Ensure double arrays are filled with holes when extended from variations of empty arrays.

src/x64/stub-cache-x64.cc

 // Copyright 2012 the V8 project authors. All rights reserved.
 // Redistribution and use in source and binary forms, with or without
 // modification, are permitted provided that the following conditions are
 // met:
 //
 //     * Redistributions of source code must retain the above copyright
 //       notice, this list of conditions and the following disclaimer.
 //     * Redistributions in binary form must reproduce the above
 //       copyright notice, this list of conditions and the following
 //       disclaimer in the documentation and/or other materials provided
@@ skipping 4008 matching lines @@
     MacroAssembler* masm,
     bool is_js_array,
     KeyedAccessGrowMode grow_mode) {
   // ----------- S t a t e -------------
   //  -- rax    : value
   //  -- rcx    : key
   //  -- rdx    : receiver
   //  -- rsp[0] : return address
   // -----------------------------------
   Label miss_force_generic, transition_elements_kind, finish_store;
-  Label grow, slow, check_capacity;
+  Label grow, slow, check_capacity, restore_key_transition_elements_kind;
 
   // This stub is meant to be tail-jumped to, the receiver must already
   // have been verified by the caller to not be a smi.
 
   // Check that the key is a smi or a heap number convertible to a smi.
   GenerateSmiKeyCheck(masm, rcx, rbx, xmm0, xmm1, &miss_force_generic);
 
   // Get the elements array.
   __ movq(rdi, FieldOperand(rdx, JSObject::kElementsOffset));
   __ AssertFastElements(rdi);
 
   // Check that the key is within bounds.
   if (is_js_array) {
       __ SmiCompare(rcx, FieldOperand(rdx, JSArray::kLengthOffset));
       if (grow_mode == ALLOW_JSARRAY_GROWTH) {
         __ j(above_equal, &grow);
       } else {
         __ j(above_equal, &miss_force_generic);
       }
   } else {
     __ SmiCompare(rcx, FieldOperand(rdi, FixedDoubleArray::kLengthOffset));
     __ j(above_equal, &miss_force_generic);
   }
 
   // Handle smi values specially
   __ bind(&finish_store);
   __ SmiToInteger32(rcx, rcx);
   __ StoreNumberToDoubleElements(rax, rdi, rcx, xmm0,
-                                 &transition_elements_kind);
+                                 &restore_key_transition_elements_kind);
   __ ret(0);
 
   // Handle store cache miss, replacing the ic with the generic stub.
   __ bind(&miss_force_generic);
   Handle<Code> ic_force_generic =
       masm->isolate()->builtins()->KeyedStoreIC_MissForceGeneric();
   __ jmp(ic_force_generic, RelocInfo::CODE_TARGET);
 
-  __ bind(&transition_elements_kind);
+  __ bind(&restore_key_transition_elements_kind);
   // Restore smi-tagging of rcx.
   __ Integer32ToSmi(rcx, rcx);
+  __ bind(&transition_elements_kind);
   Handle<Code> ic_miss = masm->isolate()->builtins()->KeyedStoreIC_Miss();
   __ jmp(ic_miss, RelocInfo::CODE_TARGET);
 
   if (is_js_array && grow_mode == ALLOW_JSARRAY_GROWTH) {
     // Grow the array by a single element if possible.
     __ bind(&grow);
 
     // Make sure the array is only growing by a single element, anything else
     // must be handled by the runtime. Flags are already set by previous
     // compare.
@@ skipping 20 matching lines @@
     // rcx: key
     // rdx: receiver
     // rdi: elements
     // Initialize the new FixedDoubleArray. Leave elements unitialized for
     // efficiency, they are guaranteed to be initialized before use.
     __ Move(FieldOperand(rdi, JSObject::kMapOffset),
             masm->isolate()->factory()->fixed_double_array_map());
     __ Move(FieldOperand(rdi, FixedDoubleArray::kLengthOffset),
             Smi::FromInt(JSArray::kPreallocatedArrayElements));
 
+    __ movq(r8, BitCast<int64_t, uint64_t>(kHoleNanInt64), RelocInfo::NONE);
+    for (int i = 1; i < JSArray::kPreallocatedArrayElements; i++) {
+      __ movq(FieldOperand(rdi, FixedDoubleArray::OffsetOfElementAt(i)), r8);
+    }
+
+    // Increment the length of the array.
+    __ SmiToInteger32(rcx, rcx);
+    __ StoreNumberToDoubleElements(rax, rdi, rcx, xmm0,
+                                   &restore_key_transition_elements_kind);
+
     // Install the new backing store in the JSArray.
     __ movq(FieldOperand(rdx, JSObject::kElementsOffset), rdi);
     __ RecordWriteField(rdx, JSObject::kElementsOffset, rdi, rbx,
                         kDontSaveFPRegs, EMIT_REMEMBERED_SET, OMIT_SMI_CHECK);
 
     // Increment the length of the array.
     __ Move(FieldOperand(rdx, JSArray::kLengthOffset), Smi::FromInt(1));
     __ movq(rdi, FieldOperand(rdx, JSObject::kElementsOffset));
-    __ jmp(&finish_store);
+    __ ret(0);
 
     __ bind(&check_capacity);
     // rax: value
     // rcx: key
     // rdx: receiver
     // rdi: elements
     // Make sure that the backing store can hold additional elements.
     __ cmpq(rcx, FieldOperand(rdi, FixedDoubleArray::kLengthOffset));
     __ j(above_equal, &slow);
 
     // Grow the array and finish the store.
     __ SmiAddConstant(FieldOperand(rdx, JSArray::kLengthOffset),
                       Smi::FromInt(1));
     __ jmp(&finish_store);
 
     __ bind(&slow);
     Handle<Code> ic_slow = masm->isolate()->builtins()->KeyedStoreIC_Slow();
     __ jmp(ic_slow, RelocInfo::CODE_TARGET);
   }
 }
 
 
 #undef __
 
 } }  // namespace v8::internal
 
 #endif  // V8_TARGET_ARCH_X64