RESOLVED FIXED Bug 215487
Have an OOB+SaneChain Array::Speculation 
https://bugs.webkit.org/show_bug.cgi?id=215487
Summary Have an OOB+SaneChain Array::Speculation
Saam Barati
Reported 2020-08-13 19:11:53 PDT
So we can return undefined when we're OOB.
Attachments
WIP (12.37 KB, patch)
2020-08-13 19:16 PDT, Saam Barati 		no flags
DetailsFormatted DiffDiff
patch (38.64 KB, patch)
2020-08-14 18:36 PDT, Saam Barati 		no flags
DetailsFormatted DiffDiff
patch (38.42 KB, patch)
2020-08-14 18:38 PDT, Saam Barati 		no flags
DetailsFormatted DiffDiff
patch (40.94 KB, patch)
2020-08-14 19:50 PDT, Saam Barati 		no flags
DetailsFormatted DiffDiff
patch (40.85 KB, patch)
2020-08-14 19:53 PDT, Saam Barati 		ysuzuki: review+
DetailsFormatted DiffDiff
patch for landing (44.91 KB, patch)
2020-08-17 12:32 PDT, Saam Barati 		no flags
DetailsFormatted DiffDiff
patch for landing (45.89 KB, patch)
2020-08-17 12:49 PDT, Saam Barati 		no flags
DetailsFormatted DiffDiff
patch for landing (45.93 KB, patch)
2020-08-17 13:28 PDT, Saam Barati 		no flags
DetailsFormatted DiffDiff
Show Obsolete (7) View All Add attachment proposed patch, testcase, etc.
Saam Barati
Comment 1 2020-08-13 19:16:38 PDT
Created attachment 406565 [details] WIP
Saam Barati
Comment 2 2020-08-13 19:16:55 PDT
This at least helps crypto-md5-SP
Saam Barati
Comment 3 2020-08-14 18:36:46 PDT
Created attachment 406645 [details] patch
Saam Barati
Comment 4 2020-08-14 18:38:06 PDT
Created attachment 406646 [details] patch
Saam Barati
Comment 5 2020-08-14 19:50:20 PDT
Created attachment 406650 [details] patch
Saam Barati
Comment 6 2020-08-14 19:51:16 PDT
Comment on attachment 406650 [details] patch View in context: https://bugs.webkit.org/attachment.cgi?id=406650&action=review > Source/JavaScriptCore/dfg/DFGValidate.cpp:386 > + // We rely on being an original array structure so we can return undefined for negative indices. > + // We could do better in the future, and have and have an feedback based profiling mechanism > + // where we speculate against the index being >= 0. Will update this comment to reflect new reason we need to be original
Saam Barati
Comment 7 2020-08-14 19:53:13 PDT
Created attachment 406651 [details] patch
Yusuke Suzuki
Comment 8 2020-08-14 20:36:00 PDT
Comment on attachment 406651 [details] patch View in context: https://bugs.webkit.org/attachment.cgi?id=406651&action=review r=me with one comment. > Source/JavaScriptCore/dfg/DFGClobberize.h:945 > + LocationKind kind = mode.isInBoundsSaneChain() ? IndexedPropertyDoubleSaneChainLoc : IndexedPropertyDoubleLoc; This means that we will use IndexedPropertyDoubleLoc for OutOfBoundsSaneChain, is it correct?
Saam Barati
Comment 9 2020-08-15 17:52:49 PDT
(In reply to Yusuke Suzuki from comment #8) > Comment on attachment 406651 [details] > patch > > View in context: > https://bugs.webkit.org/attachment.cgi?id=406651&action=review > > r=me with one comment. > > > Source/JavaScriptCore/dfg/DFGClobberize.h:945 > > + LocationKind kind = mode.isInBoundsSaneChain() ? IndexedPropertyDoubleSaneChainLoc : IndexedPropertyDoubleLoc; > > This means that we will use IndexedPropertyDoubleLoc for > OutOfBoundsSaneChain, is it correct? Yeah. Maybe we should introduce a new heap just out of paranoia that’s for OOBSaneChain
Saam Barati
Comment 10 2020-08-17 12:24:57 PDT
(In reply to Saam Barati from comment #9) > (In reply to Yusuke Suzuki from comment #8) > > Comment on attachment 406651 [details] > > patch > > > > View in context: > > https://bugs.webkit.org/attachment.cgi?id=406651&action=review > > > > r=me with one comment. > > > > > Source/JavaScriptCore/dfg/DFGClobberize.h:945 > > > + LocationKind kind = mode.isInBoundsSaneChain() ? IndexedPropertyDoubleSaneChainLoc : IndexedPropertyDoubleLoc; > > > > This means that we will use IndexedPropertyDoubleLoc for > > OutOfBoundsSaneChain, is it correct? > > Yeah. Maybe we should introduce a new heap just out of paranoia that’s for > OOBSaneChain I did some more reading. What's going on here is SaneChain may return NaN, where InBounds-non-sane-chain won't ever return NaN. So that's why we have two heap locations. The change I'm making that I discussed with Yusuke is: - OOB+SaneChain+NoUsesAsOther, we'll now return unboxed double value, to behave like in bounds SaneChain. Then, we can use the same heap location - OOB+SaneChain+UsesAsOther => return JSValue, and new heap location
Saam Barati
Comment 11 2020-08-17 12:32:26 PDT
Created attachment 406730 [details] patch for landing
Saam Barati
Comment 12 2020-08-17 12:33:41 PDT
Comment on attachment 406730 [details] patch for landing View in context: https://bugs.webkit.org/attachment.cgi?id=406730&action=review > Source/JavaScriptCore/dfg/DFGClobberize.h:932 > + if (mode.isInBounds() || mode.isOutOfBoundsSaneChain()) { I need a new heap location for this.
Saam Barati
Comment 13 2020-08-17 12:46:36 PDT
Comment on attachment 406730 [details] patch for landing View in context: https://bugs.webkit.org/attachment.cgi?id=406730&action=review >> Source/JavaScriptCore/dfg/DFGClobberize.h:932 >> + if (mode.isInBounds() || mode.isOutOfBoundsSaneChain()) { > > I need a new heap location for this. The issue is, AI might say we only return Int32 for a node. If we CSE it with something that says "Int32 | Other", we've broken an AI invariant by growing the type.
Saam Barati
Comment 14 2020-08-17 12:49:06 PDT
Created attachment 406733 [details] patch for landing
Saam Barati
Comment 15 2020-08-17 13:28:31 PDT
Created attachment 406741 [details] patch for landing Turn off OOBSaneChain for 32-bit
EWS
Comment 16 2020-08-17 15:10:18 PDT
Committed r265775: <https://trac.webkit.org/changeset/265775> All reviewed patches have been landed. Closing bug and clearing flags on attachment 406741 [details].
Radar WebKit Bug Importer
Comment 17 2020-08-17 15:11:59 PDT
<rdar://problem/67274231>
Note You need to log in before you can comment on or make changes to this bug.