From 9e83f1f2d93655b102959a7223849d8f87d2f414 Mon Sep 17 00:00:00 2001
From: Georg Neis <neis@chromium.org>
Date: Tue, 6 Nov 2018 10:45:09 +0100
Subject: [PATCH] Skip spread fast-path if input string size exceeds
 kMaxFastArrayLength.

Bug: chromium:901944
Change-Id: Iaf1dfaa5763162ae7952381fb8b64661d85ea1a8
Reviewed-on: https://chromium-review.googlesource.com/c/1317822
Reviewed-by: Sigurd Schneider <sigurds@chromium.org>
Reviewed-by: Jakob Gruber <jgruber@chromium.org>
Commit-Queue: Georg Neis <neis@chromium.org>
Cr-Commit-Position: refs/heads/master@{#57269}
---
 src/builtins/builtins-iterator-gen.cc | 11 ++++++++---
 1 file changed, 8 insertions(+), 3 deletions(-)

diff --git a/src/builtins/builtins-iterator-gen.cc b/src/builtins/builtins-iterator-gen.cc
index 55fdf51852..a22c90ff80 100644
--- a/src/builtins/builtins-iterator-gen.cc
+++ b/src/builtins/builtins-iterator-gen.cc
@@ -280,12 +280,17 @@ void IteratorBuiltinsAssembler::FastIterableToList(
 
   BIND(&check_string);
   {
-    Label string_fast_call(this);
+    Label string_maybe_fast_call(this);
     StringBuiltinsAssembler string_assembler(state());
     string_assembler.BranchIfStringPrimitiveWithNoCustomIteration(
-        iterable, context, &string_fast_call, &check_map);
+        iterable, context, &string_maybe_fast_call, &check_map);
 
-    BIND(&string_fast_call);
+    BIND(&string_maybe_fast_call);
+    TNode<IntPtrT> const length = LoadStringLengthAsWord(CAST(iterable));
+    // Use string length as conservative approximation of number of codepoints.
+    GotoIf(
+        IntPtrGreaterThan(length, IntPtrConstant(JSArray::kMaxFastArrayLength)),
+        slow);
     *var_result = CallBuiltin(Builtins::kStringToList, context, iterable);
     Goto(&done);
   }