[regexp] Handle large named capture groups object

The name dictionary allocated to store named captures on the regexp
result object could be too large for regular heap spaces and
ConstructNewResultFromMatchInfo must thus also handle the large object
case.

Bug: chromium:980891
Change-Id: Ia1dbecd0a9d9d6b39f80e77680386c385d95c97c
Reviewed-on: https://chromium-review.googlesource.com/c/v8/v8/+/1691907Reviewed-by: Tobias Tebbi <tebbi@chromium.org>
Commit-Queue: Tobias Tebbi <tebbi@chromium.org>
Auto-Submit: Jakob Gruber <jgruber@chromium.org>
Cr-Commit-Position: refs/heads/master@{#62591}

src/builtins/builtins-regexp-gen.cc

@@ -252,7 +252,8 @@ TNode<JSRegExpResult> RegExpBuiltinsAssembler::ConstructNewResultFromMatchInfo(
     TNode<Context> native_context = LoadNativeContext(context);
     TNode<Map> map = CAST(LoadContextElement(
         native_context, Context::SLOW_OBJECT_WITH_NULL_PROTOTYPE_MAP));
-    TNode<NameDictionary> properties = AllocateNameDictionary(num_properties);
+    TNode<NameDictionary> properties =
+        AllocateNameDictionary(num_properties, kAllowLargeObjectAllocation);
 
     TNode<JSObject> group_object = AllocateJSObjectFromMap(map, properties);
     StoreObjectField(result, JSRegExpResult::kGroupsOffset, group_object);

src/codegen/code-stub-assembler.cc

@@ -3484,16 +3484,16 @@ TNode<NameDictionary> CodeStubAssembler::AllocateNameDictionary(
 }
 
 TNode<NameDictionary> CodeStubAssembler::AllocateNameDictionary(
-    TNode<IntPtrT> at_least_space_for) {
+    TNode<IntPtrT> at_least_space_for, AllocationFlags flags) {
   CSA_ASSERT(this, UintPtrLessThanOrEqual(
                        at_least_space_for,
                        IntPtrConstant(NameDictionary::kMaxCapacity)));
   TNode<IntPtrT> capacity = HashTableComputeCapacity(at_least_space_for);
-  return AllocateNameDictionaryWithCapacity(capacity);
+  return AllocateNameDictionaryWithCapacity(capacity, flags);
 }
 
 TNode<NameDictionary> CodeStubAssembler::AllocateNameDictionaryWithCapacity(
-    TNode<IntPtrT> capacity) {
+    TNode<IntPtrT> capacity, AllocationFlags flags) {
   CSA_ASSERT(this, WordIsPowerOfTwo(capacity));
   CSA_ASSERT(this, IntPtrGreaterThan(capacity, IntPtrConstant(0)));
   TNode<IntPtrT> length = EntryToIndex<NameDictionary>(capacity);
@@ -3501,39 +3501,51 @@ TNode<NameDictionary> CodeStubAssembler::AllocateNameDictionaryWithCapacity(
       TimesTaggedSize(length), IntPtrConstant(NameDictionary::kHeaderSize));
 
   TNode<NameDictionary> result =
-      UncheckedCast<NameDictionary>(AllocateInNewSpace(store_size));
-  Comment("Initialize NameDictionary");
+      UncheckedCast<NameDictionary>(Allocate(store_size, flags));
+
   // Initialize FixedArray fields.
-  DCHECK(RootsTable::IsImmortalImmovable(RootIndex::kNameDictionaryMap));
-  StoreMapNoWriteBarrier(result, RootIndex::kNameDictionaryMap);
-  StoreObjectFieldNoWriteBarrier(result, FixedArray::kLengthOffset,
-                                 SmiFromIntPtr(length));
+  {
+    DCHECK(RootsTable::IsImmortalImmovable(RootIndex::kNameDictionaryMap));
+    StoreMapNoWriteBarrier(result, RootIndex::kNameDictionaryMap);
+    StoreObjectFieldNoWriteBarrier(result, FixedArray::kLengthOffset,
+                                   SmiFromIntPtr(length));
+  }
+
   // Initialized HashTable fields.
-  TNode<Smi> zero = SmiConstant(0);
-  StoreFixedArrayElement(result, NameDictionary::kNumberOfElementsIndex, zero,
-                         SKIP_WRITE_BARRIER);
-  StoreFixedArrayElement(result, NameDictionary::kNumberOfDeletedElementsIndex,
-                         zero, SKIP_WRITE_BARRIER);
-  StoreFixedArrayElement(result, NameDictionary::kCapacityIndex,
-                         SmiTag(capacity), SKIP_WRITE_BARRIER);
-  // Initialize Dictionary fields.
-  TNode<HeapObject> filler = UndefinedConstant();
-  StoreFixedArrayElement(result, NameDictionary::kNextEnumerationIndexIndex,
-                         SmiConstant(PropertyDetails::kInitialIndex),
-                         SKIP_WRITE_BARRIER);
-  StoreFixedArrayElement(result, NameDictionary::kObjectHashIndex,
-                         SmiConstant(PropertyArray::kNoHashSentinel),
-                         SKIP_WRITE_BARRIER);
+  {
+    TNode<Smi> zero = SmiConstant(0);
+    StoreFixedArrayElement(result, NameDictionary::kNumberOfElementsIndex, zero,
+                           SKIP_WRITE_BARRIER);
+    StoreFixedArrayElement(result,
+                           NameDictionary::kNumberOfDeletedElementsIndex, zero,
+                           SKIP_WRITE_BARRIER);
+    StoreFixedArrayElement(result, NameDictionary::kCapacityIndex,
+                           SmiTag(capacity), SKIP_WRITE_BARRIER);
+    // Initialize Dictionary fields.
+    StoreFixedArrayElement(result, NameDictionary::kNextEnumerationIndexIndex,
+                           SmiConstant(PropertyDetails::kInitialIndex),
+                           SKIP_WRITE_BARRIER);
+    StoreFixedArrayElement(result, NameDictionary::kObjectHashIndex,
+                           SmiConstant(PropertyArray::kNoHashSentinel),
+                           SKIP_WRITE_BARRIER);
+  }
 
   // Initialize NameDictionary elements.
-  TNode<WordT> result_word = BitcastTaggedToWord(result);
-  TNode<WordT> start_address = IntPtrAdd(
-      result_word, IntPtrConstant(NameDictionary::OffsetOfElementAt(
-                                      NameDictionary::kElementsStartIndex) -
-                                  kHeapObjectTag));
-  TNode<WordT> end_address = IntPtrAdd(
-      result_word, IntPtrSub(store_size, IntPtrConstant(kHeapObjectTag)));
-  StoreFieldsNoWriteBarrier(start_address, end_address, filler);
+  {
+    TNode<WordT> result_word = BitcastTaggedToWord(result);
+    TNode<WordT> start_address = IntPtrAdd(
+        result_word, IntPtrConstant(NameDictionary::OffsetOfElementAt(
+                                        NameDictionary::kElementsStartIndex) -
+                                    kHeapObjectTag));
+    TNode<WordT> end_address = IntPtrAdd(
+        result_word, IntPtrSub(store_size, IntPtrConstant(kHeapObjectTag)));
+
+    TNode<HeapObject> filler = UndefinedConstant();
+    DCHECK(RootsTable::IsImmortalImmovable(RootIndex::kUndefinedValue));
+
+    StoreFieldsNoWriteBarrier(start_address, end_address, filler);
+  }
+
   return result;
 }
 

src/codegen/code-stub-assembler.h

@@ -1602,9 +1602,9 @@ class V8_EXPORT_PRIVATE CodeStubAssembler
 
   TNode<NameDictionary> AllocateNameDictionary(int at_least_space_for);
   TNode<NameDictionary> AllocateNameDictionary(
-      TNode<IntPtrT> at_least_space_for);
+      TNode<IntPtrT> at_least_space_for, AllocationFlags = kNone);
   TNode<NameDictionary> AllocateNameDictionaryWithCapacity(
-      TNode<IntPtrT> capacity);
+      TNode<IntPtrT> capacity, AllocationFlags = kNone);
   TNode<NameDictionary> CopyNameDictionary(TNode<NameDictionary> dictionary,
                                            Label* large_object_fallback);
 

test/mjsunit/regress/regress-980891.js

+// Copyright 2019 the V8 project authors. All rights reserved.
+// Use of this source code is governed by a BSD-style license that can be
+// found in the LICENSE file.
+
+let str = "";
+
+// Many named captures force the resulting named capture backing store into
+// large object space.
+for (var i = 0; i < 0x2000; i++) str += "(?<a"+i+">)|";
+str += "(?<b>)";
+
+const regexp = new RegExp(str);
+const result = "xxx".match(regexp);
+
+assertNotNull(result);