| Summary: | Cap length of an array with spread to MIN_ARRAY_STORAGE_CONSTRUCTION_LENGTH. | ||||||
|---|---|---|---|---|---|---|---|
| Product: | WebKit | Reporter: | Mark Lam <mark.lam> | ||||
| Component: | JavaScriptCore | Assignee: | Mark Lam <mark.lam> | ||||
| Status: | RESOLVED FIXED | ||||||
| Severity: | Normal | CC: | ews-watchlist, fpizlo, keith_miller, msaboff, rmorisset, saam, tzagallo, webkit-bug-importer, ysuzuki | ||||
| Priority: | P2 | Keywords: | InRadar | ||||
| Version: | WebKit Nightly Build | ||||||
| Hardware: | Unspecified | ||||||
| OS: | Unspecified | ||||||
| Attachments: |
|
||||||
|
Description
Mark Lam
2019-03-20 21:46:32 PDT
Created attachment 365484 [details]
proposed patch.
Let's try this on the EWS first.
Comment on attachment 365484 [details]
proposed patch.
The JSC tests run to completion locally without any failures. Let's get a review.
Comment on attachment 365484 [details] proposed patch. View in context: https://bugs.webkit.org/attachment.cgi?id=365484&action=review r=me > Source/JavaScriptCore/dfg/DFGOperations.cpp:2727 > + } If some program hits this, we could 1. make `length >= MIN_ARRAY_STORAGE_CONSTRUCTION_LENGTH` OSR exit with Overflow (this is already done in this patch) 2. In operationNewArrayWithSpreadSlow, we return some information, and cause OSR exit with Overflow 3. In baseline / LLInt, we just allocate ArrayStorage JSArray 4. avoids emitting NewArrayWithSpread DFG nodes if hasExitSite(Overflow) = true in DFG but I think throwing OOM error is OK until we find some real programs hit this condition. Thanks for the review. Landed in r243280: <http://trac.webkit.org/r243280>. |