Array.prototype.indexOf: Be more careful about handle creation.

The slow path in Runtime_ArrayIndexOf allocates handles in each iteration over the input object. This CL gives each iteration its own handle scope in order to avoid consuming more and more memory the longer the loop runs. This can be observed e.g. by executing console.log(new Proxy(new Array(2**30), {}).indexOf(42)) which used to run out of memory on my machine. Bug: v8:8386 Change-Id: Idab98ef7e1e4047c21c1dc0e01ba2d3d363c1f09 Reviewed-on: https://chromium-review.googlesource.com/c/1309759 Commit-Queue: Georg Neis <neis@chromium.org> Reviewed-by: Benedikt Meurer <bmeurer@chromium.org> Cr-Commit-Position: refs/heads/master@{#57173}
2018-10-31 14:16:24 +01:00 · 2018-10-31 14:16:24 +01:00 · cc5e11f4b0
commit cc5e11f4b0
parent fd22cfc8a4
1 changed files with 2 additions and 1 deletions
--- a/src/runtime/runtime-array.cc
+++ b/src/runtime/runtime-array.cc
@ -833,7 +833,7 @@ RUNTIME_FUNCTION(Runtime_ArrayIncludes_Slow) {
 }

 RUNTIME_FUNCTION(Runtime_ArrayIndexOf) {
-  HandleScope shs(isolate);
+  HandleScope hs(isolate);
  DCHECK_EQ(3, args.length());
  CONVERT_ARG_HANDLE_CHECKED(Object, search_element, 1);
  CONVERT_ARG_HANDLE_CHECKED(Object, from_index, 2);
@ -911,6 +911,7 @@ RUNTIME_FUNCTION(Runtime_ArrayIndexOf) {

  // Otherwise, perform slow lookups for special receiver types
  for (; index < len; ++index) {
+    HandleScope iteration_hs(isolate);
    // Let elementK be the result of ? Get(O, ! ToString(k)).
    Handle<Object> element_k;
    {