Commit 08b0ff26 authored by Dan Elphick's avatar Dan Elphick Committed by Commit Bot

Fix Array.of crashing when called with lots of parameters

When the array created would exceed the maximum size for a regular heap
object, instead create it using Runtime::kNewArray directly rather than
via AllocateJSArray.

Bug: chromium:803750
Change-Id: I78cd82edf5a813a2ed69272361e0ca07f864c5ba
Reviewed-on: https://chromium-review.googlesource.com/876011
Commit-Queue: Dan Elphick <delphick@chromium.org>
Reviewed-by: 's avatarRoss McIlroy <rmcilroy@chromium.org>
Cr-Commit-Position: refs/heads/master@{#50726}
parent c509d025
......@@ -1866,18 +1866,38 @@ TF_BUILTIN(ArrayOf, ArrayBuiltinCodeStubAssembler) {
}
BIND(&is_not_constructor);
{
Label allocate_js_array(this), runtime(this);
Branch(
SmiAbove(length, SmiConstant(JSArray::kInitialMaxFastElementArray)),
&runtime, &allocate_js_array);
BIND(&allocate_js_array);
{
TNode<Map> array_map = CAST(LoadContextElement(
context, Context::JS_ARRAY_PACKED_SMI_ELEMENTS_MAP_INDEX));
// TODO(delphick): Consider using AllocateUninitializedJSArrayWithElements
// to avoid initializing an array and then writing over it.
// TODO(delphick): Consider using
// AllocateUninitializedJSArrayWithElements to avoid initializing an
// array and then writing over it.
array = CAST(AllocateJSArray(PACKED_SMI_ELEMENTS, array_map, length,
SmiConstant(0), nullptr,
ParameterMode::SMI_PARAMETERS));
Goto(&next);
}
BIND(&runtime);
{
TNode<Context> native_context = LoadNativeContext(context);
TNode<JSFunction> array_function = CAST(
LoadContextElement(native_context, Context::ARRAY_FUNCTION_INDEX));
array = CallRuntime(Runtime::kNewArray, context, array_function, length,
array_function, UndefinedConstant());
Goto(&next);
}
}
BIND(&next);
}
......
// Copyright 2018 the V8 project authors. All rights reserved.
// Use of this source code is governed by a BSD-style license that can be
// found in the LICENSE file.
// Verify that very large arrays can be constructed.
assertEquals(Array.isArray(Array.of.apply(Array, Array(65536))), true);
assertEquals(Array.isArray(Array.of.apply(null, Array(65536))), true);
Markdown is supported
0% or
You are about to add 0 people to the discussion. Proceed with caution.
Finish editing this message first!
Please register or to comment