[turbofan] Skip optimizations for large unmapped 'arguments'

We cannot allocate large arrays exceeding the size of kMaxRegularHeapObjectSize in young space. Bailout of optimization in such cases. Bug: chromium:1105746 Change-Id: I4f7357c2dd7b3e70d747f9067660725ecf6ae768 Reviewed-on: https://chromium-review.googlesource.com/c/v8/v8/+/2300481Reviewed-by: Nico Hartmann <nicohartmann@chromium.org> Commit-Queue: Mythri Alle <mythria@chromium.org> Cr-Commit-Position: refs/heads/master@{#68889}

[turbofan] Skip optimizations for large unmapped 'arguments'
We cannot allocate large arrays exceeding the size of kMaxRegularHeapObjectSize in young space. Bailout of optimization in such cases. Bug: chromium:1105746 Change-Id: I4f7357c2dd7b3e70d747f9067660725ecf6ae768 Reviewed-on: https://chromium-review.googlesource.com/c/v8/v8/+/2300481Reviewed-by: Nico Hartmann <nicohartmann@chromium.org> Commit-Queue: Mythri Alle <mythria@chromium.org> Cr-Commit-Position: refs/heads/master@{#68889}
2ba80497 · Mythri A · Commit Bot · 91491b1a · 2ba80497 · 2ba80497
Commit 2ba80497 authored Jul 15, 2020 by Mythri A Committed by Commit Bot Jul 16, 2020
Hide whitespace changes
Inline Side-by-side

Showing with 30 additions and 1 deletion

js-create-lowering.cc src/compiler/js-create-lowering.cc +6 -1

regress-1105746.js test/mjsunit/regress/regress-1105746.js +24 -0

No files found.
--- a/src/compiler/js-create-lowering.cc
+++ b/src/compiler/js-create-lowering.cc
@@ -331,6 +331,12 @@ Reduction JSCreateLowering::ReduceJSCreateArguments(Node* node) {
        return NoChange();
      }
      FrameStateInfo args_state_info = FrameStateInfoOf(args_state->op());
+      int length = args_state_info.parameter_count() - 1;  // Minus receiver.
+      // Check that the array allocated for arguments is not "large".
+      {
+        const int alloc_size = FixedArray::SizeFor(length);
+        if (alloc_size > kMaxRegularHeapObjectSize) return NoChange();
+      }
      // Prepare element backing store to be used by arguments object.
      Node* const elements = AllocateArguments(effect, control, args_state);
      effect = elements->op()->EffectOutputCount() > 0 ? elements : effect;
@@ -339,7 +345,6 @@ Reduction JSCreateLowering::ReduceJSCreateArguments(Node* node) {
          jsgraph()->Constant(native_context().strict_arguments_map());
      // Actually allocate and initialize the arguments object.
      AllocationBuilder a(jsgraph(), effect, control);
-      int length = args_state_info.parameter_count() - 1;  // Minus receiver.
      STATIC_ASSERT(JSStrictArgumentsObject::kSize == 4 * kTaggedSize);
      a.Allocate(JSStrictArgumentsObject::kSize);
      a.Store(AccessBuilder::ForMap(), arguments_map);

--- a/test/mjsunit/regress/regress-1105746.js
+++ b/test/mjsunit/regress/regress-1105746.js
+// Copyright 2020 the V8 project authors. All rights reserved.
+// Use of this source code is governed by a BSD-style license that can be
+// found in the LICENSE file.
+
+// Flags: --allow-natives-syntax
+'use strict'
+
+function f() {
+    return arguments;
+}
+
+var arr = [];
+arr.length=0x8000;
+var g = f.bind(null,...arr);
+
+function test() {
+    return g();
+}
+
+%PrepareFunctionForOptimization(f);
+%PrepareFunctionForOptimization(test);
+test();
+%OptimizeFunctionOnNextCall(test);
+assertEquals(test().length, arr.length);