_ONE:
- __ add(eax, Immediate(2));
+ __ mov(Operand(esp, eax, times_pointer_size, kPointerSize), edi);
+ __ add(eax, Immediate(3));
  break;
  case NONE:
- __ mov(eax, Immediate(2));
+ __ mov(Operand(esp, 1 * kPointerSize), edi);
+ __ mov(eax, Immediate(3));
  break;
  case ONE:
- __ mov(eax, Immediate(3));
+ __ mov(Operand(esp, 2 * kPointerSize), edi);
+ __ mov(eax, Immediate(4));
  break;
  }
-
- __ push(ecx);
- __ JumpToExternalReference(
- ExternalReference(Runtime::kArrayConstructorWithSubclassing, isolate()));
+ __ PopReturnAddressTo(ecx);
+ __ Push(edx);
+ __ Push(ebx);
+ __ PushReturnAddressFrom(ecx);
+ __ JumpToExternalReference(ExternalReference(Runtime::kNewArray, isolate()));
 }
 
 
 
@@ -5030,26 +5030,26 @@ void ArrayConstructorStub::Generate(MacroAssembler* masm) {
 
  // Subclassing.
  __ bind(&subclassing);
- __ Push(a1);
- __ Push(a3);
-
- // Adjust argc.
  switch (argument_count()) {
  case ANY:
  case MORE_THAN_ONE:
- __ li(at, Operand(2));
+ __ sll(at, a0, kPointerSizeLog2);
+ __ addu(at, sp, at);
+ __ sw(a1, MemOperand(at));
+ __ li(at, Operand(3));
  __ addu(a0, a0, at);
  break;
  case NONE:
- __ li(a0, Operand(2));
+ __ sw(a1, MemOperand(sp, 0 * kPointerSize));
+ __ li(a0, Operand(3));
  break;
  case ONE:
- __ li(a0, Operand(3));
+ __ sw(a1, MemOperand(sp, 1 * kPointerSize));
+ __ li(a0, Operand(4));
  break;
  }
-
- __ JumpToExternalReference(
- ExternalReference(Runtime::kArrayConstructorWithSubclassing, isolate()));
+ __ Push(a3, a2);
+ __ JumpToExternalReference(ExternalReference(Runtime::kNewArray, isolate()));
 }
 
 
 
@@ -5055,26 +5055,26 @@ void ArrayConstructorStub::Generate(MacroAssembler* masm) {
 
  // Subclassing.
  __ bind(&subclassing);
- __ Push(a1);
- __ Push(a3);
-
- // Adjust argc.
  switch (argument_count()) {
  case ANY:
  case MORE_THAN_ONE:
- __ li(at, Operand(2));
- __ addu(a0, a0, at);
+ __ dsll(at, a0, kPointerSizeLog2);
+ __ Daddu(at, sp, at);
+ __ sd(a1, MemOperand(at));
+ __ li(at, Operand(3));
+ __ Daddu(a0, a0, at);
  break;
  case NONE:
- __ li(a0, Operand(2));
+ __ sd(a1, MemOperand(sp, 0 * kPointerSize));
+ __ li(a0, Operand(3));
  break;
  case ONE:
- __ li(a0, Operand(3));
+ __ sd(a1, MemOperand(sp, 1 * kPointerSize));
+ __ li(a0, Operand(4));
  break;
  }
-
- __ JumpToExternalReference(
- ExternalReference(Runtime::kArrayConstructorWithSubclassing, isolate()));
+ __ Push(a3, a2);
+ __ JumpToExternalReference(ExternalReference(Runtime::kNewArray, isolate()));
 }
 
 
 
@@ -233,15 +233,24 @@ RUNTIME_FUNCTION(Runtime_GetArrayKeys) {
 }
 
 
-static Object* ArrayConstructorCommon(Isolate* isolate,
- Handle<JSFunction> constructor,
- Handle<JSFunction> new_target,
- Handle<AllocationSite> site,
- Arguments* caller_args) {
+namespace {
+
+Object* ArrayConstructorCommon(Isolate* isolate, Handle<JSFunction> constructor,
+ Handle<JSReceiver> new_target,
+ Handle<AllocationSite> site,
+ Arguments* caller_args) {
  Factory* factory = isolate->factory();
 
+ // If called through new, new.target can be:
+ // - a subclass of constructor,
+ // - a proxy wrapper around constructor, or
+ // - the constructor itself.
+ // If called through Reflect.construct, it's guaranteed to be a constructor by
+ // REFLECT_CONSTRUCT_PREPARE.
+ DCHECK(new_target->IsConstructor());
+
  bool holey = false;
- bool can_use_type_feedback = true;
+ bool can_use_type_feedback = !site.is_null();
  bool can_inline_array_constructor = true;
  if (caller_args->length() == 1) {
  Handle<Object> argument_one = caller_args->at<Object>(0);
@@ -263,43 +272,42 @@ static Object* ArrayConstructorCommon(Isolate* isolate,
  }
  }
 
- Handle<JSArray> array;
- if (!site.is_null() && can_use_type_feedback) {
- ElementsKind to_kind = site->GetElementsKind();
- if (holey && !IsFastHoleyElementsKind(to_kind)) {
- to_kind = GetHoleyElementsKind(to_kind);
- // Update the allocation site info to reflect the advice alteration.
- site->SetElementsKind(to_kind);
- }
+ // TODO(verwaest): new_target could be a proxy. Read new.target.prototype in
+ // that case.
+ Handle<JSFunction> original_function = Handle<JSFunction>::cast(new_target);
 
- // We should allocate with an initial map that reflects the allocation site
- // advice. Therefore we use AllocateJSObjectFromMap instead of passing
- // the constructor.
- Handle<Map> initial_map(constructor->initial_map(), isolate);
- if (to_kind != initial_map->elements_kind()) {
- initial_map = Map::AsElementsKind(initial_map, to_kind);
- }
+ JSFunction::EnsureHasInitialMap(constructor);
 
- // If we don't care to track arrays of to_kind ElementsKind, then
- // don't emit a memento for them.
- Handle<AllocationSite> allocation_site;
- if (AllocationSite::GetMode(to_kind) == TRACK_ALLOCATION_SITE) {
- allocation_site = site;
- }
+ // TODO(verwaest): original_function could have non-instance-prototype
+ // (non-JSReceiver), requiring fallback to the intrinsicDefaultProto.
+ Handle<Map> initial_map =
+ JSFunction::EnsureDerivedHasInitialMap(original_function, constructor);
 
- array = Handle<JSArray>::cast(
- factory->NewJSObjectFromMap(initial_map, NOT_TENURED, allocation_site));
- } else {
- array = Handle<JSArray>::cast(factory->NewJSObject(constructor));
+ ElementsKind to_kind = can_use_type_feedback ? site->GetElementsKind()
+ : initial_map->elements_kind();
+ if (holey && !IsFastHoleyElementsKind(to_kind)) {
+ to_kind = GetHoleyElementsKind(to_kind);
+ // Update the allocation site info to reflect the advice alteration.
+ if (!site.is_null()) site->SetElementsKind(to_kind);
+ }
 
- // We might need to transition to holey
- ElementsKind kind = constructor->initial_map()->elements_kind();
- if (holey && !IsFastHoleyElementsKind(kind)) {
- kind = GetHoleyElementsKind(kind);
- JSObject::TransitionElementsKind(array, kind);
- }
+ // We should allocate with an initial map that reflects the allocation site
+ // advice. Therefore we use AllocateJSObjectFromMap instead of passing
+ // the constructor.
+ if (to_kind != initial_map->elements_kind()) {
+ initial_map = Map::AsElementsKind(initial_map, to_kind);
+ }
+
+ // If we don't care to track arrays of to_kind ElementsKind, then
+ // don't emit a memento for them.
+ Handle<AllocationSite> allocation_site;
+ if (AllocationSite::GetMode(to_kind) == TRACK_ALLOCATION_SITE) {
+ allocation_site = site;
  }
 
+ Handle<JSArray> array = Handle<JSArray>::cast(
+ factory->NewJSObjectFromMap(initial_map, NOT_TENURED, allocation_site));
+
  factory->NewJSArrayStorage(array, 0, 0, DONT_INITIALIZE_ARRAY_ELEMENTS);
 
  ElementsKind old_kind = array->GetElementsKind();
@@ -314,21 +322,28 @@ static Object* ArrayConstructorCommon(Isolate* isolate,
  site->SetDoNotInlineCall();
  }
 
- // Set up the prototoype using original function.
- // TODO(dslomov): instead of setting the __proto__,
- // use and cache the correct map.
- if (*new_target != *constructor) {
- if (new_target->has_instance_prototype()) {
- Handle<Object> prototype(new_target->instance_prototype(), isolate);
- MAYBE_RETURN(JSObject::SetPrototype(array, prototype, false,
- Object::THROW_ON_ERROR),
- isolate->heap()->exception());
- }
- }
-
  return *array;
 }
 
+} // namespace
+
+
+RUNTIME_FUNCTION(Runtime_NewArray) {
+ HandleScope scope(isolate);
+ DCHECK_LE(3, args.length());
+ int const argc = args.length() - 3;
+ // TODO(bmeurer): Remove this Arguments nonsense.
+ Arguments argv(argc, args.arguments() - 1);
+ CONVERT_ARG_HANDLE_CHECKED(JSFunction, constructor, 0);
+ CONVERT_ARG_HANDLE_CHECKED(JSReceiver, new_target, argc + 1);
+ CONVERT_ARG_HANDLE_CHECKED(HeapObject, type_info, argc + 2);
+ // TODO(bmeurer): Use MaybeHandle to pass around the AllocationSite.
+ Handle<AllocationSite> site = type_info->IsAllocationSite()
+ ? Handle<AllocationSite>::cast(type_info)
+ : Handle<AllocationSite>::null();
+ return ArrayConstructorCommon(isolate, constructor, new_target, site, &argv);
+}
+
 
 RUNTIME_FUNCTION(Runtime_ArrayConstructor) {
  HandleScope scope(isolate);
@@ -364,25 +379,6 @@ RUNTIME_FUNCTION(Runtime_ArrayConstructor) {
 }
 
 
-RUNTIME_FUNCTION(Runtime_ArrayConstructorWithSubclassing) {
- HandleScope scope(isolate);
- int args_length = args.length();
- CHECK(args_length >= 2);
-
- // This variables and checks work around -Werror=strict-overflow.
- int pre_last_arg_index = args_length - 2;
- int last_arg_index = args_length - 1;
- CHECK(pre_last_arg_index >= 0);
- CHECK(last_arg_index >= 0);
-
- CONVERT_ARG_HANDLE_CHECKED(JSFunction, constructor, pre_last_arg_index);
- CONVERT_ARG_HANDLE_CHECKED(JSFunction, new_target, last_arg_index);
- Arguments caller_args(args_length - 2, args.arguments());
- return ArrayConstructorCommon(isolate, constructor, new_target,
- Handle<AllocationSite>::null(), &caller_args);
-}
-
-
 RUNTIME_FUNCTION(Runtime_InternalArrayConstructor) {
  HandleScope scope(isolate);
  Arguments empty_args(0, NULL);
 
@@ -30,26 +30,26 @@ namespace internal {
 
 // Entries have the form F(name, number of arguments, number of values):
 
-#define FOR_EACH_INTRINSIC_ARRAY(F)  \
- F(FinishArrayPrototypeSetup, 1, 1)  \
- F(SpecialArrayFunctions, 0, 1)  \
- F(TransitionElementsKind, 2, 1)  \
- F(PushIfAbsent, 2, 1)  \
- F(RemoveArrayHoles, 2, 1)  \
- F(MoveArrayContents, 2, 1)  \
- F(EstimateNumberOfElements, 1, 1)  \
- F(GetArrayKeys, 2, 1)  \
- F(ArrayConstructor, -1, 1)  \
- F(ArrayConstructorWithSubclassing, -1, 1) \
- F(InternalArrayConstructor, -1, 1)  \
- F(NormalizeElements, 1, 1)  \
- F(GrowArrayElements, 2, 1)  \
- F(HasComplexElements, 1, 1)  \
- F(IsArray, 1, 1)  \
- F(HasCachedArrayIndex, 1, 1)  \
- F(GetCachedArrayIndex, 1, 1)  \
- F(FixedArrayGet, 2, 1)  \
- F(FixedArraySet, 3, 1)  \
+#define FOR_EACH_INTRINSIC_ARRAY(F) \
+ F(FinishArrayPrototypeSetup, 1, 1) \
+ F(SpecialArrayFunctions, 0, 1) \
+ F(TransitionElementsKind, 2, 1) \
+ F(PushIfAbsent, 2, 1) \
+ F(RemoveArrayHoles, 2, 1) \
+ F(MoveArrayContents, 2, 1) \
+ F(EstimateNumberOfElements, 1, 1) \
+ F(GetArrayKeys, 2, 1) \
+ F(ArrayConstructor, -1, 1) \
+ F(NewArray, -1 /* >= 3 */, 1)  \
+ F(InternalArrayConstructor, -1, 1) \
+ F(NormalizeElements, 1, 1) \
+ F(GrowArrayElements, 2, 1) \
+ F(HasComplexElements, 1, 1) \
+ F(IsArray, 1, 1) \
+ F(HasCachedArrayIndex, 1, 1) \
+ F(GetCachedArrayIndex, 1, 1) \
+ F(FixedArrayGet, 2, 1) \
+ F(FixedArraySet, 3, 1) \
  F(FastOneByteArrayJoin, 2, 1)