Changeset 228742 in webkit

Timestamp:

Feb 19, 2018 11:35:00 PM (6 years ago)

Author:

Carlos Garcia Campos

Message:

Merge r228565 - Fix bugs from r228411
​https://bugs.webkit.org/show_bug.cgi?id=182851
<rdar://problem/37577732>

Reviewed by JF Bastien.

JSTests:

• stress/constant-folding-phase-insert-check-handle-varargs.js: Added.

Source/JavaScriptCore:

There was a bug from r228411 where inside the constant folding phase,
we used an insertCheck method that didn't handle varargs. This would
lead to a crash. When thinking about the fix for that function, I realized
a made a couple of mistakes in r228411. One is probably a security bug, and
the other is a performance bug because it'll prevent CSE for certain flavors
of GetByVal nodes. Both blunders are similar in nature.

In r228411, I added code in LICM that inserted a CheckVarargs node with children
of another varargs node. However, to construct this new node's children,
I just copied the AdjacencyList. This does a shallow copy. What we needed
was a deep copy. We needed to create a new vararg AdjacencyList that points
to edges that are deep copies of the original varargs children. This patch
fixes this goof in LICM.

r228411 made it so that PureValue over a varargs node would just compare actual
AdjacencyLists structs. So, if you had two GetByVals that had equal santized
children, their actual AdjacencyList structs are *not* bitwise equal, since they'll
have different firstChild values. Instead, we need to do a deep compare of their
adjacency lists. This patch teaches PureValue how to do that.

• dfg/DFGClobberize.h:

(JSC::DFG::clobberize):

• dfg/DFGConstantFoldingPhase.cpp:

(JSC::DFG::ConstantFoldingPhase::foldConstants):

• dfg/DFGGraph.h:

(JSC::DFG::Graph::copyVarargChildren):

• dfg/DFGInsertionSet.h:

(JSC::DFG::InsertionSet::insertCheck):

• dfg/DFGLICMPhase.cpp:

(JSC::DFG::LICMPhase::attemptHoist):

• dfg/DFGPureValue.cpp:

(JSC::DFG::PureValue::dump const):

• dfg/DFGPureValue.h:

(JSC::DFG::PureValue::PureValue):
(JSC::DFG::PureValue::op const):
(JSC::DFG::PureValue::hash const):
(JSC::DFG::PureValue::operator== const):
(JSC::DFG::PureValue::isVarargs const):
(JSC::DFG::PureValue::children const): Deleted.

• dfg/DFGStrengthReductionPhase.cpp:

(JSC::DFG::StrengthReductionPhase::handleNode):
(JSC::DFG::StrengthReductionPhase::convertToIdentityOverChild):

Location:

releases/WebKitGTK/webkit-2.20

Files:

• JSTests/ChangeLog (modified) (1 diff)
• JSTests/stress/constant-folding-phase-insert-check-handle-varargs.js (added)
• Source/JavaScriptCore/ChangeLog (modified) (1 diff)
• Source/JavaScriptCore/dfg/DFGClobberize.h (modified) (2 diffs)
• Source/JavaScriptCore/dfg/DFGConstantFoldingPhase.cpp (modified) (1 diff)
• Source/JavaScriptCore/dfg/DFGGraph.h (modified) (1 diff)
• Source/JavaScriptCore/dfg/DFGInsertionSet.h (modified) (1 diff)
• Source/JavaScriptCore/dfg/DFGLICMPhase.cpp (modified) (1 diff)
• Source/JavaScriptCore/dfg/DFGPureValue.cpp (modified) (1 diff)
• Source/JavaScriptCore/dfg/DFGPureValue.h (modified) (4 diffs)
• Source/JavaScriptCore/dfg/DFGStrengthReductionPhase.cpp (modified) (2 diffs)

releases/WebKitGTK/webkit-2.20/JSTests/ChangeLog

@@ +1 @@
+2018-02-16  Saam Barati  <sbarati@apple.com>
+
+        Fix bugs from r228411
+        https://bugs.webkit.org/show_bug.cgi?id=182851
+        <rdar://problem/37577732>
+
+        Reviewed by JF Bastien.
+
+        * stress/constant-folding-phase-insert-check-handle-varargs.js: Added.
+
 2018-02-12  Saam Barati  <sbarati@apple.com>
 

releases/WebKitGTK/webkit-2.20/Source/JavaScriptCore/ChangeLog

@@ +1 @@
+2018-02-16  Saam Barati  <sbarati@apple.com>
+
+        Fix bugs from r228411
+        https://bugs.webkit.org/show_bug.cgi?id=182851
+        <rdar://problem/37577732>
+
+        Reviewed by JF Bastien.
+
+        There was a bug from r228411 where inside the constant folding phase,
+        we used an insertCheck method that didn't handle varargs. This would
+        lead to a crash. When thinking about the fix for that function, I realized
+        a made a couple of mistakes in r228411. One is probably a security bug, and
+        the other is a performance bug because it'll prevent CSE for certain flavors
+        of GetByVal nodes. Both blunders are similar in nature.
+        
+        In r228411, I added code in LICM that inserted a CheckVarargs node with children
+        of another varargs node. However, to construct this new node's children,
+        I just copied the AdjacencyList. This does a shallow copy. What we needed
+        was a deep copy. We needed to create a new vararg AdjacencyList that points
+        to edges that are deep copies of the original varargs children. This patch
+        fixes this goof in LICM.
+        
+        r228411 made it so that PureValue over a varargs node would just compare actual
+        AdjacencyLists structs. So, if you had two GetByVals that had equal santized
+        children, their actual AdjacencyList structs are *not* bitwise equal, since they'll
+        have different firstChild values. Instead, we need to do a deep compare of their
+        adjacency lists. This patch teaches PureValue how to do that.
+
+        * dfg/DFGClobberize.h:
+        (JSC::DFG::clobberize):
+        * dfg/DFGConstantFoldingPhase.cpp:
+        (JSC::DFG::ConstantFoldingPhase::foldConstants):
+        * dfg/DFGGraph.h:
+        (JSC::DFG::Graph::copyVarargChildren):
+        * dfg/DFGInsertionSet.h:
+        (JSC::DFG::InsertionSet::insertCheck):
+        * dfg/DFGLICMPhase.cpp:
+        (JSC::DFG::LICMPhase::attemptHoist):
+        * dfg/DFGPureValue.cpp:
+        (JSC::DFG::PureValue::dump const):
+        * dfg/DFGPureValue.h:
+        (JSC::DFG::PureValue::PureValue):
+        (JSC::DFG::PureValue::op const):
+        (JSC::DFG::PureValue::hash const):
+        (JSC::DFG::PureValue::operator== const):
+        (JSC::DFG::PureValue::isVarargs const):
+        (JSC::DFG::PureValue::children const): Deleted.
+        * dfg/DFGStrengthReductionPhase.cpp:
+        (JSC::DFG::StrengthReductionPhase::handleNode):
+        (JSC::DFG::StrengthReductionPhase::convertToIdentityOverChild):
+
 2018-02-13  Saam Barati  <sbarati@apple.com>
 

releases/WebKitGTK/webkit-2.20/Source/JavaScriptCore/dfg/DFGClobberize.h

@@ -789 +789 @@
             }
             // This appears to read nothing because it's only reading immutable data.
-            def(PureValue(node, mode.asWord()));
+            def(PureValue(graph, node, mode.asWord()));
             return;
             
@@ -841 +841 @@
 
         case Array::Undecided:
-            def(PureValue(node));
+            def(PureValue(graph, node));
             return;
             

releases/WebKitGTK/webkit-2.20/Source/JavaScriptCore/dfg/DFGConstantFoldingPhase.cpp

@@ -805 +805 @@
                 m_graph.dethread();
             } else
-                m_insertionSet.insertCheck(indexInBlock, node->origin, node->children);
+                m_insertionSet.insertCheck(m_graph, indexInBlock, node);
             m_graph.convertToConstant(node, value);
             

releases/WebKitGTK/webkit-2.20/Source/JavaScriptCore/dfg/DFGGraph.h

@@ -525 +525 @@
             return varArgNumChildren(node);
         return AdjacencyList::Size;
+    }
+
+    template <typename Function = bool(*)(Edge)>
+    AdjacencyList copyVarargChildren(Node* node, Function filter = [] (Edge) { return true; })
+    {
+        ASSERT(node->flags() & NodeHasVarArgs);
+        unsigned firstChild = m_varArgChildren.size();
+        unsigned numChildren = 0;
+        doToChildren(node, [&] (Edge edge) {
+            if (filter(edge)) {
+                ++numChildren;
+                m_varArgChildren.append(edge);
+            }
+        });
+
+        return AdjacencyList(AdjacencyList::Variable, firstChild, numChildren);
     }
     

releases/WebKitGTK/webkit-2.20/Source/JavaScriptCore/dfg/DFGInsertionSet.h

@@ -117 +117 @@
     }
     
-    Node* insertCheck(size_t index, Node* node)
+    Node* insertCheck(Graph& graph, size_t index, Node* node)
     {
-        return insertCheck(index, node->origin, node->children);
+        if (!(node->flags() & NodeHasVarArgs))
+            return insertCheck(index, node->origin, node->children);
+
+        AdjacencyList children = graph.copyVarargChildren(node, [] (Edge edge) { return edge.willHaveCheck(); });
+        if (!children.numChildren())
+            return nullptr;
+        return insertNode(index, SpecNone, CheckVarargs, node->origin, children);
     }
     

releases/WebKitGTK/webkit-2.20/Source/JavaScriptCore/dfg/DFGLICMPhase.cpp

@@ -344 +344 @@
         }
 
-        nodeRef = m_graph.addNode((node->flags() & NodeHasVarArgs) ? CheckVarargs : Check, originalOrigin, node->children);
+        if (node->flags() & NodeHasVarArgs)
+            nodeRef = m_graph.addNode(CheckVarargs, originalOrigin, m_graph.copyVarargChildren(node));
+        else
+            nodeRef = m_graph.addNode(Check, originalOrigin, node->children);
         
         return true;

releases/WebKitGTK/webkit-2.20/Source/JavaScriptCore/dfg/DFGPureValue.cpp

@@ -38 +38 @@
     out.print("(");
     CommaPrinter comma;
-    if (defaultFlags(m_op) & NodeHasVarArgs)
-        out.print(comma, " VarArgs: firstChild=", m_children.firstChild(), " numChildren=", m_children.numChildren());
-    else {
+    if (isVarargs()) {
+        for (unsigned i = 0; i < m_children.numChildren(); ++i)
+            out.print(comma, m_graph->m_varArgChildren[m_children.firstChild() + i].sanitized());
+    } else {
         for (unsigned i = 0; i < AdjacencyList::Size; ++i) {
-            if (children().child(i))
-                out.print(comma, children().child(i));
+            if (m_children.child(i))
+                out.print(comma, m_children.child(i));
         }
     }

releases/WebKitGTK/webkit-2.20/Source/JavaScriptCore/dfg/DFGPureValue.h

@@ -42 +42 @@
     PureValue(NodeType op, const AdjacencyList& children, uintptr_t info)
         : m_op(op)
-        , m_children(defaultFlags(op) & NodeHasVarArgs ? children : children.sanitized())
+        , m_children(children.sanitized())
         , m_info(info)
     {
+        ASSERT(!(defaultFlags(op) & NodeHasVarArgs));
     }
     
@@ -71 +72 @@
     {
     }
-    
+
+    PureValue(Graph& graph, Node* node, uintptr_t info)
+        : m_op(node->op())
+        , m_children(node->children)
+        , m_info(info)
+        , m_graph(&graph)
+    {
+        ASSERT(node->flags() & NodeHasVarArgs);
+        ASSERT(isVarargs());
+    }
+
+    PureValue(Graph& graph, Node* node)
+        : PureValue(graph, node, static_cast<uintptr_t>(0))
+    {
+    }
+
     PureValue(WTF::HashTableDeletedValueType)
         : m_op(LastNodeType)
@@ -81 +97 @@
     
     NodeType op() const { return m_op; }
-    const AdjacencyList& children() const { return m_children; }
     uintptr_t info() const { return m_info; }
 
     unsigned hash() const
     {
-        return WTF::IntHash<int>::hash(static_cast<int>(m_op)) + m_children.hash() + m_info;
+        unsigned hash = WTF::IntHash<int>::hash(static_cast<int>(m_op)) + m_info;
+        if (!isVarargs())
+            return hash ^ m_children.hash();
+        for (unsigned i = 0; i < m_children.numChildren(); ++i)
+            hash ^= m_graph->m_varArgChildren[m_children.firstChild() + i].sanitized().hash();
+        return hash;
     }
     
     bool operator==(const PureValue& other) const
     {
-        return m_op == other.m_op
-            && m_children == other.m_children
-            && m_info == other.m_info;
+        if (isVarargs() != other.isVarargs() || m_op != other.m_op || m_info != other.m_info)
+            return false;
+        if (!isVarargs())
+            return m_children == other.m_children;
+        if (m_children.numChildren() != other.m_children.numChildren())
+            return false;
+        for (unsigned i = 0; i < m_children.numChildren(); ++i) {
+            Edge a = m_graph->m_varArgChildren[m_children.firstChild() + i].sanitized();
+            Edge b = m_graph->m_varArgChildren[other.m_children.firstChild() + i].sanitized();
+            if (a != b)
+                return false;
+        }
+        return true;
     }
     
@@ -104 +134 @@
     
 private:
+    bool isVarargs() const { return !!m_graph; }
+
     NodeType m_op;
     AdjacencyList m_children;
     uintptr_t m_info;
+    Graph* m_graph { nullptr };
 };
 

releases/WebKitGTK/webkit-2.20/Source/JavaScriptCore/dfg/DFGStrengthReductionPhase.cpp

@@ -232 +232 @@
                 if (canonicalResultRepresentation(node->result()) ==
                     canonicalResultRepresentation(m_node->result())) {
-                    m_insertionSet.insertCheck(m_nodeIndex, m_node);
+                    m_insertionSet.insertCheck(m_graph, m_nodeIndex, m_node);
                     if (hadInt32Check) {
                         // FIXME: Consider adding Int52RepInt32Use or even DoubleRepInt32Use,
@@ -913 +913 @@
     void convertToIdentityOverChild(unsigned childIndex)
     {
-        m_insertionSet.insertCheck(m_nodeIndex, m_node);
+        ASSERT(!(m_node->flags() & NodeHasVarArgs));
+        m_insertionSet.insertCheck(m_graph, m_nodeIndex, m_node);
         m_node->children.removeEdge(childIndex ^ 1);
         m_node->convertToIdentity();