Bug 238302

Summary: CSE should be more careful with values that have WritesPinned, ExitsSideways, or are of different sizes
Product: WebKit Reporter: Justin Michaud <justin_michaud>
Component: JavaScriptCoreAssignee: Justin Michaud <justin_michaud>
Status: RESOLVED FIXED    
Severity: Normal CC: ajn35, anthony.bowker, bfulgham, carlo, ews-watchlist, keith_miller, mark.lam, msaboff, roman.wache, saam, tzagallo, webkit-bug-importer, ysuzuki
Priority: P1 Keywords: InRadar
Version: Safari 15   
Hardware: Unspecified   
OS: Unspecified   
Bug Depends on:    
Bug Blocks: 237180    
Attachments:
Description Flags
Crashing unity project
none
Working unity project
none
Patch
none
Patch
none
Patch
ews-feeder: commit-queue-
Patch
none
Patch
ews-feeder: commit-queue-
Patch
none
Patch
none
Patch
none
TestCaseRepro none

Justin Michaud
Reported 2022-03-23 18:29:47 PDT
processWasmAddressValue is not looking at the full set of basic blocks between use and def before concluding it can CSE a WasmAddressValue
Attachments
Crashing unity project (6.42 MB, application/zip)
2022-03-23 18:31 PDT, Justin Michaud 		no flags
Details
Working unity project (6.42 MB, application/zip)
2022-03-23 18:32 PDT, Justin Michaud 		no flags
Details
Patch (7.73 KB, patch)
2022-03-29 16:08 PDT, Justin Michaud 		no flags
DetailsFormatted DiffDiff
Patch (24.38 KB, patch)
2022-04-01 11:45 PDT, Justin Michaud 		no flags
DetailsFormatted DiffDiff
Patch (24.38 KB, patch)
2022-04-01 11:47 PDT, Justin Michaud 		ews-feeder: commit-queue-
DetailsFormatted DiffDiff
Patch (22.22 KB, patch)
2022-04-01 13:03 PDT, Justin Michaud 		no flags
DetailsFormatted DiffDiff
Patch (22.09 KB, patch)
2022-04-01 13:09 PDT, Justin Michaud 		ews-feeder: commit-queue-
DetailsFormatted DiffDiff
Patch (24.65 KB, patch)
2022-04-01 16:11 PDT, Justin Michaud 		no flags
DetailsFormatted DiffDiff
Patch (24.23 KB, patch)
2022-04-04 13:12 PDT, Justin Michaud 		no flags
DetailsFormatted DiffDiff
Patch (24.58 KB, patch)
2022-04-05 15:14 PDT, Justin Michaud 		no flags
DetailsFormatted DiffDiff
TestCaseRepro (404.67 KB, application/x-zip-compressed)
2022-04-07 07:56 PDT, ajn35 		no flags
Details
Show Obsolete (7) View All Add attachment proposed patch, testcase, etc.
Justin Michaud
Comment 1 2022-03-23 18:31:48 PDT
Created attachment 455592 [details] Crashing unity project
Justin Michaud
Comment 2 2022-03-23 18:32:15 PDT
Created attachment 455593 [details] Working unity project
Justin Michaud
Comment 3 2022-03-23 18:34:16 PDT
Ruffle.rs test case repro: 1. Load https://ruffle.rs/demo/ 2. Select Sample SWF "Bites of Brackenwood" 3. Click play button 4. See if we throw an out of bounds exception or not using web inspector (web inspector may need to be open for duration of the above steps). Test case summary: iOS 15.4 safari-613.1.17.0-branch: - Crashing unity project crashes with OOM - Working unity project works - Ruffle.rs crashes With this pass disabled: - All 3 work
Justin Michaud
Comment 4 2022-03-29 16:08:48 PDT
Created attachment 456073 [details] Patch
Saam Barati
Comment 5 2022-03-29 16:24:47 PDT
Comment on attachment 456073 [details] Patch r=me
Radar WebKit Bug Importer
Comment 6 2022-03-30 18:30:24 PDT
<rdar://problem/91078546>
Justin Michaud
Comment 7 2022-04-01 11:45:28 PDT
Created attachment 456379 [details] Patch
Justin Michaud
Comment 8 2022-04-01 11:47:07 PDT
Created attachment 456381 [details] Patch
Saam Barati
Comment 9 2022-04-01 11:52:13 PDT
Comment on attachment 456381 [details] Patch View in context: https://bugs.webkit.org/attachment.cgi?id=456381&action=review > Source/JavaScriptCore/wasm/WasmB3IRGenerator.cpp:2631 > + result->effects.reads = B3::HeapRange::top(); by default this watchpoint is Effects::forCall(). Why do we need this?
Keith Miller
Comment 10 2022-04-01 12:46:46 PDT
I think your missing a file.
Keith Miller
Comment 11 2022-04-01 12:47:01 PDT
(In reply to Keith Miller from comment #10) > I think your missing a file. ugh, you are*
Justin Michaud
Comment 12 2022-04-01 13:03:38 PDT
Created attachment 456392 [details] Patch
Justin Michaud
Comment 13 2022-04-01 13:09:56 PDT
Created attachment 456394 [details] Patch
Yusuke Suzuki
Comment 14 2022-04-01 14:40:36 PDT
Comment on attachment 456394 [details] Patch r=me
Justin Michaud
Comment 15 2022-04-01 16:11:13 PDT
Created attachment 456414 [details] Patch
Saam Barati
Comment 16 2022-04-01 17:15:40 PDT
Comment on attachment 456414 [details] Patch View in context: https://bugs.webkit.org/attachment.cgi?id=456414&action=review I think my comment about filter not doing the right thing is legit. But otherwise, LGTM > Source/JavaScriptCore/b3/B3EliminateCommonSubexpressions.cpp:542 > + if (memoryValue->lastChild() == ptr && filter(memoryValue) > + && memoryValue->accessWidth() >= m_value->as<MemoryValue>()->accessWidth()) Why is the filter function not handling this? > Source/JavaScriptCore/b3/B3EliminateCommonSubexpressions.cpp:561 > + if (match && match != m_value && match->accessWidth() >= m_value->as<MemoryValue>()->accessWidth()) ditto > Source/JavaScriptCore/b3/B3Validate.cpp:573 > + // Conceptually, if you exit sideways, you should read Top or (AbstractHeapRepository) root. > + // Since we can't easily find out what root is, we settle for this, to make sure things aren't > + // horribly wrong at least. Might be worth making note that this is a pretty strict validation rule, and philosophically isn't actually necessary. But it's serving a practical use case. Like, theoretically, you can sideExit and never read anything. But practically speaking, we never use sideExit like this. So it helps us find bugs.
ajn35
Comment 17 2022-04-04 02:59:06 PDT
Hi, We are affected as well. Thanks for the patch.
Saam Barati
Comment 18 2022-04-04 11:04:47 PDT
(In reply to ajn35 from comment #17) > Hi, > We are affected as well. > Thanks for the patch. Do you have a test case you can share?
Justin Michaud
Comment 19 2022-04-04 13:12:09 PDT
Created attachment 456612 [details] Patch
Saam Barati
Comment 20 2022-04-04 18:44:02 PDT
Comment on attachment 456612 [details] Patch View in context: https://bugs.webkit.org/attachment.cgi?id=456612&action=review r=me > Source/JavaScriptCore/ChangeLog:17 > + you're missing some blurb here about WasmBoundCheck needed to read top
Justin Michaud
Comment 21 2022-04-05 15:14:52 PDT
Created attachment 456759 [details] Patch
EWS
Comment 22 2022-04-06 10:06:24 PDT
Committed r292475 (249326@main): <https://commits.webkit.org/249326@main> All reviewed patches have been landed. Closing bug and clearing flags on attachment 456759 [details].
ajn35
Comment 23 2022-04-07 07:56:24 PDT
Created attachment 456925 [details] TestCaseRepro Sorry for the delay, please find enclosed a test case that reproduces the bug on Safari iOS 15.4. Instructions for repro are in README file.
ajn35
Comment 24 2022-04-07 07:58:00 PDT
(In reply to Saam Barati from comment #18) > (In reply to ajn35 from comment #17) > > Hi, > > We are affected as well. > > Thanks for the patch. > > Do you have a test case you can share? Yes, please see attachment 456925 [details]
Justin Michaud
Comment 25 2022-04-08 17:19:46 PDT
I have confirmed that your test case is fixed! Thanks for including it.
Saam Barati
Comment 26 2022-05-04 11:08:26 PDT
The fix for this is in iOS 15.5 Beta 4. Can folks confirm it resolves issues, and if not, report back to us? Thanks
Justin Michaud
Comment 27 2022-05-04 11:39:45 PDT
The parent https://bugs.webkit.org/show_bug.cgi?id=237180 has some reports that the issue is resolved by beta 4.
ajn35
Comment 28 2022-05-06 02:13:10 PDT
(In reply to Saam Barati from comment #26) > The fix for this is in iOS 15.5 Beta 4. Can folks confirm it resolves > issues, and if not, report back to us? > > Thanks Hi, I confirm it solves our issue. Thanks
Brent Fulgham
Comment 29 2022-05-26 14:41:59 PDT
This fix shipped with Safari 15.5 (all platforms).
Note You need to log in before you can comment on or make changes to this bug.