209432 – Add Clobberize validator for clobber top.

RESOLVED FIXED 209432

Add Clobberize validator for clobber top.

https://bugs.webkit.org/show_bug.cgi?id=209432

Summary Add Clobberize validator for clobber top.

Keith Miller

Reported 2020-03-23 12:24:05 PDT

We should have a validator that checks for places that DFGClobberize is blatantly wrong. The easiest of these is to check for VM reentry without: Read(World); Write(Heap);

Attachments
Patch (25.93 KB, patch) 2020-03-23 12:26 PDT, Keith Miller	no flags	Details Formatted Diff Diff
Patch (31.42 KB, patch) 2020-03-25 12:34 PDT, Keith Miller	no flags	Details Formatted Diff Diff
Patch (30.87 KB, patch) 2020-03-25 13:22 PDT, Keith Miller	no flags	Details Formatted Diff Diff
Patch for landing (32.59 KB, patch) 2020-05-05 10:35 PDT, Keith Miller	no flags	Details Formatted Diff Diff
Show Obsolete (3) View All Add attachment proposed patch, testcase, etc.

Radar WebKit Bug Importer

Comment 1 2020-03-23 12:24:18 PDT

<rdar://problem/60786138>

Keith Miller

Comment 2 2020-03-23 12:26:51 PDT

Created attachment 394286 [details] Patch

Saam Barati

Comment 3 2020-03-23 12:46:21 PDT

Comment on attachment 394286 [details] Patch View in context: https://bugs.webkit.org/attachment.cgi?id=394286&action=review > Source/JavaScriptCore/ChangeLog:3 > + Add Clobberize validator I feel like this needs some kind of a qualifier on it. Maybe "basic Clobberize validator" > Source/JavaScriptCore/dfg/DFGClobberize.h:137 > + if constexpr (validateDFGClobberize) > + clobberTopFunctor(); let's make this a runtime option. We can default it to true when !!ASSERT_ENABLED, and can you also make some tests run with it on? > Source/JavaScriptCore/dfg/DFGSpeculativeJIT.cpp:1846 > + m_jit.store8(TrustedImm32(0), reinterpret_cast<char*>(&vm()) + OBJECT_OFFSETOF(VM, didEnterVM)); &vm.didEnterVM > Source/JavaScriptCore/dfg/DFGSpeculativeJIT64.cpp:5313 > + m_jit.load8(reinterpret_cast<char*>(&vm()) + OBJECT_OFFSETOF(VM, didEnterVM), scratch); &vm().didEnterVM > Source/JavaScriptCore/ftl/FTLLowerDFGToB3.cpp:269 > + m_out.store32As8(m_out.int32Zero, m_out.absolute(reinterpret_cast<char*>(vm) + OBJECT_OFFSETOF(VM, didEnterVM))); &vm->didEnterVM > Source/JavaScriptCore/interpreter/Interpreter.cpp:869 > + auto clobberizeValidator = makeScopeExit([&] { > + if constexpr (validateDFGClobberize) > + vm.didEnterVM = true; > + }); do this for other entry points too? > Source/JavaScriptCore/runtime/VM.h:292 > +constexpr bool validateDFGClobberize = ASSERT_ENABLED; let's do a runtime option. I think it's fine to always set "didEnterVM" inside the runtime to true unconditionally, it's unlikely to cost any perf compared to vmEntry

Saam Barati

Comment 4 2020-03-23 13:39:46 PDT

Comment on attachment 394286 [details] Patch View in context: https://bugs.webkit.org/attachment.cgi?id=394286&action=review > Source/JavaScriptCore/ftl/FTLLowerDFGToB3.cpp:1631 > + m_out.store(m_out.int32Zero, m_out.absolute(reinterpret_cast<char*>(&vm()) + OBJECT_OFFSETOF(VM, didEnterVM))); I think you need to set this to zero on each basic block start point

Keith Miller

Comment 5 2020-03-25 12:34:21 PDT

Created attachment 394525 [details] Patch

Saam Barati

Comment 6 2020-03-25 13:19:06 PDT

very red

Keith Miller

Comment 7 2020-03-25 13:22:48 PDT

Created attachment 394536 [details] Patch

Jon Lee

Comment 8 2020-04-17 14:26:32 PDT

Ping; still in review!

Yusuke Suzuki

Comment 9 2020-04-17 17:08:06 PDT

Comment on attachment 394536 [details] Patch View in context: https://bugs.webkit.org/attachment.cgi?id=394536&action=review r=me with comments. > Source/JavaScriptCore/ftl/FTLLowerDFGToB3.cpp:269 > + m_out.store32As8(m_out.int32Zero, m_out.absolute(reinterpret_cast<char*>(vm) + OBJECT_OFFSETOF(VM, didEnterVM))); Remove this when `!Options::validateDFGClobberize()`. > Source/JavaScriptCore/ftl/FTLLowerDFGToB3.cpp:514 > + Remove this line. > Source/JavaScriptCore/jit/JITCodeInlines.h:39 > + vm->didEnterVM = true; Use makeScopeExit? > Source/JavaScriptCore/llint/LLIntThunks.h:45 > + vm->didEnterVM = true; Use makeScopeExit?

Yusuke Suzuki

Comment 10 2020-04-17 17:10:49 PDT

Comment on attachment 394536 [details] Patch View in context: https://bugs.webkit.org/attachment.cgi?id=394536&action=review > Source/JavaScriptCore/dfg/DFGSpeculativeJIT.cpp:1863 > + auto scratch = m_jit.scratchRegister(); > + m_jit.load8(&vm().didEnterVM, scratch); > + auto ok = m_jit.branchTest32(MacroAssembler::Zero, scratch); Why not using branchTest8() with AbsoluteAddress? > Source/JavaScriptCore/dfg/DFGSpeculativeJIT.cpp:1906 > + auto scratch = m_jit.scratchRegister(); > + m_jit.load8(&vm().didEnterVM, scratch); > + auto ok = m_jit.branchTest32(MacroAssembler::Zero, scratch); Why not using branchTest8 with AbsoluteAddress?

Mark Lam

Comment 11 2020-04-19 14:44:21 PDT

Is there a reason we're not landing this and closing out the bug?

Keith Miller

Comment 12 2020-05-05 10:20:19 PDT

Comment on attachment 394536 [details] Patch View in context: https://bugs.webkit.org/attachment.cgi?id=394536&action=review >> Source/JavaScriptCore/ftl/FTLLowerDFGToB3.cpp:269 >> + m_out.store32As8(m_out.int32Zero, m_out.absolute(reinterpret_cast<char*>(vm) + OBJECT_OFFSETOF(VM, didEnterVM))); > > Remove this when `!Options::validateDFGClobberize()`. Done. >> Source/JavaScriptCore/jit/JITCodeInlines.h:39 >> + vm->didEnterVM = true; > > Use makeScopeExit? I didn't because there's only one code path through here but I can change it if you prefer. >> Source/JavaScriptCore/llint/LLIntThunks.h:45 >> + vm->didEnterVM = true; > > Use makeScopeExit? Ditto.

Keith Miller

Comment 13 2020-05-05 10:35:45 PDT

Created attachment 398525 [details] Patch for landing

EWS

Comment 14 2020-05-05 11:17:40 PDT

Committed r261181: <https://trac.webkit.org/changeset/261181> All reviewed patches have been landed. Closing bug and clearing flags on attachment 398525 [details].

Keith Miller

Comment 15 2020-05-05 11:52:09 PDT

(In reply to Yusuke Suzuki from comment #10) > Comment on attachment 394536 [details] > Patch > > View in context: > https://bugs.webkit.org/attachment.cgi?id=394536&action=review > > > Source/JavaScriptCore/dfg/DFGSpeculativeJIT.cpp:1863 > > + auto scratch = m_jit.scratchRegister(); > > + m_jit.load8(&vm().didEnterVM, scratch); > > + auto ok = m_jit.branchTest32(MacroAssembler::Zero, scratch); > > Why not using branchTest8() with AbsoluteAddress? > > > Source/JavaScriptCore/dfg/DFGSpeculativeJIT.cpp:1906 > > + auto scratch = m_jit.scratchRegister(); > > + m_jit.load8(&vm().didEnterVM, scratch); > > + auto ok = m_jit.branchTest32(MacroAssembler::Zero, scratch); > > Why not using branchTest8 with AbsoluteAddress? Whoops missed this comment will add in follow up.

Note You need to log in before you can comment on or make changes to this bug.

Status RESOLVED

Resolution FIXED

Priority P2

Severity Normal

Classification Unclassified

Version WebKit Nightly Build

Hardware Unspecified

OS Unspecified

Product WebKit

Component JavaScriptCore

Assignee

Nobody

Reported

2020-03-23 12:24 PDT

Modified

2020-05-05 11:52 PDT History

CC List

8 users Show

URL

Keywords InRadar

Depends on

Blocks