Closed Bug 1772858 Opened 3 years ago Closed 1 year ago

Change OOB set for TypedArray target and different receiver

Categories

(Core :: JavaScript Engine, task, P3)

Product:
Core
Component:
JavaScript Engine
Type:
task

Tracking

()

Status:
RESOLVED FIXED
Milestone:
131 Branch
Tracking Flags:
Tracking Status
firefox131 --- fixed

People

(Reporter: yulia, Assigned: anba)

References

(Blocks 1 open bug,
URL
)

Details

Attachments

(7 files)

Bug 1772858 - Part 1: Update spec references. r=#spidermonkey-reviewers!
48 bytes, text/x-phabricator-request
Details | Review
Bug 1772858 - Part 2: Move resolving check to the outer if-statement. r=#spidermonkey-reviewers!
48 bytes, text/x-phabricator-request
Details | Review
Bug 1772858 - Part 3: Sync NativeDefineProperty with current spec. r=#spidermonkey-reviewers!
48 bytes, text/x-phabricator-request
Details | Review
Bug 1772858 - Part 4: Remove AutoResolving::Kind. r=#spidermonkey-reviewers!
48 bytes, text/x-phabricator-request
Details | Review
Bug 1772858 - Part 5: Don't manually inline SetTypedArrayElement in DefineTypedArrayElement. r=#spidermonkey-reviewers!
48 bytes, text/x-phabricator-request
Details | Review
Bug 1772858 - Part 6: Merge SetTypedArrayElement and SetTypedArrayElementOutOfBounds. r=#spidermonkey-reviewers!
48 bytes, text/x-phabricator-request
Details | Review
Bug 1772858 - Part 7: Don't call OrdinarySet for out-of-bounds typed array elements. r=#spidermonkey-reviewers!
48 bytes, text/x-phabricator-request
Details | Review

We are currently the odd browser out for typed objects when setting out of bounds. We fall through to OrdinarySet where other browsers exit early. After discussion at tc39, it was decided to use the behavior shared by v8 and JSC

(Reading the PR I think this is typed arrays and not typed objects?)

Summary: Change OOB set for TypedObject target and different receiver → Change OOB set for TypedArray target and different receiver
Depends on: 1781205
No longer depends on: 1781205
Duplicate of this bug: 1913490

See also duplicate bug 1913490

Drive-by changes:

  • Make SetPropertyByDefining a file static function.
  • Remove unused functions SetPropertyOnProto and PropertyResult::setWasmGcProperty.
Assignee: nobody → andrebargull
Status: NEW → ASSIGNED

Instead of checking desc_.resolving() repeatedly, move the check into the
outer if-statement.

Drive-by change:

  • Remove some unnecessary re-rooting of already rooted variables.

ValidateAndApplyPropertyDescriptor was refactored in https://github.com/tc39/ecma262/pull/2468,
make sure our implementation follows the current spec text more closely.

But also include the fix from https://github.com/tc39/ecma262/pull/3404.

We don't use AutoResolving::Kind::WATCH anymore, so we can remove the
whole AutoResolving::Kind enum.

It doesn't seem necessary to effectively inline SetTypedArrayElement here.

SetTypedArrayElement doesn't allow to be called with out-of-bounds indices and
SetTypedArrayElementOutOfBounds must only be called with out-of-bounds indices.
Since we need to rerun the bounds check anyway in TypedArrayObjectTemplate::setElement
after calling convertValue, it doesn't seem useful to have these two separate
functions. And using a single SetTypedArrayElement function which allows out-of-bounds
indices also follows the spec more closely.

When SetNonexistentProperty is called with out-of-bounds typed array indices, the
spec want us to call SetTypedArrayElement only if the current object pobj is the
receiver.

Two changes are necessary to plumb the relevant information to SetNonexistentProperty:

  1. PropertyResult::ignoreProtoChain_ needs an additional bit to track out-of-bounds
    typed array indices. We can store this extra bit efficiently by changing ignoreProtoChain_
    from bool to uint8_t.
  2. The current object pobj needs to be passed to SetNonexistentProperty in addition to
    obj and receiver.

There's additional test coverage in test262, but we first need to update test262 again.

Pushed by andre.bargull@gmail.com: https://hg.mozilla.org/integration/autoland/rev/8ae7bdf2f383 Part 1: Update spec references. r=spidermonkey-reviewers,jandem https://hg.mozilla.org/integration/autoland/rev/c24248022ef2 Part 2: Move resolving check to the outer if-statement. r=spidermonkey-reviewers,jandem https://hg.mozilla.org/integration/autoland/rev/b15419ec07fa Part 3: Sync NativeDefineProperty with current spec. r=spidermonkey-reviewers,jandem https://hg.mozilla.org/integration/autoland/rev/1f084420eb9f Part 4: Remove AutoResolving::Kind. r=spidermonkey-reviewers,jandem https://hg.mozilla.org/integration/autoland/rev/e5650c79587b Part 5: Don't manually inline SetTypedArrayElement in DefineTypedArrayElement. r=spidermonkey-reviewers,jandem https://hg.mozilla.org/integration/autoland/rev/b086d0061631 Part 6: Merge SetTypedArrayElement and SetTypedArrayElementOutOfBounds. r=spidermonkey-reviewers,jandem https://hg.mozilla.org/integration/autoland/rev/e969f552745a Part 7: Don't call OrdinarySet for out-of-bounds typed array elements. r=spidermonkey-reviewers,jandem
No longer depends on: 1658319
Regressions: 1939008
You need to log in before you can comment on or make changes to this bug.

Attachment

General

Creator:
Created:
Updated:
Size: