Changeset 243280 in webkit
- Timestamp:
- Mar 21, 2019 12:51:12 AM (5 years ago)
- Location:
- trunk
- Files:
-
- 1 added
- 8 edited
trunk/JSTests/ChangeLog
r243277 r243280 1 2019-03-21 Mark Lam <mark.lam@apple.com> 2 3 Cap length of an array with spread to MIN_ARRAY_STORAGE_CONSTRUCTION_LENGTH. 4 https://bugs.webkit.org/show_bug.cgi?id=196055 5 <rdar://problem/49067448> 6 7 Reviewed by Yusuke Suzuki. 8 9 * stress/new_array_with_spread-should-cap-array-size-to-MIN_ARRAY_STORAGE_CONSTRUCTION_LENGTH.js: Added. 10 1 11 2019-03-20 Saam Barati <sbarati@apple.com> 2 12 -
trunk/Source/JavaScriptCore/ChangeLog
r243279 r243280 1 2019-03-21 Mark Lam <mark.lam@apple.com> 2 3 Cap length of an array with spread to MIN_ARRAY_STORAGE_CONSTRUCTION_LENGTH. 4 https://bugs.webkit.org/show_bug.cgi?id=196055 5 <rdar://problem/49067448> 6 7 Reviewed by Yusuke Suzuki. 8 9 We are doing this because: 10 1. We expect the array to be densely packed. 11 2. SpeculativeJIT::compileAllocateNewArrayWithSize() (and the FTL equivalent) 12 expects the array length to be less than MIN_ARRAY_STORAGE_CONSTRUCTION_LENGTH 13 if we don't want to use an ArrayStorage shape. 14 3. There's no reason why an array with spread needs to be that large anyway. 15 MIN_ARRAY_STORAGE_CONSTRUCTION_LENGTH is plenty. 16 17 In this patch, we also add a debug assert in compileAllocateNewArrayWithSize() and 18 emitAllocateButterfly() to check for overflows. 19 20 * assembler/AbortReason.h: 21 * dfg/DFGOperations.cpp: 22 * dfg/DFGSpeculativeJIT.cpp: 23 (JSC::DFG::SpeculativeJIT::compileCreateRest): 24 (JSC::DFG::SpeculativeJIT::compileNewArrayWithSpread): 25 (JSC::DFG::SpeculativeJIT::emitAllocateButterfly): 26 (JSC::DFG::SpeculativeJIT::compileAllocateNewArrayWithSize): 27 * ftl/FTLLowerDFGToB3.cpp: 28 (JSC::FTL::DFG::LowerDFGToB3::compileNewArrayWithSpread): 29 * runtime/ArrayConventions.h: 30 * runtime/CommonSlowPaths.cpp: 31 (JSC::SLOW_PATH_DECL): 32 1 33 2019-03-20 Yusuke Suzuki <ysuzuki@apple.com> 2 34 -
trunk/Source/JavaScriptCore/assembler/AbortReason.h
r219172 r243280 1 1 /* 2 * Copyright (C) 2014-201 6Apple Inc. All rights reserved.2 * Copyright (C) 2014-2019 Apple Inc. All rights reserved. 3 3 * 4 4 * Redistribution and use in source and binary forms, with or without … … 74 74 TGInvalidPointer = 320, 75 75 TGNotSupported = 330, 76 UncheckedOverflow = 335, 76 77 YARRNoInputConsumed = 340, 77 78 }; -
trunk/Source/JavaScriptCore/dfg/DFGOperations.cpp
r243232 r243280 1 1 /* 2 * Copyright (C) 2011-201 8Apple Inc. All rights reserved.2 * Copyright (C) 2011-2019 Apple Inc. All rights reserved. 3 3 * 4 4 * Redistribution and use in source and binary forms, with or without … … 2722 2722 2723 2723 unsigned length = checkedLength.unsafeGet(); 2724 if (UNLIKELY(length >= MIN_ARRAY_STORAGE_CONSTRUCTION_LENGTH)) { 2725 throwOutOfMemoryError(exec, scope); 2726 return nullptr; 2727 } 2728 2724 2729 JSGlobalObject* globalObject = exec->lexicalGlobalObject(); 2725 2730 Structure* structure = globalObject->arrayStructureForIndexingTypeDuringAllocation(ArrayWithContiguous); -
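Review bot: The new guard `if (UNLIKELY(length >= MIN_ARRAY_STORAGE_CONSTRUCTION_LENGTH))` in front of the contiguous-array allocation gives no hint of why this bound is enforced here, and the identical guard added to CommonSlowPaths.cpp has the same gap. A reader of either function alone cannot tell that the JIT's compileAllocateNewArrayWithSize() skips the ArrayStorage check on this path and relies on the length being below the limit, so the two runtime checks must stay in step with the Overflow speculation in compileNewArrayWithSpread. Suggest the comment `// Keep in sync with the Overflow speculation in DFG/FTL compileNewArrayWithSpread: the JIT allocates a contiguous array here and assumes length < MIN_ARRAY_STORAGE_CONSTRUCTION_LENGTH.` above the guard in both files. The enclosing operation starts and ends outside the hunk.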
trunk/Source/JavaScriptCore/dfg/DFGSpeculativeJIT.cpp
r243232 r243280 7655 7655 GPRReg arrayResultGPR = arrayResult.gpr(); 7656 7656 7657 // We can tell compileAllocateNewArrayWithSize() that it does not need to check 7658 // for large arrays and use ArrayStorage structure because arrayLength here will 7659 // always be bounded by stack size. Realistically, we won't be able to push enough 7660 // arguments to have arrayLength exceed MIN_ARRAY_STORAGE_CONSTRUCTION_LENGTH. 7657 7661 bool shouldAllowForArrayStorageStructureForLargeArrays = false; 7658 7662 ASSERT(m_jit.graph().globalObjectFor(node->origin.semantic)->restParameterStructure()->indexingMode() == ArrayWithContiguous || m_jit.graph().globalObjectFor(node->origin.semantic)->isHavingABadTime()); … … 8008 8012 } 8009 8013 8010 8014 speculationCheck(Overflow, JSValueRegs(), nullptr, m_jit.branch32(MacroAssembler::AboveOrEqual, lengthGPR, TrustedImm32(MIN_ARRAY_STORAGE_CONSTRUCTION_LENGTH))); 8015 8016 // We can tell compileAllocateNewArrayWithSize() that it does not need to 8017 // check for large arrays and use ArrayStorage structure because we already 8018 // ensured above that the spread array length will definitely fit in a 8019 // non-ArrayStorage shaped array. 
8011 8020 bool shouldAllowForArrayStorageStructureForLargeArrays = false; 8012 8021 ASSERT(m_jit.graph().globalObjectFor(node->origin.semantic)->restParameterStructure()->indexingType() == ArrayWithContiguous || m_jit.graph().globalObjectFor(node->origin.semantic)->isHavingABadTime()); … … 11675 11684 m_jit.lshift32(TrustedImm32(3), scratch1); 11676 11685 m_jit.add32(TrustedImm32(sizeof(IndexingHeader)), scratch1, scratch2); 11686 #if !ASSERT_DISABLED 11687 MacroAssembler::Jump didNotOverflow = m_jit.branch32(MacroAssembler::AboveOrEqual, scratch2, sizeGPR); 11688 m_jit.abortWithReason(UncheckedOverflow); 11689 didNotOverflow.link(&m_jit); 11690 #endif 11677 11691 m_jit.emitAllocateVariableSized( 11678 11692 storageResultGPR, m_jit.vm()->jsValueGigacageAuxiliarySpace, scratch2, scratch1, scratch3, slowCases); … … 12974 12988 if (shouldConvertLargeSizeToArrayStorage) 12975 12989 slowCases.append(m_jit.branch32(MacroAssembler::AboveOrEqual, sizeGPR, TrustedImm32(MIN_ARRAY_STORAGE_CONSTRUCTION_LENGTH))); 12990 #if !ASSERT_DISABLED 12991 else { 12992 MacroAssembler::Jump lengthIsWithinLimits; 12993 lengthIsWithinLimits = m_jit.branch32(MacroAssembler::Below, sizeGPR, TrustedImm32(MIN_ARRAY_STORAGE_CONSTRUCTION_LENGTH)); 12994 m_jit.abortWithReason(UncheckedOverflow); 12995 lengthIsWithinLimits.link(&m_jit); 12996 } 12997 #endif 12976 12998 12977 12999 // We can use resultGPR as a scratch right now. -
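Review bot: In the compileAllocateNewArrayWithSize hunk, the debug-only `else` is attached to an unbraced `if (shouldConvertLargeSizeToArrayStorage)` across an `#if !ASSERT_DISABLED` boundary, so any statement later inserted between the `slowCases.append(...)` line and the `#if` silently detaches the `else` and fails to compile only in assertion-enabled builds. Moving the preprocessor guard inside a braced `else` keeps the if/else structurally complete in every configuration, and the two-step `MacroAssembler::Jump lengthIsWithinLimits;` / assignment can become a single initialized declaration, matching how `didNotOverflow` is written in the emitAllocateButterfly hunk. Both compileNewArrayWithSpread and compileAllocateNewArrayWithSize start and end outside these hunks.
```cpp
if (shouldConvertLargeSizeToArrayStorage)
    slowCases.append(m_jit.branch32(MacroAssembler::AboveOrEqual, sizeGPR, TrustedImm32(MIN_ARRAY_STORAGE_CONSTRUCTION_LENGTH)));
else {
#if !ASSERT_DISABLED
    MacroAssembler::Jump lengthIsWithinLimits = m_jit.branch32(MacroAssembler::Below, sizeGPR, TrustedImm32(MIN_ARRAY_STORAGE_CONSTRUCTION_LENGTH));
    m_jit.abortWithReason(UncheckedOverflow);
    lengthIsWithinLimits.link(&m_jit);
#endif
}
// … unchanged: scratch use of resultGPR and the allocation that follows …
```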
trunk/Source/JavaScriptCore/ftl/FTLLowerDFGToB3.cpp
r243232 r243280 5840 5840 } 5841 5841 } 5842 5843 LValue exceedsMaxAllowedLength = m_out.aboveOrEqual(length, m_out.constInt32(MIN_ARRAY_STORAGE_CONSTRUCTION_LENGTH)); 5844 blessSpeculation(m_out.speculate(exceedsMaxAllowedLength), Overflow, noValue(), nullptr, m_origin); 5842 5845 5843 5846 RegisteredStructure structure = m_graph.registerStructure(m_graph.globalObjectFor(m_node->origin.semantic)->originalArrayStructureForIndexingType(ArrayWithContiguous)); -
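Review bot: The new `exceedsMaxAllowedLength` speculation in compileNewArrayWithSpread has no comment saying what it protects, whereas the DFG counterpart in this same changeset explains that the later contiguous allocation is told not to check for large sizes because the length was already bounded. Suggest `// Speculate that the spread length fits a non-ArrayStorage array; the allocation below relies on this and does not check for large sizes itself.` above the `LValue exceedsMaxAllowedLength` line so the FTL path documents the same invariant. The enclosing function starts and ends outside the hunk.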
trunk/Source/JavaScriptCore/runtime/ArrayConventions.h
r228576 r243280 1 1 /* 2 2 * Copyright (C) 1999-2000 Harri Porten (porten@kde.org) 3 * Copyright (C) 2003-201 7Apple Inc. All rights reserved.3 * Copyright (C) 2003-2019 Apple Inc. All rights reserved. 4 4 * 5 5 * This library is free software; you can redistribute it and/or … … 66 66 // If you try to allocate a contiguous array larger than this, then we will allocate an ArrayStorage 67 67 // array instead. We allow for an array that occupies 1GB of VM. 68 #define MIN_ARRAY_STORAGE_CONSTRUCTION_LENGTH 1024 * 1024 * 1024 / 868 #define MIN_ARRAY_STORAGE_CONSTRUCTION_LENGTH (1024 * 1024 * 1024 / 8) 69 69 #define MAX_STORAGE_VECTOR_INDEX (MAX_STORAGE_VECTOR_LENGTH - 1) 70 70 // 0xFFFFFFFF is a bit weird -- is not an array index even though it's an integer. -
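Review bot: The comment directly above the macro still says "larger than this", but every consumer in this changeset (the AboveOrEqual branches in DFGSpeculativeJIT.cpp, the `>=` guards in DFGOperations.cpp and CommonSlowPaths.cpp, and the aboveOrEqual speculation in FTLLowerDFGToB3.cpp) treats a length equal to MIN_ARRAY_STORAGE_CONSTRUCTION_LENGTH as already too large for a contiguous array. Suggest `// If you try to allocate a contiguous array of this length or larger, then we will allocate an ArrayStorage` so the documented threshold matches the checks that depend on it. The added parentheses are the right fix for the macro, since the previous unparenthesized `1024 * 1024 * 1024 / 8` would have mis-associated in any expression that multiplies or divides it.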
trunk/Source/JavaScriptCore/runtime/CommonSlowPaths.cpp
r242715 r243280 1259 1259 1260 1260 unsigned arraySize = checkedArraySize.unsafeGet(); 1261 if (UNLIKELY(arraySize >= MIN_ARRAY_STORAGE_CONSTRUCTION_LENGTH)) 1262 THROW(createOutOfMemoryError(exec)); 1263 1261 1264 JSGlobalObject* globalObject = exec->lexicalGlobalObject(); 1262 1265 Structure* structure = globalObject->arrayStructureForIndexingTypeDuringAllocation(ArrayWithContiguous);