[csa] Fix two cases where allocations could go into LO space

If the elements fixed array is large enough, it must be allocated in large-object space. This fixes two cases in which we'd incorrectly assume elements fits into new space. There are potentially quite a few other spots affected by a similar issue, and we should find a more robust solution. See also: crbug.com/636391. Bug: v8:6716 Change-Id: I91f09355ac6b7cf399e13cc21d34113a506e58fb Reviewed-on: https://chromium-review.googlesource.com/623808Reviewed-by: Michael Lippautz <mlippautz@chromium.org> Commit-Queue: Jakob Gruber <jgruber@chromium.org> Cr-Commit-Position: refs/heads/master@{#47495}

[csa] Fix two cases where allocations could go into LO space
If the elements fixed array is large enough, it must be allocated in large-object space. This fixes two cases in which we'd incorrectly assume elements fits into new space. There are potentially quite a few other spots affected by a similar issue, and we should find a more robust solution. See also: crbug.com/636391. Bug: v8:6716 Change-Id: I91f09355ac6b7cf399e13cc21d34113a506e58fb Reviewed-on: https://chromium-review.googlesource.com/623808Reviewed-by: Michael Lippautz <mlippautz@chromium.org> Commit-Queue: Jakob Gruber <jgruber@chromium.org> Cr-Commit-Position: refs/heads/master@{#47495}
1b5df683 · jgruber · Commit Bot · 9a6f2eec · 1b5df683 · 1b5df683
Commit 1b5df683 authored Aug 21, 2017 by jgruber Committed by Commit Bot Aug 22, 2017
Showing with 15 additions and 5 deletions

builtins-function-gen.cc src/builtins/builtins-function-gen.cc +3 -1

builtins-internal-gen.cc src/builtins/builtins-internal-gen.cc +5 -4

regress-v8-6716.js test/mjsunit/regress/regress-v8-6716.js +7 -0

No files found.
--- a/src/builtins/builtins-function-gen.cc
+++ b/src/builtins/builtins-function-gen.cc
@@ -106,7 +106,9 @@ TF_BUILTIN(FastFunctionPrototypeBind, CodeStubAssembler) {
  GotoIf(Uint32LessThanOrEqual(argc, Int32Constant(1)), &empty_arguments);
  Node* elements_length =
      ChangeUint32ToWord(Unsigned(Int32Sub(argc, Int32Constant(1))));
-  Node* elements = AllocateFixedArray(PACKED_ELEMENTS, elements_length);
+  Node* elements =
+      AllocateFixedArray(PACKED_ELEMENTS, elements_length, INTPTR_PARAMETERS,
+                         kAllowLargeObjectAllocation);
  VARIABLE(index, MachineType::PointerRepresentation());
  index.Bind(IntPtrConstant(0));
  VariableList foreach_vars({&index}, zone());

--- a/src/builtins/builtins-internal-gen.cc
+++ b/src/builtins/builtins-internal-gen.cc
@@ -37,10 +37,10 @@ TF_BUILTIN(CopyFastSmiOrObjectElements, CodeStubAssembler) {
  // Check if we can allocate in new space.
  ElementsKind kind = PACKED_ELEMENTS;
  int max_elements = FixedArrayBase::GetMaxLengthForNewSpaceAllocation(kind);
-  Label if_newspace(this), if_oldspace(this);
+  Label if_newspace(this), if_lospace(this, Label::kDeferred);
  Branch(UintPtrOrSmiLessThan(length, IntPtrOrSmiConstant(max_elements, mode),
                              mode),
-         &if_newspace, &if_oldspace);
+         &if_newspace, &if_lospace);

  BIND(&if_newspace);
  {
@@ -51,9 +51,10 @@ TF_BUILTIN(CopyFastSmiOrObjectElements, CodeStubAssembler) {
    Return(target);
  }

-  BIND(&if_oldspace);
+  BIND(&if_lospace);
  {
-    Node* target = AllocateFixedArray(kind, length, mode, kPretenured);
+    Node* target =
+        AllocateFixedArray(kind, length, mode, kAllowLargeObjectAllocation);
    CopyFixedArrayElements(kind, source, target, length, UPDATE_WRITE_BARRIER,
                           mode);
    StoreObjectField(object, JSObject::kElementsOffset, target);

--- a/test/mjsunit/regress/regress-v8-6716.js
+++ b/test/mjsunit/regress/regress-v8-6716.js
+// Copyright 2017 the V8 project authors. All rights reserved.
+// Use of this source code is governed by a BSD-style license that can be
+// found in the LICENSE file.
+
+function f() {}
+var a = Array(2 ** 16);  // Elements in large-object-space.
+f.bind(...a);