Open Bug 1729596 Opened 3 years ago Updated 2 years ago

Assert that all NativeObject slot accesses touch only slot indices within the slot span

Categories

(Core :: JavaScript Engine, enhancement, P3)

Product:
Core
Component:
JavaScript Engine
Type:
enhancement

Tracking

()

People

(Reporter: mismith, Unassigned)

References

(Blocks 1 open bug)

Details

Attachments

(1 file)

Bug 1729596 - Assert all NativeObject slot accesses are in-span r?iain
(deleted), text/x-phabricator-request
Details

Previously, slot accessors in NativeObject asserted only that slot indices were within capacity (i.e., slot < numFixedSlots() or slot < numFixedSlots() + numDynamicSlots()). However, slot accesses should also be within the actual slot span. If a shape says that "objects with this shape span 3 slots", then slot indices accessed on those objects should be within [0, 3), even if we allocate 4 slots' worth of capacity in practice to avoid reallocation. Add asserts to ensure this is truly the case.

The attached patch passes all jstests and jit-tests, but a broader try run may be in order before fully landing it.

Previously, slot accessors in NativeObject asserted only that slot
indices were within capacity (i.e., slot < numFixedSlots() or slot < numFixedSlots() + numDynamicSlots()). However, slot accesses should
also be within the actual slot span. If a shape says that "objects
with this shape span 3 slots", then slot indices accessed on those
objects should be within [0, 3), even if we allocate 4 slots' worth of
capacity in practice to avoid reallocation. Add asserts to ensure this
is truly the case.

This patch gets there in a few steps:

  • Add a few more xxxMaybeForwarded method variants to NativeObject
    to account for accesses coming from trace hooks.

  • Change NativeObject::slotInRange from checking the slot index
    against the slot capacity to checking it against the slot span, while
    still asserting that the slot span is within capacity.

  • Annotate anywhere we assert NativeObject::slotIsFixed(slot) with an
    additional NativeObject::slotInRange(slot).

Assignee: nobody → lists
Status: NEW → ASSIGNED

Required Rationale: Changing severity to S3 because enhancement

Severity: -- → S3
Priority: -- → P3

There's a r+ patch which didn't land and no activity in this bug for 2 weeks.
:mismith, could you have a look please?
For more information, please visit auto_nag documentation.

Flags: needinfo?(lists)
Flags: needinfo?(iireland)
Flags: needinfo?(iireland)

The bug assignee didn't login in Bugzilla in the last 7 months, so the assignee is being reset.

Assignee: lists → nobody
Status: ASSIGNED → NEW

Redirect a needinfo that is pending on an inactive user to the triage owner.
:sdetar, since the bug has recent activity, could you have a look please?

For more information, please visit auto_nag documentation.

Flags: needinfo?(lists) → needinfo?(sdetar)
Flags: needinfo?(sdetar)
You need to log in before you can comment on or make changes to this bug.

Attachment

General

Creator:
Created:
Updated:
Size: