[runtime] Decrease the maximum number of descriptors.

This ensures that MigrateFastToFast does not overflow the length of the property array. Bug: chromium:789393 Change-Id: I77adc319c1c8c469ea482bad35ead8661d535192 Reviewed-on: https://chromium-review.googlesource.com/824167 Commit-Queue: Ulan Degenbaev <ulan@chromium.org> Reviewed-by: Igor Sheludko <ishell@chromium.org> Reviewed-by: Sathya Gunasekaran <gsathya@chromium.org> Cr-Commit-Position: refs/heads/master@{#50086}

[runtime] Decrease the maximum number of descriptors.
This ensures that MigrateFastToFast does not overflow the length of the property array. Bug: chromium:789393 Change-Id: I77adc319c1c8c469ea482bad35ead8661d535192 Reviewed-on: https://chromium-review.googlesource.com/824167 Commit-Queue: Ulan Degenbaev <ulan@chromium.org> Reviewed-by: Igor Sheludko <ishell@chromium.org> Reviewed-by: Sathya Gunasekaran <gsathya@chromium.org> Cr-Commit-Position: refs/heads/master@{#50086}
3ecb047a · Ulan Degenbaev · Commit Bot · db46a309 · 3ecb047a · 3ecb047a
Commit 3ecb047a authored Dec 13, 2017 by Ulan Degenbaev Committed by Commit Bot Dec 13, 2017
Hide whitespace changes
Inline Side-by-side

Showing with 8 additions and 5 deletions

objects.h src/objects.h +3 -0

property-details.h src/property-details.h +4 -4

dictionary-prototypes.js test/mjsunit/dictionary-prototypes.js +1 -1

No files found.
--- a/src/objects.h
+++ b/src/objects.h
@@ -1939,6 +1939,7 @@ class PropertyArray : public HeapObject {
  static const int kLengthFieldSize = 10;
  class LengthField : public BitField<int, 0, kLengthFieldSize> {};
+  static const int kMaxLength = LengthField::kMax;
  class HashField : public BitField<int, kLengthFieldSize,
                                    kSmiValueSize - kLengthFieldSize - 1> {};
@@ -2643,6 +2644,8 @@ class JSObject: public JSReceiver {
  // its size by more than the 1 entry necessary, so sequentially adding fields
  // to the same object requires fewer allocations and copies.
  static const int kFieldsAdded = 3;
+  STATIC_ASSERT(kMaxNumberOfDescriptors + kFieldsAdded <=
+                PropertyArray::kMaxLength);
  // Layout description.
  static const int kElementsOffset = JSReceiver::kHeaderSize;

--- a/src/property-details.h
+++ b/src/property-details.h
@@ -197,10 +197,10 @@ class Representation {
 static const int kDescriptorIndexBitCount = 10;
-// The maximum number of descriptors we want in a descriptor array (should
+// The maximum number of descriptors we want in a descriptor array.  It should
-// fit in a page).
+// fit in a page and also the following should hold:
-static const int kMaxNumberOfDescriptors =
+// kMaxNumberOfDescriptors + kFieldsAdded <= PropertyArray::kMaxLength.
-    (1 << kDescriptorIndexBitCount) - 2;
+static const int kMaxNumberOfDescriptors = (1 << kDescriptorIndexBitCount) - 4;
 static const int kInvalidEnumCacheSentinel =
    (1 << kDescriptorIndexBitCount) - 1;

--- a/test/mjsunit/dictionary-prototypes.js
+++ b/test/mjsunit/dictionary-prototypes.js
@@ -12,7 +12,7 @@ function EnsureDictionaryMode(obj, properties=1500) {
 }
 function EnsureAlmostDictionaryMode(obj) {
-  for (let i = 0; i < 1022; i++) {
+  for (let i = 0; i < 1020; i++) {
    obj["x" + i] = 0;
  }
 }