TI: dense array initializedLength can be > length




JavaScript Engine
6 years ago
6 years ago


(Reporter: jandem, Assigned: jandem)


(Blocks: 1 bug)

Firefox Tracking Flags

(Not tracked)



(1 attachment)



6 years ago
Reduced from a failing Mochitest-2 test:
var arr = [2];

arr[0] = 2;
assertEq(arr.length, 1);
$ ./js -n -a -m test.js
test.js:5: Error: Assertion failed: got 0, expected 1

The problem is that jsop_setelem_dense does not update the array length if index < initializedLength.

Comment 1

6 years ago
Ah, just read some code and I think initializedLength should never be smaller than length when TI is enabled (so we only have to check initializedLength). 

Assignee: general → jandemooij
Summary: TI+JM: array length not updated if length < initializedLength → TI: dense array initializedLength can be > length

Comment 2

6 years ago
Created attachment 527258 [details] [diff] [review]

Update initialized length in array_pop_dense. Also checked array_shift and other callers of setDenseArrayLength but this seems to be the only problem.
Attachment #527258 - Flags: review?(bhackett1024)
Attachment #527258 - Flags: review?(bhackett1024) → review+

Comment 3

6 years ago
Last Resolved: 6 years ago
Resolution: --- → FIXED
What happens if I do:
a = [1, 2, 3];
a.length = 0xffff;

I would expect initializedLength to be 3 (plus whatever round-up) and length to be materially larger.  Does this just disable TI?
Yes, the initialized length will still be three here, it can be less than the length property.  If the assignment to a.length shrinks below the initialized length, the initialized length should be adjusted so it is <= the length property (effectively marking later slots as holes).  That is similar to the bug here, where pop() (which shrinks the array) did not ensure the initialized length is <= the length.

When inference is enabled in a compartment, the invariants we want to preserve are:

initializedLength <= length   (property of the object)
initializedLength <= capacity (allocated space for slots)

It can be less than either though (not a MINLENCAP retread).  This is designed to handle patterns like:

x = Array(1000);
for (i = 0; i < 1000; i++)
  x[i] = 0;

At the head of the loop, the initialized length will be 'i', though the length and capacity are generally larger, and we can determine there are no holes below the initialized length.  This doesn't handle patterns like:

x = Array(1000);
for (i = 999; i >= 0; i--)
  x[i] = 0;

This is similar to the array usage pattern seen in v8-crypto, and if we could dynamically determine the array is packed afterwards, that would help this benchmark.

Comment 6

6 years ago
Follow-up fix as discussed on IRC: http://hg.mozilla.org/projects/jaegermonkey/rev/c8cf06975dcf

If initializedLength < length we should not change it.
You need to log in before you can comment on or make changes to this bug.