Handle out-of-bounds accesses on lazy arguments better
Categories
(Core :: JavaScript Engine, defect)
Tracking

 | Tracking | Status
---|---|---
firefox96 | --- | fixed
People
(Reporter: jandem, Assigned: anba)
References
(Blocks 2 open bugs)
Details
Attachments
(5 files)
Comment 1 (Reporter) • 10 years ago

Comment 2 (Reporter) • 9 years ago

Comment 3 • 9 years ago

Comment 4 (Reporter) • 9 years ago

Comment 5 • 9 years ago

Comment 6 • 8 years ago

Comment 7 (Assignee) • 3 years ago
Moves ClassCanHaveExtraProperties and CanAttachDenseElementHole in preparation
for the next part
Updated • 3 years ago

Comment 8 (Assignee) • 3 years ago
The `ELEMENT_OVERRIDDEN_BIT` flag is set whenever any element is defined on an
arguments object, irrespective of whether the element is in-bounds or out-of-bounds.
That means that flag can also be used to determine if an arguments object has any
elements besides the frame arguments.

When reading a possible out-of-bounds index, we can therefore use the following
approach:
- Fail whenever `ELEMENT_OVERRIDDEN_BIT` is set.
- If the index is in-bounds:
  a. Return the in-bounds element unless it's `FORWARD_TO_CALL_SLOT`.
- Else,
  a. Fail if the index is less than zero.
  b. Return `undefined`.

Plus a prototype guard check to ensure the element isn't present on any object
of the prototype chain.

Depends on D129619
Comment 9 (Assignee) • 3 years ago
Transpile the CacheIR operation from part 2.
Depends on D129620
Comment 10 (Assignee) • 3 years ago
This follows the existing implementations of `MGetInlinedArgument` and
`MGetFrameArgument`. There are only two differences:
- A bailout occurs when the index is negative. This implies both instructions
  must be guards.
- Undefined is returned when the index is larger than the arguments length.

Depends on D129621
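As an added example (not code from this bug or from SpiderMonkey), the following JavaScript models the fast-path read described in comments 8 and 10 and checks it against the semantics of a real `arguments` object. The wrapper fields `frameArgs`, `overridden` and `forwarded`, the two sentinel symbols and the helper names are constructed for this example; only the decision order mirrors the commit message. The point it demonstrates is why each of the three guards is needed: without the overridden-bit check, an out-of-bounds assignment would be read as `undefined`; without the prototype guard, an element defined on `Object.prototype` would be missed; and a forwarded slot cannot be answered from the frame at all.

```javascript
// FORWARD_TO_CALL_SLOT models the magic value stored in a frame-argument slot
// whose real value lives in the call object; NO_ATTACH models the stub failing
// over to the generic (slow) path, or a bailout in the IonMonkey version.
const FORWARD_TO_CALL_SLOT = Symbol("FORWARD_TO_CALL_SLOT");
const NO_ATTACH = Symbol("NO_ATTACH");

// A real arguments object provides the reference semantics to compare against.
function capture() {
  return arguments;
}

// Bundle a real arguments object with the engine-side state the stub consults
// (field names constructed for this example): `frameArgs` plays the role of the
// frame's argument slots, `overridden` the ELEMENT_OVERRIDDEN_BIT flag, and
// `forwarded` lists indices whose slot holds FORWARD_TO_CALL_SLOT.
function makeLazyArgs(values, { forwarded = [] } = {}) {
  const frameArgs = values.map((v, i) => (forwarded.includes(i) ? FORWARD_TO_CALL_SLOT : v));
  return { obj: capture(...values), frameArgs, overridden: false };
}

// Any element definition, in-bounds or out-of-bounds, sets the flag.
function defineElement(args, index, value) {
  args.obj[index] = value;
  args.overridden = true;
}

// The prototype guard: does any object on the prototype chain own `index`?
function protoChainHasIndex(obj, index) {
  for (let p = Object.getPrototypeOf(obj); p !== null; p = Object.getPrototypeOf(p)) {
    if (Object.prototype.hasOwnProperty.call(p, index)) return true;
  }
  return false;
}

// The fast-path read from comment 8: returns a value, or NO_ATTACH when the
// stub must fail and leave the read to the generic path.
function fastPathGetElement(args, index) {
  if (args.overridden) return NO_ATTACH;                     // an element was defined
  if (protoChainHasIndex(args.obj, index)) return NO_ATTACH; // prototype guard fails
  if (index >= 0 && index < args.frameArgs.length) {
    const v = args.frameArgs[index];
    return v === FORWARD_TO_CALL_SLOT ? NO_ATTACH : v;       // in-bounds, unless forwarded
  }
  if (index < 0) return NO_ATTACH;                           // negative index: fail/bailout
  return undefined;                                          // out-of-bounds, nothing shadows it
}

// Soundness check: whenever the fast path produces a value, it must equal what
// the generic property read on the real arguments object returns.
function agreesWithGeneric(args, index) {
  const fast = fastPathGetElement(args, index);
  return fast === NO_ATTACH || Object.is(fast, args.obj[index]);
}

// Run `fn` while Object.prototype temporarily owns an element at `index`,
// restoring the prototype afterwards.
function withProtoElement(index, value, fn) {
  Object.defineProperty(Object.prototype, String(index), {
    value,
    configurable: true,
    writable: true,
  });
  try {
    return fn();
  } finally {
    delete Object.prototype[String(index)];
  }
}

// Example run: plain, forwarded, overridden and prototype-shadowed cases.
const plain = makeLazyArgs([10, 20, 30]);
console.log(fastPathGetElement(plain, 1), fastPathGetElement(plain, 3));
const shadowed = makeLazyArgs([1]);
console.log(withProtoElement(9, "poison", () => fastPathGetElement(shadowed, 9)) === NO_ATTACH);
```

`agreesWithGeneric` is the property the real stub has to preserve: a fast path may decline to answer, but it must never answer differently from the generic read.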
Comment 11 (Assignee) • 3 years ago
Use scoped enums for `CanAttachDenseElementHole` to improve the readability
compared to using three plain `bool` parameters.

Depends on D129622
Comment 12 • 3 years ago

Comment 13 • 3 years ago

bugherder
https://hg.mozilla.org/mozilla-central/rev/2c8232344e98
https://hg.mozilla.org/mozilla-central/rev/c31e81d4c5c9
https://hg.mozilla.org/mozilla-central/rev/cdc0ba4d147b
https://hg.mozilla.org/mozilla-central/rev/f7cb0f166402
https://hg.mozilla.org/mozilla-central/rev/0cf5997d55ea