Bug 238302 - CSE should be more careful with values that have WritesPinned, ExitsSideways, or are of different sizes
Summary: CSE should be more careful with values that have WritesPinned, ExitsSideways,...
Status: RESOLVED FIXED
Alias: None
Product: WebKit
Classification: Unclassified
Component: JavaScriptCore (show other bugs)
Version: Safari 15
Hardware: Unspecified Unspecified
: P1 Normal
Assignee: Justin Michaud
URL:
Keywords: InRadar
Depends on:
Blocks: 237180
  Show dependency treegraph
 
Reported: 2022-03-23 18:29 PDT by Justin Michaud
Modified: 2022-05-26 14:41 PDT (History)
13 users (show)

See Also:

Attachments
Crashing unity project (6.42 MB, application/zip)
2022-03-23 18:31 PDT, Justin Michaud 		no flags Details
Working unity project (6.42 MB, application/zip)
2022-03-23 18:32 PDT, Justin Michaud 		no flags Details
Patch (7.73 KB, patch)
2022-03-29 16:08 PDT, Justin Michaud 		no flags Details | Formatted Diff | Diff
Patch (24.38 KB, patch)
2022-04-01 11:45 PDT, Justin Michaud 		no flags Details | Formatted Diff | Diff
Patch (24.38 KB, patch)
2022-04-01 11:47 PDT, Justin Michaud 		ews-feeder: commit-queue-
Details | Formatted Diff | Diff
Patch (22.22 KB, patch)
2022-04-01 13:03 PDT, Justin Michaud 		no flags Details | Formatted Diff | Diff
Patch (22.09 KB, patch)
2022-04-01 13:09 PDT, Justin Michaud 		ews-feeder: commit-queue-
Details | Formatted Diff | Diff
Patch (24.65 KB, patch)
2022-04-01 16:11 PDT, Justin Michaud 		no flags Details | Formatted Diff | Diff
Patch (24.23 KB, patch)
2022-04-04 13:12 PDT, Justin Michaud 		no flags Details | Formatted Diff | Diff
Patch (24.58 KB, patch)
2022-04-05 15:14 PDT, Justin Michaud 		no flags Details | Formatted Diff | Diff
TestCaseRepro (404.67 KB, application/x-zip-compressed)
2022-04-07 07:56 PDT, ajn35 		no flags Details
Show Obsolete (7) View All Add an attachment (proposed patch, testcase, etc.)

Note You need to log in before you can comment on or make changes to this bug.
Description Justin Michaud 2022-03-23 18:29:47 PDT 
processWasmAddressValue is not looking at the full set of basic blocks between use and def before concluding it can CSE a WasmAddressValue
Comment 1 Justin Michaud 2022-03-23 18:31:48 PDT 
Created attachment 455592 [details]
Crashing unity project
Comment 2 Justin Michaud 2022-03-23 18:32:15 PDT 
Created attachment 455593 [details]
Working unity project
Comment 3 Justin Michaud 2022-03-23 18:34:16 PDT 
Ruffle.rs test case repro:
1. Load https://ruffle.rs/demo/
2. Select Sample SWF "Bites of Brackenwood"
3. Click play button
4. See if we throw an out of bounds exception or not using web inspector (web inspector may need to be open for duration of the above steps).

Test case summary:

iOS 15.4 safari-613.1.17.0-branch:
- Crashing unity project crashes with OOM
- Working unity project works
- Ruffle.rs crashes

With this pass disabled:
- All 3 work
Comment 4 Justin Michaud 2022-03-29 16:08:48 PDT 
Created attachment 456073 [details]
Patch
Comment 5 Saam Barati 2022-03-29 16:24:47 PDT 
Comment on attachment 456073 [details]
Patch

r=me
Comment 6 Radar WebKit Bug Importer 2022-03-30 18:30:24 PDT 
<rdar://problem/91078546>
Comment 7 Justin Michaud 2022-04-01 11:45:28 PDT 
Created attachment 456379 [details]
Patch
Comment 8 Justin Michaud 2022-04-01 11:47:07 PDT 
Created attachment 456381 [details]
Patch
Comment 9 Saam Barati 2022-04-01 11:52:13 PDT 
Comment on attachment 456381 [details]
Patch

View in context: https://bugs.webkit.org/attachment.cgi?id=456381&action=review

> Source/JavaScriptCore/wasm/WasmB3IRGenerator.cpp:2631
> +    result->effects.reads = B3::HeapRange::top();

by default this watchpoint is Effects::forCall(). Why do we need this?
Comment 10 Keith Miller 2022-04-01 12:46:46 PDT 
I think your missing a file.
Comment 11 Keith Miller 2022-04-01 12:47:01 PDT 
(In reply to Keith Miller from comment #10)
> I think your missing a file.

ugh, you are*
Comment 12 Justin Michaud 2022-04-01 13:03:38 PDT 
Created attachment 456392 [details]
Patch
Comment 13 Justin Michaud 2022-04-01 13:09:56 PDT 
Created attachment 456394 [details]
Patch
Comment 14 Yusuke Suzuki 2022-04-01 14:40:36 PDT 
Comment on attachment 456394 [details]
Patch

r=me
Comment 15 Justin Michaud 2022-04-01 16:11:13 PDT 
Created attachment 456414 [details]
Patch
Comment 16 Saam Barati 2022-04-01 17:15:40 PDT 
Comment on attachment 456414 [details]
Patch

View in context: https://bugs.webkit.org/attachment.cgi?id=456414&action=review

I think my comment about filter not doing the right thing is legit. But otherwise, LGTM

> Source/JavaScriptCore/b3/B3EliminateCommonSubexpressions.cpp:542
> +                if (memoryValue->lastChild() == ptr && filter(memoryValue) 
> +                    && memoryValue->accessWidth() >= m_value->as<MemoryValue>()->accessWidth())

Why is the filter function not handling this?

> Source/JavaScriptCore/b3/B3EliminateCommonSubexpressions.cpp:561
> +            if (match && match != m_value && match->accessWidth() >= m_value->as<MemoryValue>()->accessWidth())

ditto

> Source/JavaScriptCore/b3/B3Validate.cpp:573
> +            // Conceptually, if you exit sideways, you should read Top or (AbstractHeapRepository) root. 
> +            // Since we can't easily find out what root is, we settle for this, to make sure things aren't
> +            // horribly wrong at least.

Might be worth making note that this is a pretty strict validation rule, and philosophically isn't actually necessary. But it's serving a practical use case. Like, theoretically, you can sideExit and never read anything. But practically speaking, we never use sideExit like this. So it helps us find bugs.
Comment 17 ajn35 2022-04-04 02:59:06 PDT 
Hi,
We are affected as well.
Thanks for the patch.
Comment 18 Saam Barati 2022-04-04 11:04:47 PDT 
(In reply to ajn35 from comment #17)
> Hi,
> We are affected as well.
> Thanks for the patch.

Do you have a test case you can share?
Comment 19 Justin Michaud 2022-04-04 13:12:09 PDT 
Created attachment 456612 [details]
Patch
Comment 20 Saam Barati 2022-04-04 18:44:02 PDT 
Comment on attachment 456612 [details]
Patch

View in context: https://bugs.webkit.org/attachment.cgi?id=456612&action=review

r=me

> Source/JavaScriptCore/ChangeLog:17
> +

you're missing some blurb here about WasmBoundCheck needed to read top
Comment 21 Justin Michaud 2022-04-05 15:14:52 PDT 
Created attachment 456759 [details]
Patch
Comment 22 EWS 2022-04-06 10:06:24 PDT 
Committed r292475 (249326@main): <https://commits.webkit.org/249326@main>

All reviewed patches have been landed. Closing bug and clearing flags on attachment 456759 [details].
Comment 23 ajn35 2022-04-07 07:56:24 PDT 
Created attachment 456925 [details]
TestCaseRepro

Sorry for the delay, please find enclosed a test case that reproduces the bug on Safari iOS 15.4.
Instructions for repro are in README file.
Comment 24 ajn35 2022-04-07 07:58:00 PDT 
(In reply to Saam Barati from comment #18)
> (In reply to ajn35 from comment #17)
> > Hi,
> > We are affected as well.
> > Thanks for the patch.
> 
> Do you have a test case you can share?

Yes, please see attachment 456925 [details]
Comment 25 Justin Michaud 2022-04-08 17:19:46 PDT 
I have confirmed that your test case is fixed! Thanks for including it.
Comment 26 Saam Barati 2022-05-04 11:08:26 PDT 
The fix for this is in iOS 15.5 Beta 4. Can folks confirm it resolves issues, and if not, report back to us?

Thanks
Comment 27 Justin Michaud 2022-05-04 11:39:45 PDT 
The parent https://bugs.webkit.org/show_bug.cgi?id=237180 has some reports that the issue is resolved by beta 4.
Comment 28 ajn35 2022-05-06 02:13:10 PDT 
(In reply to Saam Barati from comment #26)
> The fix for this is in iOS 15.5 Beta 4. Can folks confirm it resolves
> issues, and if not, report back to us?
> 
> Thanks

Hi, I confirm it solves our issue.

Thanks
Comment 29 Brent Fulgham 2022-05-26 14:41:59 PDT 
This fix shipped with Safari 15.5 (all platforms).