Commit c2eb0750 authored by verwaest's avatar verwaest Committed by Commit bot

Abort if we ever allocate a non-0-sized packed array

BUG=chromium:621147

Review-Url: https://codereview.chromium.org/2122943002
Cr-Commit-Position: refs/heads/master@{#37535}
parent 9d66b3f3
...@@ -14,6 +14,7 @@ namespace internal { ...@@ -14,6 +14,7 @@ namespace internal {
\ \
V(k32BitValueInRegisterIsNotZeroExtended, \ V(k32BitValueInRegisterIsNotZeroExtended, \
"32 bit value in register is not zero-extended") \ "32 bit value in register is not zero-extended") \
V(kAllocatingNonEmptyPackedArray, "Allocating non-empty packed array") \
V(kAllocationIsNotDoubleAligned, "Allocation is not double aligned") \ V(kAllocationIsNotDoubleAligned, "Allocation is not double aligned") \
V(kAPICallReturnedInvalidObject, "API call returned invalid object") \ V(kAPICallReturnedInvalidObject, "API call returned invalid object") \
V(kArgumentsObjectValueInATestContext, \ V(kArgumentsObjectValueInATestContext, \
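Review bot: Inserting `kAllocatingNonEmptyPackedArray` alphabetically into the middle of the `V(...)` list renumbers every bailout reason declared after it, which is exactly why the four bytecode-expectation hunks in this same commit bump the `LdaSmi` operand fed to `Runtime::kAbort` from 75 to 76. The numeric value is also what the new array-constructor hunk materializes as a Smi immediate, so the enum's ordinal is effectively part of generated code. A comment at the head of the list would save the next person the same surprise: `// Entries are numbered in list order; inserting one renumbers every later reason and requires regenerating the bytecode expectations.` If these ids are ever persisted beyond a single build (snapshot or code cache), appending rather than inserting would be the safer convention, but I cannot tell from this hunk whether that applies.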
...@@ -834,8 +834,7 @@ Node* CodeStubAssembler::AllocateJSArray(ElementsKind kind, Node* array_map, ...@@ -834,8 +834,7 @@ Node* CodeStubAssembler::AllocateJSArray(ElementsKind kind, Node* array_map,
Heap* heap = isolate()->heap(); Heap* heap = isolate()->heap();
Node* array = Allocate(total_size); Node* array = Allocate(total_size);
StoreMapNoWriteBarrier(array, array_map); StoreMapNoWriteBarrier(array, array_map);
Node* empty_properties = Node* empty_properties = LoadRoot(Heap::kEmptyFixedArrayRootIndex);
HeapConstant(Handle<HeapObject>(heap->empty_fixed_array()));
StoreObjectFieldNoWriteBarrier(array, JSArray::kPropertiesOffset, StoreObjectFieldNoWriteBarrier(array, JSArray::kPropertiesOffset,
empty_properties); empty_properties);
StoreObjectFieldNoWriteBarrier( StoreObjectFieldNoWriteBarrier(
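Review bot: With `empty_properties` now coming from `LoadRoot(Heap::kEmptyFixedArrayRootIndex)`, the `Heap* heap = isolate()->heap();` local at the top of the hunk has no remaining use in the visible lines. `AllocateJSArray` starts and ends outside the hunk, so if nothing later in the body reads `heap` either, the declaration is dead and should be removed to keep the build free of unused-variable warnings. If it is still needed further down, consider moving the declaration next to that first use so the dependency is obvious.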
...@@ -4759,16 +4759,31 @@ void SingleArgumentConstructorCommon(CodeStubAssembler* assembler, ...@@ -4759,16 +4759,31 @@ void SingleArgumentConstructorCommon(CodeStubAssembler* assembler,
assembler->Branch(assembler->WordIsSmi(size), &smi_size, &call_runtime); assembler->Branch(assembler->WordIsSmi(size), &smi_size, &call_runtime);
assembler->Bind(&smi_size); assembler->Bind(&smi_size);
int element_size =
IsFastDoubleElementsKind(elements_kind) ? kDoubleSize : kPointerSize; if (IsFastPackedElementsKind(elements_kind)) {
int max_fast_elements = Label abort(assembler, Label::kDeferred);
(Page::kMaxRegularHeapObjectSize - FixedArray::kHeaderSize - assembler->Branch(
JSArray::kSize - AllocationMemento::kSize) / assembler->SmiEqual(size, assembler->SmiConstant(Smi::FromInt(0))),
element_size; &small_smi_size, &abort);
assembler->Branch(
assembler->SmiAboveOrEqual( assembler->Bind(&abort);
size, assembler->SmiConstant(Smi::FromInt(max_fast_elements))), Node* reason =
&call_runtime, &small_smi_size); assembler->SmiConstant(Smi::FromInt(kAllocatingNonEmptyPackedArray));
Node* context = assembler->Parameter(
ArraySingleArgumentConstructorDescriptor::kContextIndex);
assembler->TailCallRuntime(Runtime::kAbort, context, reason);
} else {
int element_size =
IsFastDoubleElementsKind(elements_kind) ? kDoubleSize : kPointerSize;
int max_fast_elements =
(Page::kMaxRegularHeapObjectSize - FixedArray::kHeaderSize -
JSArray::kSize - AllocationMemento::kSize) /
element_size;
assembler->Branch(
assembler->SmiAboveOrEqual(
size, assembler->SmiConstant(Smi::FromInt(max_fast_elements))),
&call_runtime, &small_smi_size);
}
assembler->Bind(&small_smi_size); assembler->Bind(&small_smi_size);
{ {
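Review bot: The new `IsFastPackedElementsKind` branch changes the outcome for a negative Smi `size`: the old `SmiAboveOrEqual` compare (unsigned, judging by the name) routed such values to `call_runtime`, whereas the packed path now sends every nonzero `size`, negative included, to `Runtime::kAbort`. That is only correct if the dispatch that selects this stub already guarantees a packed kind is never paired with a nonzero length, an invariant the hunk relies on but does not show. The reason for the hard abort deserves a comment right above the `if`: `// Packed kinds are only dispatched here with a length of 0; any other length violates the allocation-site invariant, so abort instead of allocating a non-empty packed array.` `SingleArgumentConstructorCommon` begins and ends outside the hunk, and the holey-kind `else` branch is the old code moved verbatim.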
...@@ -25,7 +25,7 @@ bytecodes: [ ...@@ -25,7 +25,7 @@ bytecodes: [
B(LdaZero), B(LdaZero),
B(TestEqualStrict), R(1), B(TestEqualStrict), R(1),
B(JumpIfTrue), U8(56), B(JumpIfTrue), U8(56),
B(LdaSmi), U8(75), B(LdaSmi), U8(76),
B(Star), R(2), B(Star), R(2),
B(CallRuntime), U16(Runtime::kAbort), R(2), U8(1), B(CallRuntime), U16(Runtime::kAbort), R(2), U8(1),
B(CallRuntime), U16(Runtime::kNewFunctionContext), R(closure), U8(1), B(CallRuntime), U16(Runtime::kNewFunctionContext), R(closure), U8(1),
...@@ -131,7 +131,7 @@ bytecodes: [ ...@@ -131,7 +131,7 @@ bytecodes: [
B(LdaSmi), U8(1), B(LdaSmi), U8(1),
B(TestEqualStrict), R(1), B(TestEqualStrict), R(1),
B(JumpIfTrueConstant), U8(0), B(JumpIfTrueConstant), U8(0),
B(LdaSmi), U8(75), B(LdaSmi), U8(76),
B(Star), R(2), B(Star), R(2),
B(CallRuntime), U16(Runtime::kAbort), R(2), U8(1), B(CallRuntime), U16(Runtime::kAbort), R(2), U8(1),
B(CallRuntime), U16(Runtime::kNewFunctionContext), R(closure), U8(1), B(CallRuntime), U16(Runtime::kNewFunctionContext), R(closure), U8(1),
...@@ -277,7 +277,7 @@ bytecodes: [ ...@@ -277,7 +277,7 @@ bytecodes: [
B(LdaSmi), U8(1), B(LdaSmi), U8(1),
B(TestEqualStrict), R(3), B(TestEqualStrict), R(3),
B(JumpIfTrueConstant), U8(3), B(JumpIfTrueConstant), U8(3),
B(LdaSmi), U8(75), B(LdaSmi), U8(76),
B(Star), R(4), B(Star), R(4),
B(CallRuntime), U16(Runtime::kAbort), R(4), U8(1), B(CallRuntime), U16(Runtime::kAbort), R(4), U8(1),
B(CallRuntime), U16(Runtime::kNewFunctionContext), R(closure), U8(1), B(CallRuntime), U16(Runtime::kNewFunctionContext), R(closure), U8(1),
...@@ -345,7 +345,7 @@ bytecodes: [ ...@@ -345,7 +345,7 @@ bytecodes: [
B(LdaSmi), U8(1), B(LdaSmi), U8(1),
B(TestEqualStrict), R(3), B(TestEqualStrict), R(3),
B(JumpIfTrueConstant), U8(9), B(JumpIfTrueConstant), U8(9),
B(LdaSmi), U8(75), B(LdaSmi), U8(76),
B(Star), R(11), B(Star), R(11),
B(CallRuntime), U16(Runtime::kAbort), R(11), U8(1), B(CallRuntime), U16(Runtime::kAbort), R(11), U8(1),
/* 27 S> */ B(LdrContextSlot), R(1), U8(7), R(13), /* 27 S> */ B(LdrContextSlot), R(1), U8(7), R(13),