rwaldron/array-oob.js

## array-oob.js
/*
Discovered in https://github.com/tc39/test262/blob/master/test/built-ins/Array/S15.4_A1.1_T10.js
*/

var x = [];
var k = 1;
for (var i = 0; i < 32; i++) {
  k = k * 2;
  x[k - 2] = k;
}


/*

$ prepack array-oob.js

<--- Last few GCs --->

   18080 ms: Mark-sweep 1317.0 (1365.2) -> 824.2 (867.2) MB, 244.8 / 0.0 ms (+ 0.3 ms in 1 steps since start of marking, biggest step 0.3 ms) [allocation failure] [GC in old space requested].
   21311 ms: Mark-sweep 1385.8 (1434.2) -> 895.9 (940.2) MB, 129.2 / 0.0 ms (+ 136.9 ms in 68 steps since start of marking, biggest step 4.8 ms) [allocation failure] [GC in old space requested].


<--- JS stacktrace --->

==== JS stack trace =========================================

Security context: 0x1b40f97cfb39 <JS Object>
    2: _serializeArrayIndexProperties [/Users/rwaldron/clonez/prepack/lib/serializer/ResidualHeapSerializer.js:~696] [pc=0x3774c7f4741b] (this=0x2fdf3b26fa79 <a ResidualHeapSerializer with map 0x236da3cf4629>,array=0x2fdf3b26fbd1 <an ArrayValue with map 0x236da3cf2a51>,indexPropertyLength=0x2fdf3b26fc09 <Number: 4.29497e+09>,remainingProperties=0x2fdf3b26fbe9 <a Map with map 0x82ddc80a191>)
   ...

FATAL ERROR: invalid array length Allocation failed - JavaScript heap out of memory
 1: node::Abort() [/usr/local/bin/node]
 2: node::FatalException(v8::Isolate*, v8::Local<v8::Value>, v8::Local<v8::Message>) [/usr/local/bin/node]
 3: v8::internal::V8::FatalProcessOutOfMemory(char const*, bool) [/usr/local/bin/node]
 4: v8::internal::Heap::AllocateUninitializedFixedArray(int) [/usr/local/bin/node]
 5: v8::internal::Factory::NewUninitializedFixedArray(int) [/usr/local/bin/node]
 6: v8::internal::(anonymous namespace)::ElementsAccessorBase<v8::internal::(anonymous namespace)::FastPackedObjectElementsAccessor, v8::internal::(anonymous namespace)::ElementsKindTraits<(v8::internal::ElementsKind)2> >::ConvertElementsWithCapacity(v8::internal::Handle<v8::internal::JSObject>, v8::internal::Handle<v8::internal::FixedArrayBase>, v8::internal::ElementsKind, unsigned int, unsigned int, unsigned int, int) [/usr/local/bin/node]
 7: v8::internal::(anonymous namespace)::ElementsAccessorBase<v8::internal::(anonymous namespace)::FastPackedObjectElementsAccessor, v8::internal::(anonymous namespace)::ElementsKindTraits<(v8::internal::ElementsKind)2> >::GrowCapacityAndConvertImpl(v8::internal::Handle<v8::internal::JSObject>, unsigned int) [/usr/local/bin/node]
 8: v8::internal::Runtime_GrowArrayElements(int, v8::internal::Object**, v8::internal::Isolate*) [/usr/local/bin/node]
 9: 0x3774c77079a7
10: 0x3774c772e9c5
11: 0x3774c7f4741b
Abort trap: 6

*/
	/*
	Discovered in https://github.com/tc39/test262/blob/master/test/built-ins/Array/S15.4_A1.1_T10.js
	*/

	var x = [];
	var k = 1;
	for (var i = 0; i < 32; i++) {
	k = k * 2;
	x[k - 2] = k;
	}


	/*

	$ prepack array-oob.js

	<--- Last few GCs --->

	18080 ms: Mark-sweep 1317.0 (1365.2) -> 824.2 (867.2) MB, 244.8 / 0.0 ms (+ 0.3 ms in 1 steps since start of marking, biggest step 0.3 ms) [allocation failure] [GC in old space requested].
	21311 ms: Mark-sweep 1385.8 (1434.2) -> 895.9 (940.2) MB, 129.2 / 0.0 ms (+ 136.9 ms in 68 steps since start of marking, biggest step 4.8 ms) [allocation failure] [GC in old space requested].


	<--- JS stacktrace --->

	==== JS stack trace =========================================

	Security context: 0x1b40f97cfb39 <JS Object>
	2: _serializeArrayIndexProperties [/Users/rwaldron/clonez/prepack/lib/serializer/ResidualHeapSerializer.js:~696] [pc=0x3774c7f4741b] (this=0x2fdf3b26fa79 <a ResidualHeapSerializer with map 0x236da3cf4629>,array=0x2fdf3b26fbd1 <an ArrayValue with map 0x236da3cf2a51>,indexPropertyLength=0x2fdf3b26fc09 <Number: 4.29497e+09>,remainingProperties=0x2fdf3b26fbe9 <a Map with map 0x82ddc80a191>)
	...

	FATAL ERROR: invalid array length Allocation failed - JavaScript heap out of memory
	1: node::Abort() [/usr/local/bin/node]
	2: node::FatalException(v8::Isolate*, v8::Local<v8::Value>, v8::Local<v8::Message>) [/usr/local/bin/node]
	3: v8::internal::V8::FatalProcessOutOfMemory(char const*, bool) [/usr/local/bin/node]
	4: v8::internal::Heap::AllocateUninitializedFixedArray(int) [/usr/local/bin/node]
	5: v8::internal::Factory::NewUninitializedFixedArray(int) [/usr/local/bin/node]
	6: v8::internal::(anonymous namespace)::ElementsAccessorBase<v8::internal::(anonymous namespace)::FastPackedObjectElementsAccessor, v8::internal::(anonymous namespace)::ElementsKindTraits<(v8::internal::ElementsKind)2> >::ConvertElementsWithCapacity(v8::internal::Handle<v8::internal::JSObject>, v8::internal::Handle<v8::internal::FixedArrayBase>, v8::internal::ElementsKind, unsigned int, unsigned int, unsigned int, int) [/usr/local/bin/node]
	7: v8::internal::(anonymous namespace)::ElementsAccessorBase<v8::internal::(anonymous namespace)::FastPackedObjectElementsAccessor, v8::internal::(anonymous namespace)::ElementsKindTraits<(v8::internal::ElementsKind)2> >::GrowCapacityAndConvertImpl(v8::internal::Handle<v8::internal::JSObject>, unsigned int) [/usr/local/bin/node]
	8: v8::internal::Runtime_GrowArrayElements(int, v8::internal::Object*, v8::internal::Isolate) [/usr/local/bin/node]
	9: 0x3774c77079a7
	10: 0x3774c772e9c5
	11: 0x3774c7f4741b
	Abort trap: 6

	*/