[webkit-changes] [235008] branches/safari-606.1.36.1-branch

Fri, 17 Aug 2018 21:05:20 -0700

Title: [235008] branches/safari-606.1.36.1-branch
Revision
235008
Author
[email protected]
Date
2018-08-17 21:03:53 -0700 (Fri, 17 Aug 2018)

Log Message

Cherry-pick r235007. rdar://problem/43445973

    intersectionOfPastValuesAtHead must filter values after they've observed an invalidation point
    https://bugs.webkit.org/show_bug.cgi?id=188707
    <rdar://problem/43015442>

    Reviewed by Mark Lam.

    JSTests:

    * stress/cfa-expected-values-must-set-clobbered-to-false.js: Added.
    (foo):
    (let.comp.valueOf):
    (result):

    Source/_javascript_Core:

    We use the values in intersectionOfPastValuesAtHead to verify that it is safe to
    OSR enter at the head of a block. We verify it's safe to OSR enter by checking
    that each incoming value is compatible with its corresponding AbstractValue.

    The bug is that we were sometimes filtering the intersectionOfPastValuesAtHead
    with abstract values that were clobbererd. This meant that the value we're
    verifying with at OSR entry effectively has an infinite structure set because
    it's clobbered. So, imagine we have code like this:
    ```
    ---> We OSR enter here, and we're clobbered here
    InvalidationPoint
    GetByOffset(@base)
    ```

    The abstract value for @base inside intersectionOfPastValuesAtHead has a
    clobberred structure set, so we'd allow an incoming object with any
    structure. However, this is wrong because the invalidation point is no
    longer fulfilling its promise that it filters the structure that @base has.

    We fix this by filtering the AbstractValues in intersectionOfPastValuesAtHead
    as if the incoming value may be live past an InvalidationPoint.
    This places a stricter requirement that to safely OSR enter at any basic
    block, all incoming values must be compatible as if they lived past
    the execution of an invalidation point.

    * dfg/DFGCFAPhase.cpp:
    (JSC::DFG::CFAPhase::run):

    git-svn-id: https://svn.webkit.org/repository/webkit/trunk@235007 268f45cc-cd09-0410-ab3c-d52691b4dbfc

Modified Paths

Added Paths

Diff

Modified: branches/safari-606.1.36.1-branch/JSTests/ChangeLog (235007 => 235008)


--- branches/safari-606.1.36.1-branch/JSTests/ChangeLog	2018-08-18 02:05:09 UTC (rev 235007)
+++ branches/safari-606.1.36.1-branch/JSTests/ChangeLog	2018-08-18 04:03:53 UTC (rev 235008)
@@ -1,3 +1,67 @@
+2018-08-17  Kocsen Chung  <[email protected]>
+
+        Cherry-pick r235007. rdar://problem/43445973
+
+    intersectionOfPastValuesAtHead must filter values after they've observed an invalidation point
+    https://bugs.webkit.org/show_bug.cgi?id=188707
+    <rdar://problem/43015442>
+    
+    Reviewed by Mark Lam.
+    
+    JSTests:
+    
+    * stress/cfa-expected-values-must-set-clobbered-to-false.js: Added.
+    (foo):
+    (let.comp.valueOf):
+    (result):
+    
+    Source/_javascript_Core:
+    
+    We use the values in intersectionOfPastValuesAtHead to verify that it is safe to
+    OSR enter at the head of a block. We verify it's safe to OSR enter by checking
+    that each incoming value is compatible with its corresponding AbstractValue.
+            
+    The bug is that we were sometimes filtering the intersectionOfPastValuesAtHead
+    with abstract values that were clobbererd. This meant that the value we're
+    verifying with at OSR entry effectively has an infinite structure set because
+    it's clobbered. So, imagine we have code like this:
+    ```
+    ---> We OSR enter here, and we're clobbered here
+    InvalidationPoint
+    GetByOffset(@base)
+    ```
+            
+    The abstract value for @base inside intersectionOfPastValuesAtHead has a
+    clobberred structure set, so we'd allow an incoming object with any
+    structure. However, this is wrong because the invalidation point is no
+    longer fulfilling its promise that it filters the structure that @base has.
+            
+    We fix this by filtering the AbstractValues in intersectionOfPastValuesAtHead
+    as if the incoming value may be live past an InvalidationPoint.
+    This places a stricter requirement that to safely OSR enter at any basic
+    block, all incoming values must be compatible as if they lived past
+    the execution of an invalidation point.
+    
+    * dfg/DFGCFAPhase.cpp:
+    (JSC::DFG::CFAPhase::run):
+    
+    
+    
+    git-svn-id: https://svn.webkit.org/repository/webkit/trunk@235007 268f45cc-cd09-0410-ab3c-d52691b4dbfc
+
+    2018-08-17  Saam barati  <[email protected]>
+
+            intersectionOfPastValuesAtHead must filter values after they've observed an invalidation point
+            https://bugs.webkit.org/show_bug.cgi?id=188707
+            <rdar://problem/43015442>
+
+            Reviewed by Mark Lam.
+
+            * stress/cfa-expected-values-must-set-clobbered-to-false.js: Added.
+            (foo):
+            (let.comp.valueOf):
+            (result):
+
 2018-07-26  Babak Shafiei  <[email protected]>
 
         Cherry-pick r234269. rdar://problem/42650430

Added: branches/safari-606.1.36.1-branch/JSTests/stress/cfa-expected-values-must-set-clobbered-to-false.js (0 => 235008)


--- branches/safari-606.1.36.1-branch/JSTests/stress/cfa-expected-values-must-set-clobbered-to-false.js	                        (rev 0)
+++ branches/safari-606.1.36.1-branch/JSTests/stress/cfa-expected-values-must-set-clobbered-to-false.js	2018-08-18 04:03:53 UTC (rev 235008)
@@ -0,0 +1,38 @@
+//@ runDefault("--useFTLJIT=0", "--useConcurrentJIT=false")
+
+let num = 150;
+
+function foo(comp, o, b) {
+    let sum = o.f;
+    if (b)
+        OSRExit();
+    for (let i = 0; i < comp; ++i) {
+        sum += o.f;
+    }
+    return sum;
+}
+noInline(foo);
+
+let o = {f:25};
+let o2 = {f:25, g:44};
+o2.f = 45;
+o2.f = 45;
+o2.f = 45;
+o2.f = 45;
+let comp = {
+    valueOf() { return num; }
+}
+
+foo(comp, o2, true);
+foo(comp, o2, true);
+for (let i = 0; i < 500; ++i) {
+    foo(comp, o2, false);
+}
+
+let o3 = {g:24, f:73};
+num = 10000000;
+let result = foo(comp, o3, false);
+
+if (result !== (num + 1)*73) {
+    throw new Error("Bad: " + result);
+}

Modified: branches/safari-606.1.36.1-branch/Source/_javascript_Core/ChangeLog (235007 => 235008)


--- branches/safari-606.1.36.1-branch/Source/_javascript_Core/ChangeLog	2018-08-18 02:05:09 UTC (rev 235007)
+++ branches/safari-606.1.36.1-branch/Source/_javascript_Core/ChangeLog	2018-08-18 04:03:53 UTC (rev 235008)
@@ -1,3 +1,90 @@
+2018-08-17  Kocsen Chung  <[email protected]>
+
+        Cherry-pick r235007. rdar://problem/43445973
+
+    intersectionOfPastValuesAtHead must filter values after they've observed an invalidation point
+    https://bugs.webkit.org/show_bug.cgi?id=188707
+    <rdar://problem/43015442>
+    
+    Reviewed by Mark Lam.
+    
+    JSTests:
+    
+    * stress/cfa-expected-values-must-set-clobbered-to-false.js: Added.
+    (foo):
+    (let.comp.valueOf):
+    (result):
+    
+    Source/_javascript_Core:
+    
+    We use the values in intersectionOfPastValuesAtHead to verify that it is safe to
+    OSR enter at the head of a block. We verify it's safe to OSR enter by checking
+    that each incoming value is compatible with its corresponding AbstractValue.
+            
+    The bug is that we were sometimes filtering the intersectionOfPastValuesAtHead
+    with abstract values that were clobbererd. This meant that the value we're
+    verifying with at OSR entry effectively has an infinite structure set because
+    it's clobbered. So, imagine we have code like this:
+    ```
+    ---> We OSR enter here, and we're clobbered here
+    InvalidationPoint
+    GetByOffset(@base)
+    ```
+            
+    The abstract value for @base inside intersectionOfPastValuesAtHead has a
+    clobberred structure set, so we'd allow an incoming object with any
+    structure. However, this is wrong because the invalidation point is no
+    longer fulfilling its promise that it filters the structure that @base has.
+            
+    We fix this by filtering the AbstractValues in intersectionOfPastValuesAtHead
+    as if the incoming value may be live past an InvalidationPoint.
+    This places a stricter requirement that to safely OSR enter at any basic
+    block, all incoming values must be compatible as if they lived past
+    the execution of an invalidation point.
+    
+    * dfg/DFGCFAPhase.cpp:
+    (JSC::DFG::CFAPhase::run):
+    
+    
+    
+    git-svn-id: https://svn.webkit.org/repository/webkit/trunk@235007 268f45cc-cd09-0410-ab3c-d52691b4dbfc
+
+    2018-08-17  Saam barati  <[email protected]>
+
+            intersectionOfPastValuesAtHead must filter values after they've observed an invalidation point
+            https://bugs.webkit.org/show_bug.cgi?id=188707
+            <rdar://problem/43015442>
+
+            Reviewed by Mark Lam.
+
+            We use the values in intersectionOfPastValuesAtHead to verify that it is safe to
+            OSR enter at the head of a block. We verify it's safe to OSR enter by checking
+            that each incoming value is compatible with its corresponding AbstractValue.
+
+            The bug is that we were sometimes filtering the intersectionOfPastValuesAtHead
+            with abstract values that were clobbererd. This meant that the value we're
+            verifying with at OSR entry effectively has an infinite structure set because
+            it's clobbered. So, imagine we have code like this:
+            ```
+            ---> We OSR enter here, and we're clobbered here
+            InvalidationPoint
+            GetByOffset(@base)
+            ```
+
+            The abstract value for @base inside intersectionOfPastValuesAtHead has a
+            clobberred structure set, so we'd allow an incoming object with any
+            structure. However, this is wrong because the invalidation point is no
+            longer fulfilling its promise that it filters the structure that @base has.
+
+            We fix this by filtering the AbstractValues in intersectionOfPastValuesAtHead
+            as if the incoming value may be live past an InvalidationPoint.
+            This places a stricter requirement that to safely OSR enter at any basic
+            block, all incoming values must be compatible as if they lived past
+            the execution of an invalidation point.
+
+            * dfg/DFGCFAPhase.cpp:
+            (JSC::DFG::CFAPhase::run):
+
 2018-08-06  Kocsen Chung  <[email protected]>
 
         Cherry-pick r234576. rdar://problem/42973449

Modified: branches/safari-606.1.36.1-branch/Source/_javascript_Core/dfg/DFGCFAPhase.cpp (235007 => 235008)


--- branches/safari-606.1.36.1-branch/Source/_javascript_Core/dfg/DFGCFAPhase.cpp	2018-08-18 02:05:09 UTC (rev 235007)
+++ branches/safari-606.1.36.1-branch/Source/_javascript_Core/dfg/DFGCFAPhase.cpp	2018-08-18 04:03:53 UTC (rev 235008)
@@ -141,8 +141,15 @@
                     continue;
                 
                 block->intersectionOfCFAHasVisited &= block->cfaHasVisited;
-                for (unsigned i = block->intersectionOfPastValuesAtHead.size(); i--;)
-                    block->intersectionOfPastValuesAtHead[i].filter(block->valuesAtHead[i]);
+                for (unsigned i = block->intersectionOfPastValuesAtHead.size(); i--;) {
+                    AbstractValue value = block->valuesAtHead[i];
+                    // We need to guarantee that when we do an OSR entry, we validate the incoming
+                    // value as if it could be live past an invalidation point. Otherwise, we may
+                    // OSR enter with a value with the wrong structure, and an InvalidationPoint's
+                    // promise of filtering the structure set of certain values is no longer upheld.
+                    value.m_structure.observeInvalidationPoint();
+                    block->intersectionOfPastValuesAtHead[i].filter(value);
+                }
             }
         }
         

_______________________________________________
webkit-changes mailing list
[email protected]
https://lists.webkit.org/mailman/listinfo/webkit-changes

Reply via email to