Bug 207075 - Audit safe to execute
Summary: Audit safe to execute
Status: RESOLVED FIXED
Alias: None
Product: WebKit
Classification: Unclassified
Component: JavaScriptCore (show other bugs)
Version: WebKit Nightly Build
Hardware: Unspecified Unspecified
: P2 Normal
Assignee: Saam Barati
URL:
Keywords: InRadar
Depends on: 206805 207074 207082
Blocks:
  Show dependency treegraph
 
Reported: 2020-01-31 15:21 PST by Saam Barati
Modified: 2020-06-05 12:32 PDT (History)
13 users (show)

See Also:

Attachments
patch (14.93 KB, patch)
2020-06-03 17:14 PDT, Saam Barati 		no flags Details | Formatted Diff | Diff
View All Add an attachment (proposed patch, testcase, etc.)

Note You need to log in before you can comment on or make changes to this bug.
Description Saam Barati 2020-01-31 15:21:40 PST 
For things like:
https://bugs.webkit.org/show_bug.cgi?id=206805

For example, GetButterfly should probably be checking that its base is an object
Comment 1 Radar WebKit Bug Importer 2020-01-31 22:36:43 PST 
<rdar://problem/59085094>
Comment 2 Filip Pizlo 2020-06-03 11:36:14 PDT 
(In reply to Saam Barati from comment #0)
> For things like:
> https://bugs.webkit.org/show_bug.cgi?id=206805
> 
> For example, GetButterfly should probably be checking that its base is an
> object

Isn’t that covered by safeToExecute’s edge processing?
Comment 3 Saam Barati 2020-06-03 11:52:41 PDT 
(In reply to Filip Pizlo from comment #2)
> (In reply to Saam Barati from comment #0)
> > For things like:
> > https://bugs.webkit.org/show_bug.cgi?id=206805
> > 
> > For example, GetButterfly should probably be checking that its base is an
> > object
> 
> Isn’t that covered by safeToExecute’s edge processing?

GetButterfly only speculates Cell on its base.
Comment 4 Saam Barati 2020-06-03 11:52:53 PDT 
(In reply to Saam Barati from comment #3)
> (In reply to Filip Pizlo from comment #2)
> > (In reply to Saam Barati from comment #0)
> > > For things like:
> > > https://bugs.webkit.org/show_bug.cgi?id=206805
> > > 
> > > For example, GetButterfly should probably be checking that its base is an
> > > object
> > 
> > Isn’t that covered by safeToExecute’s edge processing?
> 
> GetButterfly only speculates Cell on its base.

Probably it should speculate Object.
Comment 5 Saam Barati 2020-06-03 17:14:53 PDT 
Created attachment 400984 [details]
patch
Comment 6 Saam Barati 2020-06-04 12:21:17 PDT 
Comment on attachment 400984 [details]
patch

View in context: https://bugs.webkit.org/attachment.cgi?id=400984&action=review

> Source/JavaScriptCore/tools/JSDollarVM.cpp:1220
> +static const DOMJIT::Signature DOMJITFunctionObjectSignature(DOMJITFunctionObject::functionWithoutTypeCheck, DOMJITFunctionObject::info(), DOMJIT::Effect::forRead(DOMJIT::HeapRange(DOMJIT::HeapRange::ConstExpr, 0, 1)), SpecInt32Only);

we only had one test using this functionality, and it didn't rely on the old behavior, so I just changed it to this so I didn't have to create a new class.
Comment 7 Yusuke Suzuki 2020-06-04 14:35:03 PDT 
Comment on attachment 400984 [details]
patch

View in context: https://bugs.webkit.org/attachment.cgi?id=400984&action=review

r=me

> Source/JavaScriptCore/dfg/DFGSafeToExecute.h:487
> +        bool isSafe = true;
> +        const ClassInfo* classInfo = node->requiredDOMJITClassInfo();
> +        structures.forEach([&] (RegisteredStructure structure) {
> +            isSafe &= structure->classInfo()->isSubClassOf(classInfo);
> +        });
> +        return isSafe;
> +    }

What happens if structure set is empty?
Comment 8 Saam Barati 2020-06-04 14:41:27 PDT 
(In reply to Yusuke Suzuki from comment #7)
> Comment on attachment 400984 [details]
> patch
> 
> View in context:
> https://bugs.webkit.org/attachment.cgi?id=400984&action=review
> 
> r=me
> 
> > Source/JavaScriptCore/dfg/DFGSafeToExecute.h:487
> > +        bool isSafe = true;
> > +        const ClassInfo* classInfo = node->requiredDOMJITClassInfo();
> > +        structures.forEach([&] (RegisteredStructure structure) {
> > +            isSafe &= structure->classInfo()->isSubClassOf(classInfo);
> > +        });
> > +        return isSafe;
> > +    }
> 
> What happens if structure set is empty?

We should never reach such a point in the program, so we can return true or false.
Comment 9 Filip Pizlo 2020-06-04 14:44:26 PDT 
(In reply to Saam Barati from comment #8)
> (In reply to Yusuke Suzuki from comment #7)
> > Comment on attachment 400984 [details]
> > patch
> > 
> > View in context:
> > https://bugs.webkit.org/attachment.cgi?id=400984&action=review
> > 
> > r=me
> > 
> > > Source/JavaScriptCore/dfg/DFGSafeToExecute.h:487
> > > +        bool isSafe = true;
> > > +        const ClassInfo* classInfo = node->requiredDOMJITClassInfo();
> > > +        structures.forEach([&] (RegisteredStructure structure) {
> > > +            isSafe &= structure->classInfo()->isSubClassOf(classInfo);
> > > +        });
> > > +        return isSafe;
> > > +    }
> > 
> > What happens if structure set is empty?
> 
> We should never reach such a point in the program, so we can return true or
> false.

I think empty set means you have to return false.
Comment 10 Filip Pizlo 2020-06-04 14:45:25 PDT 
(In reply to Saam Barati from comment #4)
> (In reply to Saam Barati from comment #3)
> > (In reply to Filip Pizlo from comment #2)
> > > (In reply to Saam Barati from comment #0)
> > > > For things like:
> > > > https://bugs.webkit.org/show_bug.cgi?id=206805
> > > > 
> > > > For example, GetButterfly should probably be checking that its base is an
> > > > object
> > > 
> > > Isn’t that covered by safeToExecute’s edge processing?
> > 
> > GetButterfly only speculates Cell on its base.
> 
> Probably it should speculate Object.

Oh interesting. If we said it speculates object then we would really want it to be like KnownObject - so safe to execute if known object, but never actually checks it.
Comment 11 Saam Barati 2020-06-04 14:50:09 PDT 
(In reply to Filip Pizlo from comment #10)
> (In reply to Saam Barati from comment #4)
> > (In reply to Saam Barati from comment #3)
> > > (In reply to Filip Pizlo from comment #2)
> > > > (In reply to Saam Barati from comment #0)
> > > > > For things like:
> > > > > https://bugs.webkit.org/show_bug.cgi?id=206805
> > > > > 
> > > > > For example, GetButterfly should probably be checking that its base is an
> > > > > object
> > > > 
> > > > Isn’t that covered by safeToExecute’s edge processing?
> > > 
> > > GetButterfly only speculates Cell on its base.
> > 
> > Probably it should speculate Object.
> 
> Oh interesting. If we said it speculates object then we would really want it
> to be like KnownObject - so safe to execute if known object, but never
> actually checks it.

Yeah exactly. I fixed this issue a while ago where we only hoist GetButterfly if we prove the base is an object.

KnownObject probably sounds like the better long-term thing since it's what we really mean anyways
Comment 12 Saam Barati 2020-06-04 15:09:53 PDT 
(In reply to Filip Pizlo from comment #9)
> (In reply to Saam Barati from comment #8)
> > (In reply to Yusuke Suzuki from comment #7)
> > > Comment on attachment 400984 [details]
> > > patch
> > > 
> > > View in context:
> > > https://bugs.webkit.org/attachment.cgi?id=400984&action=review
> > > 
> > > r=me
> > > 
> > > > Source/JavaScriptCore/dfg/DFGSafeToExecute.h:487
> > > > +        bool isSafe = true;
> > > > +        const ClassInfo* classInfo = node->requiredDOMJITClassInfo();
> > > > +        structures.forEach([&] (RegisteredStructure structure) {
> > > > +            isSafe &= structure->classInfo()->isSubClassOf(classInfo);
> > > > +        });
> > > > +        return isSafe;
> > > > +    }
> > > 
> > > What happens if structure set is empty?
> > 
> > We should never reach such a point in the program, so we can return true or
> > false.
> 
> I think empty set means you have to return false.

Doesn't the empty set prove we would have exitted?
Comment 13 EWS 2020-06-05 12:32:21 PDT 
Committed r262642: <https://trac.webkit.org/changeset/262642>

All reviewed patches have been landed. Closing bug and clearing flags on attachment 400984 [details].