Bug 207075

Summary:

Audit safe to execute

Product:

WebKit

Reporter:

Saam Barati <saam>

Component:

JavaScriptCore

Assignee:

Saam Barati <saam>

Status:

RESOLVED FIXED

Severity:

Normal

CC:

benjamin, fpizlo, ggaren, gskachkov, guijemont, keith_miller, mark.lam, msaboff, rmorisset, ticaiolima, tzagallo, webkit-bug-importer, ysuzuki

Priority:

Keywords:

InRadar

Version:

WebKit Nightly Build

Hardware:

Unspecified

OS:

Unspecified

Bug Depends on:

206805, 207074, 207082

Bug Blocks:

Attachments:

Description	Flags
patch	none

Description Saam Barati 2020-01-31 15:21:40 PST

For things like:
https://bugs.webkit.org/show_bug.cgi?id=206805

For example, GetButterfly should probably be checking that its base is an object

Comment 1 Radar WebKit Bug Importer 2020-01-31 22:36:43 PST

<rdar://problem/59085094>

Comment 2 Filip Pizlo 2020-06-03 11:36:14 PDT

(In reply to Saam Barati from comment #0)
> For things like:
> https://bugs.webkit.org/show_bug.cgi?id=206805
> 
> For example, GetButterfly should probably be checking that its base is an
> object

Isn’t that covered by safeToExecute’s edge processing?

Comment 3 Saam Barati 2020-06-03 11:52:41 PDT

(In reply to Filip Pizlo from comment #2)
> (In reply to Saam Barati from comment #0)
> > For things like:
> > https://bugs.webkit.org/show_bug.cgi?id=206805
> > 
> > For example, GetButterfly should probably be checking that its base is an
> > object
> 
> Isn’t that covered by safeToExecute’s edge processing?

GetButterfly only speculates Cell on its base.

Comment 4 Saam Barati 2020-06-03 11:52:53 PDT

(In reply to Saam Barati from comment #3)
> (In reply to Filip Pizlo from comment #2)
> > (In reply to Saam Barati from comment #0)
> > > For things like:
> > > https://bugs.webkit.org/show_bug.cgi?id=206805
> > > 
> > > For example, GetButterfly should probably be checking that its base is an
> > > object
> > 
> > Isn’t that covered by safeToExecute’s edge processing?
> 
> GetButterfly only speculates Cell on its base.

Probably it should speculate Object.

Comment 5 Saam Barati 2020-06-03 17:14:53 PDT

Created attachment 400984 [details]
patch

Comment 6 Saam Barati 2020-06-04 12:21:17 PDT

Comment on attachment 400984 [details]
patch

View in context: https://bugs.webkit.org/attachment.cgi?id=400984&action=review

> Source/JavaScriptCore/tools/JSDollarVM.cpp:1220
> +static const DOMJIT::Signature DOMJITFunctionObjectSignature(DOMJITFunctionObject::functionWithoutTypeCheck, DOMJITFunctionObject::info(), DOMJIT::Effect::forRead(DOMJIT::HeapRange(DOMJIT::HeapRange::ConstExpr, 0, 1)), SpecInt32Only);

we only had one test using this functionality, and it didn't rely on the old behavior, so I just changed it to this so I didn't have to create a new class.

Comment 7 Yusuke Suzuki 2020-06-04 14:35:03 PDT

Comment on attachment 400984 [details]
patch

View in context: https://bugs.webkit.org/attachment.cgi?id=400984&action=review

r=me

> Source/JavaScriptCore/dfg/DFGSafeToExecute.h:487
> +        bool isSafe = true;
> +        const ClassInfo* classInfo = node->requiredDOMJITClassInfo();
> +        structures.forEach([&] (RegisteredStructure structure) {
> +            isSafe &= structure->classInfo()->isSubClassOf(classInfo);
> +        });
> +        return isSafe;
> +    }

What happens if structure set is empty?

Comment 8 Saam Barati 2020-06-04 14:41:27 PDT

(In reply to Yusuke Suzuki from comment #7)
> Comment on attachment 400984 [details]
> patch
> 
> View in context:
> https://bugs.webkit.org/attachment.cgi?id=400984&action=review
> 
> r=me
> 
> > Source/JavaScriptCore/dfg/DFGSafeToExecute.h:487
> > +        bool isSafe = true;
> > +        const ClassInfo* classInfo = node->requiredDOMJITClassInfo();
> > +        structures.forEach([&] (RegisteredStructure structure) {
> > +            isSafe &= structure->classInfo()->isSubClassOf(classInfo);
> > +        });
> > +        return isSafe;
> > +    }
> 
> What happens if structure set is empty?

We should never reach such a point in the program, so we can return true or false.

Comment 9 Filip Pizlo 2020-06-04 14:44:26 PDT

(In reply to Saam Barati from comment #8)
> (In reply to Yusuke Suzuki from comment #7)
> > Comment on attachment 400984 [details]
> > patch
> > 
> > View in context:
> > https://bugs.webkit.org/attachment.cgi?id=400984&action=review
> > 
> > r=me
> > 
> > > Source/JavaScriptCore/dfg/DFGSafeToExecute.h:487
> > > +        bool isSafe = true;
> > > +        const ClassInfo* classInfo = node->requiredDOMJITClassInfo();
> > > +        structures.forEach([&] (RegisteredStructure structure) {
> > > +            isSafe &= structure->classInfo()->isSubClassOf(classInfo);
> > > +        });
> > > +        return isSafe;
> > > +    }
> > 
> > What happens if structure set is empty?
> 
> We should never reach such a point in the program, so we can return true or
> false.

I think empty set means you have to return false.

Comment 10 Filip Pizlo 2020-06-04 14:45:25 PDT

(In reply to Saam Barati from comment #4)
> (In reply to Saam Barati from comment #3)
> > (In reply to Filip Pizlo from comment #2)
> > > (In reply to Saam Barati from comment #0)
> > > > For things like:
> > > > https://bugs.webkit.org/show_bug.cgi?id=206805
> > > > 
> > > > For example, GetButterfly should probably be checking that its base is an
> > > > object
> > > 
> > > Isn’t that covered by safeToExecute’s edge processing?
> > 
> > GetButterfly only speculates Cell on its base.
> 
> Probably it should speculate Object.

Oh interesting. If we said it speculates object then we would really want it to be like KnownObject - so safe to execute if known object, but never actually checks it.

Comment 11 Saam Barati 2020-06-04 14:50:09 PDT

(In reply to Filip Pizlo from comment #10)
> (In reply to Saam Barati from comment #4)
> > (In reply to Saam Barati from comment #3)
> > > (In reply to Filip Pizlo from comment #2)
> > > > (In reply to Saam Barati from comment #0)
> > > > > For things like:
> > > > > https://bugs.webkit.org/show_bug.cgi?id=206805
> > > > > 
> > > > > For example, GetButterfly should probably be checking that its base is an
> > > > > object
> > > > 
> > > > Isn’t that covered by safeToExecute’s edge processing?
> > > 
> > > GetButterfly only speculates Cell on its base.
> > 
> > Probably it should speculate Object.
> 
> Oh interesting. If we said it speculates object then we would really want it
> to be like KnownObject - so safe to execute if known object, but never
> actually checks it.

Yeah exactly. I fixed this issue a while ago where we only hoist GetButterfly if we prove the base is an object.

KnownObject probably sounds like the better long-term thing since it's what we really mean anyways

Comment 12 Saam Barati 2020-06-04 15:09:53 PDT

(In reply to Filip Pizlo from comment #9)
> (In reply to Saam Barati from comment #8)
> > (In reply to Yusuke Suzuki from comment #7)
> > > Comment on attachment 400984 [details]
> > > patch
> > > 
> > > View in context:
> > > https://bugs.webkit.org/attachment.cgi?id=400984&action=review
> > > 
> > > r=me
> > > 
> > > > Source/JavaScriptCore/dfg/DFGSafeToExecute.h:487
> > > > +        bool isSafe = true;
> > > > +        const ClassInfo* classInfo = node->requiredDOMJITClassInfo();
> > > > +        structures.forEach([&] (RegisteredStructure structure) {
> > > > +            isSafe &= structure->classInfo()->isSubClassOf(classInfo);
> > > > +        });
> > > > +        return isSafe;
> > > > +    }
> > > 
> > > What happens if structure set is empty?
> > 
> > We should never reach such a point in the program, so we can return true or
> > false.
> 
> I think empty set means you have to return false.

Doesn't the empty set prove we would have exitted?

Comment 13 EWS 2020-06-05 12:32:21 PDT

Committed r262642: <https://trac.webkit.org/changeset/262642>

All reviewed patches have been landed. Closing bug and clearing flags on attachment 400984 [details].