Changeset 267726 in webkit

Timestamp:

Sep 28, 2020, 9:54:36 PM (5 years ago)

Author:

mark.lam@apple.com

Message:

Add Bounds Check Elimination validation for debugging.
​https://bugs.webkit.org/show_bug.cgi?id=217055
rdar://69122891

Reviewed by Keith Miller.

Source/JavaScriptCore:

Added a JSC_validateBoundsCheckElimination option (with alias
JSC_validateBCE) that adds an AssertInBounds whenever a CheckInBounds
node is elided.

• dfg/DFGAbstractInterpreterInlines.h:

(JSC::DFG::AbstractInterpreter<AbstractStateType>::executeEffects):

• dfg/DFGClobberize.h:

(JSC::DFG::clobberize):

• dfg/DFGDoesGC.cpp:

(JSC::DFG::doesGC):

• dfg/DFGFixupPhase.cpp:

(JSC::DFG::FixupPhase::fixupNode):

• dfg/DFGIntegerCheckCombiningPhase.cpp:

(JSC::DFG::IntegerCheckCombiningPhase::handleBlock):

• dfg/DFGIntegerRangeOptimizationPhase.cpp:
• dfg/DFGNodeType.h:
• dfg/DFGOperations.h:
• dfg/DFGPredictionPropagationPhase.cpp:
• dfg/DFGSafeToExecute.h:

(JSC::DFG::safeToExecute):

• dfg/DFGSpeculativeJIT32_64.cpp:

(JSC::DFG::SpeculativeJIT::compile):

• dfg/DFGSpeculativeJIT64.cpp:

(JSC::DFG::SpeculativeJIT::compile):

• dfg/DFGValidate.cpp:
• ftl/FTLCapabilities.cpp:

(JSC::FTL::canCompile):

• ftl/FTLLowerDFGToB3.cpp:

(JSC::FTL::DFG::LowerDFGToB3::validateAIState):
(JSC::FTL::DFG::LowerDFGToB3::compileNode):
(JSC::FTL::DFG::LowerDFGToB3::compileAssertNotEmpty):
(JSC::FTL::DFG::LowerDFGToB3::compileAssertInBounds):

• ftl/FTLOperations.cpp:

(JSC::FTL::operationReportBoundsCheckEliminationErrorAndCrash):

• ftl/FTLOperations.h:
• runtime/OptionsList.h:

Tools:

Added --validateBCE=true to ftl-no-cjit-validate-sampling-profiler
and ftl-eager-no-cjit.

• Scripts/run-jsc-stress-tests:

Location:

trunk

Files:

• Source/JavaScriptCore/ChangeLog (modified) (1 diff)
• Source/JavaScriptCore/dfg/DFGAbstractInterpreterInlines.h (modified) (1 diff)
• Source/JavaScriptCore/dfg/DFGClobberize.h (modified) (1 diff)
• Source/JavaScriptCore/dfg/DFGDoesGC.cpp (modified) (2 diffs)
• Source/JavaScriptCore/dfg/DFGFixupPhase.cpp (modified) (1 diff)
• Source/JavaScriptCore/dfg/DFGIntegerCheckCombiningPhase.cpp (modified) (2 diffs)
• Source/JavaScriptCore/dfg/DFGIntegerRangeOptimizationPhase.cpp (modified) (2 diffs)
• Source/JavaScriptCore/dfg/DFGNodeType.h (modified) (1 diff)
• Source/JavaScriptCore/dfg/DFGOperations.h (modified) (1 diff)
• Source/JavaScriptCore/dfg/DFGPredictionPropagationPhase.cpp (modified) (2 diffs)
• Source/JavaScriptCore/dfg/DFGSafeToExecute.h (modified) (2 diffs)
• Source/JavaScriptCore/dfg/DFGSpeculativeJIT32_64.cpp (modified) (1 diff)
• Source/JavaScriptCore/dfg/DFGSpeculativeJIT64.cpp (modified) (1 diff)
• Source/JavaScriptCore/dfg/DFGValidate.cpp (modified) (2 diffs)
• Source/JavaScriptCore/ftl/FTLCapabilities.cpp (modified) (2 diffs)
• Source/JavaScriptCore/ftl/FTLLowerDFGToB3.cpp (modified) (4 diffs)
• Source/JavaScriptCore/ftl/FTLOperations.cpp (modified) (3 diffs)
• Source/JavaScriptCore/ftl/FTLOperations.h (modified) (2 diffs)
• Source/JavaScriptCore/runtime/OptionsList.h (modified) (2 diffs)
• Tools/ChangeLog (modified) (1 diff)
• Tools/Scripts/run-jsc-stress-tests (modified) (3 diffs)

trunk/Source/JavaScriptCore/ChangeLog

@@ +1 @@
+2020-09-28  Mark Lam  <mark.lam@apple.com>
+
+        Add Bounds Check Elimination validation for debugging.
+        https://bugs.webkit.org/show_bug.cgi?id=217055
+        rdar://69122891
+
+        Reviewed by Keith Miller.
+
+        Added a JSC_validateBoundsCheckElimination option (with alias
+        JSC_validateBCE) that adds an AssertInBounds whenever a CheckInBounds
+        node is elided.
+
+        * dfg/DFGAbstractInterpreterInlines.h:
+        (JSC::DFG::AbstractInterpreter<AbstractStateType>::executeEffects):
+        * dfg/DFGClobberize.h:
+        (JSC::DFG::clobberize):
+        * dfg/DFGDoesGC.cpp:
+        (JSC::DFG::doesGC):
+        * dfg/DFGFixupPhase.cpp:
+        (JSC::DFG::FixupPhase::fixupNode):
+        * dfg/DFGIntegerCheckCombiningPhase.cpp:
+        (JSC::DFG::IntegerCheckCombiningPhase::handleBlock):
+        * dfg/DFGIntegerRangeOptimizationPhase.cpp:
+        * dfg/DFGNodeType.h:
+        * dfg/DFGOperations.h:
+        * dfg/DFGPredictionPropagationPhase.cpp:
+        * dfg/DFGSafeToExecute.h:
+        (JSC::DFG::safeToExecute):
+        * dfg/DFGSpeculativeJIT32_64.cpp:
+        (JSC::DFG::SpeculativeJIT::compile):
+        * dfg/DFGSpeculativeJIT64.cpp:
+        (JSC::DFG::SpeculativeJIT::compile):
+        * dfg/DFGValidate.cpp:
+        * ftl/FTLCapabilities.cpp:
+        (JSC::FTL::canCompile):
+        * ftl/FTLLowerDFGToB3.cpp:
+        (JSC::FTL::DFG::LowerDFGToB3::validateAIState):
+        (JSC::FTL::DFG::LowerDFGToB3::compileNode):
+        (JSC::FTL::DFG::LowerDFGToB3::compileAssertNotEmpty):
+        (JSC::FTL::DFG::LowerDFGToB3::compileAssertInBounds):
+        * ftl/FTLOperations.cpp:
+        (JSC::FTL::operationReportBoundsCheckEliminationErrorAndCrash):
+        * ftl/FTLOperations.h:
+        * runtime/OptionsList.h:
+
 2020-09-26  Yusuke Suzuki  <ysuzuki@apple.com>
 

trunk/Source/JavaScriptCore/dfg/DFGAbstractInterpreterInlines.h

@@ -4015 +4015 @@
     }
 
+    case AssertInBounds:
+        break;
+
     case CheckInBounds: {
         JSValue left = forNode(node->child1()).value();

trunk/Source/JavaScriptCore/dfg/DFGClobberize.h

@@ -458 +458 @@
         return;
 
+    case AssertInBounds:
     case AssertNotEmpty:
         write(SideState);

trunk/Source/JavaScriptCore/dfg/DFGDoesGC.cpp

@@ -1 +1 @@
 /*
- * Copyright (C) 2014-2019 Apple Inc. All rights reserved.
+ * Copyright (C) 2014-2020 Apple Inc. All rights reserved.
  *
  * Redistribution and use in source and binary forms, with or without
@@ -183 +183 @@
     case InvalidationPoint:
     case NotifyWrite:
+    case AssertInBounds:
     case CheckInBounds:
     case ConstantStoragePointer:

trunk/Source/JavaScriptCore/dfg/DFGFixupPhase.cpp

@@ -2119 +2119 @@
         case CheckTierUpAtReturn:
         case CheckTierUpAndOSREnter:
+        case AssertInBounds:
         case CheckInBounds:
         case ConstantStoragePointer:

trunk/Source/JavaScriptCore/dfg/DFGIntegerCheckCombiningPhase.cpp

@@ -1 +1 @@
 /*
- * Copyright (C) 2014-2019 Apple Inc. All rights reserved.
+ * Copyright (C) 2014-2020 Apple Inc. All rights reserved.
  *
  * Redistribution and use in source and binary forms, with or without
@@ -283 +283 @@
                 
             case ArrayBounds:
+                ASSERT(node->op() == CheckInBounds);
+                if (UNLIKELY(Options::validateBoundsCheckElimination()))
+                    m_insertionSet.insertNode(nodeIndex, SpecNone, AssertInBounds, node->origin, node->child1(), node->child2());
                 node->convertToIdentityOn(m_map[data.m_key].m_dependency);
                 m_changed = true;

trunk/Source/JavaScriptCore/dfg/DFGIntegerRangeOptimizationPhase.cpp

@@ -1 +1 @@
 /*
- * Copyright (C) 2015-2019 Apple Inc. All rights reserved.
+ * Copyright (C) 2015-2020 Apple Inc. All rights reserved.
  *
  * Redistribution and use in source and binary forms, with or without
@@ -1336 +1336 @@
                     if (nonNegative && lessThanLength) {
                         executeNode(block->at(nodeIndex));
+                        if (UNLIKELY(Options::validateBoundsCheckElimination()))
+                            m_insertionSet.insertNode(nodeIndex, SpecNone, AssertInBounds, node->origin, node->child1(), node->child2());
                         // We just need to make sure we are a value-producing node.
                         node->convertToIdentityOn(node->child1().node());

trunk/Source/JavaScriptCore/dfg/DFGNodeType.h

@@ -281 +281 @@
     macro(AssertNotEmpty, NodeMustGenerate) \
     macro(CheckBadValue, NodeMustGenerate) \
+    macro(AssertInBounds, NodeMustGenerate) \
     macro(CheckInBounds, NodeMustGenerate | NodeResultJS) \
     macro(CheckIdent, NodeMustGenerate) \

trunk/Source/JavaScriptCore/dfg/DFGOperations.h

@@ -331 +331 @@
 void JIT_OPERATION operationProcessTypeProfilerLogDFG(VM*) WTF_INTERNAL;
 
-void JIT_OPERATION operationTriggerReoptimizationNow(CodeBlock* baselineCodeBlock, CodeBlock* optiimzedCodeBlock, OSRExitBase*) WTF_INTERNAL;
+void JIT_OPERATION operationTriggerReoptimizationNow(CodeBlock* baselineCodeBlock, CodeBlock* optimizedCodeBlock, OSRExitBase*) WTF_INTERNAL;
 void triggerReoptimizationNow(CodeBlock* baselineCodeBlock, CodeBlock* optiimzedCodeBlock, OSRExitBase*); // This is not JIT_OPERATION.
 

trunk/Source/JavaScriptCore/dfg/DFGPredictionPropagationPhase.cpp

@@ -1 +1 @@
 /*
- * Copyright (C) 2011-2017 Apple Inc. All rights reserved.
+ * Copyright (C) 2011-2020 Apple Inc. All rights reserved.
  *
  * Redistribution and use in source and binary forms, with or without
@@ -1316 +1316 @@
         case CheckTierUpAtReturn:
         case CheckTierUpAndOSREnter:
+        case AssertInBounds:
         case CheckInBounds:
         case ValueToInt32:

trunk/Source/JavaScriptCore/dfg/DFGSafeToExecute.h

@@ -1 +1 @@
 /*
- * Copyright (C) 2013-2018 Apple Inc. All rights reserved.
+ * Copyright (C) 2013-2020 Apple Inc. All rights reserved.
  *
  * Redistribution and use in source and binary forms, with or without
@@ -282 +282 @@
     case ExtractOSREntryLocal:
     case ExtractCatchLocal:
+    case AssertInBounds:
     case CheckInBounds:
     case ConstantStoragePointer:

trunk/Source/JavaScriptCore/dfg/DFGSpeculativeJIT32_64.cpp

@@ -4246 +4246 @@
     case FiatInt52:
     case Int52Constant:
+    case AssertInBounds:
     case CheckInBounds:
     case ArithIMul:

trunk/Source/JavaScriptCore/dfg/DFGSpeculativeJIT64.cpp

@@ -5671 +5671 @@
     case Upsilon:
     case ExtractOSREntryLocal:
+    case AssertInBounds:
     case CheckInBounds:
     case ArithIMul:

trunk/Source/JavaScriptCore/dfg/DFGValidate.cpp

@@ -1 +1 @@
 /*
- * Copyright (C) 2012-2016 Apple Inc. All rights reserved.
+ * Copyright (C) 2012-2020 Apple Inc. All rights reserved.
  *
  * Redistribution and use in source and binary forms, with or without
@@ -639 +639 @@
                 case Phi:
                 case Upsilon:
+                case AssertInBounds:
                 case CheckInBounds:
                 case PhantomNewObject:

trunk/Source/JavaScriptCore/ftl/FTLCapabilities.cpp

@@ -1 +1 @@
 /*
- * Copyright (C) 2013-2017 Apple Inc. All rights reserved.
+ * Copyright (C) 2013-2020 Apple Inc. All rights reserved.
  *
  * Redistribution and use in source and binary forms, with or without
@@ -197 +197 @@
     case Branch:
     case LogicalNot:
+    case AssertInBounds:
     case CheckInBounds:
     case ConstantStoragePointer:

trunk/Source/JavaScriptCore/ftl/FTLLowerDFGToB3.cpp

@@ -591 +591 @@
                 continue;
 
+            if (node->op() == AssertInBounds)
+                continue;
             if (node->op() == CheckInBounds)
                 continue;
@@ -996 +998 @@
         case GetVectorLength:
             compileGetVectorLength();
+            break;
+        case AssertInBounds:
+            compileAssertInBounds();
             break;
         case CheckInBounds:
@@ -3714 +3719 @@
             [=] (CCallHelpers& jit, const StackmapGenerationParams& params) {
                 AllowMacroScratchRegisterUsage allowScratch(jit);
-                GPRReg input =  params[0].gpr();
+                GPRReg input = params[0].gpr();
                 CCallHelpers::Jump done = jit.branchIfNotEmpty(input);
                 jit.breakpoint();
@@ -4644 +4649 @@
         }
     }
-    
+
+    void compileAssertInBounds()
+    {
+        ASSERT(Options::validateBoundsCheckElimination());
+        LValue index = lowInt32(m_node->child1());
+        LValue bounds = lowInt32(m_node->child2());
+
+        LBasicBlock outOfBoundsCase = m_out.newBlock();
+        LBasicBlock continuation = m_out.newBlock();
+        m_out.branch(m_out.below(index, bounds), usually(continuation), rarely(outOfBoundsCase));
+
+        LBasicBlock lastNext = m_out.appendTo(outOfBoundsCase, continuation);
+        vmCall(Void, operationReportBoundsCheckEliminationErrorAndCrash,
+            m_out.constIntPtr(bitwise_cast<intptr_t>(codeBlock())),
+            m_out.constInt32(m_node->index()),
+            m_out.constInt32(m_node->child1()->index()),
+            m_out.constInt32(m_node->child2()->index()),
+            index, bounds);
+        m_out.unreachable();
+
+        m_out.appendTo(continuation, lastNext);
+    }
+
     void compileCheckInBounds()
     {

trunk/Source/JavaScriptCore/ftl/FTLOperations.cpp

@@ -1 +1 @@
 /*
- * Copyright (C) 2014-2019 Apple Inc. All rights reserved.
+ * Copyright (C) 2014-2020 Apple Inc. All rights reserved.
  *
  * Redistribution and use in source and binary forms, with or without
@@ -48 +48 @@
 #include "JSSetIterator.h"
 #include "RegExpObject.h"
+#include <wtf/Assertions.h>
 
 IGNORE_WARNINGS_BEGIN("frame-address")
@@ -742 +743 @@
 }
 
+extern "C" NO_RETURN_DUE_TO_CRASH void JIT_OPERATION operationReportBoundsCheckEliminationErrorAndCrash(intptr_t codeBlockAsIntPtr, int32_t nodeIndex, int32_t child1Index, int32_t child2Index, int32_t checkedIndex, int32_t bounds)
+{
+    CodeBlock* codeBlock = bitwise_cast<CodeBlock*>(codeBlockAsIntPtr);
+    dataLogLn("Bounds Check Eimination error found @ D@", nodeIndex, ": AssertInBounds(index D@", child1Index, ": ", checkedIndex, ", bounds D@", child2Index, " ", bounds, ") in ", codeBlock);
+    CRASH();
+}
+
 } } // namespace JSC::FTL
 

trunk/Source/JavaScriptCore/ftl/FTLOperations.h

@@ -1 +1 @@
 /*
- * Copyright (C) 2014 Apple Inc. All rights reserved.
+ * Copyright (C) 2014-2020 Apple Inc. All rights reserved.
  *
  * Redistribution and use in source and binary forms, with or without
@@ -46 +46 @@
 int32_t JIT_OPERATION operationTypeOfObjectAsTypeofType(JSGlobalObject*, JSCell*) WTF_INTERNAL;
 
+void JIT_OPERATION operationReportBoundsCheckEliminationErrorAndCrash(intptr_t codeBlockAsIntPtr, int32_t, int32_t, int32_t, int32_t, int32_t);
+
 } // extern "C"
 

trunk/Source/JavaScriptCore/runtime/OptionsList.h

@@ -385 +385 @@
     v(Unsigned, unexpectedExceptionStackTraceLimit, 100, Normal, "Stack trace limit for debugging unexpected exceptions observed in the VM") \
     \
-    v(Bool, validateDFGClobberize, false, Normal, "Emits extra validation code in the DFG/FTL for the Clobberize phase")\
+    v(Bool, validateDFGClobberize, false, Normal, "Emits code in the DFG/FTL to validate the Clobberize phase")\
+    v(Bool, validateBoundsCheckElimination, false, Normal, "Emits code in the DFG/FTL to validate bounds check elimination")\
     \
     v(Bool, useExecutableAllocationFuzz, false, Normal, nullptr) \
@@ -560 +561 @@
     v(maximumFunctionForConstructInlineCandidateInstructionCount, maximumFunctionForConstructInlineCandidateBytecoodeCost, SameOption) \
     v(maximumFTLCandidateInstructionCount, maximumFTLCandidateBytecodeCost, SameOption) \
-    v(maximumInliningCallerSize, maximumInliningCallerBytecodeCost, SameOption)
+    v(maximumInliningCallerSize, maximumInliningCallerBytecodeCost, SameOption) \
+    v(validateBCE, validateBoundsCheckElimination, SameOption)
 
 enum ExperimentalOptionFlags {

trunk/Tools/ChangeLog

@@ +1 @@
+2020-09-28  Mark Lam  <mark.lam@apple.com>
+
+        Add Bounds Check Elimination validation for debugging.
+        https://bugs.webkit.org/show_bug.cgi?id=217055
+        rdar://69122891
+
+        Reviewed by Keith Miller.
+
+        Added --validateBCE=true to ftl-no-cjit-validate-sampling-profiler
+        and ftl-eager-no-cjit.
+
+        * Scripts/run-jsc-stress-tests:
+
 2020-09-28  Matt Lewis  <jlewis3@apple.com>
 

trunk/Tools/Scripts/run-jsc-stress-tests

@@ -1 +1 @@
 #!/usr/bin/env ruby
 
-# Copyright (C) 2013-2016 Apple Inc. All rights reserved.
+# Copyright (C) 2013-2020 Apple Inc. All rights reserved.
 #
 # Redistribution and use in source and binary forms, with or without
@@ -755 +755 @@
 
 def runFTLNoCJITValidate(*optionalTestSpecificOptions)
-    run("ftl-no-cjit-validate-sampling-profiler", "--validateGraph=true", "--useSamplingProfiler=true", "--airForceIRCAllocator=true", *(FTL_OPTIONS + NO_CJIT_OPTIONS + optionalTestSpecificOptions))
+    run("ftl-no-cjit-validate-sampling-profiler", "--validateGraph=true", "--validateBCE=true", "--useSamplingProfiler=true", "--airForceIRCAllocator=true", *(FTL_OPTIONS + NO_CJIT_OPTIONS + optionalTestSpecificOptions))
 end
 
@@ -788 +788 @@
 
 def runFTLEagerNoCJITValidate(*optionalTestSpecificOptions)
-    run("ftl-eager-no-cjit", "--validateGraph=true", "--airForceIRCAllocator=true", *(FTL_OPTIONS + NO_CJIT_OPTIONS + EAGER_OPTIONS + COLLECT_CONTINUOUSLY_OPTIONS + FORCE_LLINT_EXIT_OPTIONS + optionalTestSpecificOptions))
+    run("ftl-eager-no-cjit", "--validateGraph=true", "--validateBCE=true", "--airForceIRCAllocator=true", *(FTL_OPTIONS + NO_CJIT_OPTIONS + EAGER_OPTIONS + COLLECT_CONTINUOUSLY_OPTIONS + FORCE_LLINT_EXIT_OPTIONS + optionalTestSpecificOptions))
 end