Add bailout for large objects when allocating arrays in optimized code.

BUG= Review URL: https://codereview.chromium.org/1408553002 Cr-Commit-Position: refs/heads/master@{#31259}
2015-10-14 05:59:55 -07:00 · 2015-10-14 05:59:55 -07:00 · 0c81c4e924
commit 0c81c4e924
parent a0159c1168
1 changed files with 5 additions and 0 deletions
--- a/src/hydrogen.cc
+++ b/src/hydrogen.cc
@ -3514,6 +3514,11 @@ HAllocate* HGraphBuilder::JSArrayBuilder::AllocateArray(
  HValue* elements_size =
      builder()->BuildCalculateElementsSize(kind_, capacity);

+  // Bail out for large objects.
+  HValue* max_regular_heap_object_size =
+      builder()->Add<HConstant>(Page::kMaxRegularHeapObjectSize);
+  builder()->Add<HBoundsCheck>(elements_size, max_regular_heap_object_size);
+
  // Allocate (dealing with failure appropriately)
  HAllocate* array_object = builder()->AllocateJSArrayObject(mode_);