Closed Bug 1471841 Opened 6 years ago Closed 6 years ago

Move WouldDefinePastNonwritableLength into NativeObject.cpp

Categories

(Core :: JavaScript Engine, enhancement)

Product:
Core
Component:
JavaScript Engine
Type:
enhancement
Priority:
Not set
Severity:
normal

Tracking

()

Status:
RESOLVED FIXED
Milestone:
mozilla63
Tracking Flags:
Tracking Status
firefox63 --- fixed

People

(Reporter: anba, Assigned: anba)

Details

Attachments

(1 file, 1 obsolete file)

bug1471841.patch
8.05 KB, patch
anba
: review+
Details | Diff | Splinter Review 
WouldDefinePastNonwritableLength is only used within NativeObject.cpp, so moving it there should helper the compiler potentially inlining it.
Attached patch bug1471841.patch (obsolete) — Splinter Review 
Moves WouldDefinePastNonwritableLength into NativeObject.

I've also removed the type check from WouldDefinePastNonwritableLength, because all callers except for SetDenseOrTypedArrayElement already call it with ArrayObjects.

Also SetDenseOrTypedArrayElement doesn't really seem to need the WouldDefinePastNonwritableLength check, because an existing dense array element can't have an index greater-or-equals than the array's length, can it? 

And I've changed the fail-soft error for typed arrays in SetDenseOrTypedArrayElement from JSMSG_BAD_INDEX to JSMSG_TYPED_ARRAY_DETACHED and added a comment (and an assertion) explaining when the out-of-bounds write access can actually happen.

And finally the patch also removes an unused parameter from SetExistingProperty.

Phew, that was a bit more than simply moving WouldDefinePastNonwritableLength into NativeObject.cpp. :-)
Attachment #8988454 - Flags: review?(jdemooij)
Comment on attachment 8988454 [details] [diff] [review]
bug1471841.patch

Review of attachment 8988454 [details] [diff] [review]:
-----------------------------------------------------------------

Very nice.

::: js/src/vm/NativeObject.cpp
@@ +2657,5 @@
>              TypedArrayObject::setElement(obj->as<TypedArrayObject>(), index, d);
>              return result.succeed();
>          }
>  
> +        // An existing typed array element is now out-of-bounds implies the

s/implies/implying/ ?

@@ +2666,4 @@
>      }
>  
> +    MOZ_ASSERT_IF(obj->is<ArrayObject>(),
> +                  !WouldDefinePastNonwritableLength(&obj->as<ArrayObject>(), index));

Yes this is fine, we could even MOZ_ASSERT(obj->containsDenseElement(index)) I think? If we're just setting an existing element the non-writable length stuff is irrelevant anyway.
Attachment #8988454 - Flags: review?(jdemooij) → review+
Attached patch bug1471841.patchSplinter Review 
Updated patch to use |NativeObject::containsDenseElement(...)| per review comments and slightly reworded one comment. Carrying r+.
Attachment #8988454 - Attachment is obsolete: true
Attachment #8988593 - Flags: review+
Pushed by nbeleuzu@mozilla.com:
https://hg.mozilla.org/integration/mozilla-inbound/rev/ffa64e3aff88
Move WouldDefinePastNonwritableLength into NativeObject.cpp. r=jandem
Keywords: checkin-needed
https://hg.mozilla.org/mozilla-central/rev/ffa64e3aff88
Status: ASSIGNED → RESOLVED
Closed: 6 years ago
status-firefox63: --- → fixed
Resolution: --- → FIXED
Target Milestone: --- → mozilla63
You need to log in before you can comment on or make changes to this bug.

Attachment

General

Creator:
Created:
Updated:
Size: