Fix array spread on large sets and maps.

The fast paths for sets and maps did not support allocation in large object space, yet they were taken in these cases. This CL adds support, simply by passing the kAllowLargeObjectAllocation argument to AllocateJSArray. It also changes the fast path for strings to use this argument rather than take the slow path. Bug: v8:7980, v8:8410 Change-Id: I18e88cb4ceb7ebeca250edd8b8b0eb401fdbd6e4 Reviewed-on: https://chromium-review.googlesource.com/c/1317507 Commit-Queue: Georg Neis <neis@chromium.org> Reviewed-by: Sigurd Schneider <sigurds@chromium.org> Reviewed-by: Jakob Gruber <jgruber@chromium.org> Cr-Commit-Position: refs/heads/master@{#57232}

Fix array spread on large sets and maps.
The fast paths for sets and maps did not support allocation in large object space, yet they were taken in these cases. This CL adds support, simply by passing the kAllowLargeObjectAllocation argument to AllocateJSArray. It also changes the fast path for strings to use this argument rather than take the slow path. Bug: v8:7980, v8:8410 Change-Id: I18e88cb4ceb7ebeca250edd8b8b0eb401fdbd6e4 Reviewed-on: https://chromium-review.googlesource.com/c/1317507 Commit-Queue: Georg Neis <neis@chromium.org> Reviewed-by: Sigurd Schneider <sigurds@chromium.org> Reviewed-by: Jakob Gruber <jgruber@chromium.org> Cr-Commit-Position: refs/heads/master@{#57232}
9bf8f72c · Georg Neis · Commit Bot · 06c8ce59 · 9bf8f72c · 9bf8f72c
Commit 9bf8f72c authored Nov 05, 2018 by Georg Neis Committed by Commit Bot Nov 05, 2018
Showing with 55 additions and 12 deletions

builtins-collections-gen.cc src/builtins/builtins-collections-gen.cc +6 -2

builtins-string-gen.cc src/builtins/builtins-string-gen.cc +2 -10

spread-large.js test/mjsunit/spread-large.js +47 -0

No files found.
--- a/src/builtins/builtins-collections-gen.cc
+++ b/src/builtins/builtins-collections-gen.cc
@@ -1098,7 +1098,9 @@ TNode<JSArray> CollectionsBuiltinsAssembler::MapIteratorToList(
  const ElementsKind kind = PACKED_ELEMENTS;
  TNode<Map> array_map =
      LoadJSArrayElementsMap(kind, LoadNativeContext(context));
-  TNode<JSArray> array = AllocateJSArray(kind, array_map, size, SmiTag(size));
+  TNode<JSArray> array =
+      AllocateJSArray(kind, array_map, size, SmiTag(size), nullptr,
+                      INTPTR_PARAMETERS, kAllowLargeObjectAllocation);
  TNode<FixedArray> elements = CAST(LoadElements(array));

  const int first_element_offset = FixedArray::kHeaderSize - kHeapObjectTag;
@@ -1209,7 +1211,9 @@ TNode<JSArray> CollectionsBuiltinsAssembler::SetOrSetIteratorToList(
  const ElementsKind kind = PACKED_ELEMENTS;
  TNode<Map> array_map =
      LoadJSArrayElementsMap(kind, LoadNativeContext(context));
-  TNode<JSArray> array = AllocateJSArray(kind, array_map, size, SmiTag(size));
+  TNode<JSArray> array =
+      AllocateJSArray(kind, array_map, size, SmiTag(size), nullptr,
+                      INTPTR_PARAMETERS, kAllowLargeObjectAllocation);
  TNode<FixedArray> elements = CAST(LoadElements(array));

  const int first_element_offset = FixedArray::kHeaderSize - kHeapObjectTag;

--- a/src/builtins/builtins-string-gen.cc
+++ b/src/builtins/builtins-string-gen.cc
@@ -2475,14 +2475,6 @@ void StringBuiltinsAssembler::BranchIfStringPrimitiveWithNoCustomIteration(
  GotoIf(TaggedIsSmi(object), if_false);
  GotoIfNot(IsString(CAST(object)), if_false);

-  // Bailout if the new array doesn't fit in new space.
-  const TNode<IntPtrT> length = LoadStringLengthAsWord(CAST(object));
-  // Since we don't have allocation site, base size does not include
-  // AllocationMemento::kSize.
-  GotoIfFixedArraySizeDoesntFitInNewSpace(
-      length, if_false, JSArray::kSize + FixedArray::kHeaderSize,
-      INTPTR_PARAMETERS);
-
  // Check that the String iterator hasn't been modified in a way that would
  // affect iteration.
  Node* protector_cell = LoadRoot(RootIndex::kStringIteratorProtector);
@@ -2500,9 +2492,9 @@ TNode<JSArray> StringBuiltinsAssembler::StringToList(TNode<Context> context,

  TNode<Map> array_map =
      LoadJSArrayElementsMap(kind, LoadNativeContext(context));
-  // Allocate the array to new space, assuming that the new array will fit in.
  TNode<JSArray> array =
-      AllocateJSArray(kind, array_map, length, SmiTag(length));
+      AllocateJSArray(kind, array_map, length, SmiTag(length), nullptr,
+                      INTPTR_PARAMETERS, kAllowLargeObjectAllocation);
  TNode<FixedArrayBase> elements = LoadElements(array);

  const int first_element_offset = FixedArray::kHeaderSize - kHeapObjectTag;

--- a/test/mjsunit/spread-large.js
+++ b/test/mjsunit/spread-large.js
+// Copyright 2018 the V8 project authors. All rights reserved.
+// Use of this source code is governed by a BSD-style license that can be
+// found in the LICENSE file.
+
+// Test that spread can create arrays in large object space.
+
+const n = 130000;
+
+// Array
+{
+  let x = new Array(n);
+  for (let i = 0; i < n; ++i) x[i] = i;
+  let a = [...x];
+}
+
+// String
+{
+  let x = new Array(n);
+  for (let i = 0; i < n; ++i) x[i] = i;
+  let a = [...String(x)];
+}
+
+// Set
+{
+  let x = new Set();
+  for (let i = 0; i < n; ++i) x.add(i);
+  let a = [...x];
+}{
+  let x = new Set();
+  for (let i = 0; i < n; ++i) x.add(i);
+  let a = [...x.values()];
+}{
+  let x = new Set();
+  for (let i = 0; i < n; ++i) x.add(i);
+  let a = [...x.keys()];
+}
+
+// Map
+{
+  let x = new Map();
+  for (let i = 0; i < n; ++i) x.set(i, String(i));
+  let a = [...x.values()];
+}{
+  let x = new Map();
+  for (let i = 0; i < n; ++i) x.set(i, String(i));
+  let a = [...x.keys()];
+}