[stubs] Add option to allow LO space allocation

Passing kAllowLargeObjectAllocation now allocates in LOS if necessary.
Allow such allocations when growing fixed arrays in RegExp's @@match
and @@split operations.

BUG=chromium:670671

Review-Url: https://codereview.chromium.org/2555703003
Cr-Commit-Position: refs/heads/master@{#41526}
This commit is contained in:
jgruber 2016-12-06 06:08:41 -08:00 committed by Commit bot
parent 52fd3c1ec5
commit 9c9c8d7bb5
5 changed files with 46 additions and 3 deletions

View File

@ -1465,9 +1465,12 @@ class GrowableFixedArray {
const ElementsKind kind = FAST_ELEMENTS; const ElementsKind kind = FAST_ELEMENTS;
const WriteBarrierMode barrier_mode = UPDATE_WRITE_BARRIER; const WriteBarrierMode barrier_mode = UPDATE_WRITE_BARRIER;
const CodeStubAssembler::AllocationFlags flags =
CodeStubAssembler::kAllowLargeObjectAllocation;
Node* const from_array = var_array_.value(); Node* const from_array = var_array_.value();
Node* const to_array = a->AllocateFixedArray(kind, new_capacity, mode); Node* const to_array =
a->AllocateFixedArray(kind, new_capacity, mode, flags);
a->CopyFixedArrayElements(kind, from_array, kind, to_array, a->CopyFixedArrayElements(kind, from_array, kind, to_array,
current_capacity, new_capacity, barrier_mode, current_capacity, new_capacity, barrier_mode,
mode); mode);

View File

@ -783,6 +783,22 @@ Node* CodeStubAssembler::AllocateRawUnaligned(Node* size_in_bytes,
Label runtime_call(this, Label::kDeferred), no_runtime_call(this); Label runtime_call(this, Label::kDeferred), no_runtime_call(this);
Label merge_runtime(this, &result); Label merge_runtime(this, &result);
if (flags & kAllowLargeObjectAllocation) {
Label next(this);
GotoIf(IsRegularHeapObjectSize(size_in_bytes), &next);
Node* runtime_flags = SmiConstant(
Smi::FromInt(AllocateDoubleAlignFlag::encode(false) |
AllocateTargetSpace::encode(AllocationSpace::LO_SPACE)));
Node* const runtime_result =
CallRuntime(Runtime::kAllocateInTargetSpace, NoContextConstant(),
SmiTag(size_in_bytes), runtime_flags);
result.Bind(runtime_result);
Goto(&merge_runtime);
Bind(&next);
}
Node* new_top = IntPtrAdd(top, size_in_bytes); Node* new_top = IntPtrAdd(top, size_in_bytes);
Branch(UintPtrGreaterThanOrEqual(new_top, limit), &runtime_call, Branch(UintPtrGreaterThanOrEqual(new_top, limit), &runtime_call,
&no_runtime_call); &no_runtime_call);

View File

@ -58,7 +58,8 @@ class V8_EXPORT_PRIVATE CodeStubAssembler : public compiler::CodeAssembler {
enum AllocationFlag : uint8_t { enum AllocationFlag : uint8_t {
kNone = 0, kNone = 0,
kDoubleAlignment = 1, kDoubleAlignment = 1,
kPretenured = 1 << 1 kPretenured = 1 << 1,
kAllowLargeObjectAllocation = 1 << 2,
}; };
typedef base::Flags<AllocationFlag> AllocationFlags; typedef base::Flags<AllocationFlag> AllocationFlags;

View File

@ -273,9 +273,9 @@ RUNTIME_FUNCTION(Runtime_AllocateInTargetSpace) {
CONVERT_SMI_ARG_CHECKED(flags, 1); CONVERT_SMI_ARG_CHECKED(flags, 1);
CHECK(IsAligned(size, kPointerSize)); CHECK(IsAligned(size, kPointerSize));
CHECK(size > 0); CHECK(size > 0);
CHECK(size <= kMaxRegularHeapObjectSize);
bool double_align = AllocateDoubleAlignFlag::decode(flags); bool double_align = AllocateDoubleAlignFlag::decode(flags);
AllocationSpace space = AllocateTargetSpace::decode(flags); AllocationSpace space = AllocateTargetSpace::decode(flags);
CHECK(size <= kMaxRegularHeapObjectSize || space == LO_SPACE);
return *isolate->factory()->NewFillerObject(size, double_align, space); return *isolate->factory()->NewFillerObject(size, double_align, space);
} }

View File

@ -0,0 +1,23 @@
// Copyright 2016 the V8 project authors. All rights reserved.
// Use of this source code is governed by a BSD-style license that can be
// found in the LICENSE file.
// Trigger an infinite loop through RegExp.prototype[@@match], which results
// in unbounded growth of the results array.
// Limit the number of iterations to avoid OOM while still triggering large
// object space allocation.
const min_ptr_size = 4;
const max_regular_heap_object_size = 507136;
const num_iterations = max_regular_heap_object_size / min_ptr_size;
let i = 0;
const re = /foo.bar/;
const RegExpPrototypeExec = RegExp.prototype.exec;
re.exec = (str) => {
return (i++ < num_iterations) ? RegExpPrototypeExec.call(re, str) : null;
};
re.__defineGetter__("global", () => true); // Triggers infinite loop.
"foo*bar".match(re); // Should not crash.