Diff - 5d338933d647916921a451b7d229bc792ec690d6^! - WebKit

commit	5d338933d647916921a451b7d229bc792ec690d6	[log] [tgz]
author	mark.lam@apple.com <mark.lam@apple.com@268f45cc-cd09-0410-ab3c-d52691b4dbfc>	Wed Jul 11 06:21:22 2018 +0000
committer	mark.lam@apple.com <mark.lam@apple.com@268f45cc-cd09-0410-ab3c-d52691b4dbfc>	Wed Jul 11 06:21:22 2018 +0000
tree	2122f065f7bf57be0122408e9eb9602a418580fd
parent	86a44b7e6bc0b1e4224ef39135fd46e707e416ae [diff] [blame]

constructArray() should always allocate the requested length. https://bugs.webkit.org/show_bug.cgi?id=187543 <rdar://problem/41947884> Reviewed by Saam Barati. JSTests: * stress/regress-187543-2.js: Added. * stress/regress-187543-3.js: Added. * stress/regress-187543.js: Added. Source/JavaScriptCore: Currently, it does not when we're having a bad time. We fix this by switching back to using tryCreateUninitializedRestricted() exclusively in constructArray(). If we detect that a structure transition is possible before we can initialize the butterfly, we'll go ahead and eagerly initialize the rest of the butterfly. We will introduce JSArray::eagerlyInitializeButterfly() to handle this. Also enhanced the DisallowScope and ObjectInitializationScope to support this eager initialization when needed. * dfg/DFGOperations.cpp: - the client of operationNewArrayWithSizeAndHint() (in FTL generated code) expects the array allocation to always succeed. Adding this RELEASE_ASSERT here makes it clearer that we encountered an OutOfMemory condition instead of failing in FTL generated code, which will appear as a generic null pointer dereference. * runtime/ArrayPrototype.cpp: (JSC::concatAppendOne): - the code here clearly wants to check for an allocation failure. Switched to using JSArray::tryCreate() instead of JSArray::create(). * runtime/DisallowScope.h: (JSC::DisallowScope::disable): * runtime/JSArray.cpp: (JSC::JSArray::tryCreateUninitializedRestricted): (JSC::JSArray::eagerlyInitializeButterfly): (JSC::constructArray): * runtime/JSArray.h: * runtime/ObjectInitializationScope.cpp: (JSC::ObjectInitializationScope::notifyInitialized): * runtime/ObjectInitializationScope.h: (JSC::ObjectInitializationScope::notifyInitialized): git-svn-id: http://svn.webkit.org/repository/webkit/trunk@233722 268f45cc-cd09-0410-ab3c-d52691b4dbfc

diff --git a/Source/JavaScriptCore/runtime/JSArray.h b/Source/JavaScriptCore/runtime/JSArray.h index 8ec8f64..a6ee5d3 100644 --- a/Source/JavaScriptCore/runtime/JSArray.h +++ b/Source/JavaScriptCore/runtime/JSArray.h

@@ -80,6 +80,8 @@ return tryCreateUninitializedRestricted(scope, nullptr, structure, initialLength); } + static void eagerlyInitializeButterfly(ObjectInitializationScope&, JSArray*, unsigned initialLength); + JS_EXPORT_PRIVATE static bool defineOwnProperty(JSObject*, ExecState*, PropertyName, const PropertyDescriptor&, bool throwException); JS_EXPORT_PRIVATE static bool getOwnPropertySlot(JSObject*, ExecState*, PropertyName, PropertySlot&);