Open Bug 839474 Opened 12 years ago Updated 1 year ago

Need to assert somewhere that we don't break code that uses getFixedSlotOffset when we do a JSObject::swap

Categories

(Core :: JavaScript Engine, enhancement, P3)

x86
macOS
enhancement


People

(Reporter: bzbarsky, Unassigned)

References

(Blocks 1 open bug)

Details

It looks like JSObject::swap can lead to situations in which an object has some non-fixed reserved slots, if the classes of the objects being swapped have different numbers of reserved slots. We don't have that many uses of getFixedSlotOffset in our tree, though. The main ones I can think of that are relevant here are in ion's CodeGenerator::visitGetDOMProperty/visitSetDOMProperty/visitCallDOMNative and those only care about reserved slot 0 being a fixed slot, which is true for both DOM objects and anything they'll swap() with (i.e. proxies), so should always work. We just need to assert about this ... somewhere. Not sure where.
Assignee: general → nobody
Severity: normal → S3

I think it's certainly possible we could still improve the assertions in JSObject::swap.

Blocks: sm-runtime
Type: defect → enhancement
Priority: -- → P3