Closed Bug 1724803 Opened 3 years ago Closed 3 years ago

Cleanup XDR handling of js::ImmutableScriptData

Categories

(Core :: JavaScript Engine, task, P2)

Product:
Core
Component:
JavaScript Engine
Type:
task

Tracking

()

Status:
RESOLVED FIXED
Milestone:
93 Branch
Tracking Flags:
Tracking Status
firefox93 --- fixed

People

(Reporter: tcampbell, Assigned: tcampbell)

References

(Blocks 1 open bug)

Details

Attachments

(5 files)

Bug 1724803 - Use codeEnum32 to transcode SharedScriptDataContainer kind. r?arai!
(deleted), text/x-phabricator-request
Details
Bug 1724803 - Move XDRImmutableScriptData to StencilXdr.cpp r?arai!
(deleted), text/x-phabricator-request
Details
Bug 1724803 - Inline XDRImmutableScriptData into codeSharedData. r?arai!
(deleted), text/x-phabricator-request
Details
Bug 1724803 - Update XDR coding of nullptr SharedImmutableScriptData. r?arai!
(deleted), text/x-phabricator-request
Details
Bug 1724803 - Clean up js::ImmutableScriptData layout validation. r?arai!
(deleted), text/x-phabricator-request
Details

A few patches to clean up the XDR code for ImmutableScriptData as well as harden XDR coding further again memory/disk corruption.

Harden XDR code against memory / disk corruption by using the codeEnum32
helper instead of small integers. This is only once per CompilationStencil so
size impact is neglible.

This function is only being used in that file now, so move the code and mark it
as static.

Depends on D122153

Transcoding the SharedImmutableScriptData and ImmutableScriptData together gives
more flexibility. A later patch will support handling a nullptr sisd by coding
a length of zero instead.

Depends on D122154

When transcoding a js::frontend::SharedDataContainer that is in "vector"
configuration, we may encounter nullptrs in the vector. Instead of coding a byte
for each entry to determine if it is nullptr or not, start coding the
ImmutableScriptData size with a value of zero. In "vector" mode, this container
is dense and most entries are non-nullptr with a non-zero size anyways. Overall,
this should reduce the size of XDR data needed by removing the is-empty byte and
associated alignment padding.

Depends on D122155

In Bug 1710984 we added extra checks to avoid certain crashes that looked like
memory corruption. This patch makes those checks slightly more robust by
checking the 'optional-offsets' array is in-bounds before dereferencing it for
the rest of the checks.

Depends on D122156

Here is an example of the crash that the last patch helps: https://crash-stats.mozilla.org/report/index/b4dcfd9a-9117-4e8a-bd09-2533e0210809

Pushed by tcampbell@mozilla.com: https://hg.mozilla.org/integration/autoland/rev/f1ad83b1e704 Use codeEnum32 to transcode SharedScriptDataContainer kind. r=arai https://hg.mozilla.org/integration/autoland/rev/019d13cbb22f Move XDRImmutableScriptData to StencilXdr.cpp r=arai https://hg.mozilla.org/integration/autoland/rev/58f3627453a7 Inline XDRImmutableScriptData into codeSharedData. r=arai https://hg.mozilla.org/integration/autoland/rev/5fdc6f93f436 Update XDR coding of nullptr SharedImmutableScriptData. r=arai https://hg.mozilla.org/integration/autoland/rev/efefbf74d3fc Clean up js::ImmutableScriptData layout validation. r=arai
Regressions: 1725066
You need to log in before you can comment on or make changes to this bug.

Attachment

General

Creator:
Created:
Updated:
Size: