AuroraMiddleware/v8
1
0
Fork 0
Code Issues 2 Pull Requests Releases Wiki Activity

Abort if we ever allocate a non-0-sized packed array

Browse Source 
BUG=chromium:621147

Review-Url: https://codereview.chromium.org/2122943002
Cr-Commit-Position: refs/heads/master@{#37535}
This commit is contained in:
verwaest 2016-07-05 08:49:52 -07:00 committed by Commit bot
parent 9d66b3f3d3
commit c2eb07505c
4 changed files with 31 additions and 16 deletions
Show Stats Download Patch File Download Diff File Expand all files Collapse all files

1
src/bailout-reason.h
View File

@ -14,6 +14,7 @@ namespace internal {
\
V(k32BitValueInRegisterIsNotZeroExtended, \
"32 bit value in register is not zero-extended") \
V(kAllocatingNonEmptyPackedArray, "Allocating non-empty packed array") \
V(kAllocationIsNotDoubleAligned, "Allocation is not double aligned") \
V(kAPICallReturnedInvalidObject, "API call returned invalid object") \
V(kArgumentsObjectValueInATestContext, \

3
src/code-stub-assembler.cc
View File

@ -834,8 +834,7 @@ Node* CodeStubAssembler::AllocateJSArray(ElementsKind kind, Node* array_map,
Heap* heap = isolate()->heap();
Node* array = Allocate(total_size);
StoreMapNoWriteBarrier(array, array_map);
Node* empty_properties =
HeapConstant(Handle<HeapObject>(heap->empty_fixed_array()));
Node* empty_properties = LoadRoot(Heap::kEmptyFixedArrayRootIndex);
StoreObjectFieldNoWriteBarrier(array, JSArray::kPropertiesOffset,
empty_properties);
StoreObjectFieldNoWriteBarrier(

35
src/code-stubs.cc
View File

@ -4759,16 +4759,31 @@ void SingleArgumentConstructorCommon(CodeStubAssembler* assembler,
assembler->Branch(assembler->WordIsSmi(size), &smi_size, &call_runtime);
assembler->Bind(&smi_size);
int element_size =
IsFastDoubleElementsKind(elements_kind) ? kDoubleSize : kPointerSize;
int max_fast_elements =
(Page::kMaxRegularHeapObjectSize - FixedArray::kHeaderSize -
JSArray::kSize - AllocationMemento::kSize) /
element_size;
assembler->Branch(
assembler->SmiAboveOrEqual(
size, assembler->SmiConstant(Smi::FromInt(max_fast_elements))),
&call_runtime, &small_smi_size);
if (IsFastPackedElementsKind(elements_kind)) {
Label abort(assembler, Label::kDeferred);
assembler->Branch(
assembler->SmiEqual(size, assembler->SmiConstant(Smi::FromInt(0))),
&small_smi_size, &abort);
assembler->Bind(&abort);
Node* reason =
assembler->SmiConstant(Smi::FromInt(kAllocatingNonEmptyPackedArray));
Node* context = assembler->Parameter(
ArraySingleArgumentConstructorDescriptor::kContextIndex);
assembler->TailCallRuntime(Runtime::kAbort, context, reason);
} else {
int element_size =
IsFastDoubleElementsKind(elements_kind) ? kDoubleSize : kPointerSize;
int max_fast_elements =
(Page::kMaxRegularHeapObjectSize - FixedArray::kHeaderSize -
JSArray::kSize - AllocationMemento::kSize) /
element_size;
assembler->Branch(
assembler->SmiAboveOrEqual(
size, assembler->SmiConstant(Smi::FromInt(max_fast_elements))),
&call_runtime, &small_smi_size);
}
assembler->Bind(&small_smi_size);
{

8
test/cctest/interpreter/bytecode_expectations/Generators.golden
View File

@ -25,7 +25,7 @@ bytecodes: [
B(LdaZero),
B(TestEqualStrict), R(1),
B(JumpIfTrue), U8(56),
B(LdaSmi), U8(75),
B(LdaSmi), U8(76),
B(Star), R(2),
B(CallRuntime), U16(Runtime::kAbort), R(2), U8(1),
B(CallRuntime), U16(Runtime::kNewFunctionContext), R(closure), U8(1),
@ -131,7 +131,7 @@ bytecodes: [
B(LdaSmi), U8(1),
B(TestEqualStrict), R(1),
B(JumpIfTrueConstant), U8(0),
B(LdaSmi), U8(75),
B(LdaSmi), U8(76),
B(Star), R(2),
B(CallRuntime), U16(Runtime::kAbort), R(2), U8(1),
B(CallRuntime), U16(Runtime::kNewFunctionContext), R(closure), U8(1),
@ -277,7 +277,7 @@ bytecodes: [
B(LdaSmi), U8(1),
B(TestEqualStrict), R(3),
B(JumpIfTrueConstant), U8(3),
B(LdaSmi), U8(75),
B(LdaSmi), U8(76),
B(Star), R(4),
B(CallRuntime), U16(Runtime::kAbort), R(4), U8(1),
B(CallRuntime), U16(Runtime::kNewFunctionContext), R(closure), U8(1),
@ -345,7 +345,7 @@ bytecodes: [
B(LdaSmi), U8(1),
B(TestEqualStrict), R(3),
B(JumpIfTrueConstant), U8(9),
B(LdaSmi), U8(75),
B(LdaSmi), U8(76),
B(Star), R(11),
B(CallRuntime), U16(Runtime::kAbort), R(11), U8(1),
/* 27 S> */ B(LdrContextSlot), R(1), U8(7), R(13),