[webkit-reviews] review granted: [Bug 196055] Cap length of an array with spread to MIN_ARRAY_STORAGE_CONSTRUCTION_LENGTH. : [Attachment 365484] proposed patch.
bugzilla-daemon at webkit.org
Thu Mar 21 00:18:56 PDT 2019
Yusuke Suzuki <ysuzuki at apple.com> has granted Mark Lam <mark.lam at apple.com>'s
request for review:
Bug 196055: Cap length of an array with spread to
MIN_ARRAY_STORAGE_CONSTRUCTION_LENGTH.
https://bugs.webkit.org/show_bug.cgi?id=196055
Attachment 365484: proposed patch.
https://bugs.webkit.org/attachment.cgi?id=365484&action=review
--- Comment #3 from Yusuke Suzuki <ysuzuki at apple.com> ---
Comment on attachment 365484
--> https://bugs.webkit.org/attachment.cgi?id=365484
proposed patch.
View in context: https://bugs.webkit.org/attachment.cgi?id=365484&action=review
r=me
> Source/JavaScriptCore/dfg/DFGOperations.cpp:2727
> + }
If some program hits this, we could
1. make `length >= MIN_ARRAY_STORAGE_CONSTRUCTION_LENGTH` OSR exit with
Overflow (this is already done in this patch)
2. In operationNewArrayWithSpreadSlow, we return some information, and cause
OSR exit with Overflow
3. In baseline / LLInt, we just allocate ArrayStorage JSArray
4. avoid emitting NewArrayWithSpread DFG nodes if hasExitSite(Overflow) = true
in DFG
but I think throwing an OOM error is OK until we find some real programs that hit
this condition.
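As an added illustration (not JavaScriptCore's code and not part of the patch under review), the following JavaScript models the decision the comment describes: a NewArrayWithSpread fast path may preallocate contiguous storage only while the summed length of its operands stays below MIN_ARRAY_STORAGE_CONSTRUCTION_LENGTH, and otherwise bails out (the "OSR exit with Overflow" case) to a generic slow path. The cap value, the operand representation, and the function names are assumptions made for the example; JSC's real constant and its fast-path conditions (such as checking that the array iterator is unobserved) are not on this page and are not modelled.

```javascript
// Added illustration, not JavaScriptCore's code. It models the decision the
// review comment describes: a NewArrayWithSpread fast path may preallocate
// contiguous storage only when the summed length of its operands stays below a
// cap; at or above the cap it bails out ("OSR exit with Overflow") to a generic
// slow path. The cap value is assumed; the page does not state JSC's constant.
const MIN_ARRAY_STORAGE_CONSTRUCTION_LENGTH = 100000;

// Operands are {spread: true, value: <array or iterable>} or {spread: false, value}.

// The hazard: summing lengths in 32-bit unsigned arithmetic, as a native engine
// might, wraps silently, so two large operands can yield a tiny allocation that
// the fill loop then overruns.
function uncheckedLength(operands) {
  let total = 0;
  for (const op of operands) {
    total = (total + (op.spread ? op.value.length : 1)) >>> 0; // wraps modulo 2^32
  }
  return total;
}

// The fix: validate each operand and compare every partial sum against the cap
// before any allocation happens. Only real Arrays are eligible for the fast
// path; other iterables must go through the iterator protocol anyway.
function checkedLength(operands) {
  let total = 0;
  for (const op of operands) {
    let n = 1;
    if (op.spread) {
      if (!Array.isArray(op.value)) return { fast: false, reason: 'NotArray' };
      n = op.value.length;
    }
    // Each n is at most 2^32 - 1 and the cap check below runs every iteration,
    // so `total` never gets anywhere near 2^53 and the sum stays exact.
    total += n;
    if (total >= MIN_ARRAY_STORAGE_CONSTRUCTION_LENGTH) {
      return { fast: false, reason: 'Overflow' };
    }
  }
  return { fast: true, length: total };
}

function newArrayWithSpread(operands) {
  const check = checkedLength(operands);
  if (check.fast) {
    // Fast path: preallocate exactly `length` slots and fill by index.
    const out = new Array(check.length);
    let i = 0;
    for (const op of operands) {
      if (op.spread) for (const v of op.value) out[i++] = v;
      else out[i++] = op.value;
    }
    return { path: 'fast', result: out };
  }
  // Slow path: no size assumption, generic iteration, storage grows as needed.
  const out = [];
  for (const op of operands) {
    if (op.spread) for (const v of op.value) out.push(v);
    else out.push(op.value);
  }
  return { path: 'slow', reason: check.reason, result: out };
}
```

The point of the pairing is that `checkedLength` rejects the input before a size is trusted, whereas `uncheckedLength` hands back a wrapped value that looks valid; in a native engine the fill loop would then write past the allocation.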