[Webkit-unassigned] [Bug 184328] New: [JSC] super call to Array constructor fails if InternalFunctionAllocationProfile's stored Structure does not fit to required IndexingType
bugzilla-daemon at webkit.org
Thu Apr 5 06:29:20 PDT 2018
https://bugs.webkit.org/show_bug.cgi?id=184328
Bug ID: 184328
Summary: [JSC] super call to Array constructor fails if InternalFunctionAllocationProfile's stored Structure does not fit to required IndexingType
Product: WebKit
Version: WebKit Nightly Build
Hardware: Unspecified
OS: Unspecified
Status: NEW
Severity: Normal
Priority: P2
Component: JavaScriptCore
Assignee: webkit-unassigned at lists.webkit.org
Reporter: utatane.tea at gmail.com
class DerivedArray extends Array {
    constructor(n)
    {
        super(n);
    }
}

function hello(n)
{
    return new DerivedArray(n);
}
noInline(hello);

for (var i = 0; i < 1e6; ++i)
    hello(20);
hello(0x1fffffff); // Out of memory error.
The above error happens because:
1. DerivedArray function's InternalFunctionAllocationProfile caches a Structure.
2. But the cached Structure's IndexingType may be Int32/Double/Contiguous.
3. If you pass a very large size (like 0x1fffffff) which only fits ArrayStorage, we always fail to allocate the JSArray in JSArray::tryCreate.
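An added regression-style check for the behaviour described above (example code written for this page, not from the report or from WebKit). It warms the derived constructor with small sizes the way the reproduction does, then constructs with sizes that need different indexing types, including the ArrayStorage-only size from the report, and verifies each result matches a plain Array of that length. `noInline` is a JSC shell helper and is not used here; `PROBE_SIZES` and the function names are assumptions.

```javascript
// Added example, not the reporter's code. Constructing a derived Array via
// super(n) must behave like new Array(n) for every n, regardless of which
// sizes the constructor was previously called with.
class DerivedArray extends Array {
  constructor(n) {
    super(n);
  }
}

// Sizes chosen to cross the indexing-type boundaries the report describes:
// empty, small contiguous, and 0x1fffffff, which only fits ArrayStorage in
// JSC. A correct engine returns a sparse array of that length, not an error.
const PROBE_SIZES = [0, 20, 1024, 0x1fffffff];

function constructDerived(n) {
  return new DerivedArray(n);
}

// Populate any cached allocation profile with a small-array structure first,
// mirroring the warm-up loop in the original reproduction.
function warmUp(iterations, size) {
  for (let i = 0; i < iterations; ++i) {
    constructDerived(size);
  }
}

// Returns one record per probe size: whether the construction succeeded and
// produced a real Array that is also an instance of the subclass.
function probeDerivedArray(sizes) {
  warmUp(1e5, 20); // fewer iterations than the report; enough to exercise the path
  return sizes.map((n) => {
    try {
      const a = constructDerived(n);
      const ok = a.length === n && a instanceof DerivedArray && Array.isArray(a);
      return { size: n, ok, length: a.length, error: null };
    } catch (e) {
      return { size: n, ok: false, length: -1, error: String(e) };
    }
  });
}

// Overall verdict: every probe size must construct a correct derived array.
function derivedArrayConstructionIsSound(sizes = PROBE_SIZES) {
  return probeDerivedArray(sizes).every((r) => r.ok);
}
```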