Changeset 242081 in webkit


Timestamp:
Feb 26, 2019 12:50:48 AM (5 years ago)
Author:
guijemont@igalia.com
Message:

[JSC] Repeat string created from Array.prototype.join() take too much memory
https://bugs.webkit.org/show_bug.cgi?id=193912

Reviewed by Saam Barati.

JSTests:

Added a test and a microbenchmark for corner cases of
Array.prototype.join() with an uninitialized array.

  • microbenchmarks/array-prototype-join-uninitialized.js: Added.
  • stress/array-prototype-join-uninitialized.js: Added.

(testArray):
(testABC):
(B):
(C):

Source/JavaScriptCore:

Added a fast case in Array.prototype.join when the array is
uninitialized.

  • runtime/ArrayPrototype.cpp:

(JSC::canUseFastJoin):
(JSC::fastJoin):

  • runtime/JSStringInlines.h:

(JSC::repeatCharacter): moved from StringPrototype.cpp

  • runtime/StringPrototype.cpp:
Location:
trunk
Files:
2 added
5 edited

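--- a/trunk/JSTests/ChangeLog
+++ b/trunk/JSTests/ChangeLog
@@ -1,2 +1,19 @@
+2019-02-26  Guillaume Emont  <guijemont@igalia.com>
+
+        [JSC] Repeat string created from Array.prototype.join() take too much memory
+        https://bugs.webkit.org/show_bug.cgi?id=193912
+
+        Reviewed by Saam Barati.
+
+        Added a test and a microbenchmark for corner cases of
+        Array.prototype.join() with an uninitialized array.
+
+        * microbenchmarks/array-prototype-join-uninitialized.js: Added.
+        * stress/array-prototype-join-uninitialized.js: Added.
+        (testArray):
+        (testABC):
+        (B):
+        (C):
+
 2019-02-22  Robin Morisset  <rmorisset@apple.com>
 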
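--- a/trunk/Source/JavaScriptCore/ChangeLog
+++ b/trunk/Source/JavaScriptCore/ChangeLog
@@ -1,2 +1,19 @@
+2019-02-26  Guillaume Emont  <guijemont@igalia.com>
+
+        [JSC] Repeat string created from Array.prototype.join() take too much memory
+        https://bugs.webkit.org/show_bug.cgi?id=193912
+
+        Reviewed by Saam Barati.
+
+        Added a fast case in Array.prototype.join when the array is
+        uninitialized.
+
+        * runtime/ArrayPrototype.cpp:
+        (JSC::canUseFastJoin):
+        (JSC::fastJoin):
+        * runtime/JSStringInlines.h:
+        (JSC::repeatCharacter): moved from StringPrototype.cpp
+        * runtime/StringPrototype.cpp:
+
 2019-02-25  Mark Lam  <mark.lam@apple.com>
 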
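--- a/trunk/Source/JavaScriptCore/runtime/ArrayPrototype.cpp
+++ b/trunk/Source/JavaScriptCore/runtime/ArrayPrototype.cpp
@@ -391,4 +391,5 @@
     case ALL_INT32_INDEXING_TYPES:
     case ALL_DOUBLE_INDEXING_TYPES:
+    case ALL_UNDECIDED_INDEXING_TYPES:
         return true;
     default:
@@ -504,4 +505,19 @@
         RELEASE_AND_RETURN(scope, joiner.join(state));
     }
+    case ALL_UNDECIDED_INDEXING_TYPES: {
+        if (length && holesMustForwardToPrototype(vm, thisObject))
+            goto generalCase;
+        switch (separator.length()) {
+        case 0:
+            RELEASE_AND_RETURN(scope, jsEmptyString(&state));
+        case 1: {
+            if (length <= 1)
+                RELEASE_AND_RETURN(scope, jsEmptyString(&state));
+            if (separator.is8Bit())
+                RELEASE_AND_RETURN(scope, repeatCharacter(state, separator.characters8()[0], length - 1));
+            RELEASE_AND_RETURN(scope, repeatCharacter(state, separator.characters16()[0], length - 1));
+        }
+        }
+    }
     }
 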
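Review bot: The inner `switch (separator.length())` in the new `ALL_UNDECIDED_INDEXING_TYPES` case has no `default`, so a separator of two or more characters silently falls out of both switches and depends on whatever follows the outer switch's closing brace — presumably the `generalCase` label that the `goto generalCase` a few lines above targets, but that code, like the rest of fastJoin, lies outside the hunk. Making the hand-off explicit with `default:` / `goto generalCase;` inside the inner switch keeps the fast path self-describing and protects it from a later reordering of the code after the switch. A short comment on the `case 1:` arm would also help a reader see why the unsigned subtraction is safe: `// length >= 2 here, so the join of an array with no stored elements is exactly length - 1 separators.`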
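--- a/trunk/Source/JavaScriptCore/runtime/JSStringInlines.h
+++ b/trunk/Source/JavaScriptCore/runtime/JSStringInlines.h
@@ -55,3 +55,21 @@
 }
 
+template <typename CharacterType>
+inline JSString* repeatCharacter(ExecState& exec, CharacterType character, unsigned repeatCount)
+{
+    VM& vm = exec.vm();
+    auto scope = DECLARE_THROW_SCOPE(vm);
+
+    CharacterType* buffer = nullptr;
+    auto impl = StringImpl::tryCreateUninitialized(repeatCount, buffer);
+    if (!impl) {
+        throwOutOfMemoryError(&exec, scope);
+        return nullptr;
+    }
+
+    std::fill_n(buffer, repeatCount, character);
+
+    RELEASE_AND_RETURN(scope, jsString(&exec, WTFMove(impl)));
+}
+
 } // namespace JSC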
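Review bot: `repeatCharacter` becomes a header-visible inline template with no doc comment, even though it is now shared between ArrayPrototype.cpp and, presumably, its original caller in StringPrototype.cpp; a short comment above the template would help: `// Returns a JSString made of repeatCount copies of character. If the backing StringImpl cannot be allocated, throws an out-of-memory error through the caller's throw scope and returns nullptr.` Since the body relies on std::fill_n, please also check that this header (or one it includes) pulls in <algorithm> — the include block is outside the hunk.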
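--- a/trunk/Source/JavaScriptCore/runtime/StringPrototype.cpp
+++ b/trunk/Source/JavaScriptCore/runtime/StringPrototype.cpp
@@ -838,22 +838,4 @@
 }
 
-template <typename CharacterType>
-static inline JSString* repeatCharacter(ExecState& exec, CharacterType character, unsigned repeatCount)
-{
-    VM& vm = exec.vm();
-    auto scope = DECLARE_THROW_SCOPE(vm);
-
-    CharacterType* buffer = nullptr;
-    auto impl = StringImpl::tryCreateUninitialized(repeatCount, buffer);
-    if (!impl) {
-        throwOutOfMemoryError(&exec, scope);
-        return nullptr;
-    }
-
-    std::fill_n(buffer, repeatCount, character);
-
-    RELEASE_AND_RETURN(scope, jsString(&exec, WTFMove(impl)));
-}
-
 EncodedJSValue JSC_HOST_CALL stringProtoFuncRepeatCharacter(ExecState* exec)
 {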