Bug 196055

Summary: Cap length of an array with spread to MIN_ARRAY_STORAGE_CONSTRUCTION_LENGTH.
Product: WebKit Reporter: Mark Lam <mark.lam>
Component: JavaScriptCoreAssignee: Mark Lam <mark.lam>
Status: RESOLVED FIXED    
Severity: Normal CC: ews-watchlist, fpizlo, keith_miller, msaboff, rmorisset, saam, tzagallo, webkit-bug-importer, ysuzuki
Priority: P2 Keywords: InRadar
Version: WebKit Nightly Build   
Hardware: Unspecified   
OS: Unspecified   
Attachments:
Description Flags
proposed patch. ysuzuki: review+

Mark Lam
Reported 2019-03-20 21:46:32 PDT
We are doing this because: 1. We expect the array to be densely packed. 2. SpeculativeJIT::compileAllocateNewArrayWithSize() (and the FTL equivalent) expects the array length to be less than MIN_ARRAY_STORAGE_CONSTRUCTION_LENGTH if we don't want to use an ArrayStorage shape. 3. There's no reason why an array with spread needs to be that large anyway. MIN_ARRAY_STORAGE_CONSTRUCTION_LENGTH is plenty. <rdar://problem/49067448>
Attachments
proposed patch. (12.07 KB, patch)
2019-03-20 22:19 PDT, Mark Lam 		ysuzuki: review+
DetailsFormatted DiffDiff
View All Add attachment proposed patch, testcase, etc.
Mark Lam
Comment 1 2019-03-20 22:19:08 PDT
Created attachment 365484 [details] proposed patch. Let's try this on the EWS first.
Mark Lam
Comment 2 2019-03-20 23:00:47 PDT
Comment on attachment 365484 [details] proposed patch. The JSC tests run to completion locally without any failures. Let's get a review.
Yusuke Suzuki
Comment 3 2019-03-21 00:18:56 PDT
Comment on attachment 365484 [details] proposed patch. View in context: https://bugs.webkit.org/attachment.cgi?id=365484&action=review r=me > Source/JavaScriptCore/dfg/DFGOperations.cpp:2727 > + } If some program hits this, we could 1. make `length >= MIN_ARRAY_STORAGE_CONSTRUCTION_LENGTH` OSR exit with Overflow (this is already done in this patch) 2. In operationNewArrayWithSpreadSlow, we return some information, and cause OSR exit with Overflow 3. In baseline / LLInt, we just allocate ArrayStorage JSArray 4. avoids emitting NewArrayWithSpread DFG nodes if hasExitSite(Overflow) = true in DFG but I think throwing OOM error is OK until we find some real programs hit this condition.
Mark Lam
Comment 4 2019-03-21 00:52:13 PDT
Thanks for the review. Landed in r243280: <http://trac.webkit.org/r243280>.
Note You need to log in before you can comment on or make changes to this bug.