Bug 195924

Summary: FTL: Emit code to validate AI's state when running the compiled code
Product: WebKit
Reporter: Saam Barati <saam>
Component: JavaScriptCore
Assignee: Saam Barati <saam>
Status: RESOLVED FIXED
Severity: Normal
CC: benjamin, commit-queue, ews-watchlist, fpizlo, ggaren, gskachkov, guijemont, keith_miller, mark.lam, msaboff, rmorisset, ticaiolima, tzagallo, webkit-bug-importer, ysuzuki
Priority: P2
Keywords: InRadar
Version: WebKit Nightly Build
Hardware: Unspecified
OS: Unspecified
See Also: https://bugs.webkit.org/show_bug.cgi?id=195980
https://bugs.webkit.org/show_bug.cgi?id=195981
https://bugs.webkit.org/show_bug.cgi?id=196030

Saam Barati
Reported 2019-03-18 18:23:52 PDT
...
Attachments
WIP (5.10 KB, patch)
2019-03-19 16:19 PDT, Saam Barati
no flags
WIP (5.56 KB, patch)
2019-03-19 16:24 PDT, Saam Barati
no flags
WIP (6.13 KB, patch)
2019-03-19 16:40 PDT, Saam Barati
no flags
WIP (7.08 KB, patch)
2019-03-19 17:14 PDT, Saam Barati
no flags
patch (8.47 KB, patch)
2019-03-19 18:46 PDT, Saam Barati
no flags
WIP (10.24 KB, patch)
2019-03-19 19:21 PDT, Saam Barati
no flags
WIP (10.88 KB, patch)
2019-03-19 19:38 PDT, Saam Barati
no flags
WIP (13.35 KB, patch)
2019-03-20 18:30 PDT, Saam Barati
no flags
patch (9.25 KB, patch)
2019-03-25 15:44 PDT, Saam Barati
no flags
patch (10.35 KB, patch)
2019-03-25 17:23 PDT, Saam Barati
no flags
Radar WebKit Bug Importer
Comment 1 2019-03-18 18:40:56 PDT
Saam Barati
Comment 2 2019-03-19 16:19:35 PDT
Saam Barati
Comment 3 2019-03-19 16:24:05 PDT
Saam Barati
Comment 4 2019-03-19 16:40:09 PDT
Saam Barati
Comment 5 2019-03-19 16:51:19 PDT
seems possible it's already found some bugs...
Saam Barati
Comment 6 2019-03-19 17:10:28 PDT
(In reply to Saam Barati from comment #5)
> seems possible it's already found some bugs...

Perhaps not. It seems like using combined liveness may not work, since AI only tracks live in IR values.
Saam Barati
Comment 7 2019-03-19 17:14:47 PDT
Saam Barati
Comment 8 2019-03-19 18:12:26 PDT
It found a bug:

```
case ValueBitXor:
case ValueBitAnd:
case ValueBitOr:
    if (node->binaryUseKind() == BigIntUse)
        setTypeForNode(node, SpecBigInt);
    else {
        clobberWorld();
        setTypeForNode(node, SpecBoolInt32 | SpecBigInt);
    }
    break;
```

Should be:

```
case ValueBitXor:
case ValueBitAnd:
case ValueBitOr:
    if (node->binaryUseKind() == BigIntUse)
        setTypeForNode(node, SpecBigInt);
    else {
        clobberWorld();
        setTypeForNode(node, SpecInt32Only | SpecBigInt);
    }
    break;
```
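The following is an added toy model, not JavaScriptCore code, of the kind of check this bug is about: the compiled code validates the abstract interpreter's (AI's) predicted type of a node against the value the node actually produces at run time. The flag names follow JSC's SpeculatedType (SpecBoolInt32 is an int32 whose value is 0 or 1, SpecNonBoolInt32 any other int32, SpecInt32Only their union), but the bit layout, the `JSValueModel` value stand-in, `validateAIState` and `predictionHoldsForSamples` are assumptions of this model. It shows why the prediction quoted in the comment above is unsound: a ValueBitXor on int32 operands can produce any int32, so `SpecBoolInt32 | SpecBigInt` fails validation as soon as the result is not 0 or 1, while `SpecInt32Only | SpecBigInt` holds.

```cpp
// Added example (not JavaScriptCore code): a toy model of validating the
// abstract interpreter's predicted type against the run-time value.
#include <cstdint>

using SpeculatedType = uint32_t;

// Assumed bit layout; names mirror JSC's SpeculatedType.
constexpr SpeculatedType SpecBoolInt32    = 1u << 0; // int32 with value 0 or 1
constexpr SpeculatedType SpecNonBoolInt32 = 1u << 1; // int32 other than 0 or 1
constexpr SpeculatedType SpecInt32Only    = SpecBoolInt32 | SpecNonBoolInt32;
constexpr SpeculatedType SpecBigInt       = 1u << 2;
constexpr SpeculatedType SpecBoolean      = 1u << 3;

// Minimal stand-in for a JS value (assumed for this model): an int32, a
// BigInt (represented here as int64) or a boolean.
struct JSValueModel {
    enum Kind { Int32, BigInt, Boolean } kind;
    int64_t payload; // the int32, the BigInt, or 0/1 for a boolean
};

JSValueModel int32Value(int32_t v)   { return { JSValueModel::Int32, v }; }
JSValueModel bigIntValue(int64_t v)  { return { JSValueModel::BigInt, v }; }
JSValueModel booleanValue(bool v)    { return { JSValueModel::Boolean, v ? 1 : 0 }; }

// Narrowest speculated type describing one concrete value.
SpeculatedType speculationFromValue(const JSValueModel& value) {
    switch (value.kind) {
    case JSValueModel::Int32:
        return (value.payload == 0 || value.payload == 1) ? SpecBoolInt32 : SpecNonBoolInt32;
    case JSValueModel::BigInt:
        return SpecBigInt;
    default:
        return SpecBoolean;
    }
}

// The check compiled code would emit: the prediction is sound only if the
// observed value's type is contained in the predicted set.
bool validateAIState(SpeculatedType predicted, const JSValueModel& observed) {
    SpeculatedType actual = speculationFromValue(observed);
    return (actual & ~predicted) == 0;
}

// Run-time semantics of ValueBitXor for two int32 operands.
JSValueModel valueBitXor(int32_t a, int32_t b) {
    return int32Value(static_cast<int32_t>(static_cast<uint32_t>(a) ^ static_cast<uint32_t>(b)));
}

// The two predictions from the comment above (non-BigInt path).
constexpr SpeculatedType predictionBeforeFix = SpecBoolInt32 | SpecBigInt;
constexpr SpeculatedType predictionAfterFix  = SpecInt32Only | SpecBigInt;

// True when the prediction survives validation over constructed sample
// inputs, some of which yield results other than 0 or 1.
bool predictionHoldsForSamples(SpeculatedType predicted) {
    const int32_t samples[][2] = { {0, 1}, {1, 1}, {5, 3}, {-1, 0x7fffffff} };
    for (const auto& s : samples) {
        if (!validateAIState(predicted, valueBitXor(s[0], s[1])))
            return false; // e.g. 5 ^ 3 == 6 is not a "bool int32"
    }
    return true;
}
```

In this model `predictionHoldsForSamples(predictionBeforeFix)` is false and `predictionHoldsForSamples(predictionAfterFix)` is true; a validation check like this one is what turns a silently over-narrow AI type into a detectable failure instead of a miscompilation.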
Saam Barati
Comment 9 2019-03-19 18:46:03 PDT
Created attachment 365284 [details] patch WIP
Saam Barati
Comment 10 2019-03-19 19:21:31 PDT
Saam Barati
Comment 11 2019-03-19 19:38:56 PDT
Saam Barati
Comment 12 2019-03-20 18:30:47 PDT
Saam Barati
Comment 13 2019-03-25 15:44:38 PDT
Saam Barati
Comment 14 2019-03-25 16:01:17 PDT
Comment on attachment 365910 [details]
patch

View in context: https://bugs.webkit.org/attachment.cgi?id=365910&action=review

> Source/JavaScriptCore/ftl/FTLLowerDFGToB3.cpp:177
> + live.add(child.node());

I’ll also make this addVoid
EWS Watchlist
Comment 15 2019-03-25 16:02:56 PDT
Attachment 365910 [details] did not pass style-queue:

ERROR: Source/JavaScriptCore/ChangeLog:12: Please consider whether the use of security-sensitive phrasing could help someone exploit WebKit: fuzzer [changelog/unwantedsecurityterms] [3]
Total errors found: 1 in 3 files

If any of these errors are false positives, please file a bug against check-webkit-style.
Saam Barati
Comment 16 2019-03-25 16:57:27 PDT
Comment on attachment 365910 [details]
patch

View in context: https://bugs.webkit.org/attachment.cgi?id=365910&action=review

> Source/JavaScriptCore/ftl/FTLLowerDFGToB3.cpp:597
> + input = boxDouble(lowDouble(Edge(node, DoubleRepUse)));

this logic is somewhat wrong for doubles. I think I need to validate them unboxed.
Saam Barati
Comment 17 2019-03-25 17:23:40 PDT
EWS Watchlist
Comment 18 2019-03-25 17:27:49 PDT
Attachment 365926 [details] did not pass style-queue:

ERROR: Source/JavaScriptCore/ChangeLog:12: Please consider whether the use of security-sensitive phrasing could help someone exploit WebKit: fuzzer [changelog/unwantedsecurityterms] [3]
Total errors found: 1 in 3 files

If any of these errors are false positives, please file a bug against check-webkit-style.
WebKit Commit Bot
Comment 19 2019-03-26 17:08:52 PDT
Comment on attachment 365926 [details]
patch

Clearing flags on attachment: 365926

Committed r243530: <https://trac.webkit.org/changeset/243530>
WebKit Commit Bot
Comment 20 2019-03-26 17:08:54 PDT
All reviewed patches have been landed. Closing bug.