Bug 269785

Summary:	Missed "cc" inline asm clobber in ARM64 memory operations
Product:	WebKit	Reporter:	Kristina Bessonova <kbessonova>
Component:	JavaScriptCore	Assignee:	Nobody <webkit-unassigned>
Status:	RESOLVED FIXED
Severity:	Normal	CC:	webkit-bug-importer
Priority:	P2	Keywords:	InRadar
Version:	WebKit Local Build
Hardware:	Unspecified
OS:	Unspecified

Kristina Bessonova

Reported 2024-02-20 06:02:33 PST

Inline assembly in the following functions: * JSC::gcSafeMemcpy * JSC::gcSafeMemmove * JSC::gcSafeZeroMemory doesn't set "cc" clobber, but could change flags. It leaves a room for a compiler to misschedule the fragment. The issue happens on Cortex-A CPUs with clang-16 and newer. See, for example, a peace of code from JSArray::unshiftCountSlowCase(): ``` //APP movi d0, #0000000000000000 movi d1, #0000000000000000 .p2align 4 .Ltmp21: cmp x9, x12 b.eq .Ltmp22 stnp q0, q0, [x9] stnp q0, q0, [x9, #32] add x9, x9, #64 b .Ltmp21 .Ltmp22: cmp x9, x11 b.eq .Ltmp23 str d0, [x9], #8 b .Ltmp22 .Ltmp23: //NO_APP ldur w8, [x29, #-4] // 4-byte Folded Reload csel w8, wzr, w8, hs tbnz w8, #0, .LBB33_124 b .LBB33_125 ``` W/o "cc" clobber clang doesn't schedule `cmp` before `csel`, so it uses flags set by JSC::gcSafeZeroMemory(). Here how this is supposed to look like: ``` //APP movi d0, #0000000000000000 movi d1, #0000000000000000 .p2align 4 .Ltmp21: cmp x10, x14 b.eq .Ltmp22 stnp q0, q0, [x10] stnp q0, q0, [x10, #32] add x10, x10, #64 b .Ltmp21 .Ltmp22: cmp x10, x13 b.eq .Ltmp23 str d0, [x10], #8 b .Ltmp22 .Ltmp23: //NO_APP cmp w23, w24 ldur w10, [x29, #-12] // 4-byte Folded Reload csel w10, wzr, w10, hs tbnz w10, #0, .LBB33_117 b .LBB33_118 ``` I also found that at least 3 tests failed due to this issue on Cortex-A55/A57: Tools/Scripts/run-javascriptcore-tests --jsc-only --release --no-build --no-fail-fast --memory-limited --remote-config-file ./remote-jsc-tests-config.json --filter=unshift* ``` 6/65 ....Segmentation fault stress/array-unshift-should-not-race-against-compiler-thread.js.no-cjit-collect-continuously: ERROR: Unexpected exit code: 139 10/65 (failed 1) ....Segmentation fault stress/array-unshift-should-not-race-against-compiler-thread.js.dfg-eager-no-cjit-validate: ERROR: Unexpected exit code: 139 12/65 (failed 2) ....Segmentation fault stress/array-unshift-should-not-race-against-compiler-thread.js.ftl-eager-no-cjit: ERROR: Unexpected exit code: 139 65/65 (failed 3) test_results 100% 2618 23.0KB/s 00:00 ** The following JSC stress test failures have been introduced: stress/array-unshift-should-not-race-against-compiler-thread.js.dfg-eager-no-cjit-validate stress/array-unshift-should-not-race-against-compiler-thread.js.ftl-eager-no-cjit stress/array-unshift-should-not-race-against-compiler-thread.js.no-cjit-collect-continuously ```

Attachments
Add attachment proposed patch, testcase, etc.

Kristina Bessonova

Comment 1 2024-02-20 06:08:32 PST

Pull request: https://github.com/WebKit/WebKit/pull/24812

EWS

Comment 2 2024-02-20 11:24:33 PST

Committed 275057@main (a6fdfba9eced): <https://commits.webkit.org/275057@main> Reviewed commits have been landed. Closing PR #24812 and removing active labels.

Radar WebKit Bug Importer

Comment 3 2024-02-20 11:25:16 PST

<rdar://problem/123324577>

Note You need to log in before you can comment on or make changes to this bug.