    [builtins] Copy array contents using JS in ConstructByArrayLike. · a450c185
    Peter Marshall authored
    The last CL https://chromium-review.googlesource.com/c/456707/ caused
    some pretty heavy performance regressions. After experimenting, it
    seems the easiest and most straightforward way to copy the elements
    into the new typed array is to do it in JS.
    
    Adds a fast path for typed arrays, where the source typed array has
    the same elements kind, in which case we can just copy the backing
    store using memcpy.
    
    This CL also removes regression test 319120 which is from a pwn2own
    vulnerability. The old code path enforced a maximum byte_length
    that was too low, which this change removes. The length property of
    the typed array must be a Smi, but the byte_length, which can be up
    to 8x larger than length for a Float64Array, can be a heap number.
    
    We can also re-use some of the logic from ConstructByLength when
    deciding whether to allocate the buffer on- or off-heap, so that
    is factored out into InitializeBasedOnLength. We can also re-use
    the DoInitialize helper instead of calling into the runtime,
    meaning we can remove InitializeFromArrayLike.
    
    BUG=v8:5977,chromium:705503,chromium:705394
    
    Change-Id: I63372652091d4bdf3a9491acef9b4e3ac793a755
    Reviewed-on: https://chromium-review.googlesource.com/459621
    Reviewed-by: Benedikt Meurer <bmeurer@chromium.org>
    Commit-Queue: Peter Marshall <petermarshall@chromium.org>
    Cr-Commit-Position: refs/heads/master@{#44301}