Bug 215487

Summary: Have an OOB+SaneChain Array::Speculation
Product: WebKit Reporter: Saam Barati <saam>
Component: JavaScriptCoreAssignee: Saam Barati <saam>
Status: RESOLVED FIXED    
Severity: Normal CC: benjamin, fpizlo, ggaren, gskachkov, guijemont, jsc32, keith_miller, mark.lam, msaboff, rmorisset, ross.kirsling, ticaiolima, tzagallo, webkit-bug-importer, ysuzuki
Priority: P2 Keywords: InRadar
Version: Other   
Hardware: Unspecified   
OS: Unspecified   
See Also: https://bugs.webkit.org/show_bug.cgi?id=215639
Attachments:
Description Flags
WIP
none
patch
none
patch
none
patch
none
patch
ysuzuki: review+
patch for landing
none
patch for landing
none
patch for landing none

Description Saam Barati 2020-08-13 19:11:53 PDT 
So we can return undefined when we're OOB.
Comment 1 Saam Barati 2020-08-13 19:16:38 PDT 
Created attachment 406565 [details]
WIP
Comment 2 Saam Barati 2020-08-13 19:16:55 PDT 
This at least helps crypto-md5-SP
Comment 3 Saam Barati 2020-08-14 18:36:46 PDT 
Created attachment 406645 [details]
patch
Comment 4 Saam Barati 2020-08-14 18:38:06 PDT 
Created attachment 406646 [details]
patch
Comment 5 Saam Barati 2020-08-14 19:50:20 PDT 
Created attachment 406650 [details]
patch
Comment 6 Saam Barati 2020-08-14 19:51:16 PDT 
Comment on attachment 406650 [details]
patch

View in context: https://bugs.webkit.org/attachment.cgi?id=406650&action=review

> Source/JavaScriptCore/dfg/DFGValidate.cpp:386
> +                        // We rely on being an original array structure so we can return undefined for negative indices.
> +                        // We could do better in the future, and have and have an feedback based profiling mechanism
> +                        // where we speculate against the index being >= 0.

Will update this comment to reflect new reason we need to be original
Comment 7 Saam Barati 2020-08-14 19:53:13 PDT 
Created attachment 406651 [details]
patch
Comment 8 Yusuke Suzuki 2020-08-14 20:36:00 PDT 
Comment on attachment 406651 [details]
patch

View in context: https://bugs.webkit.org/attachment.cgi?id=406651&action=review

r=me with one comment.

> Source/JavaScriptCore/dfg/DFGClobberize.h:945
> +                LocationKind kind = mode.isInBoundsSaneChain() ? IndexedPropertyDoubleSaneChainLoc : IndexedPropertyDoubleLoc;

This means that we will use IndexedPropertyDoubleLoc for OutOfBoundsSaneChain, is it correct?
Comment 9 Saam Barati 2020-08-15 17:52:49 PDT 
(In reply to Yusuke Suzuki from comment #8)
> Comment on attachment 406651 [details]
> patch
> 
> View in context:
> https://bugs.webkit.org/attachment.cgi?id=406651&action=review
> 
> r=me with one comment.
> 
> > Source/JavaScriptCore/dfg/DFGClobberize.h:945
> > +                LocationKind kind = mode.isInBoundsSaneChain() ? IndexedPropertyDoubleSaneChainLoc : IndexedPropertyDoubleLoc;
> 
> This means that we will use IndexedPropertyDoubleLoc for
> OutOfBoundsSaneChain, is it correct?

Yeah. Maybe we should introduce a new heap just out of paranoia that’s for OOBSaneChain
Comment 10 Saam Barati 2020-08-17 12:24:57 PDT 
(In reply to Saam Barati from comment #9)
> (In reply to Yusuke Suzuki from comment #8)
> > Comment on attachment 406651 [details]
> > patch
> > 
> > View in context:
> > https://bugs.webkit.org/attachment.cgi?id=406651&action=review
> > 
> > r=me with one comment.
> > 
> > > Source/JavaScriptCore/dfg/DFGClobberize.h:945
> > > +                LocationKind kind = mode.isInBoundsSaneChain() ? IndexedPropertyDoubleSaneChainLoc : IndexedPropertyDoubleLoc;
> > 
> > This means that we will use IndexedPropertyDoubleLoc for
> > OutOfBoundsSaneChain, is it correct?
> 
> Yeah. Maybe we should introduce a new heap just out of paranoia that’s for
> OOBSaneChain

I did some more reading. What's going on here is SaneChain may return NaN, where InBounds-non-sane-chain won't ever return NaN. So that's why we have two heap locations.

The change I'm making that I discussed with Yusuke is:
- OOB+SaneChain+NoUsesAsOther, we'll now return unboxed double value, to behave like in bounds SaneChain. Then, we can use the same heap location
- OOB+SaneChain+UsesAsOther => return JSValue, and new heap location
Comment 11 Saam Barati 2020-08-17 12:32:26 PDT 
Created attachment 406730 [details]
patch for landing
Comment 12 Saam Barati 2020-08-17 12:33:41 PDT 
Comment on attachment 406730 [details]
patch for landing

View in context: https://bugs.webkit.org/attachment.cgi?id=406730&action=review

> Source/JavaScriptCore/dfg/DFGClobberize.h:932
> +            if (mode.isInBounds() || mode.isOutOfBoundsSaneChain()) {

I need a new heap location for this.
Comment 13 Saam Barati 2020-08-17 12:46:36 PDT 
Comment on attachment 406730 [details]
patch for landing

View in context: https://bugs.webkit.org/attachment.cgi?id=406730&action=review

>> Source/JavaScriptCore/dfg/DFGClobberize.h:932
>> +            if (mode.isInBounds() || mode.isOutOfBoundsSaneChain()) {
> 
> I need a new heap location for this.

The issue is, AI might say we only return Int32 for a node. If we  CSE it with something that says "Int32 | Other", we've  broken an AI invariant by growing the type.
Comment 14 Saam Barati 2020-08-17 12:49:06 PDT 
Created attachment 406733 [details]
patch for landing
Comment 15 Saam Barati 2020-08-17 13:28:31 PDT 
Created attachment 406741 [details]
patch for landing

Turn off OOBSaneChain for 32-bit
Comment 16 EWS 2020-08-17 15:10:18 PDT 
Committed r265775: <https://trac.webkit.org/changeset/265775>

All reviewed patches have been landed. Closing bug and clearing flags on attachment 406741 [details].
Comment 17 Radar WebKit Bug Importer 2020-08-17 15:11:59 PDT 
<rdar://problem/67274231>