[builtins] Allow large allocations when unboxing double arrays.

Large allocations would fail due to the flag not being set. Bug: chromium:732836 Change-Id: I31686e382386a2d08582c86b29dc8f89841040d1 Reviewed-on: https://chromium-review.googlesource.com/535563Reviewed-by: Camillo Bruni <cbruni@chromium.org> Commit-Queue: Peter Marshall <petermarshall@chromium.org> Cr-Commit-Position: refs/heads/master@{#45999}

[builtins] Allow large allocations when unboxing double arrays.
Large allocations would fail due to the flag not being set. Bug: chromium:732836 Change-Id: I31686e382386a2d08582c86b29dc8f89841040d1 Reviewed-on: https://chromium-review.googlesource.com/535563Reviewed-by: Camillo Bruni <cbruni@chromium.org> Commit-Queue: Peter Marshall <petermarshall@chromium.org> Cr-Commit-Position: refs/heads/master@{#45999}
a1baf265 · Peter Marshall · Commit Bot · 166a52ff · a1baf265 · a1baf265
Commit a1baf265 authored Jun 14, 2017 by Peter Marshall Committed by Commit Bot Jun 19, 2017
Show whitespace changes
Inline Side-by-side

Showing with 18 additions and 3 deletions

builtins-call-gen.cc src/builtins/builtins-call-gen.cc +7 -3

regress-732836.js test/mjsunit/regress/regress-732836.js +11 -0

No files found.
--- a/src/builtins/builtins-call-gen.cc
+++ b/src/builtins/builtins-call-gen.cc
@@ -179,9 +179,13 @@ void CallOrConstructBuiltinsAssembler::CallOrConstructWithArrayLike(
    Node* elements = var_elements.value();
    Node* length = ChangeInt32ToIntPtr(var_length.value());
    const ElementsKind new_kind = FAST_ELEMENTS;
+    const ParameterMode mode = INTPTR_PARAMETERS;
+    const WriteBarrierMode barrier_mode = UPDATE_WRITE_BARRIER;
    // Allocate a new FixedArray of Objects.
-    Node* new_elements = AllocateFixedArray(FAST_ELEMENTS, length);
+    Node* new_elements =
+        AllocateFixedArray(FAST_ELEMENTS, length, mode,
+                           CodeStubAssembler::kAllowLargeObjectAllocation);
    Branch(Word32Equal(kind, Int32Constant(FAST_HOLEY_DOUBLE_ELEMENTS)),
           &if_holey_double, &if_packed_double);
@@ -189,7 +193,7 @@ void CallOrConstructBuiltinsAssembler::CallOrConstructWithArrayLike(
    {
      // Fill the FixedArray with pointers to HeapObjects.
      CopyFixedArrayElements(FAST_HOLEY_DOUBLE_ELEMENTS, elements, new_kind,
-                             new_elements, length, length);
+                             new_elements, length, length, barrier_mode);
      var_elements.Bind(new_elements);
      Goto(&if_done);
    }
@@ -197,7 +201,7 @@ void CallOrConstructBuiltinsAssembler::CallOrConstructWithArrayLike(
    BIND(&if_packed_double);
    {
      CopyFixedArrayElements(FAST_DOUBLE_ELEMENTS, elements, new_kind,
-                             new_elements, length, length);
+                             new_elements, length, length, barrier_mode);
      var_elements.Bind(new_elements);
      Goto(&if_done);
    }

--- a/test/mjsunit/regress/regress-732836.js
+++ b/test/mjsunit/regress/regress-732836.js
+// Copyright 2017 the V8 project authors. All rights reserved.
+// Use of this source code is governed by a BSD-style license that can be
+// found in the LICENSE file.
+function boom() {
+  var args = [];
+  for (var i = 0; i < 125000; i++)
+    args.push(1.1);
+  return Array.apply(Array, args);
+}
+var array = boom();