4e12baa62b
This is a reland of ec969ea3b1
Temporarily removes high memory usage test.
Original change's description:
> [builtins] Fix Array.p.join length overflow and invalid string length handling
>
> - Fixes and simplify allocating the temporary fixed array for ToString-ed elements.
> - When the array size is greater than representable by an intptr, it overflowed into a negative value causing a non-negative assert to fail.
> - Simplify fallback behavior by always allocating a conservatively sized temporary fixed array. Previously, if the array had dictionary elements, the temporary fixed array was sized based on %GetNumberDictionaryNumberOfElements() and then resized when entering the fallback.
>
> - Fixes related invalid string length handling. When the running total of the resulting string length overflowed or exceeded String::kMaxLength, a RangeError is thrown. Previously, this thrown RangeError bypassed JoinStackPop and left the receiver on the stack.
>
> Bug: chromium:897404
> Change-Id: I157b71ef04ab06125a5b1c3454e5ed3713bdb591
> Reviewed-on: https://chromium-review.googlesource.com/c/1293070
> Commit-Queue: Peter Wong <peter.wm.wong@gmail.com>
> Reviewed-by: Jakob Gruber <jgruber@chromium.org>
> Reviewed-by: Tobias Tebbi <tebbi@chromium.org>
> Cr-Commit-Position: refs/heads/master@{#56907}
Bug: chromium:897404
Change-Id: I4995893f6f9724b26c231d05619ad65dbccc7223
Reviewed-on: https://chromium-review.googlesource.com/c/1297675
Reviewed-by: Jakob Gruber <jgruber@chromium.org>
Commit-Queue: Peter Wong <peter.wm.wong@gmail.com>
Cr-Commit-Position: refs/heads/master@{#56946}
64 lines
1.7 KiB
JavaScript
64 lines
1.7 KiB
JavaScript
// Copyright 2018 the V8 project authors. All rights reserved.
|
|
// Use of this source code is governed by a BSD-style license that can be
|
|
// found in the LICENSE file.
|
|
|
|
// Flags: --allow-natives-syntax
|
|
|
|
(function DictionaryStringRepeatFastPath() {
|
|
const a = new Array(%StringMaxLength());
|
|
assertTrue(%HasDictionaryElements(a));
|
|
const sep = '12';
|
|
assertThrows(() => a.join(sep), RangeError);
|
|
|
|
// Verifies cycle detection still works properly after thrown error.
|
|
assertThrows(() => a.join(sep), RangeError);
|
|
|
|
a.length = 3;
|
|
a[0] = 'a';
|
|
a[1] = 'b';
|
|
a[2] = 'c';
|
|
assertSame('a,b,c', a.join());
|
|
})();
|
|
|
|
(function SeparatorOverflow() {
|
|
const a = ['a',,,,,'b'];
|
|
|
|
const sep = ','.repeat(%StringMaxLength());
|
|
assertThrows(() => a.join(sep), RangeError);
|
|
|
|
// Verifies cycle detection still works properly after thrown error.
|
|
assertThrows(() => a.join(sep), RangeError);
|
|
assertSame('a,,,,,b', a.join());
|
|
})();
|
|
|
|
(function ElementOverflow() {
|
|
const el = ','.repeat(%StringMaxLength());
|
|
const a = [el, el, el, el, el];
|
|
|
|
assertThrows(() => a.join(), RangeError);
|
|
|
|
// Verifies cycle detection still works properly after thrown error.
|
|
assertThrows(() => a.join(), RangeError);
|
|
a[0] = 'a';
|
|
a[1] = 'b';
|
|
a[2] = 'c';
|
|
a[3] = 'd';
|
|
a[4] = 'e';
|
|
assertSame('a,b,c,d,e', a.join());
|
|
})();
|
|
|
|
(function ElementSeparatorOverflow() {
|
|
const el = ','.repeat(%StringMaxLength());
|
|
const a = [el, el, el, el];
|
|
|
|
assertThrows(() => a.join(el), RangeError);
|
|
|
|
// Verifies cycle detection still works properly after thrown error.
|
|
assertThrows(() => a.join(el), RangeError);
|
|
a[0] = 'a';
|
|
a[1] = 'b';
|
|
a[2] = 'c';
|
|
a[3] = 'd';
|
|
assertSame('a,b,c,d', a.join());
|
|
})();
|