233822 – [JSC] Port EXTRA_CTI_THUNKS to all platforms

Bug 233822 - [JSC] Port EXTRA_CTI_THUNKS to all platforms

Summary: [JSC] Port EXTRA_CTI_THUNKS to all platforms

Status:	RESOLVED FIXED

Alias:	None

Product:	WebKit
Classification:	Unclassified
Component:	JavaScriptCore (show other bugs)
Version:	WebKit Nightly Build
Hardware:	Unspecified Unspecified

Importance:	P2 Normal
Assignee:	Nobody

URL:
Keywords:	InRadar

Depends on:
Blocks:

Reported:	2021-12-03 09:57 PST by Geza Lore
Modified:	2022-03-01 07:44 PST (History)
CC List:	16 users (show)

See Also:

Attachments
WIP - EWS sanity check (181.99 KB, patch) 2021-12-03 10:15 PST, Geza Lore	ews-feeder: commit-queue-	Details \| Formatted Diff \| Diff
WIP - remove unused arguments (183.72 KB, patch) 2021-12-03 10:26 PST, Geza Lore	ews-feeder: commit-queue-	Details \| Formatted Diff \| Diff
WIP - build fix (184.16 KB, patch) 2021-12-03 11:01 PST, Geza Lore	no flags	Details \| Formatted Diff \| Diff
WIP (183.36 KB, patch) 2021-12-14 04:52 PST, Geza Lore	no flags	Details \| Formatted Diff \| Diff
WIP (183.80 KB, patch) 2022-01-04 06:59 PST, Geza Lore	no flags	Details \| Formatted Diff \| Diff
Windows fix 1 (185.16 KB, patch) 2022-01-04 09:23 PST, Geza Lore	ews-feeder: commit-queue-	Details \| Formatted Diff \| Diff
Windows fix 2 (185.16 KB, patch) 2022-01-04 09:39 PST, Geza Lore	no flags	Details \| Formatted Diff \| Diff
Windows fix 3 (186.43 KB, patch) 2022-01-04 11:28 PST, Geza Lore	no flags	Details \| Formatted Diff \| Diff
cleanup 1 (257.31 KB, patch) 2022-01-05 07:09 PST, Geza Lore	no flags	Details \| Formatted Diff \| Diff
cleanup 2 (272.55 KB, patch) 2022-01-05 10:20 PST, Geza Lore	ews-feeder: commit-queue-	Details \| Formatted Diff \| Diff
Xcode build fix [hopefully] (272.59 KB, patch) 2022-01-05 10:43 PST, Geza Lore	no flags	Details \| Formatted Diff \| Diff
For review (272.00 KB, patch) 2022-01-06 03:01 PST, Geza Lore	no flags	Details \| Formatted Diff \| Diff
minor style fix (274.25 KB, patch) 2022-01-06 07:37 PST, Geza Lore	no flags	Details \| Formatted Diff \| Diff
fix PACs in thunks (275.13 KB, patch) 2022-01-11 04:35 PST, Geza Lore	no flags	Details \| Formatted Diff \| Diff
fix PACs in thunks - v2 (1.68 MB, patch) 2022-01-18 07:52 PST, Geza Lore	no flags	Details \| Formatted Diff \| Diff
fix PACs in thunks - v2 (274.70 KB, patch) 2022-01-18 10:00 PST, Geza Lore	no flags	Details \| Formatted Diff \| Diff
rebase (274.58 KB, patch) 2022-01-31 10:53 PST, Geza Lore	no flags	Details \| Formatted Diff \| Diff
fix double tagging of return address in resolve_scope and get_from_scope (274.97 KB, patch) 2022-02-02 11:22 PST, Geza Lore	no flags	Details \| Formatted Diff \| Diff
Patch (275.08 KB, patch) 2022-03-01 03:53 PST, Geza Lore	no flags	Details \| Formatted Diff \| Diff
Show Obsolete (18) View All Add an attachment (proposed patch, testcase, etc.)

Note You need to log in before you can comment on or make changes to this bug.

Description Geza Lore 2021-12-03 09:57:56 PST

[JSC] Port EXTRA_CTI_THUNKS to all platforms

Comment 1 Geza Lore 2021-12-03 10:15:45 PST

Created attachment 445869 [details]
WIP - EWS sanity check

Comment 2 Geza Lore 2021-12-03 10:26:26 PST

Created attachment 445870 [details]
WIP - remove unused arguments

Comment 3 Geza Lore 2021-12-03 11:01:07 PST

Created attachment 445873 [details]
WIP - build fix

Comment 4 Radar WebKit Bug Importer 2021-12-10 09:58:19 PST

<rdar://problem/86326948>

Comment 5 Geza Lore 2021-12-14 04:52:12 PST

Created attachment 447123 [details]
WIP

Comment 6 Geza Lore 2022-01-04 06:59:42 PST

Created attachment 448291 [details]
WIP

Comment 7 Geza Lore 2022-01-04 09:23:36 PST

Created attachment 448301 [details]
Windows fix 1

Comment 8 Geza Lore 2022-01-04 09:39:47 PST

Created attachment 448303 [details]
Windows fix 2

Comment 9 Geza Lore 2022-01-04 11:28:49 PST

Created attachment 448312 [details]
Windows fix 3

Comment 10 Geza Lore 2022-01-05 07:09:38 PST

Created attachment 448385 [details]
cleanup 1

Comment 11 Geza Lore 2022-01-05 10:20:47 PST

Created attachment 448400 [details]
cleanup 2

Comment 12 Geza Lore 2022-01-05 10:43:26 PST

Created attachment 448407 [details]
Xcode build fix [hopefully]

Comment 13 Geza Lore 2022-01-06 03:01:48 PST

Created attachment 448482 [details]
For review

Comment 14 Geza Lore 2022-01-06 07:37:23 PST

Created attachment 448500 [details]
minor style fix

Comment 15 Yusuke Suzuki 2022-01-11 02:24:05 PST

Comment on attachment 448500 [details]
minor style fix

View in context: https://bugs.webkit.org/attachment.cgi?id=448500&action=review

Nice. But found several bugs.
In ARM64E, we need to tag return address register in the prologue. And we should not tag it when doing a tail call. It seems that this patch broke these things.
Please check this is met by comparing old code and new code.

> Source/JavaScriptCore/assembler/MacroAssemblerARMv7.h:44
> +    static inline constexpr RegisterID dataTempRegister = ARMRegisters::ip;
> +    static inline constexpr RegisterID addressTempRegister = ARMRegisters::r6;
>  
> -    static constexpr ARMRegisters::FPDoubleRegisterID fpTempRegister = ARMRegisters::d7;
> +    static inline constexpr ARMRegisters::FPDoubleRegisterID fpTempRegister = ARMRegisters::d7;

When constexpr is specified, static member variable is implicitly inline. So this is not necessary.
http://eel.is/c++draft/dcl.constexpr#1.sentence-3

> Source/JavaScriptCore/jit/CCallHelpers.cpp:98
> +static_assert(!((maxFrameExtentForSlowPathCall + 2*sizeof(CPURegister)) % 16), "Stack must be aligned after CTI thunk entry");

We should add space between 2 and * and sizeof.

> Source/JavaScriptCore/jit/CCallHelpers.cpp:100
> +void CCallHelpers::emitCTIThunkPrologue()

This is not correct. It is removing tagging from the original code.
Please ensure that these code is exactly the same to the original sequence of generated code.

> Source/JavaScriptCore/jit/JITOpcodes.cpp:-1286
> -    jit.tagReturnAddress();

This is missing.

> Source/JavaScriptCore/jit/JITPropertyAccess.cpp:-2625
> -    jit.tagReturnAddress();

This is removed.

Comment 16 Geza Lore 2022-01-11 04:35:26 PST

Created attachment 448839 [details]
fix PACs in thunks

Comment 17 Geza Lore 2022-01-18 07:52:55 PST

Created attachment 449389 [details]
fix PACs in thunks - v2

Comment 18 Geza Lore 2022-01-18 10:00:58 PST

Created attachment 449400 [details]
fix PACs in thunks - v2

Comment 19 Yusuke Suzuki 2022-01-21 20:04:30 PST

I tried applying it and found that all tests are crashing, probably, PAC is broken with this change.
Can we split this patch into two?

1. Enabling EXTRA_CTI_THUNKS for Windows etc. part
2. Enhancing the existing thunks part

(1) should not change the existing thunk so that it will not break PAC.

Comment 20 Geza Lore 2022-01-31 10:53:59 PST

Created attachment 450418 [details]
rebase

Comment 21 Saam Barati 2022-02-01 10:54:14 PST

I think I know what your arm64e issues are. Take resolve_scope:

On the fast path, we call:
jit.tagReturnAddress()

Then, if we go to the slow path, inside slow_op_resolve_scopeGenerator, we call:
jit.emitCTIThunkPrologue()

which does:
void CCallHelpers::emitCTIThunkPrologue()
{
    tagReturnAddress();


This leads us to tagging an already tagged value. So you'll want to audit all fast path to slow paths. Maybe we can just call untag? Or maybe we don't need to tag at all if all fast paths already tag? Otherwise, we could pass in a boolean to this function if it needs to tag. It probably depends on the context of the opcode. resolve_scope is just jumping to its slow paths. Maybe other opcodes call it?

Anyways, I think this should be enough info to go in and audit the code with this in mind.

Comment 22 Geza Lore 2022-02-02 11:22:41 PST

Created attachment 450677 [details]
fix double tagging of return address in resolve_scope and get_from_scope

Comment 23 Geza Lore 2022-02-02 11:48:27 PST

The issue indeed seems to have been double tagging in resolve_scope and get_from_scope. Thanks again for the assistance tracking this down. 

FWIW I managed to get a mostly functional arm64e build on an M1 device (still fails some 6% of tests, most having to do with i18l), and I confirmed that with the latest version of this patch there are no new test failures, so I'm now fairly confident this is correct.

Comment 24 Saam Barati 2022-02-28 09:41:06 PST

Comment on attachment 450677 [details]
fix double tagging of return address in resolve_scope and get_from_scope

View in context: https://bugs.webkit.org/attachment.cgi?id=450677&action=review

r=me

> Source/JavaScriptCore/ChangeLog:31
> +        Enabling the extra CTI thunks on ARMv7/Thumb-2 saves about 25%

Nice!

Comment 25 EWS 2022-02-28 11:22:15 PST

Tools/Scripts/svn-apply failed to apply attachment 450677 [details] to trunk.
Please resolve the conflicts and upload a new patch.

Comment 26 Geza Lore 2022-03-01 03:53:10 PST

Created attachment 453486 [details]
Patch

Comment 27 EWS 2022-03-01 07:44:09 PST

Committed r290647 (247920@main): <https://commits.webkit.org/247920@main>

All reviewed patches have been landed. Closing bug and clearing flags on attachment 453486 [details].