Closed Bug 1377055 Opened 7 years ago Closed 7 years ago

Disallow setting JSCLASS_SKIP_NURSERY_FINALIZE on proxies

Categories

(Core :: JavaScript Engine, enhancement)

Product:
Core
Component:
JavaScript Engine
Version:
53 Branch
Type:
enhancement
Priority:
Not set
Severity:
normal

Tracking

()

Status:
RESOLVED FIXED
Milestone:
mozilla56
Tracking Flags:
Tracking Status
firefox56 --- fixed

People

(Reporter: bzbarsky, Assigned: bzbarsky)

References

(Depends on 1 open bug)

Details

Attachments

(1 file)

Assert that JSCLASS_SKIP_NURSERY_FINALIZE is not used on proxies
1.86 KB, patch
jonco
: review+
Details | Diff | Splinter Review
We don't seem to support this at the moment. I tried to implement this, but ran into two problems: 1) Why does js::GetInitialHeap assert that NurseryAllocatedProxy objects don't have this flag set? 2) In ProxyObject::New, why do we disallow nursery allocation if |handler->finalizeInBackground(priv)| returns false? What does background finalization have to do with whether the proxy can be allocated in the nursery? Especially in the case when JSCLASS_SKIP_NURSERY_FINALIZE is set, so the finalizer won't even be called while in the nursery? As a local hack, I've made that condition: (!handler->finalizeInBackground(priv) && !CanNurseryAllocateFinalizedClass(clasp)) but I'm not sure whether that's right. Also, it's a bit odd that we have handler->canNurseryAllocate() which can be set independently of JSCLASS_SKIP_NURSERY_FINALIZE. Note to self: proxy_Finalize does things other than calling the handler's finalize() hook. Need to check whether the freeing of the value array it does is ok.
Er, I meant to needinfo jonco for the questions in comment 0.
Flags: needinfo?(jcoppeard)
(In reply to Boris Zbarsky [:bz] (if a patch has no decent message, automatic r-) from comment #0) > 1) Why does js::GetInitialHeap assert that NurseryAllocatedProxy objects > don't have this flag set? Passing NurseryAllocatedProxy is a way to circumvent the default behaviour for a class with a finalizer and without the JSCLASS_SKIP_NURSERY_FINALIZE flag set which is that it gets allocated in the tenured heap (the last if statement in this function). So if this flag was set you wouldn't need to use NurseryAllocatedProxy.
(In reply to Boris Zbarsky [:bz] (if a patch has no decent message, automatic r-) from comment #0) > 2) In ProxyObject::New, why do we disallow nursery allocation if > |handler->finalizeInBackground(priv)| returns false? I don't know why we do this. Possibly it's something to do with making sure that the background/foreground finalization state of proxies ends up the same as that of their target, but I can't see why right now. I'll try taking the check out and do some testing.
Flags: needinfo?(jcoppeard)
Depends on: 1377190
(In reply to Jon Coppeard (:jonco) from comment #3) > I'll try taking the check out and do some testing. Try push here: https://treeherder.mozilla.org/#/jobs?repo=try&revision=c93910fbf53242dcb9d6e59f28ab36880d583ea4&group_state=expanded
Depends on: 1377368
OK, given that question 2 got spun out into bug 1377368, let's mutate this bug to remove the footgun.
Summary: Support JSCLASS_SKIP_NURSERY_FINALIZE proxies → Disallow setting JSCLASS_SKIP_NURSERY_FINALIZE on proxies
Comment on attachment 8882586 [details] [diff] [review] Assert that JSCLASS_SKIP_NURSERY_FINALIZE is not used on proxies Review of attachment 8882586 [details] [diff] [review]: ----------------------------------------------------------------- Great, thanks the the patch.
Attachment #8882586 - Flags: review?(jcoppeard) → review+
Pushed by bzbarsky@mozilla.com: https://hg.mozilla.org/integration/autoland/rev/159610c3ad34 Assert that JSCLASS_SKIP_NURSERY_FINALIZE is not used on proxies. r=jonco
https://hg.mozilla.org/mozilla-central/rev/159610c3ad34
Status: NEW → RESOLVED
Closed: 7 years ago
status-firefox56: --- → fixed
Resolution: --- → FIXED
Target Milestone: --- → mozilla56
You need to log in before you can comment on or make changes to this bug.

Attachment

General

Creator:
Created:
Updated:
Size: