constructArray() should always allocate the requested length.
author: mark.lam@apple.com <mark.lam@apple.com@268f45cc-cd09-0410-ab3c-d52691b4dbfc>
Wed, 11 Jul 2018 06:21:22 +0000 (06:21 +0000)
committer: mark.lam@apple.com <mark.lam@apple.com@268f45cc-cd09-0410-ab3c-d52691b4dbfc>
Wed, 11 Jul 2018 06:21:22 +0000 (06:21 +0000)
commit: 5e28724ce909378f2ae3ac126239ae84ec008a56
tree: 2122f065f7bf57be0122408e9eb9602a418580fd
parent: ef0b0c3a0f779012f0a63739054349b13432fd64
constructArray() should always allocate the requested length.
https://bugs.webkit.org/show_bug.cgi?id=187543
<rdar://problem/41947884>

Reviewed by Saam Barati.

JSTests:

* stress/regress-187543-2.js: Added.
* stress/regress-187543-3.js: Added.
* stress/regress-187543.js: Added.

Source/JavaScriptCore:

Currently, it does not when we're having a bad time.  We fix this by switching
back to using tryCreateUninitializedRestricted() exclusively in constructArray().
If we detect that a structure transition is possible before we can initialize
the butterfly, we'll go ahead and eagerly initialize the rest of the butterfly.
We will introduce JSArray::eagerlyInitializeButterfly() to handle this.

Also enhanced the DisallowScope and ObjectInitializationScope to support this
eager initialization when needed.

* dfg/DFGOperations.cpp:
- the client of operationNewArrayWithSizeAndHint() (in FTL generated code) expects
  the array allocation to always succeed.  Adding this RELEASE_ASSERT here makes
  it clearer that we encountered an OutOfMemory condition instead of failing in FTL
  generated code, which will appear as a generic null pointer dereference.

* runtime/ArrayPrototype.cpp:
(JSC::concatAppendOne):
- the code here clearly wants to check for an allocation failure.  Switched to
  using JSArray::tryCreate() instead of JSArray::create().

* runtime/DisallowScope.h:
(JSC::DisallowScope::disable):
* runtime/JSArray.cpp:
(JSC::JSArray::tryCreateUninitializedRestricted):
(JSC::JSArray::eagerlyInitializeButterfly):
(JSC::constructArray):
* runtime/JSArray.h:
* runtime/ObjectInitializationScope.cpp:
(JSC::ObjectInitializationScope::notifyInitialized):
* runtime/ObjectInitializationScope.h:
(JSC::ObjectInitializationScope::notifyInitialized):

git-svn-id: https://svn.webkit.org/repository/webkit/trunk@233722 268f45cc-cd09-0410-ab3c-d52691b4dbfc
12 files changed:
JSTests/ChangeLog
JSTests/stress/regress-187543-2.js [new file with mode: 0644]
JSTests/stress/regress-187543-3.js [new file with mode: 0644]
JSTests/stress/regress-187543.js [new file with mode: 0644]
Source/JavaScriptCore/ChangeLog
Source/JavaScriptCore/dfg/DFGOperations.cpp
Source/JavaScriptCore/runtime/ArrayPrototype.cpp
Source/JavaScriptCore/runtime/DisallowScope.h
Source/JavaScriptCore/runtime/JSArray.cpp
Source/JavaScriptCore/runtime/JSArray.h
Source/JavaScriptCore/runtime/ObjectInitializationScope.cpp
Source/JavaScriptCore/runtime/ObjectInitializationScope.h