Fix for issue 37429

rakudrama · commit-bot@chromium.org · commit 327f5eb82653 · 2019-07-03T22:24:57.000Z
Fix by not tracking very large or negative sizes. TBR=johnniwinther@google.com Bug: 37429 Change-Id: Ibb3c7499f0afaec8cbb9398f780294ad0befeab2 Reviewed-on: https://dart-review.googlesource.com/c/sdk/+/108202 Reviewed-by: Stephen Adams <sra@google.com> Commit-Queue: Stephen Adams <sra@google.com>
diff --git a/pkg/compiler/lib/src/inferrer/builder_kernel.dart b/pkg/compiler/lib/src/inferrer/builder_kernel.dart
@@ -1125,25 +1125,35 @@ class KernelTypeGraphBuilder extends ir.Visitor<TypeInformation> {
 
   /// Try to find the length given to a fixed array constructor call.
   int _findLength(ir.Arguments arguments) {
+    int finish(int length) {
+      // Filter out lengths that should not be tracked.
+      if (length < 0) return null;
+      // Serialization limit.
+      if (length >= (1 << 30)) return null;
+      return length;
+    }
+
     ir.Expression firstArgument = arguments.positional.first;
     if (firstArgument is ir.ConstantExpression &&
         firstArgument.constant is ir.DoubleConstant) {
       ir.DoubleConstant constant = firstArgument.constant;
       double doubleValue = constant.value;
       int truncatedValue = doubleValue.truncate();
       if (doubleValue == truncatedValue) {
-        return truncatedValue;
+        return finish(truncatedValue);
       }
     } else if (firstArgument is ir.IntLiteral) {
-      return firstArgument.value;
+      return finish(firstArgument.value);
     } else if (firstArgument is ir.StaticGet) {
       MemberEntity member = _elementMap.getMember(firstArgument.target);
       if (member.isField) {
         FieldAnalysisData fieldData =
             _closedWorld.fieldAnalysis.getFieldData(member);
         if (fieldData.isEffectivelyConstant && fieldData.constantValue.isInt) {
           IntConstantValue intValue = fieldData.constantValue;
-          return intValue.intValue.toInt();
+          if (intValue.intValue.isValidInt) {
+            return finish(intValue.intValue.toInt());
+          }
         }
       }
     }
diff --git a/tests/compiler/dart2js/inference/data/list_huge.dart b/tests/compiler/dart2js/inference/data/list_huge.dart
@@ -2,23 +2,27 @@
 // for details. All rights reserved. Use of this source code is governed by a
 // BSD-style license that can be found in the LICENSE file.
 
+// Test for Container type for Lists with huge or negative sizes.
+
 /*element: main:[null]*/
 main() {
   hugeList1();
   hugeList2();
+  hugeList3();
+  hugeList4();
 }
 
 /*element: _huge1:[subclass=JSPositiveInt]*/
 final _huge1 = 5000000000;
 
-/*element: hugeList1:Container([exact=JSFixedArray], element: [null], length: 5000000000)*/
+/*element: hugeList1:Container([exact=JSFixedArray], element: [null], length: null)*/
 hugeList1() => List(_huge1);
 
 /*strong.element: _huge2a:[subclass=JSPositiveInt]*/
 /*omit.element: _huge2a:[subclass=JSPositiveInt]*/
 const _huge2a = 10000000000
-/*strong.invoke: [subclass=JSPositiveInt]*/
-/*omit.invoke: [subclass=JSPositiveInt]*/
+    /*strong.invoke: [subclass=JSPositiveInt]*/
+    /*omit.invoke: [subclass=JSPositiveInt]*/
     *
     10000000000;
 
@@ -28,5 +32,29 @@ const _huge2a = 10000000000
 /*omitConst.element: _huge2b:[subclass=JSPositiveInt]*/
 final _huge2b = _huge2a;
 
-/*element: hugeList2:Container([exact=JSFixedArray], element: [null], length: 9223372036854775807)*/
+/*element: hugeList2:Container([exact=JSFixedArray], element: [null], length: null)*/
 hugeList2() => List(_huge2b);
+
+/*strong.element: _huge3a:[subclass=JSInt]*/
+/*omit.element: _huge3a:[subclass=JSInt]*/
+const _huge3a =
+    /*strong.invoke: [exact=JSUInt31]*/
+    /*omit.invoke: [exact=JSUInt31]*/
+    -10000000;
+
+/*strong.element: _huge3b:[null|subclass=JSInt]*/
+/*omit.element: _huge3b:[null|subclass=JSInt]*/
+/*strongConst.element: _huge3b:[subclass=JSInt]*/
+/*omitConst.element: _huge3b:[subclass=JSInt]*/
+final _huge3b = _huge3a;
+
+/*element: hugeList3:Container([exact=JSFixedArray], element: [null], length: null)*/
+hugeList3() => List(_huge3b);
+
+// 'Small' limits are still tracked.
+
+/*element: _huge4:[exact=JSUInt31]*/
+final _huge4 = 10000000;
+
+/*element: hugeList4:Container([exact=JSFixedArray], element: [null], length: 10000000)*/
+hugeList4() => List(_huge4);
