[webkit-reviews] review granted: [Bug 196055] Cap length of an array with spread to MIN_ARRAY_STORAGE_CONSTRUCTION_LENGTH. : [Attachment 365484] proposed patch.

bugzilla-daemon at webkit.org bugzilla-daemon at webkit.org
Thu Mar 21 00:18:56 PDT 2019


Yusuke Suzuki <ysuzuki at apple.com> has granted Mark Lam <mark.lam at apple.com>'s
request for review:
Bug 196055: Cap length of an array with spread to
MIN_ARRAY_STORAGE_CONSTRUCTION_LENGTH.
https://bugs.webkit.org/show_bug.cgi?id=196055

Attachment 365484: proposed patch.

https://bugs.webkit.org/attachment.cgi?id=365484&action=review




--- Comment #3 from Yusuke Suzuki <ysuzuki at apple.com> ---
Comment on attachment 365484
  --> https://bugs.webkit.org/attachment.cgi?id=365484
proposed patch.

View in context: https://bugs.webkit.org/attachment.cgi?id=365484&action=review

r=me

> Source/JavaScriptCore/dfg/DFGOperations.cpp:2727
> +    }

If some program hits this, we could

1. make `length >= MIN_ARRAY_STORAGE_CONSTRUCTION_LENGTH` OSR exit with
Overflow (this is already done in this patch)
2. In operationNewArrayWithSpreadSlow, we return some information, and cause
OSR exit with Overflow
3. In baseline / LLInt, we just allocate ArrayStorage JSArray
4. avoid emitting NewArrayWithSpread DFG nodes if hasExitSite(Overflow) = true
in DFG

but I think throwing an OOM error is OK until we find some real programs that hit
this condition.
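The sizing decision under discussion, as an added example that is not part of the review or of the WebKit patch: the final length of an array literal with spread operands is accumulated with overflow-checked unsigned arithmetic and compared against the cap before any allocation happens. Everything here is an illustration: the cap value, the `SpreadOperand`/`SpreadPlan` types and the `computeSpreadLength` function are assumptions, not JavaScriptCore code; the real constant is MIN_ARRAY_STORAGE_CONSTRUCTION_LENGTH and the real slow path is operationNewArrayWithSpreadSlow.

```cpp
#include <cstdint>
#include <limits>
#include <vector>

// Illustrative stand-in for JSC's MIN_ARRAY_STORAGE_CONSTRUCTION_LENGTH. The
// value is assumed for this example; the real constant lives in JSArray.h.
static const unsigned kMinArrayStorageConstructionLength = 100000;

// Outcome of sizing `[...a, ...b, c]` before anything is allocated.
enum class SpreadResult {
    Ok,        // length fits the contiguous fast path
    TooLong,   // length >= cap: the patch throws OOM here; an OSR exit is the alternative discussed
    Overflow   // the unsigned sum would wrap: must never reach an allocator
};

// One operand of the array literal: a spread iterable contributes its length,
// a plain element contributes exactly 1. (Hypothetical type.)
struct SpreadOperand {
    bool isSpread;
    unsigned length;
};

// Result of the sizing step. (Hypothetical type.)
struct SpreadPlan {
    SpreadResult result;
    unsigned length;   // meaningful only when result == Ok
};

// Accumulate the final array length with overflow-checked unsigned arithmetic
// and cap it, in the order a JIT slow path must use: check first, allocate later.
SpreadPlan computeSpreadLength(const std::vector<SpreadOperand>& operands) {
    unsigned total = 0;
    for (const SpreadOperand& op : operands) {
        unsigned contribution = op.isSpread ? op.length : 1u;
        // A 32-bit JS array length plus a small running total can still wrap,
        // so the addition itself is checked, not only the cap afterwards.
        if (contribution > std::numeric_limits<unsigned>::max() - total)
            return { SpreadResult::Overflow, 0 };
        total += contribution;
        if (total >= kMinArrayStorageConstructionLength)
            return { SpreadResult::TooLong, 0 };
    }
    return { SpreadResult::Ok, total };
}

int main() {
    // Constructed inputs: a small literal and one whose total exceeds the cap.
    SpreadPlan small = computeSpreadLength({ { true, 10 }, { false, 0 }, { true, 5 } });
    SpreadPlan big = computeSpreadLength({ { true, 60000 }, { true, 50000 } });
    return (small.result == SpreadResult::Ok && small.length == 16
            && big.result == SpreadResult::TooLong) ? 0 : 1;
}
```

The two checks are deliberately separate: the cap decides which array shape (contiguous vs. ArrayStorage) or which error the caller gets, while the checked addition is what keeps a wrapped length from ever being handed to an allocator when one operand alone is close to the 32-bit array-length limit.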


More information about the webkit-reviews mailing list