[turbofan] Fix return value of Array.prototype.push.

The inlined version of Array.prototype.push returned the value that was pushed instead of the new "length" property value. R=jarin@chromium.org BUG=chromium:656037 Review-Url: https://codereview.chromium.org/2425903002 Cr-Commit-Position: refs/heads/master@{#40384}
crosswalk-project · Oct 18, 2016 · 8584442 · 8584442
1 parent c4e7992
commit 8584442
Show file tree

Hide file tree

Showing 3 changed files with 21 additions and 0 deletions.
diff --git a/src/compiler/js-builtin-reducer.cc b/src/compiler/js-builtin-reducer.cc
@@ -313,6 +313,10 @@ Reduction JSBuiltinReducer::ReduceArrayPush(Node* node) {
             AccessBuilder::ForFixedArrayElement(receiver_map->elements_kind())),
         elements, length, value, effect, control);
 
+    // Return the new length of the {receiver}.
+    value = graph()->NewNode(simplified()->NumberAdd(), length,
+                             jsgraph()->OneConstant());
+
     ReplaceWithValue(node, value, effect, control);
     return Replace(value);
   }

diff --git a/src/compiler/typer.cc b/src/compiler/typer.cc
@@ -1357,6 +1357,8 @@ Type* Typer::Visitor::JSCallFunctionTyper(Type* fun, Typer* t) {
         case kArrayIndexOf:
         case kArrayLastIndexOf:
           return Type::Range(-1, kMaxSafeInteger, t->zone());
+        case kArrayPush:
+          return t->cache_.kPositiveSafeInteger;
         // Object functions.
         case kObjectHasOwnProperty:
           return Type::Boolean();

diff --git a/test/mjsunit/regress/regress-crbug-656037.js b/test/mjsunit/regress/regress-crbug-656037.js
@@ -0,0 +1,15 @@
+// Copyright 2016 the V8 project authors. All rights reserved.
+// Use of this source code is governed by a BSD-style license that can be
+// found in the LICENSE file.
+
+// Flags: --allow-natives-syntax
+
+function foo(a) {
+  return a.push(true);
+}
+
+var a = [];
+assertEquals(1, foo(a));
+assertEquals(2, foo(a));
+%OptimizeFunctionOnNextCall(foo);
+assertEquals(3, foo(a));