Changeset 215777 in webkit

Timestamp:

Apr 25, 2017 5:52:35 PM (7 years ago)

Author:

sbarati@apple.com

Message:

JSArray::isArrayPrototypeIteratorProtocolFastAndNonObservable is wrong because it does not do the necessary checks on the base object
​https://bugs.webkit.org/show_bug.cgi?id=171150
<rdar://problem/31771880>

Reviewed by Sam Weinig.

JSTests:

• stress/spread-optimized-properly.js: Added.

(assert):
(test):
(shallowEq):
(makeArrayIterator):
(test.bar):
(test.callback):
(test.arr.proto.Symbol.iterator):
(test.arr.Symbol.iterator):
(test.get bar):
(test.hackedNext):
(test.test):
(test.):

Source/JavaScriptCore:

This patch fixes a huge oversight from the patch that introduced
op_spread/Spread. The original patch did not account for the
base object having Symbol.iterator or getters that could
change the iterator protocol. This patch fixes the oversight both
in the C code, as well as the DFG/FTL backends. We only perform
the memcpy version of spread if we've proven that it's guaranteed
to be side-effect free (no indexed getters), and if the iterator
protocol is guaranteed to be the original protocol. To do this, we
must prove that:

1. The protocol on Array.prototype hasn't changed (this is the same as the

introductory patch for op_spread).

2. The base object's proto is Array.prototype
3. The base object does not have indexed getters
4. The base object does not have Symbol.iterator property.

• dfg/DFGGraph.cpp:

(JSC::DFG::Graph::canDoFastSpread):

• dfg/DFGGraph.h:
• dfg/DFGSpeculativeJIT.cpp:

(JSC::DFG::SpeculativeJIT::compileSpread):

• ftl/FTLLowerDFGToB3.cpp:

(JSC::FTL::DFG::LowerDFGToB3::compileSpread):

• runtime/JSArray.cpp:

(JSC::JSArray::isIteratorProtocolFastAndNonObservable):

• runtime/JSArray.h:
• runtime/JSArrayInlines.h:

(JSC::JSArray::isIteratorProtocolFastAndNonObservable): Deleted.

• runtime/JSGlobalObject.h:
• runtime/JSGlobalObjectInlines.h:

(JSC::JSGlobalObject::isArrayPrototypeIteratorProtocolFastAndNonObservable):
(JSC::JSGlobalObject::isArrayIteratorProtocolFastAndNonObservable): Deleted.

Source/WebCore:

This patch moves the sequence converters to use the now fixed
JSArray::isArrayPrototypeIteratorProtocolFastAndNonObservable test
inside JSC.

This patch also fixes a few bugs:

1. Converting to a sequence of numbers must prove that the JSArray

is filled only with Int32/Double. If there is a chance the array
contains objects, the conversion to a numeric IDLType can be observable
(via valueOf()), and can change the iterator protocol.

2. There are other conversions that can have side effects a-la valueOf().

This patch introduces a new static constant in the various Converter
classes that tell the sequence converter if the conversion operation
can have JS side effects. If it does have side effects, we fall back to
the generic conversion that uses the iterator protocol. If not, we can
do a faster version that iterates over each element of the array,
reading it directly, and converting it.

Tests: js/sequence-iterator-protocol-2.html

js/sequence-iterator-protocol.html

• bindings/js/JSDOMConvertAny.h: Does not have side effects.
• bindings/js/JSDOMConvertBase.h: We pessimistically assume inside DefaultConverter that converions have side effects.
• bindings/js/JSDOMConvertBoolean.h: Does not have side effects.
• bindings/js/JSDOMConvertCallbacks.h: Does not have side effects.
• bindings/js/JSDOMConvertObject.h: Does not have side effects.
• bindings/js/JSDOMConvertSequences.h:

(WebCore::Detail::NumericSequenceConverter::convert):
(WebCore::Detail::SequenceConverter::convert):

LayoutTests:

• js/sequence-iterator-protocol-2-expected.txt: Added.
• js/sequence-iterator-protocol-2.html: Added.
• js/sequence-iterator-protocol-expected.txt: Added.
• js/sequence-iterator-protocol.html: Added.

Location:

trunk

Files:

• JSTests/ChangeLog (modified) (1 diff)
• JSTests/stress/spread-optimized-properly.js (added)
• LayoutTests/ChangeLog (modified) (1 diff)
• LayoutTests/js/sequence-iterator-protocol-2-expected.txt (added)
• LayoutTests/js/sequence-iterator-protocol-2.html (added)
• LayoutTests/js/sequence-iterator-protocol-expected.txt (added)
• LayoutTests/js/sequence-iterator-protocol.html (added)
• Source/JavaScriptCore/ChangeLog (modified) (1 diff)
• Source/JavaScriptCore/dfg/DFGGraph.cpp (modified) (1 diff)
• Source/JavaScriptCore/dfg/DFGGraph.h (modified) (1 diff)
• Source/JavaScriptCore/dfg/DFGSpeculativeJIT.cpp (modified) (1 diff)
• Source/JavaScriptCore/ftl/FTLLowerDFGToB3.cpp (modified) (1 diff)
• Source/JavaScriptCore/runtime/JSArray.cpp (modified) (1 diff)
• Source/JavaScriptCore/runtime/JSArray.h (modified) (1 diff)
• Source/JavaScriptCore/runtime/JSArrayInlines.h (modified) (1 diff)
• Source/JavaScriptCore/runtime/JSGlobalObject.h (modified) (1 diff)
• Source/JavaScriptCore/runtime/JSGlobalObjectInlines.h (modified) (1 diff)
• Source/WebCore/ChangeLog (modified) (1 diff)
• Source/WebCore/bindings/js/JSDOMConvertAny.h (modified) (1 diff)
• Source/WebCore/bindings/js/JSDOMConvertBase.h (modified) (1 diff)
• Source/WebCore/bindings/js/JSDOMConvertBoolean.h (modified) (1 diff)
• Source/WebCore/bindings/js/JSDOMConvertCallbacks.h (modified) (1 diff)
• Source/WebCore/bindings/js/JSDOMConvertObject.h (modified) (1 diff)
• Source/WebCore/bindings/js/JSDOMConvertSequences.h (modified) (5 diffs)

trunk/JSTests/ChangeLog

@@ +1 @@
+2017-04-25  Saam Barati  <sbarati@apple.com>
+
+        JSArray::isArrayPrototypeIteratorProtocolFastAndNonObservable is wrong because it does not do the necessary checks on the base object
+        https://bugs.webkit.org/show_bug.cgi?id=171150
+        <rdar://problem/31771880>
+
+        Reviewed by Sam Weinig.
+
+        * stress/spread-optimized-properly.js: Added.
+        (assert):
+        (test):
+        (shallowEq):
+        (makeArrayIterator):
+        (test.bar):
+        (test.callback):
+        (test.arr.__proto__.Symbol.iterator):
+        (test.arr.Symbol.iterator):
+        (test.get bar):
+        (test.hackedNext):
+        (test.test):
+        (test.):
+
 2017-04-25  Mark Lam  <mark.lam@apple.com>
 

trunk/LayoutTests/ChangeLog

@@ +1 @@
+2017-04-25  Saam Barati  <sbarati@apple.com>
+
+        JSArray::isArrayPrototypeIteratorProtocolFastAndNonObservable is wrong because it does not do the necessary checks on the base object
+        https://bugs.webkit.org/show_bug.cgi?id=171150
+        <rdar://problem/31771880>
+
+        Reviewed by Sam Weinig.
+
+        * js/sequence-iterator-protocol-2-expected.txt: Added.
+        * js/sequence-iterator-protocol-2.html: Added.
+        * js/sequence-iterator-protocol-expected.txt: Added.
+        * js/sequence-iterator-protocol.html: Added.
+
 2017-04-25  Ryan Haddad  <ryanhaddad@apple.com>
 

trunk/Source/JavaScriptCore/ChangeLog

@@ +1 @@
+2017-04-25  Saam Barati  <sbarati@apple.com>
+
+        JSArray::isArrayPrototypeIteratorProtocolFastAndNonObservable is wrong because it does not do the necessary checks on the base object
+        https://bugs.webkit.org/show_bug.cgi?id=171150
+        <rdar://problem/31771880>
+
+        Reviewed by Sam Weinig.
+
+        This patch fixes a huge oversight from the patch that introduced
+        op_spread/Spread. The original patch did not account for the
+        base object having Symbol.iterator or getters that could
+        change the iterator protocol. This patch fixes the oversight both
+        in the C code, as well as the DFG/FTL backends. We only perform
+        the memcpy version of spread if we've proven that it's guaranteed
+        to be side-effect free (no indexed getters), and if the iterator
+        protocol is guaranteed to be the original protocol. To do this, we
+        must prove that:
+        1. The protocol on Array.prototype hasn't changed (this is the same as the
+        introductory patch for op_spread).
+        2. The base object's __proto__ is Array.prototype
+        3. The base object does not have indexed getters
+        4. The base object does not have Symbol.iterator property.
+
+        * dfg/DFGGraph.cpp:
+        (JSC::DFG::Graph::canDoFastSpread):
+        * dfg/DFGGraph.h:
+        * dfg/DFGSpeculativeJIT.cpp:
+        (JSC::DFG::SpeculativeJIT::compileSpread):
+        * ftl/FTLLowerDFGToB3.cpp:
+        (JSC::FTL::DFG::LowerDFGToB3::compileSpread):
+        * runtime/JSArray.cpp:
+        (JSC::JSArray::isIteratorProtocolFastAndNonObservable):
+        * runtime/JSArray.h:
+        * runtime/JSArrayInlines.h:
+        (JSC::JSArray::isIteratorProtocolFastAndNonObservable): Deleted.
+        * runtime/JSGlobalObject.h:
+        * runtime/JSGlobalObjectInlines.h:
+        (JSC::JSGlobalObject::isArrayPrototypeIteratorProtocolFastAndNonObservable):
+        (JSC::JSGlobalObject::isArrayIteratorProtocolFastAndNonObservable): Deleted.
+
 2017-04-25  Mark Lam  <mark.lam@apple.com>
 

trunk/Source/JavaScriptCore/dfg/DFGGraph.cpp

@@ -1724 +1724 @@
 }
 
+bool Graph::canDoFastSpread(Node* node, const AbstractValue& value)
+{
+    // The parameter 'value' is the AbstractValue for child1 (the thing being spread).
+    ASSERT(node->op() == Spread);
+
+    if (node->child1().useKind() != ArrayUse) {
+        // Note: we only speculate on ArrayUse when we've set up the necessary watchpoints
+        // to prove that the iteration protocol is non-observable starting from ArrayPrototype.
+        return false;
+    }
+
+    // FIXME: We should add profiling of the incoming operand to Spread
+    // so we can speculate in such a way that we guarantee that this
+    // function would return true:
+    // https://bugs.webkit.org/show_bug.cgi?id=171198
+
+    if (!value.m_structure.isFinite())
+        return false;
+
+    ArrayPrototype* arrayPrototype = globalObjectFor(node->child1()->origin.semantic)->arrayPrototype();
+    bool allGood = true;
+    value.m_structure.forEach([&] (RegisteredStructure structure) {
+        allGood &= structure->storedPrototype() == arrayPrototype
+            && !structure->isDictionary()
+            && structure->getConcurrently(m_vm.propertyNames->iteratorSymbol.impl()) == invalidOffset
+            && !structure->mayInterceptIndexedAccesses();
+    });
+
+    return allGood;
+}
+
 } } // namespace JSC::DFG
 

trunk/Source/JavaScriptCore/dfg/DFGGraph.h

@@ -885 +885 @@
     JSArrayBufferView* tryGetFoldableView(JSValue);
     JSArrayBufferView* tryGetFoldableView(JSValue, ArrayMode arrayMode);
+
+    bool canDoFastSpread(Node*, const AbstractValue&);
     
     void registerFrozenValues();

trunk/Source/JavaScriptCore/dfg/DFGSpeculativeJIT.cpp

@@ -7034 +7034 @@
     GPRReg argument = operand.gpr();
 
-    if (node->child1().useKind() == ArrayUse) {
-        // Note: we only speculate on ArrayUse when we've set up the necessary watchpoints
-        // to prove that the iteration protocol is non-observable.
+    if (node->child1().useKind() == ArrayUse)
         speculateArray(node->child1(), argument);
 
+    if (m_jit.graph().canDoFastSpread(node, m_state.forNode(node->child1()))) {
 #if USE(JSVALUE64)
         GPRTemporary result(this);

trunk/Source/JavaScriptCore/ftl/FTLLowerDFGToB3.cpp

@@ -4677 +4677 @@
 
         LValue result;
-        if (m_node->child1().useKind() == ArrayUse) {
+
+        if (m_node->child1().useKind() == ArrayUse)
             speculateArray(m_node->child1());
 
+        if (m_graph.canDoFastSpread(m_node, m_state.forNode(m_node->child1()))) {
             LBasicBlock preLoop = m_out.newBlock();
             LBasicBlock loopSelection = m_out.newBlock();

trunk/Source/JavaScriptCore/runtime/JSArray.cpp

@@ -1404 +1404 @@
 }
 
+bool JSArray::isIteratorProtocolFastAndNonObservable()
+{
+    JSGlobalObject* globalObject = this->globalObject();
+    if (!globalObject->isArrayPrototypeIteratorProtocolFastAndNonObservable())
+        return false;
+
+    Structure* structure = this->structure();
+    // This is the fast case. Many arrays will be an original array.
+    if (globalObject->isOriginalArrayStructure(structure))
+        return true;
+
+    if (structure->mayInterceptIndexedAccesses())
+        return false;
+
+    if (structure->storedPrototype() != globalObject->arrayPrototype())
+        return false;
+
+    if (getDirectOffset(globalObject->vm(), globalObject->vm().propertyNames->iteratorSymbol) != invalidOffset)
+        return false;
+
+    return true;
+}
+
 } // namespace JSC

trunk/Source/JavaScriptCore/runtime/JSArray.h

@@ -151 +151 @@
     JS_EXPORT_PRIVATE void copyToArguments(ExecState*, VirtualRegister firstElementDest, unsigned offset, unsigned length);
 
-    bool isIteratorProtocolFastAndNonObservable();
+    JS_EXPORT_PRIVATE bool isIteratorProtocolFastAndNonObservable();
 
     static Structure* createStructure(VM& vm, JSGlobalObject* globalObject, JSValue prototype, IndexingType indexingType)

trunk/Source/JavaScriptCore/runtime/JSArrayInlines.h

@@ -94 +94 @@
 }
 
-ALWAYS_INLINE bool JSArray::isIteratorProtocolFastAndNonObservable()
-{
-    return globalObject()->isArrayIteratorProtocolFastAndNonObservable();
-}
-
 } // namespace JSC

trunk/Source/JavaScriptCore/runtime/JSGlobalObject.h

@@ -413 +413 @@
     std::unique_ptr<ArrayIteratorAdaptiveWatchpoint> m_arrayIteratorPrototypeNext;
 
-    bool isArrayIteratorProtocolFastAndNonObservable();
+    bool isArrayPrototypeIteratorProtocolFastAndNonObservable();
 
     TemplateRegistry m_templateRegistry;

trunk/Source/JavaScriptCore/runtime/JSGlobalObjectInlines.h

@@ -54 +54 @@
 
 
-ALWAYS_INLINE bool JSGlobalObject::isArrayIteratorProtocolFastAndNonObservable()
+ALWAYS_INLINE bool JSGlobalObject::isArrayPrototypeIteratorProtocolFastAndNonObservable()
 {
     // We're fast if we don't have any indexed properties on the prototype.

trunk/Source/WebCore/ChangeLog

@@ +1 @@
+2017-04-25  Saam Barati  <sbarati@apple.com>
+
+        JSArray::isArrayPrototypeIteratorProtocolFastAndNonObservable is wrong because it does not do the necessary checks on the base object
+        https://bugs.webkit.org/show_bug.cgi?id=171150
+        <rdar://problem/31771880>
+
+        Reviewed by Sam Weinig.
+
+        This patch moves the sequence converters to use the now fixed
+        JSArray::isArrayPrototypeIteratorProtocolFastAndNonObservable test
+        inside JSC.
+        
+        This patch also fixes a few bugs:
+        1. Converting to a sequence of numbers must prove that the JSArray
+        is filled only with Int32/Double. If there is a chance the array
+        contains objects, the conversion to a numeric IDLType can be observable
+        (via valueOf()), and can change the iterator protocol.
+        2. There are other conversions that can have side effects a-la valueOf().
+        This patch introduces a new static constant in the various Converter
+        classes that tell the sequence converter if the conversion operation
+        can have JS side effects. If it does have side effects, we fall back to
+        the generic conversion that uses the iterator protocol. If not, we can
+        do a faster version that iterates over each element of the array,
+        reading it directly, and converting it.
+
+        Tests: js/sequence-iterator-protocol-2.html
+               js/sequence-iterator-protocol.html
+
+        * bindings/js/JSDOMConvertAny.h: Does not have side effects.
+        * bindings/js/JSDOMConvertBase.h: We pessimistically assume inside DefaultConverter that converions have side effects.
+        * bindings/js/JSDOMConvertBoolean.h: Does not have side effects.
+        * bindings/js/JSDOMConvertCallbacks.h: Does not have side effects.
+        * bindings/js/JSDOMConvertObject.h: Does not have side effects.
+        * bindings/js/JSDOMConvertSequences.h:
+        (WebCore::Detail::NumericSequenceConverter::convert):
+        (WebCore::Detail::SequenceConverter::convert):
+
 2017-04-25  Michael Saboff  <msaboff@apple.com>
 

trunk/Source/WebCore/bindings/js/JSDOMConvertAny.h

@@ -33 +33 @@
 template<> struct Converter<IDLAny> : DefaultConverter<IDLAny> {
     using ReturnType = JSC::JSValue;
-    
+
+    static constexpr bool conversionHasSideEffects = false;
+
     static JSC::JSValue convert(JSC::ExecState&, JSC::JSValue value)
     {

trunk/Source/WebCore/bindings/js/JSDOMConvertBase.h

@@ -179 +179 @@
 template<typename T> struct DefaultConverter {
     using ReturnType = typename T::ImplementationType;
+
+    // We assume the worst, subtypes can override to be less pessimistic.
+    // An example of something that can have side effects
+    // is having a converter that does JSC::JSValue::toNumber.
+    // toNumber() in JavaScript can call arbitrary JS functions.
+    //
+    // An example of something that does not have side effects
+    // is something having a converter that does JSC::JSValue::toBoolean.
+    // toBoolean() in JS can't call arbitrary functions.
+    static constexpr bool conversionHasSideEffects = true;
 };
 

trunk/Source/WebCore/bindings/js/JSDOMConvertBoolean.h

@@ -32 +32 @@
 
 template<> struct Converter<IDLBoolean> : DefaultConverter<IDLBoolean> {
+
+    static constexpr bool conversionHasSideEffects = false;
+
     static bool convert(JSC::ExecState& state, JSC::JSValue value)
     {

trunk/Source/WebCore/bindings/js/JSDOMConvertCallbacks.h

@@ -32 +32 @@
 
 template<typename T> struct Converter<IDLCallbackFunction<T>> : DefaultConverter<IDLCallbackFunction<T>> {
+
+    static constexpr bool conversionHasSideEffects = false;
+
     template<typename ExceptionThrower = DefaultExceptionThrower>
     static RefPtr<T> convert(JSC::ExecState& state, JSC::JSValue value, JSDOMGlobalObject& globalObject, ExceptionThrower&& exceptionThrower = ExceptionThrower())

trunk/Source/WebCore/bindings/js/JSDOMConvertObject.h

@@ -32 +32 @@
 
 template<> struct Converter<IDLObject> : DefaultConverter<IDLObject> {
+
+    static constexpr bool conversionHasSideEffects = false;
+
     template<typename ExceptionThrower = DefaultExceptionThrower>
     static JSC::Strong<JSC::JSObject> convert(JSC::ExecState& state, JSC::JSValue value, ExceptionThrower&& exceptionThrower = ExceptionThrower())

trunk/Source/WebCore/bindings/js/JSDOMConvertSequences.h

@@ -42 +42 @@
     static ReturnType convert(JSC::ExecState& state, JSC::JSObject* jsObject)
     {
-        ReturnType result;
+        return convert(state, jsObject, ReturnType());
+    }
+
+    static ReturnType convert(JSC::ExecState& state, JSC::JSObject* jsObject, ReturnType&& result)
+    {
         forEachInIterable(&state, jsObject, [&result](JSC::VM& vm, JSC::ExecState* state, JSC::JSValue jsValue) {
             auto scope = DECLARE_THROW_SCOPE(vm);
@@ -79 +83 @@
 
         JSC::JSArray* array = JSC::asArray(object);
-        if (!array->globalObject()->isArrayIteratorProtocolFastAndNonObservable())
+        if (!array->isIteratorProtocolFastAndNonObservable())
             return GenericConverter::convert(state, object);
 
         unsigned length = array->length();
-
         ReturnType result;
+        // If we're not an int32/double array, it's possible that converting a
+        // JSValue to a number could cause the iterator protocol to change, hence,
+        // we may need more capacity, or less. In such cases, we use the length
+        // as a proxy for the capacity we will most likely need (it's unlikely that 
+        // a program is written with a valueOf that will augment the iterator protocol).
+        // If we are an int32/double array, then length is precisely the capacity we need.
         if (!result.tryReserveCapacity(length)) {
             // FIXME: Is the right exception to throw?
@@ -90 +99 @@
             return { };
         }
-
+        
         JSC::IndexingType indexingType = array->indexingType() & JSC::IndexingShapeMask;
-
-        if (indexingType == JSC::ContiguousShape) {
-            for (unsigned i = 0; i < length; i++) {
-                auto indexValue = array->butterfly()->contiguous()[i].get();
-                if (!indexValue)
-                    result.uncheckedAppend(0);
-                else {
-                    auto convertedValue = Converter<IDLType>::convert(state, indexValue);
-                    RETURN_IF_EXCEPTION(scope, { });
-
-                    result.uncheckedAppend(convertedValue);
-                }
-            }
-            return result;
-        }
-        
+        if (indexingType != JSC::Int32Shape && indexingType != JSC::DoubleShape)
+            return GenericConverter::convert(state, object, WTFMove(result));
+
         if (indexingType == JSC::Int32Shape) {
             for (unsigned i = 0; i < length; i++) {
@@ -120 +116 @@
         }
 
-        if (indexingType == JSC::DoubleShape) {
-            for (unsigned i = 0; i < length; i++) {
-                auto doubleValue = array->butterfly()->contiguousDouble()[i];
-                if (std::isnan(doubleValue))
-                    result.uncheckedAppend(0);
-                else {
-                    auto convertedValue = Converter<IDLType>::convert(state, scope, doubleValue);
-                    RETURN_IF_EXCEPTION(scope, { });
-
-                    result.uncheckedAppend(convertedValue);
-                }
-            }
-            return result;
-        }
-
+        ASSERT(indexingType == JSC::DoubleShape);
         for (unsigned i = 0; i < length; i++) {
-            auto indexValue = array->getDirectIndex(&state, i);
-            RETURN_IF_EXCEPTION(scope, { });
-            
-            if (!indexValue)
+            auto doubleValue = array->butterfly()->contiguousDouble()[i];
+            if (std::isnan(doubleValue))
                 result.uncheckedAppend(0);
             else {
-                auto convertedValue = Converter<IDLType>::convert(state, indexValue);
+                auto convertedValue = Converter<IDLType>::convert(state, scope, doubleValue);
                 RETURN_IF_EXCEPTION(scope, { });
-                
+
                 result.uncheckedAppend(convertedValue);
             }
@@ -168 +148 @@
 
         JSC::JSObject* object = JSC::asObject(value);
+        if (Converter<IDLType>::conversionHasSideEffects)
+            return GenericConverter::convert(state, object);
+
         if (!JSC::isJSArray(object))
             return GenericConverter::convert(state, object);
 
         JSC::JSArray* array = JSC::asArray(object);
-        if (!array->globalObject()->isArrayIteratorProtocolFastAndNonObservable())
+        if (!array->isIteratorProtocolFastAndNonObservable())
             return GenericConverter::convert(state, object);