[v8-dev] Lower kInitialMaxFastElementArray constant to 95K (issue 22877039)

Mon, 26 Aug 2013 05:53:16 -0700 

Reviewers: Hannes Payer,

Message:
PTAL.

Description:
Lower kInitialMaxFastElementArray constant to 95K

to work around erroneous "illegal access" error on x64.

BUG=v8:2790

Please review this at https://codereview.chromium.org/22877039/

SVN Base: https://v8.googlecode.com/svn/branches/bleeding_edge

Affected files:
  M src/objects.h
  A + test/mjsunit/regress/regress-2790.js


Index: src/objects.h
diff --git a/src/objects.h b/src/objects.h
index 0379660100ddb1668808b4af2d4f2a4566d85151..7933cd863965dfd8df34d62ca7420077312bb049 100644 
--- a/src/objects.h
+++ b/src/objects.h
@@ -2715,7 +2715,11 @@ class JSObject: public JSReceiver {
   // don't want to be wasteful with long lived objects.
   static const int kMaxUncheckedOldFastElementsLength = 500;

-  static const int kInitialMaxFastElementArray = 100000;
+  // TODO(2790): HAllocate currently always allocates fast backing stores
+  // in new space, where on x64 we can only fit ~98K elements. Keep this
+  // limit lower than that until HAllocate is made smarter.
+  static const int kInitialMaxFastElementArray = 95000;
+
   static const int kFastPropertiesSoftLimit = 12;
   static const int kMaxFastProperties = 64;
   static const int kMaxInstanceSize = 255 * kPointerSize;
Index: test/mjsunit/regress/regress-2790.js
diff --git a/test/mjsunit/regress/regress-crbug-172345.js b/test/mjsunit/regress/regress-2790.js 
similarity index 93%
copy from test/mjsunit/regress/regress-crbug-172345.js
copy to test/mjsunit/regress/regress-2790.js
index 711501caa791f2974635ac4dd894568a2e3fc982..86305b8867a1b96c65a1731c98bc9a331d9197aa 100644 
--- a/test/mjsunit/regress/regress-crbug-172345.js
+++ b/test/mjsunit/regress/regress-2790.js
@@ -25,10 +25,7 @@
 // (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY OUT OF THE USE
 // OF THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF SUCH DAMAGE.

-function f(a,i) {
-  return a[i];
+// Test that we can create arrays of any size.
+for (var i = 1000; i < 1000000; i += 97) {
+  new Array(i);
 }
-
-f([1,2,3], "length");
-f([1,2,3], "length");
-f([1,2,3], 2);


--
--
v8-dev mailing list
[email protected]
http://groups.google.com/group/v8-dev
--- You received this message because you are subscribed to the Google Groups "v8-dev" group. 
To unsubscribe from this group and stop receiving emails from it, send an email 
to [email protected].
For more options, visit https://groups.google.com/groups/opt_out.

Reply via email to