Remove InternalPackedArray from V8 |
|||
Issue descriptionV8 currently exports a constructor named InternalPackedArray, that represents a magical InternalArray with PACKED_ELEMENTS backing store. This is highly dangerous because if this ever leaks, it's not too hard to construct a case where you can access arbitrary memory. There's also no real benefit to the InternalPackedArray anyways. The regular Array is usually faster and better tested. To avoid attacks on uses of the Array, you could just set the prototype to null, i.e. elements = []; Object.setPrototypeOf(elements, null); Since it's only used in SimpleQueue (blocked on chromium:743082), it should be easy to refactor this to use Array with null prototype instead, and then drop the InternalPackedArray from V8.
,
Jul 25 2017
Reiterating some discussion with bmeurer@ I had this morning: My main concern is making sure we have a usable **and performant** "vector" type in V8 extras. Currently we are only using "push", but at points in the past we used: pop, push, shift, unshift, splice, slice. I want to ensure that if we remove InternalPackedArray, we can still recover performant versions of those operations in the future. It seems like this could work just by creating our own "internal-ish Array" via nulling out the prototype of an array and transferring the methods from Array.prototype, since they operate generically. I am a little worried that we'll hit deopts inside pop/push/shift/unshift/splice/slice because such an array doesn't look like a normal array to V8, but I don't know V8's code in that area. So I'd be happy to try it out and report back and remove InternalPackedArray usage if the results work well for us. (Concretely, I think this means creating a local benchmark that reverts to the earlier version of the queue, and running it with InternalPackedArray vs. a homegrown null-proto array.)
,
Jul 26 2017
#2: In my opinion, shift() and unshift() are a trap because it's easy to create code that looks performant but which falls off a cliff in a case you didn't test for. Indeed, this already happened in issue chromium:681493 . splice() may be similarly problematic depending on how it is used. I have been doing some rough benchmarking on M-59 and there's no statistically significant difference between array.push(undefined) and array[array.length] = undefined;. The standard deviation is huge, so it would probably be better to start a fresh instance of d8 for each run, rather than trying to benchmark in the noisy environment of the browser.
,
Aug 15 2017
I was reminded that even if InternalPackedArray goes away, InternalArray does not. I had not realized that at the time of my initial comments. So we can just switch to InternalArray; that should be a one-line patch in V8. I think however we need to do the following to avoid breaking any builds: - Land a patch to V8 that exports InternalArray to V8 extras - Land a patch to Chromium that switches usage of InternalPackedArray to InternalArray - Land a patch to V8 that removes the exporting of InternalPackedArray If there is a smarter way to land these sort of breaking changes to V8, let me know.
,
Aug 16 2017
Sounds good to me. InternalArray is a lot less dangerous than InternalArray.
,
Aug 16 2017
...than InternalPackedArray.
,
Aug 23
,
Nov 9
Since we plan to stop using V8 Extras for Streams within a few months, we will probably just wait to remove InternalPackedArray from V8 until after we remove the V8 Extras-based implementation of Streams from Blink. |
|||
►
Sign in to add a comment |
|||
Comment 1 by yangguo@chromium.org
, Jul 25 2017