Changeset 207434 in webkit

Timestamp:

Oct 17, 2016 2:45:56 PM (8 years ago)

Author:

fpizlo@apple.com

Message:

Air::IRC doesn't need to have a special-case for uncolored Tmps since they all get colored
​https://bugs.webkit.org/show_bug.cgi?id=163548
<rdar://problem/28804381>

Reviewed by Geoffrey Garen.

Before r207408, IRC had a mode where it would silently assign the first assignable register (so
%rax, %xmm0, etc) to any tmp that was not colorable due to a pathological interference fencepost.
We reason about interference at instruction boundaries. This means that if you have, for example,
an instruction that clobbers all registers late followed by an instruction that has an early def
in the same register file, then the early def will not be colorable because it interferes with
all registers. This already happens in our tests, but IRC silently returns the first assignable
register to such tmps. For some reason the resulting code works OK - probably because this tends
to only be hit by fuzzing, which may not then stress that code enough to shake out the register
corruption. Also, this can only happen for floating point registers, so it's hard to get an
exciting crash. The worst case is that your numbers get all messed up.

This change fixes the issue:

• IRC will now crash if it can't color a tmp.

• IRC doesn't crash on our tests anymore because I added a padInterference() utility that works around the interference problem by inserting Nops to pad between those instructions where conflating their early and late actions into one interference fencepost could create an uncolorable graph.

See ​https://bugs.webkit.org/show_bug.cgi?id=163548#c2 for a detailed discussion of how the
problem can arise.

This problem almost made me want to abandon our use of interference at instruction boundaries,
and introduce something more comprehensive, like interference at various stages of an
instruction's execution. The reason why I didn't do this is that this problem only arises in well
confined corner cases: you need an instruction that does a late use or def followed by an
instruction that does an early def. Register clobbers count as defs for this equation.
Fortunately, early defs are rare, and even when they do happen, you still need the previous
instruction to have a late something. Late uses are rare and many instructions don't have defs at
all, which means that it's actually pretty common for an instruction to not have anything late.
This means that the padInterference() strategy is ideal: our algorithms stay simple because they
only have to worry about interference at boundaries, and we rarely insert any Nops in
padInterference() so the IR stays nice and compact. Those Nops get removed by any phase that does
DCE, which includes eliminateDeadCode(), allocateStack(), and reportUsedRegisters(). In practice
allocateStack() kills them.

This also finally refactors our passing of RegisterSet to pass it by value, since it's small
enough that we're not gaining anything by using references. On x86, RegisterSet ought to be
smaller than a pointer.

• CMakeLists.txt:
• JavaScriptCore.xcodeproj/project.pbxproj:
• b3/B3StackmapSpecial.cpp:

(JSC::B3::StackmapSpecial::extraClobberedRegs):
(JSC::B3::StackmapSpecial::extraEarlyClobberedRegs):

• b3/B3StackmapSpecial.h:
• b3/air/AirCCallSpecial.cpp:

(JSC::B3::Air::CCallSpecial::extraEarlyClobberedRegs):
(JSC::B3::Air::CCallSpecial::extraClobberedRegs):

• b3/air/AirCCallSpecial.h:
• b3/air/AirInst.h:
• b3/air/AirInstInlines.h:

(JSC::B3::Air::Inst::extraClobberedRegs):
(JSC::B3::Air::Inst::extraEarlyClobberedRegs):

• b3/air/AirIteratedRegisterCoalescing.cpp:

(JSC::B3::Air::iteratedRegisterCoalescing):

• b3/air/AirPadInterference.cpp: Added.

(JSC::B3::Air::padInterference):

• b3/air/AirPadInterference.h: Added.
• b3/air/AirSpecial.h:
• b3/air/AirSpillEverything.cpp:

(JSC::B3::Air::spillEverything):

• jit/RegisterSet.h:

(JSC::RegisterSet::isEmpty):

Location:

trunk/Source/JavaScriptCore

Files:

• CMakeLists.txt (modified) (1 diff)
• ChangeLog (modified) (1 diff)
• JavaScriptCore.xcodeproj/project.pbxproj (modified) (5 diffs)
• b3/B3StackmapSpecial.cpp (modified) (2 diffs)
• b3/B3StackmapSpecial.h (modified) (1 diff)
• b3/air/AirCCallSpecial.cpp (modified) (1 diff)
• b3/air/AirCCallSpecial.h (modified) (1 diff)
• b3/air/AirInst.h (modified) (1 diff)
• b3/air/AirInstInlines.h (modified) (2 diffs)
• b3/air/AirIteratedRegisterCoalescing.cpp (modified) (8 diffs)
• b3/air/AirPadInterference.cpp (added)
• b3/air/AirPadInterference.h (added)
• b3/air/AirSpecial.h (modified) (1 diff)
• b3/air/AirSpillEverything.cpp (modified) (2 diffs)
• jit/RegisterSet.h (modified) (1 diff)

trunk/Source/JavaScriptCore/CMakeLists.txt

@@ -96 +96 @@
     b3/air/AirLowerMacros.cpp
     b3/air/AirOptimizeBlockOrder.cpp
+    b3/air/AirPadInterference.cpp
     b3/air/AirPhaseScope.cpp
     b3/air/AirReportUsedRegisters.cpp

trunk/Source/JavaScriptCore/ChangeLog

@@ +1 @@
+2016-10-17  Filip Pizlo  <fpizlo@apple.com>
+
+        Air::IRC doesn't need to have a special-case for uncolored Tmps since they all get colored
+        https://bugs.webkit.org/show_bug.cgi?id=163548
+        <rdar://problem/28804381>
+
+        Reviewed by Geoffrey Garen.
+        
+        Before r207408, IRC had a mode where it would silently assign the first assignable register (so
+        %rax, %xmm0, etc) to any tmp that was not colorable due to a pathological interference fencepost.
+        We reason about interference at instruction boundaries. This means that if you have, for example,
+        an instruction that clobbers all registers late followed by an instruction that has an early def
+        in the same register file, then the early def will not be colorable because it interferes with
+        all registers. This already happens in our tests, but IRC silently returns the first assignable
+        register to such tmps. For some reason the resulting code works OK - probably because this tends
+        to only be hit by fuzzing, which may not then stress that code enough to shake out the register
+        corruption. Also, this can only happen for floating point registers, so it's hard to get an
+        exciting crash. The worst case is that your numbers get all messed up.
+        
+        This change fixes the issue:
+        
+        - IRC will now crash if it can't color a tmp.
+        
+        - IRC doesn't crash on our tests anymore because I added a padInterference() utility that works
+          around the interference problem by inserting Nops to pad between those instructions where
+          conflating their early and late actions into one interference fencepost could create an
+          uncolorable graph.
+        
+        See https://bugs.webkit.org/show_bug.cgi?id=163548#c2 for a detailed discussion of how the
+        problem can arise.
+        
+        This problem almost made me want to abandon our use of interference at instruction boundaries,
+        and introduce something more comprehensive, like interference at various stages of an
+        instruction's execution. The reason why I didn't do this is that this problem only arises in well
+        confined corner cases: you need an instruction that does a late use or def followed by an
+        instruction that does an early def. Register clobbers count as defs for this equation.
+        Fortunately, early defs are rare, and even when they do happen, you still need the previous
+        instruction to have a late something. Late uses are rare and many instructions don't have defs at
+        all, which means that it's actually pretty common for an instruction to not have anything late.
+        This means that the padInterference() strategy is ideal: our algorithms stay simple because they
+        only have to worry about interference at boundaries, and we rarely insert any Nops in
+        padInterference() so the IR stays nice and compact. Those Nops get removed by any phase that does
+        DCE, which includes eliminateDeadCode(), allocateStack(), and reportUsedRegisters(). In practice
+        allocateStack() kills them.
+        
+        This also finally refactors our passing of RegisterSet to pass it by value, since it's small
+        enough that we're not gaining anything by using references. On x86, RegisterSet ought to be
+        smaller than a pointer.
+
+        * CMakeLists.txt:
+        * JavaScriptCore.xcodeproj/project.pbxproj:
+        * b3/B3StackmapSpecial.cpp:
+        (JSC::B3::StackmapSpecial::extraClobberedRegs):
+        (JSC::B3::StackmapSpecial::extraEarlyClobberedRegs):
+        * b3/B3StackmapSpecial.h:
+        * b3/air/AirCCallSpecial.cpp:
+        (JSC::B3::Air::CCallSpecial::extraEarlyClobberedRegs):
+        (JSC::B3::Air::CCallSpecial::extraClobberedRegs):
+        * b3/air/AirCCallSpecial.h:
+        * b3/air/AirInst.h:
+        * b3/air/AirInstInlines.h:
+        (JSC::B3::Air::Inst::extraClobberedRegs):
+        (JSC::B3::Air::Inst::extraEarlyClobberedRegs):
+        * b3/air/AirIteratedRegisterCoalescing.cpp:
+        (JSC::B3::Air::iteratedRegisterCoalescing):
+        * b3/air/AirPadInterference.cpp: Added.
+        (JSC::B3::Air::padInterference):
+        * b3/air/AirPadInterference.h: Added.
+        * b3/air/AirSpecial.h:
+        * b3/air/AirSpillEverything.cpp:
+        (JSC::B3::Air::spillEverything):
+        * jit/RegisterSet.h:
+        (JSC::RegisterSet::isEmpty):
+
 2016-10-17  JF Bastien  <jfbastien@apple.com>
 

trunk/Source/JavaScriptCore/JavaScriptCore.xcodeproj/project.pbxproj

@@ -571 +571 @@
                 0F9B1DB71C0E42BD00E5BFD2 /* FTLOSRExitHandle.cpp in Sources */ = {isa = PBXBuildFile; fileRef = 0F9B1DB51C0E42BD00E5BFD2 /* FTLOSRExitHandle.cpp */; };
                 0F9B1DB81C0E42BD00E5BFD2 /* FTLOSRExitHandle.h in Headers */ = {isa = PBXBuildFile; fileRef = 0F9B1DB61C0E42BD00E5BFD2 /* FTLOSRExitHandle.h */; };
+                0F9CABC81DB54A780008E83B /* AirPadInterference.cpp in Sources */ = {isa = PBXBuildFile; fileRef = 0F9CABC61DB54A760008E83B /* AirPadInterference.cpp */; };
+                0F9CABC91DB54A7A0008E83B /* AirPadInterference.h in Headers */ = {isa = PBXBuildFile; fileRef = 0F9CABC71DB54A760008E83B /* AirPadInterference.h */; };
                 0F9D3370165DBB90005AD387 /* Disassembler.cpp in Sources */ = {isa = PBXBuildFile; fileRef = 0F9D336E165DBB8D005AD387 /* Disassembler.cpp */; };
                 0F9D339617FFC4E60073C2BC /* DFGFlushedAt.cpp in Sources */ = {isa = PBXBuildFile; fileRef = 0F9D339417FFC4E60073C2BC /* DFGFlushedAt.cpp */; };
@@ -2841 +2843 @@
                 0F9B1DB51C0E42BD00E5BFD2 /* FTLOSRExitHandle.cpp */ = {isa = PBXFileReference; fileEncoding = 4; lastKnownFileType = sourcecode.cpp.cpp; name = FTLOSRExitHandle.cpp; path = ftl/FTLOSRExitHandle.cpp; sourceTree = "<group>"; };
                 0F9B1DB61C0E42BD00E5BFD2 /* FTLOSRExitHandle.h */ = {isa = PBXFileReference; fileEncoding = 4; lastKnownFileType = sourcecode.c.h; name = FTLOSRExitHandle.h; path = ftl/FTLOSRExitHandle.h; sourceTree = "<group>"; };
+                0F9CABC61DB54A760008E83B /* AirPadInterference.cpp */ = {isa = PBXFileReference; fileEncoding = 4; lastKnownFileType = sourcecode.cpp.cpp; name = AirPadInterference.cpp; path = b3/air/AirPadInterference.cpp; sourceTree = "<group>"; };
+                0F9CABC71DB54A760008E83B /* AirPadInterference.h */ = {isa = PBXFileReference; fileEncoding = 4; lastKnownFileType = sourcecode.c.h; name = AirPadInterference.h; path = b3/air/AirPadInterference.h; sourceTree = "<group>"; };
                 0F9D336E165DBB8D005AD387 /* Disassembler.cpp */ = {isa = PBXFileReference; fileEncoding = 4; lastKnownFileType = sourcecode.cpp.cpp; name = Disassembler.cpp; path = disassembler/Disassembler.cpp; sourceTree = "<group>"; };
                 0F9D339417FFC4E60073C2BC /* DFGFlushedAt.cpp */ = {isa = PBXFileReference; fileEncoding = 4; lastKnownFileType = sourcecode.cpp.cpp; name = DFGFlushedAt.cpp; path = dfg/DFGFlushedAt.cpp; sourceTree = "<group>"; };
@@ -5082 +5086 @@
                                 0FB3878C1BFBC44D00E3AB1E /* AirOptimizeBlockOrder.cpp */,
                                 0FB3878D1BFBC44D00E3AB1E /* AirOptimizeBlockOrder.h */,
+                                0F9CABC61DB54A760008E83B /* AirPadInterference.cpp */,
+                                0F9CABC71DB54A760008E83B /* AirPadInterference.h */,
                                 0FEC855E1BDACDC70080FF74 /* AirPhaseScope.cpp */,
                                 0FEC855F1BDACDC70080FF74 /* AirPhaseScope.h */,
@@ -7630 +7636 @@
                                 A737810E1799EA2E00817533 /* DFGNaturalLoops.h in Headers */,
                                 86ECA3EA132DEF1C002B2AD7 /* DFGNode.h in Headers */,
+                                0F9CABC91DB54A7A0008E83B /* AirPadInterference.h in Headers */,
                                 0FFB921B16D02F010055A5DB /* DFGNodeAllocator.h in Headers */,
                                 0FA581BB150E953000B9A2D9 /* DFGNodeFlags.h in Headers */,
@@ -9547 +9554 @@
                                 E3D239C81B829C1C00BBEF67 /* JSModuleEnvironment.cpp in Sources */,
                                 E318CBC01B8AEF5100A2929D /* JSModuleNamespaceObject.cpp in Sources */,
+                                0F9CABC81DB54A780008E83B /* AirPadInterference.cpp in Sources */,
                                 E39DA4A61B7E8B7C0084F33A /* JSModuleRecord.cpp in Sources */,
                                 0FB387921BFD31A100E3AB1E /* FTLCompile.cpp in Sources */,

trunk/Source/JavaScriptCore/b3/B3StackmapSpecial.cpp

@@ -56 +56 @@
 }
 
-const RegisterSet& StackmapSpecial::extraClobberedRegs(Inst& inst)
+RegisterSet StackmapSpecial::extraClobberedRegs(Inst& inst)
 {
     StackmapValue* value = inst.origin->as<StackmapValue>();
@@ -64 +64 @@
 }
 
-const RegisterSet& StackmapSpecial::extraEarlyClobberedRegs(Inst& inst)
+RegisterSet StackmapSpecial::extraEarlyClobberedRegs(Inst& inst)
 {
     StackmapValue* value = inst.origin->as<StackmapValue>();

trunk/Source/JavaScriptCore/b3/B3StackmapSpecial.h

@@ -53 +53 @@
 protected:
     void reportUsedRegisters(Air::Inst&, const RegisterSet&) override;
-    const RegisterSet& extraEarlyClobberedRegs(Air::Inst&) override;
-    const RegisterSet& extraClobberedRegs(Air::Inst&) override;
+    RegisterSet extraEarlyClobberedRegs(Air::Inst&) override;
+    RegisterSet extraClobberedRegs(Air::Inst&) override;
 
     // Note that this does not override generate() or dumpImpl()/deepDumpImpl(). We have many some

trunk/Source/JavaScriptCore/b3/air/AirCCallSpecial.cpp

@@ -143 +143 @@
 }
 
-const RegisterSet& CCallSpecial::extraEarlyClobberedRegs(Inst&)
+RegisterSet CCallSpecial::extraEarlyClobberedRegs(Inst&)
 {
     return m_emptyRegs;
 }
 
-const RegisterSet& CCallSpecial::extraClobberedRegs(Inst&)
+RegisterSet CCallSpecial::extraClobberedRegs(Inst&)
 {
     return m_clobberedRegs;

trunk/Source/JavaScriptCore/b3/air/AirCCallSpecial.h

@@ -58 +58 @@
     void reportUsedRegisters(Inst&, const RegisterSet&) override;
     CCallHelpers::Jump generate(Inst&, CCallHelpers&, GenerationContext&) override;
-    const RegisterSet& extraEarlyClobberedRegs(Inst&) override;
-    const RegisterSet& extraClobberedRegs(Inst&) override;
+    RegisterSet extraEarlyClobberedRegs(Inst&) override;
+    RegisterSet extraClobberedRegs(Inst&) override;
 
     void dumpImpl(PrintStream&) const override;

trunk/Source/JavaScriptCore/b3/air/AirInst.h

@@ -129 +129 @@
     // Reports any additional registers clobbered by this operation. Note that for efficiency,
     // extraClobberedRegs() only works for the Patch opcode.
-    const RegisterSet& extraClobberedRegs();
-    const RegisterSet& extraEarlyClobberedRegs();
+    RegisterSet extraClobberedRegs();
+    RegisterSet extraEarlyClobberedRegs();
 
     // Iterate over all Def's that happen at the end of an instruction. You supply a pair

trunk/Source/JavaScriptCore/b3/air/AirInstInlines.h

@@ -45 +45 @@
 }
 
-inline const RegisterSet& Inst::extraClobberedRegs()
+inline RegisterSet Inst::extraClobberedRegs()
 {
     ASSERT(kind.opcode == Patch);
@@ -51 +51 @@
 }
 
-inline const RegisterSet& Inst::extraEarlyClobberedRegs()
+inline RegisterSet Inst::extraEarlyClobberedRegs()
 {
     ASSERT(kind.opcode == Patch);

trunk/Source/JavaScriptCore/b3/air/AirIteratedRegisterCoalescing.cpp

@@ -33 +33 @@
 #include "AirInstInlines.h"
 #include "AirLiveness.h"
+#include "AirPadInterference.h"
 #include "AirPhaseScope.h"
 #include "AirTmpInlines.h"
@@ -845 +846 @@
         Reg reg = m_coloredTmp[AbsoluteTmpMapper<type>::absoluteIndex(tmp)];
         if (!reg) {
-            // We only care about Tmps that interfere. A Tmp that never interfere with anything
-            // can take any register.
-            reg = m_code.regsInPriorityOrder(type).first();
+            dataLog("FATAL: No color for ", tmp, "\n");
+            dataLog("Code:\n");
+            dataLog(m_code);
+            RELEASE_ASSERT_NOT_REACHED();
         }
         return reg;
@@ -929 +931 @@
     void build(Inst* prevInst, Inst* nextInst, const typename TmpLiveness<type>::LocalCalc& localCalc)
     {
+        if (traceDebug)
+            dataLog("Building between ", pointerDump(prevInst), " and ", pointerDump(nextInst), ":\n");
         Inst::forEachDefWithExtraClobberedRegs<Tmp>(
             prevInst, nextInst,
@@ -944 +948 @@
                             return;
                         
+                        if (traceDebug)
+                            dataLog("    Adding def-def edge: ", arg, ", ", otherArg, "\n");
                         this->addEdge(arg, otherArg);
                     });
@@ -980 +986 @@
 
             for (const Tmp& liveTmp : localCalc.live()) {
-                if (liveTmp != useTmp)
+                if (liveTmp != useTmp) {
+                    if (traceDebug)
+                        dataLog("    Adding def-live for coalescable: ", defTmp, ", ", liveTmp, "\n");
                     addEdge(defTmp, liveTmp);
+                }
             }
 
@@ -1027 +1036 @@
                 for (const Tmp& liveTmp : liveTmps) {
                     ASSERT(liveTmp.isGP() == (type == Arg::GP));
+                    
+                    if (traceDebug)
+                        dataLog("    Adding def-live edge: ", arg, ", ", liveTmp, "\n");
+                    
                     addEdge(arg, liveTmp);
                 }
@@ -1257 +1270 @@
     void run()
     {
+        padInterference(m_code);
+        
         iteratedRegisterCoalescingOnType<Arg::GP>();
         iteratedRegisterCoalescingOnType<Arg::FP>();
@@ -1570 +1585 @@
 {
     PhaseScope phaseScope(code, "iteratedRegisterCoalescing");
-
+    
     IteratedRegisterCoalescing iteratedRegisterCoalescing(code);
     iteratedRegisterCoalescing.run();

trunk/Source/JavaScriptCore/b3/air/AirSpecial.h

@@ -85 +85 @@
     virtual CCallHelpers::Jump generate(Inst&, CCallHelpers&, GenerationContext&) = 0;
 
-    virtual const RegisterSet& extraEarlyClobberedRegs(Inst&) = 0;
-    virtual const RegisterSet& extraClobberedRegs(Inst&) = 0;
+    virtual RegisterSet extraEarlyClobberedRegs(Inst&) = 0;
+    virtual RegisterSet extraClobberedRegs(Inst&) = 0;
     
     // By default, this returns false.

trunk/Source/JavaScriptCore/b3/air/AirSpillEverything.cpp

@@ -34 +34 @@
 #include "AirInstInlines.h"
 #include "AirLiveness.h"
+#include "AirPadInterference.h"
 #include "AirPhaseScope.h"
 #include <wtf/IndexMap.h>
@@ -42 +43 @@
 {
     PhaseScope phaseScope(code, "spillEverything");
+    
+    padInterference(code);
 
     // We want to know the set of registers used at every point in every basic block.

trunk/Source/JavaScriptCore/jit/RegisterSet.h

@@ -108 +108 @@
     size_t numberOfSetRegisters() const { return m_bits.count(); }
     
+    bool isEmpty() const { return m_bits.isEmpty(); }
+    
     JS_EXPORT_PRIVATE void dump(PrintStream&) const;