Bug 195924 - FTL: Emit code to validate AI's state when running the compiled code
Summary: FTL: Emit code to validate AI's state when running the compiled code
Status: RESOLVED FIXED
Alias: None
Product: WebKit
Classification: Unclassified
Component: JavaScriptCore (show other bugs)
Version: WebKit Nightly Build
Hardware: Unspecified Unspecified
: P2 Normal
Assignee: Saam Barati
URL:
Keywords: InRadar
Depends on:
Blocks:
 
Reported: 2019-03-18 18:23 PDT by Saam Barati
Modified: 2019-03-26 17:08 PDT (History)
15 users (show)

See Also:


Attachments
WIP (5.10 KB, patch)
2019-03-19 16:19 PDT, Saam Barati
no flags Details | Formatted Diff | Diff
WIP (5.56 KB, patch)
2019-03-19 16:24 PDT, Saam Barati
no flags Details | Formatted Diff | Diff
WIP (6.13 KB, patch)
2019-03-19 16:40 PDT, Saam Barati
no flags Details | Formatted Diff | Diff
WIP (7.08 KB, patch)
2019-03-19 17:14 PDT, Saam Barati
no flags Details | Formatted Diff | Diff
patch (8.47 KB, patch)
2019-03-19 18:46 PDT, Saam Barati
no flags Details | Formatted Diff | Diff
WIP (10.24 KB, patch)
2019-03-19 19:21 PDT, Saam Barati
no flags Details | Formatted Diff | Diff
WIP (10.88 KB, patch)
2019-03-19 19:38 PDT, Saam Barati
no flags Details | Formatted Diff | Diff
WIP (13.35 KB, patch)
2019-03-20 18:30 PDT, Saam Barati
no flags Details | Formatted Diff | Diff
patch (9.25 KB, patch)
2019-03-25 15:44 PDT, Saam Barati
no flags Details | Formatted Diff | Diff
patch (10.35 KB, patch)
2019-03-25 17:23 PDT, Saam Barati
no flags Details | Formatted Diff | Diff

Note You need to log in before you can comment on or make changes to this bug.
Description Saam Barati 2019-03-18 18:23:52 PDT
...
Comment 1 Radar WebKit Bug Importer 2019-03-18 18:40:56 PDT
<rdar://problem/49003422>
Comment 2 Saam Barati 2019-03-19 16:19:35 PDT
Created attachment 365252 [details]
WIP
Comment 3 Saam Barati 2019-03-19 16:24:05 PDT
Created attachment 365255 [details]
WIP
Comment 4 Saam Barati 2019-03-19 16:40:09 PDT
Created attachment 365261 [details]
WIP
Comment 5 Saam Barati 2019-03-19 16:51:19 PDT
seems possible it's already found some bugs...
Comment 6 Saam Barati 2019-03-19 17:10:28 PDT
(In reply to Saam Barati from comment #5)
> seems possible it's already found some bugs...

Perhaps not. It seems like using combined liveness may not work, since AI only tracks live in IR values.
Comment 7 Saam Barati 2019-03-19 17:14:47 PDT
Created attachment 365267 [details]
WIP
Comment 8 Saam Barati 2019-03-19 18:12:26 PDT
It found a bug:

```
    case ValueBitXor:
    case ValueBitAnd:
    case ValueBitOr:
        if (node->binaryUseKind() == BigIntUse)
            setTypeForNode(node, SpecBigInt);
        else {
            clobberWorld();
            setTypeForNode(node, SpecBoolInt32 | SpecBigInt);
        }
        break;

```

Should be:
```
    case ValueBitXor:
    case ValueBitAnd:
    case ValueBitOr:
        if (node->binaryUseKind() == BigIntUse)
            setTypeForNode(node, SpecBigInt);
        else {
            clobberWorld();
            setTypeForNode(node, SpecInt32Only | SpecBigInt);
        }
        break;
````
Comment 9 Saam Barati 2019-03-19 18:46:03 PDT
Created attachment 365284 [details]
patch

WIP
Comment 10 Saam Barati 2019-03-19 19:21:31 PDT
Created attachment 365288 [details]
WIP
Comment 11 Saam Barati 2019-03-19 19:38:56 PDT
Created attachment 365293 [details]
WIP
Comment 12 Saam Barati 2019-03-20 18:30:47 PDT
Created attachment 365457 [details]
WIP
Comment 13 Saam Barati 2019-03-25 15:44:38 PDT
Created attachment 365910 [details]
patch
Comment 14 Saam Barati 2019-03-25 16:01:17 PDT
Comment on attachment 365910 [details]
patch

View in context: https://bugs.webkit.org/attachment.cgi?id=365910&action=review

> Source/JavaScriptCore/ftl/FTLLowerDFGToB3.cpp:177
> +                        live.add(child.node());

I’ll also make this addVoid
Comment 15 Build Bot 2019-03-25 16:02:56 PDT
Attachment 365910 [details] did not pass style-queue:


ERROR: Source/JavaScriptCore/ChangeLog:12:  Please consider whether the use of security-sensitive phrasing could help someone exploit WebKit: fuzzer  [changelog/unwantedsecurityterms] [3]
Total errors found: 1 in 3 files


If any of these errors are false positives, please file a bug against check-webkit-style.
Comment 16 Saam Barati 2019-03-25 16:57:27 PDT
Comment on attachment 365910 [details]
patch

View in context: https://bugs.webkit.org/attachment.cgi?id=365910&action=review

> Source/JavaScriptCore/ftl/FTLLowerDFGToB3.cpp:597
> +                input = boxDouble(lowDouble(Edge(node, DoubleRepUse)));

this logic is somewhat wrong for doubles. I think I need to validate them unboxed.
Comment 17 Saam Barati 2019-03-25 17:23:40 PDT
Created attachment 365926 [details]
patch
Comment 18 Build Bot 2019-03-25 17:27:49 PDT
Attachment 365926 [details] did not pass style-queue:


ERROR: Source/JavaScriptCore/ChangeLog:12:  Please consider whether the use of security-sensitive phrasing could help someone exploit WebKit: fuzzer  [changelog/unwantedsecurityterms] [3]
Total errors found: 1 in 3 files


If any of these errors are false positives, please file a bug against check-webkit-style.
Comment 19 WebKit Commit Bot 2019-03-26 17:08:52 PDT
Comment on attachment 365926 [details]
patch

Clearing flags on attachment: 365926

Committed r243530: <https://trac.webkit.org/changeset/243530>
Comment 20 WebKit Commit Bot 2019-03-26 17:08:54 PDT
All reviewed patches have been landed.  Closing bug.