Cap length of an array with spread to MIN_ARRAY_STORAGE_CONSTRUCTION_LENGTH.
authormark.lam@apple.com <mark.lam@apple.com@268f45cc-cd09-0410-ab3c-d52691b4dbfc>
Thu, 21 Mar 2019 07:51:12 +0000 (07:51 +0000)
committermark.lam@apple.com <mark.lam@apple.com@268f45cc-cd09-0410-ab3c-d52691b4dbfc>
Thu, 21 Mar 2019 07:51:12 +0000 (07:51 +0000)
commit370a01a3e61b360ece14ae5968a55625d0523b4d
tree6b627282f8db5c3dcc58c7abeba9dd3326f6f68c
parent0d4c98b56375ac7923f3914091766a85caba437f
Cap length of an array with spread to MIN_ARRAY_STORAGE_CONSTRUCTION_LENGTH.
https://bugs.webkit.org/show_bug.cgi?id=196055
<rdar://problem/49067448>

Reviewed by Yusuke Suzuki.

JSTests:

* stress/new_array_with_spread-should-cap-array-size-to-MIN_ARRAY_STORAGE_CONSTRUCTION_LENGTH.js: Added.

Source/JavaScriptCore:

We are doing this because:
1. We expect the array to be densely packed.
2. SpeculativeJIT::compileAllocateNewArrayWithSize() (and the FTL equivalent)
   expects the array length to be less than MIN_ARRAY_STORAGE_CONSTRUCTION_LENGTH
   if we don't want to use an ArrayStorage shape.
3. There's no reason why an array with spread needs to be that large anyway.
   MIN_ARRAY_STORAGE_CONSTRUCTION_LENGTH is plenty.

In this patch, we also add a debug assert in compileAllocateNewArrayWithSize() and
emitAllocateButterfly() to check for overflows.

* assembler/AbortReason.h:
* dfg/DFGOperations.cpp:
* dfg/DFGSpeculativeJIT.cpp:
(JSC::DFG::SpeculativeJIT::compileCreateRest):
(JSC::DFG::SpeculativeJIT::compileNewArrayWithSpread):
(JSC::DFG::SpeculativeJIT::emitAllocateButterfly):
(JSC::DFG::SpeculativeJIT::compileAllocateNewArrayWithSize):
* ftl/FTLLowerDFGToB3.cpp:
(JSC::FTL::DFG::LowerDFGToB3::compileNewArrayWithSpread):
* runtime/ArrayConventions.h:
* runtime/CommonSlowPaths.cpp:
(JSC::SLOW_PATH_DECL):

git-svn-id: https://svn.webkit.org/repository/webkit/trunk@243280 268f45cc-cd09-0410-ab3c-d52691b4dbfc
JSTests/ChangeLog
JSTests/stress/new_array_with_spread-should-cap-array-size-to-MIN_ARRAY_STORAGE_CONSTRUCTION_LENGTH.js [new file with mode: 0644]
Source/JavaScriptCore/ChangeLog
Source/JavaScriptCore/assembler/AbortReason.h
Source/JavaScriptCore/dfg/DFGOperations.cpp
Source/JavaScriptCore/dfg/DFGSpeculativeJIT.cpp
Source/JavaScriptCore/ftl/FTLLowerDFGToB3.cpp
Source/JavaScriptCore/runtime/ArrayConventions.h
Source/JavaScriptCore/runtime/CommonSlowPaths.cpp