TM: unsound embedding of GC things in the jitted code

Status: RESOLVED INVALID
Product: Core
Component: JavaScript Engine
Reported: 9 years ago
Modified: 9 years ago

Reporter: Igor Bukanov (Unassigned)


Description

9 years ago
Currently the jitted code may contain embedded pointers to GC things like JSObject or JSString. This is not sound, since the jitted code is not flushed during the GC. Thus it could be possible that the embedded GC thing would be collected and a new GC thing is allocated at the same address, defeating the jitted code's assumption about the unique identity of GC things.

Comment 1

9 years ago
Do you have a testcase for this bug?

During GC, TraceTraceMonitor sets TraceMonitor.needFlush, which will flush the trace cache as soon as possible. The reason we don't flush immediately is that native code might still be on the stack and needs to unwind. We do not touch any of the embedded GC things during unwinding.
Status: NEW → RESOLVED
Last Resolved: 9 years ago
Resolution: --- → INVALID

Comment 2

9 years ago
Right, this is what I had missed: the trace cannot be entered without calling js_CheckGlobalObjectShape, which will return false after the GC, forcing js_FlushJITCache.
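The two comments above describe a deferred-invalidation pattern: the GC does not patch or flush native code while it may still be on the stack, it only sets a flag, and the one path that can re-enter a trace checks that flag first. The following is a constructed model written for this page, not SpiderMonkey code; the names `js_CheckGlobalObjectShape`, `js_FlushJITCache` and `need_flush` mirror the bug's vocabulary, but their bodies, the toy heap and the `Trace` struct are hypothetical. It shows the identity confusion the reporter worried about (a freed slot reused at the same address after GC) and how the entry gate prevents a stale trace from ever running against it.

```c
#include <assert.h>
#include <stdbool.h>
#include <stddef.h>
#include <stdio.h>

/* Constructed model (hypothetical, not SpiderMonkey code). */

typedef struct GCThing {
    int id;        /* unique identity of the live object */
    bool marked;   /* reachable from the roots during the current GC */
} GCThing;

#define HEAP_SLOTS 4
static GCThing heap[HEAP_SLOTS];
static bool slot_in_use[HEAP_SLOTS];
static int next_id = 1;

/* Roots: the pointers the GC treats as live. */
static GCThing *roots[HEAP_SLOTS];
static int num_roots;

/* The trace cache: a single compiled trace that baked a raw GC pointer
 * into its "native code" together with the identity it expects there. */
typedef struct Trace {
    bool valid;
    GCThing *embedded;
    int embedded_id;
} Trace;

static Trace trace_cache;
static bool need_flush;   /* stands in for TraceMonitor.needFlush */

static GCThing *gc_alloc(void) {
    for (int i = 0; i < HEAP_SLOTS; i++) {
        if (!slot_in_use[i]) {
            slot_in_use[i] = true;
            heap[i].id = next_id++;
            heap[i].marked = false;
            return &heap[i];
        }
    }
    return NULL;
}

static void add_root(GCThing *t) { roots[num_roots++] = t; }
static void clear_roots(void) { num_roots = 0; }

/* Mark-and-sweep over the toy heap. The trace cache is deliberately not a
 * root and is not patched here; as in the bug, the GC only requests a
 * flush because native code may still be on the stack and must unwind. */
static void gc(void) {
    for (int i = 0; i < HEAP_SLOTS; i++) heap[i].marked = false;
    for (int r = 0; r < num_roots; r++) roots[r]->marked = true;
    for (int i = 0; i < HEAP_SLOTS; i++)
        if (slot_in_use[i] && !heap[i].marked) slot_in_use[i] = false;
    need_flush = true;
}

/* Record a trace that captures obj's address and current identity. */
static void record_trace(GCThing *obj) {
    trace_cache.valid = true;
    trace_cache.embedded = obj;
    trace_cache.embedded_id = obj->id;
}

static void js_FlushJITCache(void) {
    trace_cache.valid = false;
    need_flush = false;
}

/* The gate from comment 2: after a GC, refuse entry and flush the cache. */
static bool js_CheckGlobalObjectShape(void) {
    if (need_flush) { js_FlushJITCache(); return false; }
    return true;
}

/* 1 = trace ran and the embedded identity still matched,
 * 0 = trace not entered (no valid trace, or the gate refused),
 * -1 = trace ran against a stale pointer: the unsound case. */
static int try_enter_trace(bool gated) {
    if (gated && !js_CheckGlobalObjectShape()) return 0;
    if (!trace_cache.valid) return 0;
    /* The "native code" dereferences the baked-in address. In this model
     * the slot has been reused, so the read succeeds but the identity differs. */
    return trace_cache.embedded->id == trace_cache.embedded_id ? 1 : -1;
}

/* Scenario: record a trace on object a, drop a, GC, then allocate b,
 * which lands at a's old address with a new identity. */
static int run_scenario(bool gated) {
    for (int i = 0; i < HEAP_SLOTS; i++) slot_in_use[i] = false;
    next_id = 1; need_flush = false; trace_cache.valid = false; clear_roots();

    GCThing *a = gc_alloc();
    add_root(a);
    record_trace(a);
    clear_roots();            /* a becomes unreachable */
    gc();                     /* a's slot is freed; need_flush is set */
    GCThing *b = gc_alloc();  /* reuses a's address */
    assert(b == a);
    add_root(b);
    return try_enter_trace(gated);
}

int main(void) {
    printf("ungated entry: %d\n", run_scenario(false));
    printf("gated entry:   %d\n", run_scenario(true));
    return 0;
}
```

Without the gate the trace executes with `embedded` pointing at a different object that merely shares the address, which is exactly the identity assumption the report says is violated. With the gate, `js_CheckGlobalObjectShape` observes `need_flush`, flushes the cache and returns false, so the stale trace is never entered and is re-recorded on a later run.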