Bug 195721

Summary: DFG::AbstractValue::validateOSREntry is wrong when isHeapTop and the incoming value is Empty
Product: WebKit Reporter: Saam Barati <saam>
Component: JavaScriptCoreAssignee: Saam Barati <saam>
Status: RESOLVED FIXED    
Severity: Normal CC: benjamin, commit-queue, ews-watchlist, fpizlo, ggaren, gskachkov, guijemont, keith_miller, mark.lam, msaboff, rmorisset, ticaiolima, tzagallo, webkit-bug-importer, ysuzuki
Priority: P2 Keywords: InRadar
Version: WebKit Nightly Build   
Hardware: Unspecified   
OS: Unspecified   
Attachments:
Description Flags
WIP
none
patch
none
patch none

Saam Barati
Reported 2019-03-13 18:12:54 PDT
``` bool validate(JSValue value) const { if (isHeapTop()) return true; ``` However, JSValue() is not part of heap top, but would return true if asked to validate on an AbstractValue that isHeapTop().
Attachments
WIP (22.27 KB, patch)
2019-03-20 16:10 PDT, Saam Barati 		no flags
DetailsFormatted DiffDiff
patch (25.99 KB, patch)
2019-03-20 16:48 PDT, Saam Barati 		no flags
DetailsFormatted DiffDiff
patch (25.99 KB, patch)
2019-03-20 16:51 PDT, Saam Barati 		no flags
DetailsFormatted DiffDiff
Show Obsolete (2) View All Add attachment proposed patch, testcase, etc.
Filip Pizlo
Comment 1 2019-03-13 18:24:39 PDT
(In reply to Saam Barati from comment #0) > ``` > bool validate(JSValue value) const > { > if (isHeapTop()) > return true; > ``` > > However, JSValue() is not part of heap top, but would return true if asked > to validate on an AbstractValue that isHeapTop(). JSValue() in AbstractValue means that the value is “any JSValue”. There is no way to reflect folding to JSValue() in abstract value.
Saam Barati
Comment 2 2019-03-13 18:48:58 PDT
(In reply to Filip Pizlo from comment #1) > (In reply to Saam Barati from comment #0) > > ``` > > bool validate(JSValue value) const > > { > > if (isHeapTop()) > > return true; > > ``` > > > > However, JSValue() is not part of heap top, but would return true if asked > > to validate on an AbstractValue that isHeapTop(). > > JSValue() in AbstractValue means that the value is “any JSValue”. There is > no way to reflect folding to JSValue() in abstract value. The scenario I'm worried about is OSR entry. Let's say that this AbstractValue has type SpecHeapTop (and top for all the other things too). Let's say we deleted a CheckTDZ because we saw the type is SpecHeapTop. Let's also say that we're now OSR entering with the TDZ value (JSValue()). I think that would lead to a bug.
Filip Pizlo
Comment 3 2019-03-20 15:00:48 PDT
(In reply to Saam Barati from comment #2) > (In reply to Filip Pizlo from comment #1) > > (In reply to Saam Barati from comment #0) > > > ``` > > > bool validate(JSValue value) const > > > { > > > if (isHeapTop()) > > > return true; > > > ``` > > > > > > However, JSValue() is not part of heap top, but would return true if asked > > > to validate on an AbstractValue that isHeapTop(). > > > > JSValue() in AbstractValue means that the value is “any JSValue”. There is > > no way to reflect folding to JSValue() in abstract value. > > The scenario I'm worried about is OSR entry. > > Let's say that this AbstractValue has type SpecHeapTop (and top for all the > other things too). Let's say we deleted a CheckTDZ because we saw the type > is SpecHeapTop. Let's also say that we're now OSR entering with the TDZ > value (JSValue()). I think that would lead to a bug. I'm not saying that it wouldn't. I'm just saying that AbstractValue::m_value being JSValue() means "top JSValue". So if AbstractValue::m_value is empty, it doesn't mean JSValue().
Saam Barati
Comment 4 2019-03-20 16:10:47 PDT
Created attachment 365426 [details] WIP Currently crashing in a lot of tests. I need to figure out why.
Saam Barati
Comment 5 2019-03-20 16:48:52 PDT
Created attachment 365437 [details] patch
EWS Watchlist
Comment 6 2019-03-20 16:51:33 PDT
Attachment 365437 [details] did not pass style-queue: ERROR: Source/JavaScriptCore/dfg/DFGStructureAbstractValue.h:235: The parameter name "structure" adds no information, so it should be removed. [readability/parameter_name] [5] ERROR: Source/JavaScriptCore/dfg/testdfg.cpp:30: Alphabetical sorting problem. [build/include_order] [4] Total errors found: 2 in 11 files If any of these errors are false positives, please file a bug against check-webkit-style.
Saam Barati
Comment 7 2019-03-20 16:51:35 PDT
Created attachment 365439 [details] patch
EWS Watchlist
Comment 8 2019-03-20 16:55:16 PDT
Attachment 365439 [details] did not pass style-queue: ERROR: Source/JavaScriptCore/dfg/DFGStructureAbstractValue.h:235: The parameter name "structure" adds no information, so it should be removed. [readability/parameter_name] [5] ERROR: Source/JavaScriptCore/dfg/testdfg.cpp:30: Alphabetical sorting problem. [build/include_order] [4] Total errors found: 2 in 11 files If any of these errors are false positives, please file a bug against check-webkit-style.
Yusuke Suzuki
Comment 9 2019-03-20 16:58:39 PDT
Comment on attachment 365439 [details] patch r=me too.
WebKit Commit Bot
Comment 10 2019-03-20 22:43:14 PDT
Comment on attachment 365439 [details] patch Clearing flags on attachment: 365439 Committed r243278: <https://trac.webkit.org/changeset/243278>
WebKit Commit Bot
Comment 11 2019-03-20 22:43:15 PDT
All reviewed patches have been landed. Closing bug.
Radar WebKit Bug Importer
Comment 12 2019-03-20 22:44:49 PDT
<rdar://problem/49095372>
Note You need to log in before you can comment on or make changes to this bug.