WebKit Bugzilla
RESOLVED FIXED
195924
FTL: Emit code to validate AI's state when running the compiled code
https://bugs.webkit.org/show_bug.cgi?id=195924
Saam Barati
Reported
2019-03-18 18:23:52 PDT
...
Attachments
WIP (5.10 KB, patch), 2019-03-19 16:19 PDT, Saam Barati, no flags
WIP (5.56 KB, patch), 2019-03-19 16:24 PDT, Saam Barati, no flags
WIP (6.13 KB, patch), 2019-03-19 16:40 PDT, Saam Barati, no flags
WIP (7.08 KB, patch), 2019-03-19 17:14 PDT, Saam Barati, no flags
patch (8.47 KB, patch), 2019-03-19 18:46 PDT, Saam Barati, no flags
WIP (10.24 KB, patch), 2019-03-19 19:21 PDT, Saam Barati, no flags
WIP (10.88 KB, patch), 2019-03-19 19:38 PDT, Saam Barati, no flags
WIP (13.35 KB, patch), 2019-03-20 18:30 PDT, Saam Barati, no flags
patch (9.25 KB, patch), 2019-03-25 15:44 PDT, Saam Barati, no flags
patch (10.35 KB, patch), 2019-03-25 17:23 PDT, Saam Barati, no flags
Radar WebKit Bug Importer
Comment 1
2019-03-18 18:40:56 PDT
<rdar://problem/49003422>
Saam Barati
Comment 2
2019-03-19 16:19:35 PDT
Created attachment 365252: WIP
Saam Barati
Comment 3
2019-03-19 16:24:05 PDT
Created attachment 365255: WIP
Saam Barati
Comment 4
2019-03-19 16:40:09 PDT
Created attachment 365261: WIP
Saam Barati
Comment 5
2019-03-19 16:51:19 PDT
seems possible it's already found some bugs...
Saam Barati
Comment 6
2019-03-19 17:10:28 PDT
(In reply to Saam Barati from comment #5)
> seems possible it's already found some bugs...
Perhaps not. It seems like using combined liveness may not work, since AI only tracks live in IR values.
Saam Barati
Comment 7
2019-03-19 17:14:47 PDT
Created attachment 365267: WIP
Saam Barati
Comment 8
2019-03-19 18:12:26 PDT
It found a bug:
```
case ValueBitXor:
case ValueBitAnd:
case ValueBitOr:
    if (node->binaryUseKind() == BigIntUse)
        setTypeForNode(node, SpecBigInt);
    else {
        clobberWorld();
        setTypeForNode(node, SpecBoolInt32 | SpecBigInt);
    }
    break;
```
Should be:
```
case ValueBitXor:
case ValueBitAnd:
case ValueBitOr:
    if (node->binaryUseKind() == BigIntUse)
        setTypeForNode(node, SpecBigInt);
    else {
        clobberWorld();
        setTypeForNode(node, SpecInt32Only | SpecBigInt);
    }
    break;
```
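A minimal model of the runtime check this bug adds, as an added example that is not part of the original comment or of JavaScriptCore: the type names follow the snippet above, while the bit values, `Value`, `speculationFromValue`, `validateAIState` and `runValueBitOr` are constructed for illustration. It shows `2 | 1` failing validation against the old `SpecBoolInt32 | SpecBigInt` result type and passing against the corrected one.

```cpp
#include <cstdint>
#include <string>
#include <variant>

// Simplified model of speculated-type bit sets. The names mirror the ones in
// the comment above; the bit values and helpers are constructed for this example.
using SpeculatedType = uint32_t;
constexpr SpeculatedType SpecBoolInt32    = 1u << 0; // int32 that is 0 or 1
constexpr SpeculatedType SpecNonBoolInt32 = 1u << 1; // any other int32
constexpr SpeculatedType SpecInt32Only    = SpecBoolInt32 | SpecNonBoolInt32;
constexpr SpeculatedType SpecBigInt       = 1u << 2;

struct BigInt { std::string digits; };        // stand-in for a heap BigInt
using Value = std::variant<int32_t, BigInt>;  // the only results modelled here

// The most precise type of a concrete runtime value.
SpeculatedType speculationFromValue(const Value& v)
{
    if (std::holds_alternative<BigInt>(v))
        return SpecBigInt;
    int32_t i = std::get<int32_t>(v);
    return (i == 0 || i == 1) ? SpecBoolInt32 : SpecNonBoolInt32;
}

// The runtime check: the actual value must fall inside the type the abstract
// interpreter proved for the node. A false result means the proof was unsound.
bool validateAIState(SpeculatedType proven, const Value& actual)
{
    return (speculationFromValue(actual) & ~proven) == 0;
}

// Untyped-use result types for ValueBitOr before and after the fix quoted above.
constexpr SpeculatedType buggyValueBitOrType = SpecBoolInt32 | SpecBigInt;
constexpr SpeculatedType fixedValueBitOrType = SpecInt32Only | SpecBigInt;

// Concrete int32 semantics of `a | b`, standing in for the compiled code.
Value runValueBitOr(int32_t a, int32_t b) { return Value(a | b); }
```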
Saam Barati
Comment 9
2019-03-19 18:46:03 PDT
Created attachment 365284: patch
WIP
Saam Barati
Comment 10
2019-03-19 19:21:31 PDT
Created attachment 365288: WIP
Saam Barati
Comment 11
2019-03-19 19:38:56 PDT
Created attachment 365293: WIP
Saam Barati
Comment 12
2019-03-20 18:30:47 PDT
Created attachment 365457: WIP
Saam Barati
Comment 13
2019-03-25 15:44:38 PDT
Created attachment 365910: patch
Saam Barati
Comment 14
2019-03-25 16:01:17 PDT
Comment on attachment 365910: patch
View in context: https://bugs.webkit.org/attachment.cgi?id=365910&action=review
> Source/JavaScriptCore/ftl/FTLLowerDFGToB3.cpp:177 > + live.add(child.node());
I’ll also make this addVoid
EWS Watchlist
Comment 15
2019-03-25 16:02:56 PDT
Attachment 365910 did not pass style-queue:

ERROR: Source/JavaScriptCore/ChangeLog:12: Please consider whether the use of security-sensitive phrasing could help someone exploit WebKit: fuzzer [changelog/unwantedsecurityterms] [3]
Total errors found: 1 in 3 files

If any of these errors are false positives, please file a bug against check-webkit-style.
Saam Barati
Comment 16
2019-03-25 16:57:27 PDT
Comment on attachment 365910: patch
View in context: https://bugs.webkit.org/attachment.cgi?id=365910&action=review
> Source/JavaScriptCore/ftl/FTLLowerDFGToB3.cpp:597 > + input = boxDouble(lowDouble(Edge(node, DoubleRepUse)));
this logic is somewhat wrong for doubles. I think I need to validate them unboxed.
Saam Barati
Comment 17
2019-03-25 17:23:40 PDT
Created attachment 365926: patch
EWS Watchlist
Comment 18
2019-03-25 17:27:49 PDT
Attachment 365926 did not pass style-queue:

ERROR: Source/JavaScriptCore/ChangeLog:12: Please consider whether the use of security-sensitive phrasing could help someone exploit WebKit: fuzzer [changelog/unwantedsecurityterms] [3]
Total errors found: 1 in 3 files

If any of these errors are false positives, please file a bug against check-webkit-style.
WebKit Commit Bot
Comment 19
2019-03-26 17:08:52 PDT
Comment on attachment 365926: patch
Clearing flags on attachment: 365926
Committed r243530: <https://trac.webkit.org/changeset/243530>
WebKit Commit Bot
Comment 20
2019-03-26 17:08:54 PDT
All reviewed patches have been landed. Closing bug.