Open Bug 1503940 Opened 6 years ago Updated 6 months ago

Audit use of getDenseInitalizedLength outside of fast-path array code

Categories

(Core :: JavaScript Engine, enhancement, P3)

Product:
Core
Component:
JavaScript Engine
Type:
enhancement

Tracking

()

People

(Reporter: jorendorff, Unassigned)

References

(Blocks 1 open bug)

Details

Spun off from <https://phabricator.services.mozilla.com/D10086#inline-43883>, where Ted wrote: > Gah! I'm surprised that getDenseInitializedLength is even accessible.. This > is a dirty implementation detail. [...] follow-up bug for any > getDenseInitalizedLength in Streams/Promises. The helper should also > release-assert NONPACKED and ! INDEXED because we are playing with fire > here. Usage of dense elements is a bit more widespread than that: https://searchfox.org/mozilla-central/search?q=getDenseInitializedLength&path= Stuff like TestingFunctions.cpp!GetWaitForAllPromise is super easy to get rid of; it can just use the standard iteration protocol. For places where we really just want a vector of Values, we could make List-inl.h more full-featured (and assertive) and use that.
I think the focus should be on js/src/builtins. The dense elements are very much an implementation detail and I feel builtins should be at least slightly shielded from it. Array of course is justified in understanding these implementation details, but other types that just need internal vectors should not. - Promise reaction list - Stream read requests, pending pull-intos, queues - MapIteratorObject - WeakSetObject - TypedObject fieldNames
Severity: normal → S3
Blocks: sm-runtime
Severity: S3 → N/A
You need to log in before you can comment on or make changes to this bug.