Changeset 244287 in webkit


Ignore:
Timestamp:
Apr 15, 2019 1:44:33 PM (5 years ago)
Author:
sbarati@apple.com
Message:

mergeOSREntryValue is wrong when the incoming value does not match up with the flush format
https://bugs.webkit.org/show_bug.cgi?id=196918

Reviewed by Yusuke Suzuki.

r244238 lead to some debug failures because we were calling checkConsistency()
before doing fixTypeForRepresentation when merging in must handle values in
CFA. This patch fixes that.

However, as I was reading over mergeOSREntryValue, I realized it was wrong. It
was possible it could merge in a value/type outside of the variable's flushed type.
Once the flush format types are locked in, we can't introduce a type out of
that range. This probably never lead to any crashes as our profiling injection
and speculation decision code is solid. However, what we were doing is clearly
wrong, and something a fuzzer could have found if we fuzzed the must handle
values inside prediction injection. We should do that fuzzing:
https://bugs.webkit.org/show_bug.cgi?id=196924

  • dfg/DFGAbstractValue.cpp:

(JSC::DFG::AbstractValue::mergeOSREntryValue):

  • dfg/DFGAbstractValue.h:
  • dfg/DFGCFAPhase.cpp:

(JSC::DFG::CFAPhase::injectOSR):

Location:
trunk/Source/JavaScriptCore
Files:
4 edited

Legend:

Unmodified
Added
Removed

  • trunk/Source/JavaScriptCore/ChangeLog

    r244286 r244287  
     12019-04-15  Saam barati  <sbarati@apple.com>
     2
     3        mergeOSREntryValue is wrong when the incoming value does not match up with the flush format
     4        https://bugs.webkit.org/show_bug.cgi?id=196918
     5
     6        Reviewed by Yusuke Suzuki.
     7
     8        r244238 lead to some debug failures because we were calling checkConsistency()
     9        before doing fixTypeForRepresentation when merging in must handle values in
     10        CFA. This patch fixes that.
     11       
     12        However, as I was reading over mergeOSREntryValue, I realized it was wrong. It
     13        was possible it could merge in a value/type outside of the variable's flushed type.
     14        Once the flush format types are locked in, we can't introduce a type out of
     15        that range. This probably never lead to any crashes as our profiling injection
     16        and speculation decision code is solid. However, what we were doing is clearly
     17        wrong, and something a fuzzer could have found if we fuzzed the must handle
     18        values inside prediction injection. We should do that fuzzing:
     19        https://bugs.webkit.org/show_bug.cgi?id=196924
     20
     21        * dfg/DFGAbstractValue.cpp:
     22        (JSC::DFG::AbstractValue::mergeOSREntryValue):
     23        * dfg/DFGAbstractValue.h:
     24        * dfg/DFGCFAPhase.cpp:
     25        (JSC::DFG::CFAPhase::injectOSR):
     26
    1272019-04-15  Robin Morisset  <rmorisset@apple.com>
    228

  • trunk/Source/JavaScriptCore/dfg/DFGAbstractValue.cpp

    r244079 r244287  
    181181}
    182182
    183 bool AbstractValue::mergeOSREntryValue(Graph& graph, JSValue value)
    184 {
     183bool AbstractValue::mergeOSREntryValue(Graph& graph, JSValue value, VariableAccessData* variable, Node* node)
     184{
     185    FlushFormat flushFormat = variable->flushFormat();
     186
     187    {
     188        if (flushFormat == FlushedDouble && value.isNumber())
     189            value = jsDoubleNumber(value.asNumber());
     190        SpeculatedType incomingType = resultFor(flushFormat) == NodeResultInt52 ? int52AwareSpeculationFromValue(value) : speculationFromValue(value);
     191        SpeculatedType requiredType = typeFilterFor(flushFormat);
     192        if (incomingType & ~requiredType)
     193            return false;
     194    }
     195
    185196    AbstractValue oldMe = *this;
    186197   
     
    208219    }
    209220   
    210     checkConsistency();
    211221    assertIsRegistered(graph);
     222
     223    fixTypeForRepresentation(graph, resultFor(flushFormat), node);
     224
     225    checkConsistency();
    212226   
    213227    return oldMe != *this;

  • trunk/Source/JavaScriptCore/dfg/DFGAbstractValue.h

    r244185 r244287  
    4949class Graph;
    5050struct Node;
     51class VariableAccessData;
    5152
    5253struct AbstractValue {
     
    304305    }
    305306   
    306     bool mergeOSREntryValue(Graph&, JSValue);
     307    bool mergeOSREntryValue(Graph&, JSValue, VariableAccessData*, Node*);
    307308   
    308309    void merge(SpeculatedType type)

  • trunk/Source/JavaScriptCore/dfg/DFGCFAPhase.cpp

    r244088 r244287  
    189189           
    190190            AbstractValue& target = block->valuesAtHead.operand(operand);
    191             changed |= target.mergeOSREntryValue(m_graph, value.value());
    192             target.fixTypeForRepresentation(
    193                 m_graph, resultFor(node->variableAccessData()->flushFormat()), node);
     191            changed |= target.mergeOSREntryValue(m_graph, value.value(), node->variableAccessData(), node);
    194192        }
    195193       
Note: See TracChangeset for help on using the changeset viewer.