v8/regress-cr895860.js at d735882d2d482e3d12a4da0fec722569007c566e - v8 - Gitea: Git with a cup of tea

AuroraMiddleware/v8

Hai Dang 779d102ca8 Use slow path in IterableToList for big input strings.

AllocateJSArray always allocates in new space, so we bailout of the fast
path for strings if the new array does not fit in new space.

Bug found by ClusterFuzz. Regression test added.

This also switches to the BranchIf pattern to avoid materialize a bool.

Bug: chromium:895860, v8:7980
Change-Id: Ic7c41268c394ac2796b7694252390ab50fd74838
Reviewed-on: https://chromium-review.googlesource.com/c/1286337
Reviewed-by: Benedikt Meurer <bmeurer@chromium.org>
Reviewed-by: Sigurd Schneider <sigurds@chromium.org>
Reviewed-by: Georg Neis <neis@chromium.org>
Commit-Queue: Hai Dang <dhai@google.com>
Cr-Commit-Position: refs/heads/master@{#56759}

2018-10-18 08:44:21 +00:00

15 lines

350 B

JavaScript

Raw Blame History

 // Copyright 2018 the V8 project authors. All rights reserved.
 // Use of this source code is governed by a BSD-style license that can be
 // found in the LICENSE file.
 (function() {
   var s = "f";
   // 2^18 length, enough to ensure an array (of pointers) bigger than 500KB.
   for (var i = 0; i < 18; i++) {
     s += s;
   }
   var ss = [...s];
 })();