| Summary: | FTL: Emit code to validate AI's state when running the compiled code |
|---|---|
| Product: | WebKit |
| Reporter: | Saam Barati <saam> |
| Component: | JavaScriptCore |
| Assignee: | Saam Barati <saam> |
| Status: | RESOLVED FIXED |
| Severity: | Normal |
| CC: | benjamin, commit-queue, ews-watchlist, fpizlo, ggaren, gskachkov, guijemont, keith_miller, mark.lam, msaboff, rmorisset, ticaiolima, tzagallo, webkit-bug-importer, ysuzuki |
| Priority: | P2 |
| Keywords: | InRadar |
| Version: | WebKit Nightly Build |
| Hardware: | Unspecified |
| OS: | Unspecified |
| See Also: | https://bugs.webkit.org/show_bug.cgi?id=195980 https://bugs.webkit.org/show_bug.cgi?id=195981 https://bugs.webkit.org/show_bug.cgi?id=196030 |
Description
Saam Barati
2019-03-18 18:23:52 PDT
Created attachment 365252 [details]
WIP
Created attachment 365255 [details]
WIP
Created attachment 365261 [details]
WIP
seems possible it's already found some bugs...

(In reply to Saam Barati from comment #5)
> seems possible it's already found some bugs...

Perhaps not. It seems like using combined liveness may not work, since AI only tracks live in IR values.

Created attachment 365267 [details]
WIP

It found a bug:
```
case ValueBitXor:
case ValueBitAnd:
case ValueBitOr:
    if (node->binaryUseKind() == BigIntUse)
        setTypeForNode(node, SpecBigInt);
    else {
        clobberWorld();
        setTypeForNode(node, SpecBoolInt32 | SpecBigInt);
    }
    break;
```
Should be:
```
case ValueBitXor:
case ValueBitAnd:
case ValueBitOr:
    if (node->binaryUseKind() == BigIntUse)
        setTypeForNode(node, SpecBigInt);
    else {
        clobberWorld();
        setTypeForNode(node, SpecInt32Only | SpecBigInt);
    }
    break;
```
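The check this bug's patch adds to FTL output can be shown in miniature: the abstract interpreter claims a type set for a node's result, and the compiled code verifies at runtime that the actual value falls inside that set. The following C++ is an added illustration written for this page, not JavaScriptCore's code; it assumes a simplified bitmask lattice (`SpecBoolInt32` meaning an int32 that is exactly 0 or 1, `SpecNonBoolInt32` any other int32, `SpecInt32Only` their union) and a toy `Value` type in place of `JSValue`. Run against the non-BigInt path of `ValueBitXor`, it demonstrates why the claim `SpecBoolInt32 | SpecBigInt` from the comment above is too narrow and `SpecInt32Only | SpecBigInt` is the correct one.

```cpp
#include <cstdint>
#include <cstdio>

// Simplified stand-in for JSC's SpeculatedType bitmask (assumed shape, not the real header).
// Each bit names a set of runtime values; a union of bits is a superset.
using SpeculatedType = uint32_t;
constexpr SpeculatedType SpecBoolInt32    = 1u << 0; // int32 that is exactly 0 or 1
constexpr SpeculatedType SpecNonBoolInt32 = 1u << 1; // any other int32
constexpr SpeculatedType SpecInt32Only    = SpecBoolInt32 | SpecNonBoolInt32;
constexpr SpeculatedType SpecBigInt       = 1u << 2;
constexpr SpeculatedType SpecOther        = 1u << 3; // catch-all for everything else (assumed)

// Minimal runtime value model for the demo (constructed; not JSValue).
struct Value {
    enum Kind { Int32, BigInt, Other } kind;
    int32_t int32 = 0;
};

// What the runtime value actually is, expressed in the same lattice the AI uses.
SpeculatedType speculationFromValue(const Value& v) {
    switch (v.kind) {
    case Value::Int32:
        return (v.int32 == 0 || v.int32 == 1) ? SpecBoolInt32 : SpecNonBoolInt32;
    case Value::BigInt:
        return SpecBigInt;
    default:
        return SpecOther;
    }
}

// The validation the patch compiles into the FTL output, in spirit: the AI's claim
// (what it proved about a node's result) must be a superset of what flows at runtime.
// Returns false exactly when the runtime value carries a bit the claim excludes.
bool validateAIState(SpeculatedType claimed, const Value& actual) {
    SpeculatedType observed = speculationFromValue(actual);
    return (observed & ~claimed) == 0;
}

// Toy evaluator for the non-BigInt path of ValueBitXor: both operands already int32.
Value valueBitXorInt32(int32_t a, int32_t b) {
    return Value{Value::Int32, a ^ b};
}

// The two claims from the bug: the original (too narrow) and the corrected one.
constexpr SpeculatedType kBuggyClaim = SpecBoolInt32 | SpecBigInt;
constexpr SpeculatedType kFixedClaim = SpecInt32Only | SpecBigInt;

int main() {
    Value r = valueBitXorInt32(5, 3); // 6: an int32 that is not boolean-shaped
    std::printf("buggy claim holds: %d\n", validateAIState(kBuggyClaim, r));
    std::printf("fixed claim holds: %d\n", validateAIState(kFixedClaim, r));
    return 0;
}
```

Inputs such as `1 ^ 0` stay inside both claims, which is why a narrow claim can survive ordinary testing; the runtime check fails only when a value outside the claimed set actually appears, which is the kind of latent AI bug the validation code on this bug is meant to surface.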
Created attachment 365284 [details]
patch
WIP
Created attachment 365288 [details]
WIP
Created attachment 365293 [details]
WIP
Created attachment 365457 [details]
WIP
Created attachment 365910 [details]
patch
Comment on attachment 365910 [details]
patch

View in context: https://bugs.webkit.org/attachment.cgi?id=365910&action=review

> Source/JavaScriptCore/ftl/FTLLowerDFGToB3.cpp:177
> + live.add(child.node());

I’ll also make this addVoid

Attachment 365910 [details] did not pass style-queue:

ERROR: Source/JavaScriptCore/ChangeLog:12: Please consider whether the use of security-sensitive phrasing could help someone exploit WebKit: fuzzer [changelog/unwantedsecurityterms] [3]
Total errors found: 1 in 3 files
If any of these errors are false positives, please file a bug against check-webkit-style.
Comment on attachment 365910 [details]
patch

View in context: https://bugs.webkit.org/attachment.cgi?id=365910&action=review

> Source/JavaScriptCore/ftl/FTLLowerDFGToB3.cpp:597
> + input = boxDouble(lowDouble(Edge(node, DoubleRepUse)));

this logic is somewhat wrong for doubles. I think I need to validate them unboxed.

Created attachment 365926 [details]
patch

Attachment 365926 [details] did not pass style-queue:

ERROR: Source/JavaScriptCore/ChangeLog:12: Please consider whether the use of security-sensitive phrasing could help someone exploit WebKit: fuzzer [changelog/unwantedsecurityterms] [3]
Total errors found: 1 in 3 files
If any of these errors are false positives, please file a bug against check-webkit-style.

Comment on attachment 365926 [details]
patch

Clearing flags on attachment: 365926

Committed r243530: <https://trac.webkit.org/changeset/243530>

All reviewed patches have been landed. Closing bug.