[compiler] Don't try to inline allocate large arguments arrays

... otherwise we'd abort at runtime. Bug: chromium:1178076 Change-Id: Ic7b4a3b27379ec0d42419e2695ab487904eabd72 Reviewed-on: https://chromium-review.googlesource.com/c/v8/v8/+/2695395Reviewed-by: Michael Stanton <mvstanton@chromium.org> Commit-Queue: Georg Neis <neis@chromium.org> Cr-Commit-Position: refs/heads/master@{#72744}

[compiler] Don't try to inline allocate large arguments arrays
... otherwise we'd abort at runtime. Bug: chromium:1178076 Change-Id: Ic7b4a3b27379ec0d42419e2695ab487904eabd72 Reviewed-on: https://chromium-review.googlesource.com/c/v8/v8/+/2695395Reviewed-by: Michael Stanton <mvstanton@chromium.org> Commit-Queue: Georg Neis <neis@chromium.org> Cr-Commit-Position: refs/heads/master@{#72744}
eb2906ae · Georg Neis · Commit Bot · 053d1e0d · eb2906ae · eb2906ae
Commit eb2906ae authored Feb 15, 2021 by Georg Neis Committed by Commit Bot Feb 15, 2021
4 changed files
--- a/src/compiler/allocation-builder-inl.h
+++ b/src/compiler/allocation-builder-inl.h
@@ -27,11 +27,21 @@ void AllocationBuilder::AllocateContext(int variadic_part_length, MapRef map) {
        jsgraph()->Constant(variadic_part_length));
 }
+// static
+bool AllocationBuilder::CanAllocateArray(int length, MapRef map,
+                                         AllocationType allocation) {
+  DCHECK(map.instance_type() == FIXED_ARRAY_TYPE ||
+         map.instance_type() == FIXED_DOUBLE_ARRAY_TYPE);
+  int const size = (map.instance_type() == FIXED_ARRAY_TYPE)
+                       ? FixedArray::SizeFor(length)
+                       : FixedDoubleArray::SizeFor(length);
+  return size <= Heap::MaxRegularHeapObjectSize(allocation);
+}
 // Compound allocation of a FixedArray.
 void AllocationBuilder::AllocateArray(int length, MapRef map,
                                      AllocationType allocation) {
-  DCHECK(map.instance_type() == FIXED_ARRAY_TYPE ||
+  DCHECK(CanAllocateArray(length, map, allocation));
-         map.instance_type() == FIXED_DOUBLE_ARRAY_TYPE);
  int size = (map.instance_type() == FIXED_ARRAY_TYPE)
                 ? FixedArray::SizeFor(length)
                 : FixedDoubleArray::SizeFor(length);
@@ -40,8 +50,16 @@ void AllocationBuilder::AllocateArray(int length, MapRef map,
  Store(AccessBuilder::ForFixedArrayLength(), jsgraph()->Constant(length));
 }
+// static
+bool AllocationBuilder::CanAllocateSloppyArgumentElements(
+    int length, MapRef map, AllocationType allocation) {
+  int const size = SloppyArgumentsElements::SizeFor(length);
+  return size <= Heap::MaxRegularHeapObjectSize(allocation);
+}
 void AllocationBuilder::AllocateSloppyArgumentElements(
    int length, MapRef map, AllocationType allocation) {
+  DCHECK(CanAllocateSloppyArgumentElements(length, map, allocation));
  int size = SloppyArgumentsElements::SizeFor(length);
  Allocate(size, allocation, Type::OtherInternal());
  Store(AccessBuilder::ForMap(), map);

--- a/src/compiler/allocation-builder.h
+++ b/src/compiler/allocation-builder.h
@@ -52,10 +52,16 @@ class AllocationBuilder final {
  inline void AllocateContext(int variadic_part_length, MapRef map);
  // Compound allocation of a FixedArray.
+  inline static bool CanAllocateArray(
+      int length, MapRef map,
+      AllocationType allocation = AllocationType::kYoung);
  inline void AllocateArray(int length, MapRef map,
                            AllocationType allocation = AllocationType::kYoung);
  // Compound allocation of a SloppyArgumentsElements
+  static inline bool CanAllocateSloppyArgumentElements(
+      int length, MapRef map,
+      AllocationType allocation = AllocationType::kYoung);
  inline void AllocateSloppyArgumentElements(
      int length, MapRef map,
      AllocationType allocation = AllocationType::kYoung);

--- a/src/compiler/js-create-lowering.cc
+++ b/src/compiler/js-create-lowering.cc
--- a/src/compiler/js-create-lowering.h
+++ b/src/compiler/js-create-lowering.h
@@ -83,17 +83,21 @@ class V8_EXPORT_PRIVATE JSCreateLowering final
      const SlackTrackingPrediction& slack_tracking_prediction);
  Reduction ReduceJSCreateObject(Node* node);
-  Node* AllocateArguments(Node* effect, Node* control, FrameState frame_state);
+  // The following functions all return nullptr iff there are too many arguments
-  Node* AllocateRestArguments(Node* effect, Node* control,
+  // for inline allocation.
-                              FrameState frame_state, int start_index);
+  Node* TryAllocateArguments(Node* effect, Node* control,
-  Node* AllocateAliasedArguments(Node* effect, Node* control,
+                             FrameState frame_state);
-                                 FrameState frame_state, Node* context,
+  Node* TryAllocateRestArguments(Node* effect, Node* control,
-                                 const SharedFunctionInfoRef& shared,
+                                 FrameState frame_state, int start_index);
-                                 bool* has_aliased_arguments);
+  Node* TryAllocateAliasedArguments(Node* effect, Node* control,
-  Node* AllocateAliasedArguments(Node* effect, Node* control, Node* context,
+                                    FrameState frame_state, Node* context,
-                                 Node* arguments_length,
+                                    const SharedFunctionInfoRef& shared,
-                                 const SharedFunctionInfoRef& shared,
+                                    bool* has_aliased_arguments);
-                                 bool* has_aliased_arguments);
+  Node* TryAllocateAliasedArguments(Node* effect, Node* control, Node* context,
+                                    Node* arguments_length,
+                                    const SharedFunctionInfoRef& shared,
+                                    bool* has_aliased_arguments);
  Node* AllocateElements(Node* effect, Node* control,
                         ElementsKind elements_kind, int capacity,
                         AllocationType allocation);