[runtime] Decrease the maximum number of descriptors.

This ensures that MigrateFastToFast does not overflow the length of the property array. Bug: chromium:789393 Change-Id: I77adc319c1c8c469ea482bad35ead8661d535192 Reviewed-on: https://chromium-review.googlesource.com/824167 Commit-Queue: Ulan Degenbaev <ulan@chromium.org> Reviewed-by: Igor Sheludko <ishell@chromium.org> Reviewed-by: Sathya Gunasekaran <gsathya@chromium.org> Cr-Commit-Position: refs/heads/master@{#50086}
2017-12-13 16:24:51 +01:00 · 2017-12-13 16:24:51 +01:00 · 3ecb047aba
commit 3ecb047aba
parent db46a3099d
3 changed files with 8 additions and 5 deletions
--- a/src/objects.h
+++ b/src/objects.h
@ -1939,6 +1939,7 @@ class PropertyArray : public HeapObject {

  static const int kLengthFieldSize = 10;
  class LengthField : public BitField<int, 0, kLengthFieldSize> {};
+  static const int kMaxLength = LengthField::kMax;
  class HashField : public BitField<int, kLengthFieldSize,
                                    kSmiValueSize - kLengthFieldSize - 1> {};

@ -2643,6 +2644,8 @@ class JSObject: public JSReceiver {
  // its size by more than the 1 entry necessary, so sequentially adding fields
  // to the same object requires fewer allocations and copies.
  static const int kFieldsAdded = 3;
+  STATIC_ASSERT(kMaxNumberOfDescriptors + kFieldsAdded <=
+                PropertyArray::kMaxLength);

  // Layout description.
  static const int kElementsOffset = JSReceiver::kHeaderSize;
--- a/src/property-details.h
+++ b/src/property-details.h
@ -197,10 +197,10 @@ class Representation {


 static const int kDescriptorIndexBitCount = 10;
-// The maximum number of descriptors we want in a descriptor array (should
-// fit in a page).
-static const int kMaxNumberOfDescriptors =
-    (1 << kDescriptorIndexBitCount) - 2;
+// The maximum number of descriptors we want in a descriptor array.  It should
+// fit in a page and also the following should hold:
+// kMaxNumberOfDescriptors + kFieldsAdded <= PropertyArray::kMaxLength.
+static const int kMaxNumberOfDescriptors = (1 << kDescriptorIndexBitCount) - 4;
 static const int kInvalidEnumCacheSentinel =
    (1 << kDescriptorIndexBitCount) - 1;

--- a/test/mjsunit/dictionary-prototypes.js
+++ b/test/mjsunit/dictionary-prototypes.js
@ -12,7 +12,7 @@ function EnsureDictionaryMode(obj, properties=1500) {
 }

 function EnsureAlmostDictionaryMode(obj) {
-  for (let i = 0; i < 1022; i++) {
+  for (let i = 0; i < 1020; i++) {
    obj["x" + i] = 0;
  }
 }