Page MenuHomePhabricator
Differential D118361

Bug 1717438 part 3 - Use the InvalidatedTeleporting flag also for shadowed properties. r?tcampbell!
ClosedPublic
Actions

Authored by jandem on Jun 21 2021, 2:49 PM.
Tags
Referenced Files
Unknown Object (File)
Mar 11 2025, 2:23 AM
Unknown Object (File)
Jan 20 2025, 4:30 AM
Unknown Object (File)
Jul 23 2024, 12:02 PM
Subscribers
None

Details

Reviewers
tcampbell
Commits
Restricted Diffusion Commit
rMOZILLACENTRAL7a624fe10146: Bug 1717438 part 3 - Use the InvalidatedTeleporting flag also for shadowed…
rMOZILLACENTRAL95e913632f6a: Bug 1717438 part 3 - Use the InvalidatedTeleporting flag also for shadowed…
Bugzilla Bug ID
1717438
Summary

The flag is now used to guard against both cases teleporting has to watch out
for: proto changes and shadowed properties.

This lets us get rid of dictionary conversions and reshaping for ReshapeForShadowedProp.

Diff Detail

Repository
rMOZILLACENTRAL mozilla-central
Lint
Lint Not Applicable
Unit
Tests Not Applicable
Build Status
Buildable 336580
Build 430651: arc lint + arc unit

Event Timeline

jandem created this revision.Jun 21 2021, 2:49 PM
Herald added a project: secure-revision. · View Herald TranscriptJun 21 2021, 2:49 PM
Harbormaster completed remote builds in B330839: Diff 453114.Jun 21 2021, 2:49 PM
phab-bot published this revision for review.Jun 21 2021, 2:49 PM
phab-bot changed the visibility from "Custom Policy" to "Public (No Login Required)".
phab-bot changed the edit policy from "Custom Policy" to "Restricted Project (Project)".
phab-bot removed a project: secure-revision.
jandem updated this revision to Diff 454124.Jun 23 2021, 3:58 PM
jandem edited the summary of this revision. (Show Details)

Rebase on central

Harbormaster completed remote builds in B331670: Diff 454124.Jun 23 2021, 3:58 PM
tcampbell accepted this revision.Jun 23 2021, 9:30 PM
tcampbell added a project: testing-exception-unchanged (Doesn't change behavior for users).

This is a pretty nice cleanup.

Since you have the simple flag now, I wonder if it makes sense to expose as a testing function so that we can write a few tests to show this behaviour (and we don't even need JITs).

One impact of this change is that shadowing the ObjectPrototype will now cause future accesses to common properties to not use teleporting anymore. This was always the can for SetProto invalidations, but now is expanded to shadowing. In practice, I think the avoidance of dictionary mode here outweighs this, and the invalidation flag has much more gradual JIT impact.

A potential thing we could do if we are concerned about in-the-wild behaviour is to capture telemetry when tearing down the realm about if ObjectPrototype has set the flag.

This revision is now accepted and ready to land.Jun 23 2021, 9:30 PM
jandem updated this revision to Diff 455742.Jul 5 2021, 7:32 AM

Rebase

Harbormaster completed remote builds in B332906: Diff 455742.Jul 5 2021, 7:32 AM
jandem updated this revision to Diff 455745.Jul 5 2021, 8:15 AM
Harbormaster completed remote builds in B332909: Diff 455745.Jul 5 2021, 8:15 AM
jandem added a comment.Jul 5 2021, 9:35 AM

Testing function is a good idea, I posted D119063.

Regarding Object.prototype: it helps that we only check the flag on the holder object. I don't think Object.prototype has very hot properties except for toString and hasOwnProperty, so hopefully it would still be okay if we happen to invalidate teleporting for it.

jandem added a child revision: D119063: Bug 1717438 part 4 - Add testing function and tests for teleporting. r?tcampbell!.Jul 5 2021, 9:36 AM
Closed by commit rMOZILLACENTRAL95e913632f6a: Bug 1717438 part 3 - Use the InvalidatedTeleporting flag also for shadowed… (authored by jandem). · Explain WhyJul 15 2021, 1:31 PM
This revision was automatically updated to reflect the committed changes.
jandem added a commit: rMOZILLACENTRAL95e913632f6a: Bug 1717438 part 3 - Use the InvalidatedTeleporting flag also for shadowed….
cbrindusan reopened this revision.Jul 15 2021, 3:09 PM
This revision is now accepted and ready to land.Jul 15 2021, 3:09 PM
cbrindusan added a reverting change: rMOZILLACENTRAL6778252284f5: Backed out 4 changesets (bug 1717438) for causing bc failures in….Jul 15 2021, 3:09 PM
jandem updated this revision to Diff 459943.Jul 19 2021, 1:59 PM
Harbormaster completed remote builds in B336150: Diff 459943.Jul 19 2021, 1:59 PM
jandem updated this revision to Diff 459946.Jul 19 2021, 2:03 PM
Harbormaster completed remote builds in B336153: Diff 459946.Jul 19 2021, 2:03 PM
jandem requested review of this revision.Jul 19 2021, 2:05 PM
jandem added inline comments.
js/src/jit/CacheIR.cpp
698

@tcampbell: putting this back in your queue. This was backed out because of a silly bug I should have seen: if we reuse the flag for shadowing properties instead of reshaping the holder each time, this must now do a shape guard instead of a proto guard so that we properly detect shadowing properties after the first one. See test1 in the test case for the buggy scenario.

I think this should be okay: shape guards are faster than proto guards, and falling back to shape guards when teleporting doesn't work is more robust and more obviously correct.

tcampbell accepted this revision.Jul 19 2021, 11:43 PM
tcampbell added inline comments.
js/src/jit/CacheIR.cpp
698

Ah, I missed this as well. This is much nicer code anyways, the previous code was quite tricky here so simplifing to just a shape-guard is welcome.

This revision is now accepted and ready to land.Jul 19 2021, 11:43 PM
jandem marked an inline comment as done.Jul 20 2021, 7:29 AM
Closed by commit rMOZILLACENTRAL7a624fe10146: Bug 1717438 part 3 - Use the InvalidatedTeleporting flag also for shadowed… (authored by jandem). · Explain WhyJul 20 2021, 7:34 AM
This revision was automatically updated to reflect the committed changes.
jandem added a commit: rMOZILLACENTRAL7a624fe10146: Bug 1717438 part 3 - Use the InvalidatedTeleporting flag also for shadowed….
jandem added a commit: Restricted Diffusion Commit.Jul 21 2021, 9:36 AM
Harbormaster completed remote builds in B336580: Diff 460215.Jul 21 2021, 9:36 AM

Revision Contents
Changeset List

PathSizeCoverage (All)Coverage (Touched)
js/
src/
jit-test/
tests/
cacheir/
32 lines--
jit/
34 lines95%
Loading...
vm/
23 lines94%
Loading...
3 lines99%
Loading...
11 lines93%
Loading...
3 lines97%
Loading...

Diff 460215

View Options

js/src/jit-test/tests/cacheir/shape-teleporting-3.js

Loading...
View Options

js/src/jit/CacheIR.cpp

Loading...
View Options

js/src/vm/JSObject.h

Loading...
View Options

js/src/vm/NativeObject.h

Loading...
View Options

js/src/vm/NativeObject.cpp

Loading...
View Options

js/src/vm/Shape.h

Loading...
Privacy · Cookies · Legal