Bug 70854 (RESOLVED FIXED)
Tiered compilation may introduce dangling pointers in constant buffers
https://bugs.webkit.org/show_bug.cgi?id=70854
Summary Tiered compilation may introduce dangling pointers in constant buffers
Filip Pizlo
Reported 2011-10-25 14:39:38 PDT
Constant buffers may contain heap pointers. This works because all pointers in constant buffers are also placed into the constants array. Tiered compilation always copies the constants array from the old code block to the new optimized one. But it does not do the same thing for constant buffers. Hence the optimized code's constant buffers may contain pointers not pinned by the constants array.
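A toy model of the invariant the report relies on, added here as an illustration and not code from JavaScriptCore: a code block's constants array is what the collector scans, so a pointer that lives only in a constant buffer is unpinned and dangles after the next collection. The page does not say how the optimized block's buffers came to hold such pointers, so the model simply supplies one by hand; the type and function names are all assumptions.

```cpp
#include <cassert>
#include <set>
#include <vector>

// Toy model of this bug's invariant (added example, not JavaScriptCore
// code): the GC marks a code block's constants array, so every heap
// pointer held in a constant buffer must also sit in that array.
struct HeapCell { int id; };

struct CodeBlock {
    std::vector<HeapCell*> constants;             // scanned by the GC
    std::vector<std::vector<HeapCell*>> buffers;  // not scanned directly
};

// Buffer pointers the constants array does not pin; after a collection
// these are exactly the dangling pointers the report describes.
std::vector<HeapCell*> unpinnedBufferPointers(const CodeBlock& cb) {
    std::set<HeapCell*> pinned(cb.constants.begin(), cb.constants.end());
    std::vector<HeapCell*> out;
    for (const auto& buf : cb.buffers)
        for (HeapCell* p : buf)
            if (!pinned.count(p))
                out.push_back(p);
    return out;
}

// Tier-up as reported: constants are copied to the optimized block, the
// constant buffers are not, so whatever later fills them is unprotected.
CodeBlock tierUpConstantsOnly(const CodeBlock& base) {
    return CodeBlock{base.constants, {}};
}

// Hardened tier-up: copy both together and re-check the invariant, so a
// regression fails loudly instead of leaving a silently dangling pointer.
CodeBlock tierUpConstantsAndBuffers(const CodeBlock& base) {
    CodeBlock opt{base.constants, base.buffers};
    assert(unpinnedBufferPointers(opt).empty());
    return opt;
}

// Constructed scenario: consistent baseline vs. an optimized block whose
// buffer holds a cell (&c) that the copied constants never pinned.
bool demo() {
    HeapCell a{1}, b{2}, c{3};
    CodeBlock base{{&a, &b}, {{&a, &b}}};
    CodeBlock good = tierUpConstantsAndBuffers(base);
    CodeBlock bad = tierUpConstantsOnly(base);
    bad.buffers = {{&a, &c}};  // &c is pinned by nothing
    return unpinnedBufferPointers(good).empty()
        && unpinnedBufferPointers(bad) == std::vector<HeapCell*>{&c};
}
```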
Attachments
the patch (4.49 KB, patch)
2011-10-25 14:42 PDT, Filip Pizlo
oliver: review+
the patch (4.48 KB, patch)
2011-10-25 14:53 PDT, Filip Pizlo
no flags
Filip Pizlo
Comment 1 2011-10-25 14:42:51 PDT
Created attachment 112407 [details] the patch
WebKit Review Bot
Comment 2 2011-10-25 14:44:20 PDT
Attachment 112407 [details] did not pass style-queue:

Failed to run "['Tools/Scripts/check-webkit-style', '--diff-files', u'Source/JavaScriptCore/ChangeLog', u'Source..." exit_code: 1
Source/JavaScriptCore/bytecode/CodeBlock.h:394: The parameter name "opcodeID" adds no information, so it should be removed. [readability/parameter_name] [5]
Total errors found: 1 in 4 files

If any of these errors are false positives, please file a bug against check-webkit-style.
Oliver Hunt
Comment 3 2011-10-25 14:48:32 PDT
Comment on attachment 112407 [details] the patch

Fix the style error
Filip Pizlo
Comment 4 2011-10-25 14:52:28 PDT
This is performance neutral.

Benchmark report for SunSpider, V8, and Kraken.

VMs tested:
"TipOfTree" at /Volumes/Data/pizlo/tertiary/OpenSource/WebKitBuild/Release/jsc
"FixConstBuf" at /Volumes/Data/pizlo/secondary/OpenSource/WebKitBuild/Release/jsc

Collected 12 samples per benchmark/VM, with 4 VM invocations per benchmark. Used 1 benchmark iteration per VM invocation for warm-up. Used the jsc-specific preciseTime() function to get microsecond-level timing. Reporting benchmark execution times with 95% confidence intervals in milliseconds.

                                     TipOfTree                 FixConstBuf
SunSpider:
   3d-cube                           8.0505+-0.0685            7.9359+-0.0667          might be 1.0144x faster
   3d-morph                          8.6633+-0.1600            8.5361+-0.1439          might be 1.0149x faster
   3d-raytrace                       8.2059+-0.0931     ?      8.2331+-0.1166     ?
   access-binary-trees               1.6886+-0.0054     ?      1.6909+-0.0066     ?
   access-fannkuch                   7.7687+-0.0229            7.7430+-0.0173
   access-nbody                      4.5287+-0.0058            4.5236+-0.0081
   access-nsieve                     3.1825+-0.0146     ?      3.1851+-0.0263     ?
   bitops-3bit-bits-in-byte          1.3168+-0.0088            1.3083+-0.0029
   bitops-bits-in-byte               5.2742+-0.0120     ?      5.2809+-0.0378     ?
   bitops-bitwise-and                3.4759+-0.0796     ?      3.4883+-0.0287     ?
   bitops-nsieve-bits                5.6505+-0.0393            5.6337+-0.0351
   controlflow-recursive             2.3464+-0.0207            2.3335+-0.0041
   crypto-aes                        7.6420+-0.0582            7.6371+-0.0855
   crypto-md5                        2.8606+-0.0154     ?      2.8754+-0.0269     ?
   crypto-sha1                       2.6375+-0.0088            2.6337+-0.0110
   date-format-tofte                10.6854+-0.0953     ?     10.7042+-0.2139     ?
   date-format-xparb                10.6916+-0.3089     ^      9.9594+-0.0866     ^    definitely 1.0735x faster
   math-cordic                       7.6859+-0.2778            7.6530+-0.2304
   math-partial-sums                10.5895+-0.0441     ?     10.6246+-0.0526     ?
   math-spectral-norm                2.8830+-0.0048            2.8799+-0.0074
   regexp-dna                       13.4970+-0.2367           13.4127+-0.2123
   string-base64                     4.4485+-0.0206            4.4311+-0.0340
   string-fasta                      7.1101+-0.0349     ?      7.1318+-0.0478     ?
   string-tagcloud                  13.1894+-0.1249           13.1489+-0.1403
   string-unpack-code               22.7091+-0.1914     ?     22.9071+-0.2137     ?
   string-validate-input             5.5622+-0.0575     ?      5.5778+-0.0409     ?

   <arithmetic> *                    7.0132+-0.0274            6.9796+-0.0320
   <geometric>                       5.6627+-0.0183            5.6401+-0.0180
   <harmonic>                        4.4705+-0.0137            4.4587+-0.0100

                                     TipOfTree                 FixConstBuf
V8:
   crypto                           81.3316+-0.2960           81.2628+-0.2383
   deltablue                       199.5470+-0.5958     ^    198.4363+-0.1800     ^    definitely 1.0056x faster
   earley-boyer                    112.2752+-0.5393          112.1956+-0.7270
   raytrace                         69.8685+-0.2929     ^     69.0072+-0.5303     ^    definitely 1.0125x faster
   regexp                          124.6409+-0.4324     ^    123.7003+-0.3378     ^    definitely 1.0076x faster
   richards                        145.2131+-0.8211     !    146.2276+-0.1030     !    definitely 1.0070x slower
   splay                           126.0377+-0.3933     ?    126.9318+-0.9943     ?

   <arithmetic>                    122.7020+-0.1650          122.5374+-0.1746
   <geometric> *                   116.4504+-0.1692          116.2318+-0.2034
   <harmonic>                      110.4595+-0.1673          110.1428+-0.2489

                                     TipOfTree                 FixConstBuf
Kraken:
   ai-astar                        825.2143+-10.5640    ?    825.3995+-10.4404    ?
   audio-beat-detection            214.5992+-1.0426          213.8940+-1.8930
   audio-dft                       262.4195+-2.9936          261.3936+-2.7625
   audio-fft                       133.1768+-0.8196     ?    133.2133+-0.6252     ?
   audio-oscillator                291.2722+-1.0563          291.2201+-1.0960
   imaging-darkroom                452.7566+-6.8243     ?    469.5159+-10.2028    ?    might be 1.0370x slower
   imaging-desaturate              245.1950+-0.0779     ?    245.2536+-0.0819     ?
   imaging-gaussian-blur           621.4870+-0.3604     ?    621.5398+-0.7945     ?
   json-parse-financial             71.2894+-0.2024     ^     70.4558+-0.1478     ^    definitely 1.0118x faster
   json-stringify-tinderbox         80.1929+-0.7263           79.4164+-0.3215
   stanford-crypto-aes             153.9564+-1.7819     ?    154.6274+-1.2732     ?
   stanford-crypto-ccm             118.4293+-1.5540     ^    115.9632+-0.5710     ^    definitely 1.0213x faster
   stanford-crypto-pbkdf2          243.6601+-3.8261     ^    237.1275+-2.2955     ^    definitely 1.0275x faster
   stanford-crypto-sha256-iterative 85.7246+-0.2278           85.2612+-0.2401

   <arithmetic> *                  271.3838+-1.3983     ?    271.7344+-0.8194     ?
   <geometric>                     207.2901+-0.7034          206.6849+-0.4216
   <harmonic>                      163.2860+-0.3995     ^    162.2276+-0.2552     ^    definitely 1.0065x faster

                                     TipOfTree                 FixConstBuf
All benchmarks:
   <arithmetic>                    102.9921+-0.4253     ?    103.0534+-0.2680     ?
   <geometric>                      25.9617+-0.0675           25.8746+-0.0564
   <harmonic>                        7.8792+-0.0238            7.8581+-0.0173

                                     TipOfTree                 FixConstBuf
Geomean of preferred means:
   <scaled-result>                  60.5170+-0.1693           60.4084+-0.1491
Filip Pizlo
Comment 5 2011-10-25 14:53:06 PDT
Created attachment 112409 [details] the patch

Fixed the style.
Filip Pizlo
Comment 6 2011-10-25 14:55:49 PDT