[turbofan] Skip optimizations for huge 'arguments'

An 'arguments' array cannot be allocated in young space when its size exceeds kMaxRegularHeapObjectSize. In this case the optimizations in JSCreateLowering::ReduceJSCreateArguments are skipped. Bug: chromium:1098565 Change-Id: I30fdc78a1eb6e51fcd293785a46c9fd78995da9a Reviewed-on: https://chromium-review.googlesource.com/c/v8/v8/+/2273121Reviewed-by: Georg Neis <neis@chromium.org> Commit-Queue: Nico Hartmann <nicohartmann@chromium.org> Cr-Commit-Position: refs/heads/master@{#68585}

[turbofan] Skip optimizations for huge 'arguments'
An 'arguments' array cannot be allocated in young space when its size exceeds kMaxRegularHeapObjectSize. In this case the optimizations in JSCreateLowering::ReduceJSCreateArguments are skipped. Bug: chromium:1098565 Change-Id: I30fdc78a1eb6e51fcd293785a46c9fd78995da9a Reviewed-on: https://chromium-review.googlesource.com/c/v8/v8/+/2273121Reviewed-by: Georg Neis <neis@chromium.org> Commit-Queue: Nico Hartmann <nicohartmann@chromium.org> Cr-Commit-Position: refs/heads/master@{#68585}
da67c2ae · Nico Hartmann · Commit Bot · 4ece1067 · da67c2ae · da67c2ae
Commit da67c2ae authored Jun 29, 2020 by Nico Hartmann Committed by Commit Bot Jun 29, 2020
Hide whitespace changes
Inline Side-by-side

Showing with 29 additions and 1 deletion

js-create-lowering.cc src/compiler/js-create-lowering.cc +6 -1

regress-1098565.js test/mjsunit/regress/regress-1098565.js +23 -0

No files found.
--- a/src/compiler/js-create-lowering.cc
+++ b/src/compiler/js-create-lowering.cc
@@ -280,6 +280,12 @@ Reduction JSCreateLowering::ReduceJSCreateArguments(Node* node) {
        return NoChange();
      }
      FrameStateInfo args_state_info = FrameStateInfoOf(args_state->op());
+      int length = args_state_info.parameter_count() - 1;  // Minus receiver.
+      // Check that the array allocated for arguments is not "large".
+      {
+        const int alloc_size = FixedArray::SizeFor(length);
+        if (alloc_size > kMaxRegularHeapObjectSize) return NoChange();
+      }
      // Prepare element backing store to be used by arguments object.
      bool has_aliased_arguments = false;
      Node* const elements = AllocateAliasedArguments(
@@ -291,7 +297,6 @@ Reduction JSCreateLowering::ReduceJSCreateArguments(Node* node) {
                                : native_context().sloppy_arguments_map());
      // Actually allocate and initialize the arguments object.
      AllocationBuilder a(jsgraph(), effect, control);
-      int length = args_state_info.parameter_count() - 1;  // Minus receiver.
      STATIC_ASSERT(JSSloppyArgumentsObject::kSize == 5 * kTaggedSize);
      a.Allocate(JSSloppyArgumentsObject::kSize);
      a.Store(AccessBuilder::ForMap(), arguments_map);

--- a/test/mjsunit/regress/regress-1098565.js
+++ b/test/mjsunit/regress/regress-1098565.js
+// Copyright 2020 the V8 project authors. All rights reserved.
+// Use of this source code is governed by a BSD-style license that can be
+// found in the LICENSE file.
+
+// Flags: --allow-natives-syntax
+
+function f() {
+    return arguments;
+}
+
+arr = [];
+arr.length=0x8000;
+g = f.bind(null,...arr);
+
+function test() {
+    return g();
+}
+
+%PrepareFunctionForOptimization(f);
+%PrepareFunctionForOptimization(test);
+test();
+%OptimizeFunctionOnNextCall(test);
+assertEquals(test().length, arr.length);