Open Bug 1545278 Opened 7 months ago Updated 4 months ago

Programmatically restrict the types of objects that may JS_TransplantObject

Categories

(Core :: JavaScript Engine: JIT, enhancement, P3)

Tracking

REOPENED
mozilla70
Tracking Status
firefox70 --- affected

People

(Reporter: tcampbell, Assigned: tcampbell)

Details

(Keywords: leave-open)

Attachments

(2 files)

So-called "brain transplants" are a thorn in the side of the JITs that can restrict optimizations or introduce bugs. In practice, we use these for very specialized use-cases (e.g. Document.adoptNode and WindowProxy navigation). We should add a js::ObjectMayBeSwapped() helper that JSObject::swap will check as well as any JIT optimizations that rely on the absence of swapping. This has the effect of documenting the places in the JITs that would like to ignore transplants in order to achieve simplicity or performance.

JS_TransplantObject is a very powerful API that results in the JITs
having to worry about the type of objects changing in surprising ways.
In practice though, there are very limited uses of this API so we can
add an API to determine which objects have to worry about transplanting.
This can then be asserted in JITs to document places that optimize
performance by expecting not to deal with transplants.

Before the JIT assumes that an object with the same pointer identity
will have the same immutable state it did last time, we now assert
!js::ObjectMayBeSwapped.

Also add CacheIR helpers to better classify different reasons for using
guardSpecificObject.

Depends on D27975
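
A toy C++ model of the invariant described above, added here as an illustration and not taken from the SpiderMonkey patches. Only the name ObjectMayBeSwapped comes from the bug; the types, the per-class flag, the exception on a rejected swap and the stub are assumptions.

```cpp
#include <cassert>
#include <stdexcept>
#include <utility>

// Toy model only: every name except ObjectMayBeSwapped is hypothetical,
// and none of this is SpiderMonkey code.
struct ToyClass { const char* name; bool maySwap; };  // assumption: decided per class
struct ToyObject { const ToyClass* clasp; int slot; };

// Stand-in for the proposed js::ObjectMayBeSwapped() predicate.
bool ObjectMayBeSwapped(const ToyObject& obj) { return obj.clasp->maySwap; }

// Stand-in for JSObject::swap: contents are exchanged but addresses are not,
// so existing pointers see a different kind of object afterwards.
void SwapObjects(ToyObject& a, ToyObject& b) {
    if (!ObjectMayBeSwapped(a) || !ObjectMayBeSwapped(b))
        throw std::logic_error("swap of an object that must not be transplanted");
    std::swap(a, b);
}

// Stand-in for a JIT stub that guards on pointer identity alone and reuses
// state read from the object when the stub was created.
struct IdentityStub {
    const ToyObject* expected;
    const ToyClass* cachedClass;
    explicit IdentityStub(const ToyObject& obj) : expected(&obj), cachedClass(obj.clasp) {
        assert(!ObjectMayBeSwapped(obj));  // documents the no-transplant assumption
    }
    bool stillValid() const { return expected->clasp == cachedClass; }
};

const ToyClass kPlain{"Plain", false};               // constructed sample classes
const ToyClass kWindowProxy{"WindowProxyLike", true};
const ToyClass kOtherProxy{"OtherProxyLike", true};

// A swappable object changes class behind an unchanged pointer.
bool SwappableObjectChangesClass() {
    ToyObject a{&kWindowProxy, 1}, b{&kOtherProxy, 2};
    const ToyObject* p = &a;
    SwapObjects(a, b);
    return p->clasp == &kOtherProxy && p->slot == 2;
}

// A stubbed (non-swappable) object cannot be swapped, so the stub stays valid.
bool StubSurvivesRejectedSwap() {
    ToyObject plain{&kPlain, 7}, proxy{&kWindowProxy, 1};
    IdentityStub stub(plain);
    bool rejected = false;
    try { SwapObjects(plain, proxy); } catch (const std::logic_error&) { rejected = true; }
    return rejected && stub.stillValid() && plain.slot == 7;
}
```
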

Pushed by tcampbell@mozilla.com:
https://hg.mozilla.org/integration/autoland/rev/0385c65eab37
Add js::ObjectMayBeSwapped and restrict transplanting. r=iain
Status: NEW → RESOLVED
Closed: 4 months ago
Resolution: --- → FIXED
Target Milestone: --- → mozilla70

(I forgot to set leave-open. The part two patch needs some work, but something similar is still worth landing)

Status: RESOLVED → REOPENED
Keywords: leave-open
Resolution: FIXED → ---