Closed
Bug 463320
Opened 17 years ago
Closed 17 years ago
TM: Check for error return from Array_p_push1/pop on trace
Categories
(Core :: JavaScript Engine, defect, P1)
Tracking
()
RESOLVED
FIXED
People
(Reporter: jorendorff, Assigned: jorendorff)
Details
(Keywords: fixed1.9.1, Whiteboard: fixed-in-tracemonkey)
Attachments
(1 file)
|
570 bytes,
patch
|
Details | Diff | Splinter Review |
Traceable natives with errtype FAIL_JSVAL return JSVAL_ERROR_COOKIE to indicate that an error occurred, but currently we don't guard for that.
|
||
Updated•17 years ago
|
Flags: blocking1.9.1+
|
||
Updated•17 years ago
|
Assignee: general → jwalden+bmo
Status: NEW → ASSIGNED
|
|
||
Comment 1•17 years ago
|
||
Attachment #351095 -
Flags: review?(jorendorff)
|
Assignee | |
Comment 2•17 years ago
|
||
Comment on attachment 351095 [details] [diff] [review]
Is this really it?
If push or pop fails in certain ways *after* modifying the array, then this has a bug.
OOM_EXIT causes control to return to the interpreter, which retries the instruction.
If retrying succeeds (e.g. if the traceable native failed because GC was needed), then the element was pushed or popped twice.
Offhand I don't see how that can happen. But I don't like the fragility here.
r+ but let's rip this stuff out once we can call JSFastNatives on trace.
|
|
Assignee | |
Updated•17 years ago
|
Attachment #351095 -
Flags: review?(jorendorff) → review+
|
|
Assignee | |
Comment 3•17 years ago
|
||
Comment on attachment 351095 [details] [diff] [review]
Is this really it?
I take it back. There may be a better reason we can't do this; redirecting the review to gal.
Attachment #351095 -
Flags: review+ → review?(gal)
|
|
||
Comment 4•17 years ago
|
||
Comment on attachment 351095 [details] [diff] [review]
Is this really it?
(In reply to comment #2)
> (From update of attachment 351095 [details] [diff] [review])
> If push or pop fails in certain ways *after* modifying the array, then this has
> a bug.
>
> OOM_EXIT causes control to return to the interpreter, which retries the
> instruction.
>
> If retrying succeeds (e.g. if the traceable native failed because GC was
> needed), then the element was pushed or popped twice.
>
> Offhand I don't see how that can happen. But I don't like the fragility here.
I do -- if we handled it correctly, push on an array with 2**32-2 elements would add properties and then throw when trying to set length to 2**32 (because ToUint32(2**32) != 2**32).
Frankly, I don't see how it's possible to differentiate between the two. Maybe we could check whether such functions are pure or not?
Attachment #351095 -
Flags: review?(gal)
|
|
Assignee | |
Comment 5•17 years ago
|
||
Oh, now I see what you were asking on IRC earlier. Throwing an actual exception is no problem, because when we fall back into the interpreter, we check (cx->throwing) and we do not retry if it's set.
|
|
||
Comment 6•17 years ago
|
||
Comment on attachment 351095 [details] [diff] [review]
Is this really it?
Ah, restoring flag then...
Attachment #351095 -
Flags: review?(gal)
|
|
||
Comment 7•17 years ago
|
||
I mentioned a recent es-discuss thread on this topic, and Waldo recalled ES3.1 addressing the issue (or else that it should). If we can catch length overflow early before effects are committed, and track or get that into 3.1, we should.
/be
|
|
||
Comment 8•17 years ago
|
||
Summary of discussion with waldo: push should return always int, and error flag if index very large (> signed int). pop should not ever error. If it does (sealed object) that it should check error first so we can re-execute safely.
|
|
||
Comment 9•17 years ago
|
||
Note: we ALWAYS re-execute, even across branches.
|
|
||
Comment 10•17 years ago
|
||
Comment on attachment 351095 [details] [diff] [review]
Is this really it?
Waldo will rewrite the patch as discussed above.
Attachment #351095 -
Flags: review?(gal)
|
|
Assignee | |
Comment 11•17 years ago
|
||
(In reply to comment #8)
> Summary of discussion with waldo: push should return always int, and error flag
> if index very large (> signed int). pop should not ever error. If it does
> (sealed object) that it should check error first so we can re-execute safely.
Is comment 5 wrong? I thought exceptions were no problem.
|
|
||
Updated•17 years ago
|
Priority: -- → P1
|
|
||
Comment 12•17 years ago
|
||
I think I'm going to have to throw this back in the pool; I have other blockers I'm making much more progress on, and to be honest I don't actually remember the rationales that backed comment 8, so I'd need to address that first before making progress here anyway. Next time that gets explained we need to make sure to put the explanation here so it's not forgotten. :-\
Assignee: jwalden+bmo → general
Status: ASSIGNED → NEW
|
|
Assignee | |
Comment 13•17 years ago
|
||
This is P1, blocking, and unassigned. I'll take it since I'm in that neighborhood right now...
Assignee: general → jorendorff
|
|
Assignee | |
Comment 14•17 years ago
|
||
Note: There's a fix for this in the "part 2" patch in bug 462027.
|
|
Assignee | |
Comment 15•17 years ago
|
||
Fixed in tracemonkey when bug 462027 landed.
Whiteboard: fixed-in-tracemonkey
|
|
||
Updated•17 years ago
|
Status: NEW → RESOLVED
Closed: 17 years ago
Resolution: --- → FIXED
You need to log in
before you can comment on or make changes to this bug.
Description
•