Closed Bug 1605591 Opened 4 years ago Closed 4 years ago

Check if bytecode exists before accessing length in JITs

Categories

(Core :: JavaScript Engine: JIT, task, P2)

Product:
Core
Component:
JavaScript Engine: JIT
Type:
task

Tracking

()

Status:
RESOLVED FIXED
Milestone:
mozilla73
Tracking Flags:
Tracking Status
firefox73 --- fixed

People

(Reporter: tcampbell, Assigned: tcampbell)

References

Details

Attachments

(5 files)

Bug 1605591 - Factor out BoundFunctionLength in IonMonkey. r?jandem
47 bytes, text/x-phabricator-request
Details | Review
Bug 1605591 - Factor out BoundFunctionFlags in IonMonkey. r?jandem
47 bytes, text/x-phabricator-request
Details | Review
Bug 1605591 - Always check sharedData before reading funLength. r?jandem
47 bytes, text/x-phabricator-request
Details | Review
Bug 1605591 - Factor out BoundFunctionName in IonMonkey. r?jandem
47 bytes, text/x-phabricator-request
Details | Review
Bug 1605591 - Add MacroAssembler::loadFunctionLength method. r?jandem
47 bytes, text/x-phabricator-request
Details | Review
No description provided.

In [1,2] we access the ImmutableScriptData::funLength field after checking for the INTERPRETED bit on function. Once this flag is removed, we'll have to handle the lazy case in another way. This can be done by checking if the BaseScript::sharedData() pointer is null before dereferencing it.

Special care must be taken in the bound function init case in Ion so that side-effects don't cause problems.

[1] https://searchfox.org/mozilla-central/rev/8d04c3f5332d470eeae5aa3dc0ed132359a339c1/js/src/jit/CacheIRCompiler.cpp#2975
[2] https://searchfox.org/mozilla-central/rev/8d04c3f5332d470eeae5aa3dc0ed132359a339c1/js/src/jit/CodeGenerator.cpp#13850

Factor out the bound-function length computation from Ion code generator.
This is to make register usage and clobbers easier to understand.

In the bound function case, we move the length initialization before the name
is set. This may result in the length being set before the guards are all
finished, but that doesn't affect the slow-path.

Depends on D58083

Use this to share the lookup code between CacheIR and Ion. Note that in the
CacheIR case we clobber the flags register, while for Ion we preserve it.

I've added another patch to do some cleanup, but will push the main patches to reduce size of lazyscript-removal stack.

Keywords: leave-open
Pushed by tcampbell@mozilla.com:
https://hg.mozilla.org/integration/autoland/rev/46f0c623959a
Factor out BoundFunctionLength in IonMonkey. r=jandem
https://hg.mozilla.org/integration/autoland/rev/4c34b7791e88
Factor out BoundFunctionFlags in IonMonkey. r=jandem
https://hg.mozilla.org/integration/autoland/rev/9ec61acfd6fc
Always check sharedData before reading funLength. r=jandem
https://hg.mozilla.org/integration/autoland/rev/48159e53bfb8
Factor out BoundFunctionName in IonMonkey. r=jandem
Pushed by tcampbell@mozilla.com:
https://hg.mozilla.org/integration/autoland/rev/44894f33514a
Add MacroAssembler::loadFunctionLength method. r=jandem
Keywords: leave-open

https://hg.mozilla.org/mozilla-central/rev/44894f33514a

Status: NEW → RESOLVED
Closed: 4 years ago
status-firefox73: --- → fixed
Resolution: --- → FIXED
Target Milestone: --- → mozilla73
You need to log in before you can comment on or make changes to this bug.

Attachment

General

Creator:
Created:
Updated:
Size: