Closed
Bug 1479718
Opened 6 years ago
Closed 6 years ago
Allow Wasm to neuter the constructor for a generated TO struct that has (ref T) typed fields
Categories
(Core :: JavaScript: WebAssembly, enhancement, P3)
Tracking
RESOLVED
FIXED
mozilla63
Release | Tracking | Status |
---|---|---|
firefox63 | --- | fixed |
People
(Reporter: lth, Assigned: lth)
Attachments (1 file)
patch (7.29 KB) | till: review+
For now, we don't want to deal with type export from a wasm module, so we must not expose functionality that allows JS to store pointers into TO fields that have type constraints more specific than 'anyref'. As the constructor for a type can be obtained from the instance of the type, and the constructor can be used to perform such a store, we must be able to mark the constructor as not-invokable.
Comment 1 (Assignee) • 6 years ago
This seems to be sufficient except for the following, which I think we should clean up: The MUTABLE flag that was introduced in bug 1478982 is only really used on primitive fields right now and does double duty here as a CONSTRUCTIBLE flag. I don't actually think this is a great idea since the current TO system can have fields of struct type and those fields can be immutable, while those struct types can themselves be full object types where they will need an independent bit to indicate constructibility. Instead of introducing a bunch of single-bit slots on the object we should shift to a flag vector and then we'll use fewer slots and have greater flexibility.
Attachment #8996249 - Flags: feedback?(till)
Comment 2 • 6 years ago
Comment on attachment 8996249: bug1479718-neuter-to-constructor.patch
Review of attachment 8996249:
I agree that it'd be nice to clean up the flags situation. I'd be entirely ok with landing this as-is in the meantime, however: it doesn't seem strictly necessary to clean this up as a precondition to landing. I'll of course not stand in the way of doing the cleanup, but r=me, with or without nit addressed, just in case :)
::: js/src/builtin/TypedObject.h @@ +334,5 @@ > return getReservedSlot(JS_DESCR_SLOT_TYPROTO).toObject().as<TypedProto>(); > } > + > + bool allowConstruct() const { > + bool b = getReservedSlot(JS_DESCR_SLOT_ALLOW_CONSTRUCT).toBoolean();
Nit: could just return the result of toBoolean directly.
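Review bot: In allowConstruct(), getReservedSlot(JS_DESCR_SLOT_ALLOW_CONSTRUCT).toBoolean() is only valid when the slot already holds a boolean, and the quoted lines do not show where the slot is written. Since this bit decides whether JS may invoke the constructor, it is worth confirming that every path that creates a type descriptor initializes the slot, and adding a short comment on the accessor that says who sets it and what a false value means.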
Attachment #8996249 - Flags: feedback?(till) → review+
Pushed by lhansen@mozilla.com:
https://hg.mozilla.org/integration/mozilla-inbound/rev/1cd14797e7cc
Allow Wasm to prevent a TypedObject constructor from being invoked from JS. r=till
Comment 4 • 6 years ago
bugherder
https://hg.mozilla.org/mozilla-central/rev/1cd14797e7cc
Status: ASSIGNED → RESOLVED
Closed: 6 years ago
status-firefox63: --- → fixed
Resolution: --- → FIXED
Target Milestone: --- → mozilla63