Added handle scope to inner loop of replace to avoid unbounded handle creation.

src/runtime.cc

 // Copyright 2006-2008 the V8 project authors. All rights reserved.

[Erik Corry, 2009/03/16 09:48:09]

2009?

 // Redistribution and use in source and binary forms, with or without
 // modification, are permitted provided that the following conditions are
 // met:
 //
 //     * Redistributions of source code must retain the above copyright
 //       notice, this list of conditions and the following disclaimer.
 //     * Redistributions in binary form must reproduce the above
 //       copyright notice, this list of conditions and the following
 //       disclaimer in the documentation and/or other materials provided
 //       with the distribution.
@@ skipping 1116 matching lines @@
       : subject_(subject),
         parts_(Factory::NewFixedArray(estimated_part_count)),
         part_count_(0),
         character_count_(0),
         is_ascii_(StringShape(*subject).IsAsciiRepresentation()) {
     // Require a non-zero initial size. Ensures that doubling the size to
     // extend the array will work.
     ASSERT(estimated_part_count > 0);
   }
 
+  void EnsureCapacity(int elements) {
+    int length = parts_->length();
+    int required_length = part_count_ + elements;
+    if (length < required_length) {
+      int new_length = length;
+      do {
+        new_length *= 2;
+      } while (new_length < required_length);
+      Handle<FixedArray> extended_array =
+          Factory::NewFixedArray(new_length);
+      parts_->CopyTo(0, *extended_array, 0, part_count_);
+      parts_ = extended_array;
+    }
+  }
+
   void AddSubjectSlice(int from, int to) {
     ASSERT(from >= 0);
     int length = to - from;
-    ASSERT(length >= 0);
-    if (length > 0) {
-      // Can we encode the slice in 11 bits for length and 19 bits for
-      // start position - as used by StringBuilderConcatHelper?
-      if (StringBuilderSubstringLength::is_valid(length) &&
-          StringBuilderSubstringPosition::is_valid(from)) {
-        int encoded_slice = StringBuilderSubstringLength::encode(length) |
-            StringBuilderSubstringPosition::encode(from);
-        AddElement(Handle<Object>(Smi::FromInt(encoded_slice)));
-      } else {
-        Handle<String> slice = Factory::NewStringSlice(subject_, from, to);
-        AddElement(slice);
-      }
-      IncrementCharacterCount(length);
+    ASSERT(length > 0);
+    // Can we encode the slice in 11 bits for length and 19 bits for
+    // start position - as used by StringBuilderConcatHelper?
+    if (StringBuilderSubstringLength::is_valid(length) &&
+        StringBuilderSubstringPosition::is_valid(from)) {
+      int encoded_slice = StringBuilderSubstringLength::encode(length) |
+          StringBuilderSubstringPosition::encode(from);
+      AddElement(Handle<Object>(Smi::FromInt(encoded_slice)));
+    } else {
+      Handle<String> slice = Factory::NewStringSlice(subject_, from, to);
+      AddElement(slice);
     }
+    IncrementCharacterCount(length);
   }
 
 
   void AddString(Handle<String> string) {
     StringShape shape(*string);
     int length = string->length(shape);
-    if (length > 0) {
-      AddElement(string);
-      if (!shape.IsAsciiRepresentation()) {
-        is_ascii_ = false;
-      }
-      IncrementCharacterCount(length);
+    ASSERT(length > 0);
+    AddElement(string);
+    if (!shape.IsAsciiRepresentation()) {
+      is_ascii_ = false;
     }
+    IncrementCharacterCount(length);
   }
 
 
   Handle<String> ToString() {
     if (part_count_ == 0) {
       return Factory::empty_string();
     }
 
     Handle<String> joined_string;
     if (is_ascii_) {
@@ skipping 37 matching lines @@
 
 
   Handle<String> NewRawTwoByteString(int size) {
     CALL_HEAP_FUNCTION(Heap::AllocateRawTwoByteString(size), String);
   }
 
 
   void AddElement(Handle<Object> element) {
     ASSERT(element->IsSmi() || element->IsString());
     // Extend parts_ array if necessary.
-    if (parts_->length() == part_count_) {
-      Handle<FixedArray> extended_array =
-          Factory::NewFixedArray(part_count_ * 2);
-      parts_->CopyTo(0, *extended_array, 0, part_count_);
-      parts_ = extended_array;
-    }
     parts_->set(part_count_, *element);
     part_count_++;
   }
 
   Handle<String> subject_;
   Handle<FixedArray> parts_;
   int part_count_;
   int character_count_;
   bool is_ascii_;
 };
@@ skipping 225 matching lines @@
 
 
 void CompiledReplacement::Apply(ReplacementStringBuilder* builder,
                                 int match_from,
                                 int match_to,
                                 Handle<JSArray> last_match_info) {
   for (int i = 0, n = parts_.length(); i < n; i++) {
     ReplacementPart part = parts_[i];
     switch (part.tag) {
       case SUBJECT_PREFIX:
-        builder->AddSubjectSlice(0, match_from);
+        if (match_from > 0) builder->AddSubjectSlice(0, match_from);
         break;
       case SUBJECT_SUFFIX: {
         int subject_length = part.data;
-        builder->AddSubjectSlice(match_to, subject_length);
+        if (match_to < subject_length) {
+          builder->AddSubjectSlice(match_to, subject_length);
+        }
         break;
       }
       case SUBJECT_CAPTURE: {
         int capture = part.data;
         FixedArray* match_info = last_match_info->elements();
         int from = RegExpImpl::GetCapture(match_info, capture * 2);
         int to = RegExpImpl::GetCapture(match_info, capture * 2 + 1);
         if (from >= 0 && to > from) {
           builder->AddSubjectSlice(from, to);
         }
@@ skipping 50 matching lines @@
   // Guessing the number of parts that the final result string is built
   // from. Global regexps can match any number of times, so we guess
   // conservatively.
   int expected_parts =
       (compiled_replacement.parts() + 1) * (is_global ? 4 : 1) + 1;
   ReplacementStringBuilder builder(subject_handle, expected_parts);
 
   // Index of end of last match.
   int prev = 0;
 
+  // Number of parts added by compiled replacement plus preceeding string
+  // and possibly suffix after last match.
+  const int parts_added_per_loop = compiled_replacement.parts() + 2;
+  bool matched;
   do {
     ASSERT(last_match_info_handle->HasFastElements());
+    // Increase the capacity of the builder before entering local handle-scope,
+    // so its internal buffer can safely allocate a new handle if it grows.
+    builder.EnsureCapacity(parts_added_per_loop);
+
+    HandleScope loop_scope;
     int start, end;
     {
       AssertNoAllocation match_info_array_is_not_in_a_handle;
       FixedArray* match_info_array = last_match_info_handle->elements();
 
       ASSERT_EQ(capture_count * 2 + 2,
                 RegExpImpl::GetLastCaptureCount(match_info_array));
       start = RegExpImpl::GetCapture(match_info_array, 0);
       end = RegExpImpl::GetCapture(match_info_array, 1);
     }
@@ skipping 17 matching lines @@
       if (next > length) break;
     }
 
     match = RegExpImpl::Exec(regexp_handle,
                              subject_handle,
                              next,
                              last_match_info_handle);
     if (match.is_null()) {
       return Failure::Exception();
     }
-  } while (!match->IsNull());
+    matched = !match->IsNull();
+  } while (matched);
 
   if (prev < length) {
     builder.AddSubjectSlice(prev, length);
   }
 
   return *(builder.ToString());
 }
 
 
 static Object* Runtime_StringReplaceRegExpWithString(Arguments args) {
@@ skipping 5054 matching lines @@
   } else {
     // Handle last resort GC and make sure to allow future allocations
     // to grow the heap without causing GCs (if possible).
     Counters::gc_last_resort_from_js.Increment();
     Heap::CollectAllGarbage();
   }
 }
 
 
 } }  // namespace v8::internal