regExpProtoFuncSplitFast should OOM before it swaps
author: fpizlo@apple.com <fpizlo@apple.com@268f45cc-cd09-0410-ab3c-d52691b4dbfc>
Fri, 27 May 2016 20:45:08 +0000 (20:45 +0000)
committer: fpizlo@apple.com <fpizlo@apple.com@268f45cc-cd09-0410-ab3c-d52691b4dbfc>
Fri, 27 May 2016 20:45:08 +0000 (20:45 +0000)
commit: f0a4c454075bfe671c309ee24c789b29279b7212
tree: d5d63a6ed2083812a8ca9936a40b2b9e2c220656
parent: 4364e72c857c7617c3b6c6ee68b0af0b6b66919c
regExpProtoFuncSplitFast should OOM before it swaps
https://bugs.webkit.org/show_bug.cgi?id=158157

Reviewed by Mark Lam.

This is a huge speed-up on some jsfunfuzz test cases because it makes us realize much
sooner that running a regexp split will result in swapping. It uses the same basic
approach as http://trac.webkit.org/changeset/201451: if the result array crosses a certain
size threshold, we proceed with a dry run to see how big the array will get before
allocating anything else. This way, bogus uses of split that would have OOMed only after
killing the user's machine will now OOM before killing the user's machine.

This is an enormous speed-up on some jsfunfuzz tests: they go from running for a long
time to running instantly.

* runtime/RegExpPrototype.cpp:
(JSC::advanceStringIndex):
(JSC::genericSplit):
(JSC::regExpProtoFuncSplitFast):
* runtime/StringObject.h:
(JSC::jsStringWithReuse):
(JSC::jsSubstring):
* tests/stress/big-split-captures.js: Added.
* tests/stress/big-split.js: Added.

git-svn-id: https://svn.webkit.org/repository/webkit/trunk@201467 268f45cc-cd09-0410-ab3c-d52691b4dbfc
Source/JavaScriptCore/ChangeLog
Source/JavaScriptCore/runtime/RegExpPrototype.cpp
Source/JavaScriptCore/runtime/StringObject.h
Source/JavaScriptCore/tests/stress/big-split-captures.js [new file with mode: 0644]
Source/JavaScriptCore/tests/stress/big-split.js [new file with mode: 0644]
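As an added illustration of the dry-run approach the commit message describes (example code written for this page, not JavaScriptCore's genericSplit or regExpProtoFuncSplitFast): a spec-style RegExp split in JavaScript that builds its result until it reaches a threshold, then only counts the remaining pieces and refuses with a RangeError before allocating anything else if the final array would be too large. The threshold, the cap and the function names are assumptions constructed for the example; the engine's real limits are its memory budget.

```javascript
// Constructed limits standing in for the engine's threshold and OOM limit (assumptions).
const DRY_RUN_THRESHOLD = 16;    // start measuring once the result reaches this many pieces
const MAX_SPLIT_RESULTS = 4096;  // refuse results larger than this before building them

// ES2015 AdvanceStringIndex: step over a surrogate pair when the regexp is unicode-aware.
function advanceStringIndex(s, index, unicode) {
  if (!unicode || index + 1 >= s.length) return index + 1;
  const hi = s.charCodeAt(index), lo = s.charCodeAt(index + 1);
  return (hi >= 0xD800 && hi <= 0xDBFF && lo >= 0xDC00 && lo <= 0xDFFF) ? index + 2 : index + 1;
}

// Yields the pieces a spec-style RegExp split produces. Substrings are yielded as
// [start, end] pairs so a dry run never allocates them; captures come from the match.
function* splitPieces(s, re) {
  const splitter = new RegExp(re.source, re.flags.replace(/[gy]/g, '') + 'y');
  const size = s.length;
  if (size === 0) { if (splitter.exec(s) === null) yield [0, 0]; return; }
  let p = 0, q = 0;
  while (q < size) {
    splitter.lastIndex = q;
    const m = splitter.exec(s);
    const e = m === null ? p : Math.min(splitter.lastIndex, size);
    if (e === p) { q = advanceStringIndex(s, q, re.unicode); continue; } // no progress: step on
    yield [p, q];
    for (let i = 1; i < m.length; i++) yield m[i];
    p = q = e;
  }
  yield [p, size];
}
const materialize = (s, piece) => Array.isArray(piece) ? s.substring(piece[0], piece[1]) : piece;

// Build the result normally; once it reaches the threshold, switch to a dry run that only
// counts the remaining pieces and throw before allocating anything else if the final size
// would exceed the cap. Otherwise finish with a fresh pass.
function boundedSplit(s, re) {
  const out = [];
  const it = splitPieces(s, re);
  for (const piece of it) {
    if (out.length < DRY_RUN_THRESHOLD) { out.push(materialize(s, piece)); continue; }
    let total = out.length + 1;          // pieces so far plus the one in hand
    for (const _ of it) total++;         // dry run: count only, allocate nothing
    if (total > MAX_SPLIT_RESULTS) throw new RangeError(`split would produce ${total} elements`);
    return Array.from(splitPieces(s, re), (x) => materialize(s, x));
  }
  return out;
}
// Checks against the built-in split: same output, and refusal on oversized results.
const sameAsNative = (s, re) => JSON.stringify(boundedSplit(s, re)) === JSON.stringify(s.split(re));
const refuses = (s, re) => { try { boundedSplit(s, re); return false; } catch (e) { return e instanceof RangeError; } };
```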