Revert "[runtime] Reduce spread/apply call max arguments"

This reverts commit 4e3a17d0.

Reason for revert: Web compact issues, see crbug.com/910252

Original change's description:
> [runtime] Reduce spread/apply call max arguments
> 
> Bug: chromium:906043
> Change-Id: I308b29af0644c318d73926b27e65a94913c760c7
> Reviewed-on: https://chromium-review.googlesource.com/c/1346115
> Commit-Queue: Peter Marshall <petermarshall@chromium.org>
> Reviewed-by: Jaroslav Sevcik <jarin@chromium.org>
> Reviewed-by: Benedikt Meurer <bmeurer@chromium.org>
> Reviewed-by: Jakob Gruber <jgruber@chromium.org>
> Cr-Commit-Position: refs/heads/master@{#57731}

TBR=jarin@chromium.org,jgruber@chromium.org,petermarshall@chromium.org,bmeurer@chromium.org

# Not skipping CQ checks because original CL landed > 1 day ago.

Bug: chromium:906043
Change-Id: I240c1b55c10fd3e108e3c49f93ce1d9ca9c61780
Reviewed-on: https://chromium-review.googlesource.com/c/1356502Reviewed-by: Peter Marshall <petermarshall@chromium.org>
Commit-Queue: Peter Marshall <petermarshall@chromium.org>
Cr-Commit-Position: refs/heads/master@{#57956}

src/builtins/builtins-call-gen.cc

@@ -183,8 +183,6 @@ void CallOrConstructBuiltinsAssembler::CallOrConstructWithArrayLike(
     Goto(&if_done);
   }
 
-  Label too_many_args(this, Label::kDeferred);
-
   // Tail call to the appropriate builtin (depending on whether we have
   // a {new_target} passed).
   BIND(&if_done);
@@ -195,8 +193,6 @@ void CallOrConstructBuiltinsAssembler::CallOrConstructWithArrayLike(
     TNode<Int32T> length = var_length.value();
     {
       Label normalize_done(this);
-      GotoIf(Int32GreaterThan(length, Int32Constant(Code::kMaxArguments)),
-             &too_many_args);
       GotoIfNot(Word32Equal(length, Int32Constant(0)), &normalize_done);
       // Make sure we don't accidentally pass along the
       // empty_fixed_double_array since the tailed-called stubs cannot handle
@@ -231,9 +227,6 @@ void CallOrConstructBuiltinsAssembler::CallOrConstructWithArrayLike(
                                    Int32Constant(HOLEY_DOUBLE_ELEMENTS));
     }
   }
-
-  BIND(&too_many_args);
-  ThrowRangeError(context, MessageTemplate::kTooManyArguments);
 }
 
 // Takes a FixedArray of doubles and creates a new FixedArray with those doubles
@@ -245,11 +238,6 @@ void CallOrConstructBuiltinsAssembler::CallOrConstructDoubleVarargs(
     TNode<Int32T> args_count, TNode<Context> context, TNode<Int32T> kind) {
   const ElementsKind new_kind = PACKED_ELEMENTS;
   const WriteBarrierMode barrier_mode = UPDATE_WRITE_BARRIER;
-
-  Label too_many_args(this, Label::kDeferred);
-  GotoIf(Int32GreaterThan(length, Int32Constant(Code::kMaxArguments)),
-         &too_many_args);
-
   TNode<IntPtrT> intptr_length = ChangeInt32ToIntPtr(length);
   CSA_ASSERT(this, WordNotEqual(intptr_length, IntPtrConstant(0)));
 
@@ -269,16 +257,13 @@ void CallOrConstructBuiltinsAssembler::CallOrConstructDoubleVarargs(
     TailCallStub(callable, context, target, new_target, args_count, length,
                  new_elements);
   }
-
-  BIND(&too_many_args);
-  ThrowRangeError(context, MessageTemplate::kTooManyArguments);
 }
 
 void CallOrConstructBuiltinsAssembler::CallOrConstructWithSpread(
     TNode<Object> target, TNode<Object> new_target, TNode<Object> spread,
     TNode<Int32T> args_count, TNode<Context> context) {
   Label if_smiorobject(this), if_double(this),
-      if_generic(this, Label::kDeferred), too_many_args(this, Label::kDeferred);
+      if_generic(this, Label::kDeferred);
 
   TVARIABLE(Int32T, var_length);
   TVARIABLE(FixedArrayBase, var_elements);
@@ -344,9 +329,6 @@ void CallOrConstructBuiltinsAssembler::CallOrConstructWithSpread(
     TNode<FixedArrayBase> elements = var_elements.value();
     TNode<Int32T> length = var_length.value();
 
-    GotoIf(Int32GreaterThan(length, Int32Constant(Code::kMaxArguments)),
-           &too_many_args);
-
     if (new_target == nullptr) {
       Callable callable = CodeFactory::CallVarargs(isolate());
       TailCallStub(callable, context, target, args_count, length, elements);
@@ -364,9 +346,6 @@ void CallOrConstructBuiltinsAssembler::CallOrConstructWithSpread(
                                  var_length.value(), args_count, context,
                                  var_elements_kind.value());
   }
-
-  BIND(&too_many_args);
-  ThrowRangeError(context, MessageTemplate::kTooManyArguments);
 }
 
 TF_BUILTIN(CallWithArrayLike, CallOrConstructBuiltinsAssembler) {

src/message-template.h

@@ -459,7 +459,7 @@ namespace internal {
   T(AwaitExpressionFormalParameter,                                            \
     "Illegal await-expression in formal parameters of async function")         \
   T(TooManyArguments,                                                          \
-    "Too many arguments in function call (only 65534 allowed)")                \
+    "Too many arguments in function call (only 65535 allowed)")                \
   T(TooManyParameters,                                                         \
     "Too many parameters in function definition (only 65534 allowed)")         \
   T(TooManySpreads,                                                            \

test/mjsunit/apply.js

@@ -122,10 +122,7 @@ for (var j = 1; j < 0x400000; j <<= 1) {
     a[j - 1] = 42;
     assertEquals(42 + j, al.apply(345, a));
   } catch (e) {
-    assertTrue(
-        e.toString().indexOf('Maximum call stack size exceeded') != -1 ||
-        e.toString().indexOf(
-            'Too many arguments in function call (only 65534 allowed)') != -1);
+    assertTrue(e.toString().indexOf("Maximum call stack size exceeded") != -1);
     for (; j < 0x400000; j <<= 1) {
       var caught = false;
       try {
@@ -136,10 +133,7 @@ for (var j = 1; j < 0x400000; j <<= 1) {
         assertUnreachable("Apply of array with length " + a.length +
                           " should have thrown");
       } catch (e) {
-        assertTrue(
-          e.toString().indexOf('Maximum call stack size exceeded') != -1 ||
-          e.toString().indexOf(
-            'Too many arguments in function call (only 65534 allowed)') != -1);
+        assertTrue(e.toString().indexOf("Maximum call stack size exceeded") != -1);
         caught = true;
       }
       assertTrue(caught, "exception not caught");

test/mjsunit/regress/regress-3027.js

@@ -30,7 +30,7 @@
 
 function boom() {
   var args = [];
-  for (var i = 0; i < 65534; i++) {
+  for (var i = 0; i < 125000; i++) {
     args.push(i);
   }
   return Array.apply(Array, args);
@@ -38,5 +38,5 @@ function boom() {
 
 var array = boom();
 
-assertEquals(65534, array.length);
-assertEquals(65533, array[65533]);
+assertEquals(125000, array.length);
+assertEquals(124999, array[124999]);

test/mjsunit/regress/regress-331444.js

@@ -29,7 +29,7 @@
 
 function boom() {
   var args = [];
-  for (var i = 0; i < 65534; i++)
+  for (var i = 0; i < 125000; i++)
     args.push(i);
   return Array.apply(Array, args);
 }

test/mjsunit/regress/regress-358090.js

@@ -2,7 +2,7 @@
 // Use of this source code is governed by a BSD-style license that can be
 // found in the LICENSE file.
 
-var x = Array(65534);
+var x = Array(100000);
 y =  Array.apply(Array, x);
 y.unshift(4);
 y.shift();

test/mjsunit/regress/regress-732836.js

@@ -4,7 +4,7 @@
 
 function boom() {
   var args = [];
-  for (var i = 0; i < 65534; i++)
+  for (var i = 0; i < 125000; i++)
     args.push(1.1);
   return Array.apply(Array, args);
 }

test/mjsunit/regress/regress-803750.js

@@ -3,5 +3,5 @@
 // found in the LICENSE file.
 
 // Verify that very large arrays can be constructed.
-assertEquals(Array.isArray(Array.of.apply(Array, Array(65534))), true);
-assertEquals(Array.isArray(Array.of.apply(null, Array(65534))), true);
+assertEquals(Array.isArray(Array.of.apply(Array, Array(65536))), true);
+assertEquals(Array.isArray(Array.of.apply(null, Array(65536))), true);

test/mjsunit/regress/regress-869735.js

@@ -10,5 +10,5 @@ function f() {
 
 var a = [];
 %OptimizeFunctionOnNextCall(f);
-a.length = 65534;
+a.length = 81832;
 f(...a);

test/mjsunit/regress/regress-crbug-614727.js

@@ -7,7 +7,10 @@
 function f(a, b, c) { return arguments }
 function g(...args) { return args }
 
-var length = 65534;
+// On 64-bit machine this produces a 768K array which is sufficiently small to
+// not cause a stack overflow, but big enough to move the allocated arguments
+// object into large object space (kMaxRegularHeapObjectSize == 600K).
+var length = Math.pow(2, 15) * 3;
 var args = new Array(length);
 assertEquals(length, f.apply(null, args).length);
 assertEquals(length, g.apply(null, args).length);

test/mjsunit/regress/regress-crbug-813450.js

@@ -4,7 +4,7 @@
 
 // Flags: --allow-natives-syntax
 
-var constructorArgs = new Array(65534);
+var constructorArgs = new Array(0x10100);
 var constructor = function() {};
 var target = new Proxy(constructor, {
   construct: function() {

test/mjsunit/regress/regress-crbug-906043.js

-// Copyright 2018 the V8 project authors. All rights reserved.
-// Use of this source code is governed by a BSD-style license that can be
-// found in the LICENSE file.
-
-// Flags: --allow-natives-syntax
-
-function fun(arg) {
-  let x = arguments.length;
-  a1 = new Array(0x10);
-  a1[0] = 1.1;
-  a2 = new Array(0x10);
-  a2[0] = 1.1;
-  a1[(x >> 16) * 21] = 1.39064994160909e-309;  // 0xffff00000000
-  a1[(x >> 16) * 41] = 8.91238232205e-313;  // 0x2a00000000
-}
-
-var a1, a2;
-var a3 = [1.1,2.2];
-a3.length = 0x11000;
-a3.fill(3.3);
-
-var a4 = [1.1];
-
-for (let i = 0; i < 3; i++) fun(...a4);
-%OptimizeFunctionOnNextCall(fun);
-fun(...a4);
-
-assertThrows(() => fun(...a3), RangeError);
-assertThrows(() => fun.apply(null, a3), RangeError);
-
-const kMaxArguments = 65534;
-let big_array = [];
-for (let i = 0; i < kMaxArguments + 1; i++) big_array.push(i);
-assertThrows(() => fun(...big_array), RangeError);
-assertThrows(() => new fun(...big_array), RangeError);
-assertThrows(() => fun.apply(null, big_array), RangeError);
-assertThrows(() => Reflect.construct(fun, big_array), RangeError);
-assertThrows(() => Reflect.apply(fun, undefined, big_array), RangeError);
-
-big_array = [];
-for (let i = 0; i < kMaxArguments + 1; i++) big_array.push(i + 0.1);
-assertThrows(() => fun(...big_array), RangeError);
-assertThrows(() => new fun(...big_array), RangeError);
-assertThrows(() => fun.apply(null, big_array), RangeError);
-assertThrows(() => Reflect.construct(fun, big_array), RangeError);
-assertThrows(() => Reflect.apply(fun, undefined, big_array), RangeError);
-
-big_array = [];
-for (let i = 0; i < kMaxArguments + 1; i++) big_array.push({i: i});
-assertThrows(() => fun(...big_array), RangeError);
-assertThrows(() => new fun(...big_array), RangeError);
-assertThrows(() => fun.apply(null, big_array), RangeError);
-assertThrows(() => Reflect.construct(fun, big_array), RangeError);
-assertThrows(() => Reflect.apply(fun, undefined, big_array), RangeError);

test/mjsunit/regress/regress-v8-6716.js

@@ -3,5 +3,5 @@
 // found in the LICENSE file.
 
 function f() {}
-var a = Array(65534);
+var a = Array(2 ** 16);  // Elements in large-object-space.
 f.bind(...a);

test/mjsunit/string-indexof-1.js

@@ -133,7 +133,7 @@ assertEquals(-1, asciiString.indexOf("\x2061"));
 
 // Search in string containing many non-ASCII chars.
 var allCodePoints = [];
-for (var i = 0; i < 65534; i++) allCodePoints[i] = i;
+for (var i = 0; i < 65536; i++) allCodePoints[i] = i;
 var allCharsString = String.fromCharCode.apply(String, allCodePoints);
 // Search for string long enough to trigger complex search with ASCII pattern
 // and UC16 subject.

test/mozilla/mozilla.status

@@ -460,9 +460,6 @@
   'js1_5/Regress/regress-313967-02': [FAIL_OK],
   'js1_5/extensions/regress-459606': [FAIL_OK],
 
-  # We restrict the number of apply arguments.
-  'js1_5/Array/regress-350256-01': [SKIP],
-
   # This fails because we don't have stack space for Function.prototype.apply
   # with very large numbers of arguments.  The test uses 2^24 arguments.
   'js1_5/Array/regress-350256-03': [FAIL_OK],

test/webkit/fast/js/function-apply-expected.txt

@@ -54,14 +54,13 @@ PASS arrayApplyChangeLength2() is 2
 PASS arrayApplyChangeLength3() is 2
 PASS arrayApplyChangeLength4() is 0
 PASS var a = []; a.length = 0xFFFE; [].constructor.apply('', a).length is 0xFFFE
-PASS var a = []; a.length = 0xFFFF; [].constructor.apply('', a).length threw exception RangeError: Too many arguments in function call (only 65534 allowed).
-PASS var a = []; a.length = 0x10000; [].constructor.apply('', a).length threw exception RangeError: Too many arguments in function call (only 65534 allowed).
-PASS var a = []; a.length = 0x10001; [].constructor.apply('', a).length threw exception RangeError: Too many arguments in function call (only 65534 allowed).
+PASS var a = []; a.length = 0xFFFF; [].constructor.apply('', a).length is 0xFFFF
+PASS var a = []; a.length = 0x10000; [].constructor.apply('', a).length is 0x10000
+PASS var a = []; a.length = 0x10001; [].constructor.apply('', a).length is 0x10001
 PASS var a = []; a.length = 0xFFFFFFFE; [].constructor.apply('', a).length threw exception RangeError: Invalid array length.
 PASS var a = []; a.length = 0xFFFFFFFF; [].constructor.apply('', a).length threw exception RangeError: Invalid array length.
 PASS (function(a,b,c,d){ return d ? -1 : (a+b+c); }).apply(undefined, {length:3, 0:100, 1:20, 2:3}) is 123
 PASS successfullyParsed is true
 
-
 TEST COMPLETE
 

test/webkit/fast/js/function-apply.js

@@ -308,9 +308,9 @@ shouldBe("arrayApplyChangeLength3()", "2");
 shouldBe("arrayApplyChangeLength4()", "0");
 
 shouldBe("var a = []; a.length = 0xFFFE; [].constructor.apply('', a).length", "0xFFFE");
-shouldThrow("var a = []; a.length = 0xFFFF; [].constructor.apply('', a).length");
-shouldThrow("var a = []; a.length = 0x10000; [].constructor.apply('', a).length");
-shouldThrow("var a = []; a.length = 0x10001; [].constructor.apply('', a).length");
+shouldBe("var a = []; a.length = 0xFFFF; [].constructor.apply('', a).length", "0xFFFF");
+shouldBe("var a = []; a.length = 0x10000; [].constructor.apply('', a).length", "0x10000");
+shouldBe("var a = []; a.length = 0x10001; [].constructor.apply('', a).length", "0x10001");
 shouldThrow("var a = []; a.length = 0xFFFFFFFE; [].constructor.apply('', a).length");
 shouldThrow("var a = []; a.length = 0xFFFFFFFF; [].constructor.apply('', a).length");