Closed
Bug 651451
Opened 13 years ago
Closed 13 years ago
TI: dense array initializedLength can be > length
Categories
(Core :: JavaScript Engine, defect)
Core
JavaScript Engine
Tracking
()
RESOLVED
FIXED
People
(Reporter: jandem, Assigned: jandem)
References
Details
Attachments
(1 file)
|
1.13 KB,
patch
|
bhackett1024
:
review+
|
Details | Diff | Splinter Review |
Reduced from a failing Mochitest-2 test: -- var arr = [2]; arr.pop(); arr[0] = 2; assertEq(arr.length, 1); -- $ ./js -n -a -m test.js test.js:5: Error: Assertion failed: got 0, expected 1 The problem is that jsop_setelem_dense does not update the array length if index < initializedLength.
|
Assignee | |
Comment 1•13 years ago
|
||
Ah, just read some code and I think initializedLength should never be smaller than length when TI is enabled (so we only have to check initializedLength). Taking.
Assignee: general → jandemooij
Status: NEW → ASSIGNED
Summary: TI+JM: array length not updated if length < initializedLength → TI: dense array initializedLength can be > length
|
|
Assignee | |
Comment 2•13 years ago
|
||
Update initialized length in array_pop_dense. Also checked array_shift and other callers of setDenseArrayLength but this seems to be the only problem.
Attachment #527258 -
Flags: review?(bhackett1024)
|
||
Updated•13 years ago
|
Attachment #527258 -
Flags: review?(bhackett1024) → review+
|
|
Assignee | |
Comment 3•13 years ago
|
||
http://hg.mozilla.org/projects/jaegermonkey/rev/a1accb5f00f0
Status: ASSIGNED → RESOLVED
Closed: 13 years ago
Resolution: --- → FIXED
What happens if I do: a = [1, 2, 3]; a.length = 0xffff; I would expect initializedLength to be 3 (plus whatever round-up) and length to be materially larger. Does this just disable TI?
|
|
||
Comment 5•13 years ago
|
||
Yes, the initialized length will still be three here, it can be less than the length property. If the assignment to a.length shrinks below the initialized length, the initialized length should be adjusted so it is <= the length property (effectively marking later slots as holes). That is similar to the bug here, where pop() (which shrinks the array) did not ensure the initialized length is <= the length. When inference is enabled in a compartment, the invariants we want to preserve are: initializedLength <= length (property of the object) initializedLength <= capacity (allocated space for slots) It can be less than either though (not a MINLENCAP retread). This is designed to handle patterns like: x = Array(1000); for (i = 0; i < 1000; i++) x[i] = 0; At the head of the loop, the initialized length will be 'i', though the length and capacity are generally larger, and we can determine there are no holes below the initialized length. This doesn't handle patterns like: x = Array(1000); for (i = 999; i >= 0; i--) x[i] = 0; This is similar to the array usage pattern seen in v8-crypto, and if we could dynamically determine the array is packed afterwards, that would help this benchmark.
|
|
Assignee | |
Comment 6•13 years ago
|
||
Follow-up fix as discussed on IRC: http://hg.mozilla.org/projects/jaegermonkey/rev/c8cf06975dcf If initializedLength < length we should not change it.
You need to log in
before you can comment on or make changes to this bug.
Description
•