Abort if we ever allocate a non-0-sized packed array

BUG=chromium:621147 Review-Url: https://codereview.chromium.org/2122943002 Cr-Commit-Position: refs/heads/master@{#37535}

Abort if we ever allocate a non-0-sized packed array
BUG=chromium:621147 Review-Url: https://codereview.chromium.org/2122943002 Cr-Commit-Position: refs/heads/master@{#37535}
c2eb0750 · verwaest · Commit bot · 9d66b3f3 · c2eb0750 · c2eb0750
Commit c2eb0750 authored Jul 05, 2016 by verwaest Committed by Commit bot Jul 05, 2016
4 changed files
--- a/src/bailout-reason.h
+++ b/src/bailout-reason.h
@@ -14,6 +14,7 @@ namespace internal {
                                                                               \
  V(k32BitValueInRegisterIsNotZeroExtended,                                    \
    "32 bit value in register is not zero-extended")                           \
+  V(kAllocatingNonEmptyPackedArray, "Allocating non-empty packed array")       \
  V(kAllocationIsNotDoubleAligned, "Allocation is not double aligned")         \
  V(kAPICallReturnedInvalidObject, "API call returned invalid object")         \
  V(kArgumentsObjectValueInATestContext,                                       \

--- a/src/code-stub-assembler.cc
+++ b/src/code-stub-assembler.cc
@@ -834,8 +834,7 @@ Node* CodeStubAssembler::AllocateJSArray(ElementsKind kind, Node* array_map,
  Heap* heap = isolate()->heap();
  Node* array = Allocate(total_size);
  StoreMapNoWriteBarrier(array, array_map);
-  Node* empty_properties =
-      HeapConstant(Handle<HeapObject>(heap->empty_fixed_array()));
+  Node* empty_properties = LoadRoot(Heap::kEmptyFixedArrayRootIndex);
  StoreObjectFieldNoWriteBarrier(array, JSArray::kPropertiesOffset,
                                 empty_properties);
  StoreObjectFieldNoWriteBarrier(

--- a/src/code-stubs.cc
+++ b/src/code-stubs.cc
@@ -4759,16 +4759,31 @@ void SingleArgumentConstructorCommon(CodeStubAssembler* assembler,
  assembler->Branch(assembler->WordIsSmi(size), &smi_size, &call_runtime);

  assembler->Bind(&smi_size);
-  int element_size =
-      IsFastDoubleElementsKind(elements_kind) ? kDoubleSize : kPointerSize;
-  int max_fast_elements =
-      (Page::kMaxRegularHeapObjectSize - FixedArray::kHeaderSize -
-       JSArray::kSize - AllocationMemento::kSize) /
-      element_size;
-  assembler->Branch(
-      assembler->SmiAboveOrEqual(
-          size, assembler->SmiConstant(Smi::FromInt(max_fast_elements))),
-      &call_runtime, &small_smi_size);
+
+  if (IsFastPackedElementsKind(elements_kind)) {
+    Label abort(assembler, Label::kDeferred);
+    assembler->Branch(
+        assembler->SmiEqual(size, assembler->SmiConstant(Smi::FromInt(0))),
+        &small_smi_size, &abort);
+
+    assembler->Bind(&abort);
+    Node* reason =
+        assembler->SmiConstant(Smi::FromInt(kAllocatingNonEmptyPackedArray));
+    Node* context = assembler->Parameter(
+        ArraySingleArgumentConstructorDescriptor::kContextIndex);
+    assembler->TailCallRuntime(Runtime::kAbort, context, reason);
+  } else {
+    int element_size =
+        IsFastDoubleElementsKind(elements_kind) ? kDoubleSize : kPointerSize;
+    int max_fast_elements =
+        (Page::kMaxRegularHeapObjectSize - FixedArray::kHeaderSize -
+         JSArray::kSize - AllocationMemento::kSize) /
+        element_size;
+    assembler->Branch(
+        assembler->SmiAboveOrEqual(
+            size, assembler->SmiConstant(Smi::FromInt(max_fast_elements))),
+        &call_runtime, &small_smi_size);
+  }

  assembler->Bind(&small_smi_size);
  {

--- a/test/cctest/interpreter/bytecode_expectations/Generators.golden
+++ b/test/cctest/interpreter/bytecode_expectations/Generators.golden
@@ -25,7 +25,7 @@ bytecodes: [
                B(LdaZero),
                B(TestEqualStrict), R(1),
                B(JumpIfTrue), U8(56),
-                B(LdaSmi), U8(75),
+                B(LdaSmi), U8(76),
                B(Star), R(2),
                B(CallRuntime), U16(Runtime::kAbort), R(2), U8(1),
                B(CallRuntime), U16(Runtime::kNewFunctionContext), R(closure), U8(1),
@@ -131,7 +131,7 @@ bytecodes: [
                B(LdaSmi), U8(1),
                B(TestEqualStrict), R(1),
                B(JumpIfTrueConstant), U8(0),
-                B(LdaSmi), U8(75),
+                B(LdaSmi), U8(76),
                B(Star), R(2),
                B(CallRuntime), U16(Runtime::kAbort), R(2), U8(1),
                B(CallRuntime), U16(Runtime::kNewFunctionContext), R(closure), U8(1),
@@ -277,7 +277,7 @@ bytecodes: [
                B(LdaSmi), U8(1),
                B(TestEqualStrict), R(3),
                B(JumpIfTrueConstant), U8(3),
-                B(LdaSmi), U8(75),
+                B(LdaSmi), U8(76),
                B(Star), R(4),
                B(CallRuntime), U16(Runtime::kAbort), R(4), U8(1),
                B(CallRuntime), U16(Runtime::kNewFunctionContext), R(closure), U8(1),
@@ -345,7 +345,7 @@ bytecodes: [
                B(LdaSmi), U8(1),
                B(TestEqualStrict), R(3),
                B(JumpIfTrueConstant), U8(9),
-                B(LdaSmi), U8(75),
+                B(LdaSmi), U8(76),
                B(Star), R(11),
                B(CallRuntime), U16(Runtime::kAbort), R(11), U8(1),
  /*   27 S> */ B(LdrContextSlot), R(1), U8(7), R(13),