Changeset 260512 in webkit

Timestamp:

Apr 22, 2020 8:40:06 AM (4 years ago)

Author:

ysuzuki@apple.com

Message:

[JSC] AI results of BigInt32 Bitwise shift operation does not match to runtime results
​https://bugs.webkit.org/show_bug.cgi?id=210839

Reviewed by Saam Barati.

JSTests:

• stress/v8-bigint32-add.js: Added.

(main):

• stress/v8-bigint32-and.js: Added.

(main):

• stress/v8-bigint32-dec.js: Added.

(main):

• stress/v8-bigint32-div.js: Added.

(main):

• stress/v8-bigint32-inc.js: Added.

(main):

• stress/v8-bigint32-mod.js: Added.

(main):

• stress/v8-bigint32-mul.js: Added.

(main):

• stress/v8-bigint32-neg.js: Added.

(main):

• stress/v8-bigint32-not.js: Added.

(main):

• stress/v8-bigint32-or.js: Added.

(main):

• stress/v8-bigint32-sar.js: Added.

(main):

• stress/v8-bigint32-shl.js: Added.

(main):

• stress/v8-bigint32-sub.js: Added.

(main):

• stress/v8-bigint32-xor.js: Added.

(main):

Source/JavaScriptCore:

While runtime function of bitwise ops with BigInt32 sometimes returns HeapBigInt, DFG AI is setting SpecBigInt32
as a result value. This leads to miscompilation particularly in FTL since FTL uses this information to remove
a lot of branches.

And we found that FTL BigInt32 predicate is not correctly checking state. This patch fixes it too.

Added test case found this (v8-bigint32-sar.js).

• dfg/DFGAbstractInterpreterInlines.h:

(JSC::DFG::AbstractInterpreter<AbstractStateType>::executeEffects):

• ftl/FTLLowerDFGToB3.cpp:

(JSC::FTL::DFG::LowerDFGToB3::compileValueBitRShift):
(JSC::FTL::DFG::LowerDFGToB3::compileToNumeric):
(JSC::FTL::DFG::LowerDFGToB3::compileCompareStrictEq):
(JSC::FTL::DFG::LowerDFGToB3::compileIsBigInt):
(JSC::FTL::DFG::LowerDFGToB3::boolify):
(JSC::FTL::DFG::LowerDFGToB3::buildTypeOf):
(JSC::FTL::DFG::LowerDFGToB3::lowBigInt32):
(JSC::FTL::DFG::LowerDFGToB3::isBigInt32KnownNotCell):
(JSC::FTL::DFG::LowerDFGToB3::isBigInt32KnownNotNumber):
(JSC::FTL::DFG::LowerDFGToB3::isNotBigInt32KnownNotNumber):
(JSC::FTL::DFG::LowerDFGToB3::isNotAnyBigIntKnownNotNumber):
(JSC::FTL::DFG::LowerDFGToB3::isNotHeapBigIntUnknownWhetherCell):
(JSC::FTL::DFG::LowerDFGToB3::speculateBigInt32):
(JSC::FTL::DFG::LowerDFGToB3::speculateAnyBigInt):
(JSC::FTL::DFG::LowerDFGToB3::isBigInt32): Deleted.
(JSC::FTL::DFG::LowerDFGToB3::isNotBigInt32): Deleted.
(JSC::FTL::DFG::LowerDFGToB3::isNotAnyBigInt): Deleted.

Location:

trunk

Files:

• JSTests/ChangeLog (modified) (1 diff)
• JSTests/stress/v8-bigint32-add.js (added)
• JSTests/stress/v8-bigint32-and.js (added)
• JSTests/stress/v8-bigint32-dec.js (added)
• JSTests/stress/v8-bigint32-div.js (added)
• JSTests/stress/v8-bigint32-inc.js (added)
• JSTests/stress/v8-bigint32-mod.js (added)
• JSTests/stress/v8-bigint32-mul.js (added)
• JSTests/stress/v8-bigint32-neg.js (added)
• JSTests/stress/v8-bigint32-not.js (added)
• JSTests/stress/v8-bigint32-or.js (added)
• JSTests/stress/v8-bigint32-sar.js (added)
• JSTests/stress/v8-bigint32-shl.js (added)
• JSTests/stress/v8-bigint32-sub.js (added)
• JSTests/stress/v8-bigint32-xor.js (added)
• Source/JavaScriptCore/ChangeLog (modified) (1 diff)
• Source/JavaScriptCore/dfg/DFGAbstractInterpreterInlines.h (modified) (1 diff)
• Source/JavaScriptCore/ftl/FTLLowerDFGToB3.cpp (modified) (14 diffs)

trunk/JSTests/ChangeLog

@@ +1 @@
+2020-04-22  Yusuke Suzuki  <ysuzuki@apple.com>
+
+        [JSC] AI results of BigInt32 Bitwise shift operation does not match to runtime results
+        https://bugs.webkit.org/show_bug.cgi?id=210839
+
+        Reviewed by Saam Barati.
+
+        * stress/v8-bigint32-add.js: Added.
+        (main):
+        * stress/v8-bigint32-and.js: Added.
+        (main):
+        * stress/v8-bigint32-dec.js: Added.
+        (main):
+        * stress/v8-bigint32-div.js: Added.
+        (main):
+        * stress/v8-bigint32-inc.js: Added.
+        (main):
+        * stress/v8-bigint32-mod.js: Added.
+        (main):
+        * stress/v8-bigint32-mul.js: Added.
+        (main):
+        * stress/v8-bigint32-neg.js: Added.
+        (main):
+        * stress/v8-bigint32-not.js: Added.
+        (main):
+        * stress/v8-bigint32-or.js: Added.
+        (main):
+        * stress/v8-bigint32-sar.js: Added.
+        (main):
+        * stress/v8-bigint32-shl.js: Added.
+        (main):
+        * stress/v8-bigint32-sub.js: Added.
+        (main):
+        * stress/v8-bigint32-xor.js: Added.
+        (main):
+
 2020-04-21  Yusuke Suzuki  <ysuzuki@apple.com>
 

trunk/Source/JavaScriptCore/ChangeLog

@@ +1 @@
+2020-04-22  Yusuke Suzuki  <ysuzuki@apple.com>
+
+        [JSC] AI results of BigInt32 Bitwise shift operation does not match to runtime results
+        https://bugs.webkit.org/show_bug.cgi?id=210839
+
+        Reviewed by Saam Barati.
+
+        While runtime function of bitwise ops with BigInt32 sometimes returns HeapBigInt, DFG AI is setting SpecBigInt32
+        as a result value. This leads to miscompilation particularly in FTL since FTL uses this information to remove
+        a lot of branches.
+
+        And we found that FTL BigInt32 predicate is not correctly checking state. This patch fixes it too.
+
+        Added test case found this (v8-bigint32-sar.js).
+
+        * dfg/DFGAbstractInterpreterInlines.h:
+        (JSC::DFG::AbstractInterpreter<AbstractStateType>::executeEffects):
+        * ftl/FTLLowerDFGToB3.cpp:
+        (JSC::FTL::DFG::LowerDFGToB3::compileValueBitRShift):
+        (JSC::FTL::DFG::LowerDFGToB3::compileToNumeric):
+        (JSC::FTL::DFG::LowerDFGToB3::compileCompareStrictEq):
+        (JSC::FTL::DFG::LowerDFGToB3::compileIsBigInt):
+        (JSC::FTL::DFG::LowerDFGToB3::boolify):
+        (JSC::FTL::DFG::LowerDFGToB3::buildTypeOf):
+        (JSC::FTL::DFG::LowerDFGToB3::lowBigInt32):
+        (JSC::FTL::DFG::LowerDFGToB3::isBigInt32KnownNotCell):
+        (JSC::FTL::DFG::LowerDFGToB3::isBigInt32KnownNotNumber):
+        (JSC::FTL::DFG::LowerDFGToB3::isNotBigInt32KnownNotNumber):
+        (JSC::FTL::DFG::LowerDFGToB3::isNotAnyBigIntKnownNotNumber):
+        (JSC::FTL::DFG::LowerDFGToB3::isNotHeapBigIntUnknownWhetherCell):
+        (JSC::FTL::DFG::LowerDFGToB3::speculateBigInt32):
+        (JSC::FTL::DFG::LowerDFGToB3::speculateAnyBigInt):
+        (JSC::FTL::DFG::LowerDFGToB3::isBigInt32): Deleted.
+        (JSC::FTL::DFG::LowerDFGToB3::isNotBigInt32): Deleted.
+        (JSC::FTL::DFG::LowerDFGToB3::isNotAnyBigInt): Deleted.
+
 2020-04-21  Yusuke Suzuki  <ysuzuki@apple.com>
 

trunk/Source/JavaScriptCore/dfg/DFGAbstractInterpreterInlines.h

@@ -544 +544 @@
         if (node->binaryUseKind() == BigInt32Use) {
 #if USE(BIGINT32)
-            setTypeForNode(node, SpecBigInt32);
+            // FIXME: We should have inlined implementation that always returns BigInt32.
+            // https://bugs.webkit.org/show_bug.cgi?id=210847
+            setTypeForNode(node, SpecBigInt);
 #else
             RELEASE_ASSERT_NOT_REACHED();

trunk/Source/JavaScriptCore/ftl/FTLLowerDFGToB3.cpp

@@ -3417 +3417 @@
             // Things are a bit tricky because a right-shift by a negative number is a left-shift for BigInts.
             // So even a right shift can overflow.
+            // https://bugs.webkit.org/show_bug.cgi?id=210847
 
             LValue left = lowJSValue(m_node->child1(), ManualOperandSpeculation);
@@ -7552 +7553 @@
             LBasicBlock lastNext = m_out.appendTo(notNumber, continuation);
 #if USE(BIGINT32)
-            m_out.branch(isBigInt32(value, provenType(m_node->child1())), unsure(continuation), unsure(notBigInt32));
+            m_out.branch(isBigInt32KnownNotNumber(value, provenType(m_node->child1())), unsure(continuation), unsure(notBigInt32));
             m_out.appendTo(notBigInt32);
 #endif
@@ -8717 +8718 @@
             LBasicBlock continuation = m_out.newBlock();
 
+            FTL_TYPE_CHECK(jsValueValue(left), m_node->child1(), ~SpecFullNumber, isNumber(left));
+            FTL_TYPE_CHECK(jsValueValue(right), m_node->child2(), ~SpecFullNumber, isNumber(right));
+
             // Inserts a check that a value is a HeapBigInt, assuming only that we know it is not a BigInt32
             auto checkIsHeapBigInt = [&](LValue lowValue, Edge highValue) {
                 if (m_interpreter.needsTypeCheck(highValue, SpecHeapBigInt)) {
                     ASSERT(mayHaveTypeCheck(highValue.useKind()));
-                    LValue checkFailed = isNotHeapBigIntUnknownWhetherCell(lowValue, ~SpecBigInt32);
+                    LValue checkFailed = isNotHeapBigIntUnknownWhetherCell(lowValue, provenType(highValue) & ~SpecBigInt32);
                     appendOSRExit(BadType, jsValueValue(lowValue), highValue.node(), checkFailed, m_origin);
                 }
             };
 
-            m_out.branch(isBigInt32(left, provenType(m_node->child1())), unsure(leftIsBigInt32), unsure(leftIsNotBigInt32));
+            m_out.branch(isBigInt32KnownNotNumber(left, provenType(m_node->child1())), unsure(leftIsBigInt32), unsure(leftIsNotBigInt32));
 
             LBasicBlock lastNext = m_out.appendTo(leftIsBigInt32, bothAreBigInt32);
-            m_out.branch(isBigInt32(right, provenType(m_node->child2())), unsure(bothAreBigInt32), unsure(onlyLeftIsBigInt32));
+            m_out.branch(isBigInt32KnownNotNumber(right, provenType(m_node->child2())), unsure(bothAreBigInt32), unsure(onlyLeftIsBigInt32));
 
             m_out.appendTo(bothAreBigInt32, onlyLeftIsBigInt32);
@@ -8750 +8754 @@
 
             m_out.appendTo(leftIsHeapBigInt, rightIsBigInt32);
-            m_out.branch(isBigInt32(right, provenType(m_node->child2())), unsure(rightIsBigInt32), unsure(rightIsNotBigInt32));
+            m_out.branch(isBigInt32KnownNotNumber(right, provenType(m_node->child2())), unsure(rightIsBigInt32), unsure(rightIsNotBigInt32));
 
             m_out.appendTo(rightIsBigInt32, rightIsNotBigInt32);
@@ -10923 +10927 @@
         LBasicBlock lastNext = m_out.appendTo(isNotCellCase, isCellCase);
         // FIXME: we should filter the provenType to include the fact that we know we are not dealing with a cell
-        ValueFromBlock notCellResult = m_out.anchor(isBigInt32(value, provenType(m_node->child1())));
+        ValueFromBlock notCellResult = m_out.anchor(isBigInt32KnownNotCell(value, provenType(m_node->child1())));
         m_out.jump(continuation);
 
@@ -15466 +15470 @@
             m_out.appendTo(notDoubleCase, bigInt32Case);
             m_out.branch(
-                isBigInt32(value, provenType(edge) & ~SpecCell),
+                isBigInt32KnownNotNumber(value, provenType(edge) & ~SpecCell),
                 unsure(bigInt32Case), unsure(notBigInt32Case));
 
@@ -16192 +16196 @@
 #if USE(BIGINT32)
         m_out.appendTo(notNumberCase, notBigInt32Case);
-        m_out.branch(isBigInt32(value, provenType(child) & ~SpecCell), unsure(bigIntCase), unsure(notBigInt32Case));
+        m_out.branch(isBigInt32KnownNotNumber(value, provenType(child) & ~SpecCell), unsure(bigIntCase), unsure(notBigInt32Case));
 
         m_out.appendTo(notBigInt32Case, notNullCase);
@@ -16912 +16916 @@
         if (isValid(value)) {
             LValue result = value.value();
-            FTL_TYPE_CHECK(jsValueValue(result), edge, SpecBigInt32, isNotBigInt32(result));
+            FTL_TYPE_CHECK(jsValueValue(result), edge, ~SpecFullNumber, isNumber(result));
+            FTL_TYPE_CHECK(jsValueValue(result), edge, SpecBigInt32, isNotBigInt32KnownNotNumber(result));
             return result;
         }
@@ -17109 +17114 @@
 
 #if USE(BIGINT32)
-    LValue isBigInt32(LValue jsValue, SpeculatedType type = SpecFullTop)
+    LValue isBigInt32KnownNotCell(LValue jsValue, SpeculatedType type = SpecFullTop)
     {
         if (LValue proven = isProvenValue(type, SpecBigInt32))
             return proven;
-        return m_out.equal(
-            m_out.bitAnd(jsValue, m_out.constInt64(JSValue::BigInt32Mask)),
-            m_out.constInt64(JSValue::BigInt32Tag));
-    }
-    LValue isNotBigInt32(LValue jsValue, SpeculatedType type = SpecFullTop)
+        return m_out.equal(m_out.bitAnd(jsValue, m_out.constInt64(JSValue::BigInt32Mask)), m_out.constInt64(JSValue::BigInt32Tag));
+    }
+    LValue isBigInt32KnownNotNumber(LValue jsValue, SpeculatedType type = SpecFullTop)
+    {
+        if (LValue proven = isProvenValue(type, SpecBigInt32))
+            return proven;
+        return m_out.equal(m_out.bitAnd(jsValue, m_out.constInt64(JSValue::BigInt32Tag)), m_out.constInt64(JSValue::BigInt32Tag));
+    }
+    LValue isNotBigInt32KnownNotNumber(LValue jsValue, SpeculatedType type = SpecFullTop)
     {
         if (LValue proven = isProvenValue(type, ~SpecBigInt32))
             return proven;
-        return m_out.notEqual(
-            m_out.bitAnd(jsValue, m_out.constInt64(JSValue::BigInt32Mask)),
-            m_out.constInt64(JSValue::BigInt32Tag));
+        return m_out.notEqual(m_out.bitAnd(jsValue, m_out.constInt64(JSValue::BigInt32Tag)), m_out.constInt64(JSValue::BigInt32Tag));
     }
     LValue unboxBigInt32(LValue jsValue)
@@ -17135 +17142 @@
             m_out.constInt64(JSValue::BigInt32Tag));
     }
-    LValue isNotAnyBigInt(LValue jsValue, SpeculatedType type = SpecFullTop)
+    LValue isNotAnyBigIntKnownNotNumber(LValue jsValue, SpeculatedType type = SpecFullTop)
     {
         if (LValue proven = isProvenValue(type, ~SpecBigInt))
@@ -17151 +17158 @@
         LBasicBlock continuation = m_out.newBlock();
 
-        m_out.branch(isBigInt32(jsValue, type), unsure(isBigInt32Case), unsure(isNotBigInt32Case));
+        m_out.branch(isBigInt32KnownNotNumber(jsValue, type), unsure(isBigInt32Case), unsure(isNotBigInt32Case));
 
         LBasicBlock lastNext = m_out.appendTo(isBigInt32Case, isNotBigInt32Case);
@@ -17688 +17695 @@
         LBasicBlock continuation = m_out.newBlock();
 
-        ValueFromBlock defaultToFalse = m_out.anchor(m_out.booleanFalse);
+        ValueFromBlock defaultToTrue = m_out.anchor(m_out.booleanTrue);
         m_out.branch(isCell(value, type), unsure(isCellCase), unsure(continuation));
 
         LBasicBlock lastNext = m_out.appendTo(isCellCase, continuation);
-        ValueFromBlock returnForCell = m_out.anchor(isHeapBigInt(value, type));
+        ValueFromBlock returnForCell = m_out.anchor(isNotHeapBigInt(value, type));
         m_out.jump(continuation);
 
         m_out.appendTo(continuation, lastNext);
-        LValue result = m_out.phi(Int32, defaultToFalse, returnForCell);
+        LValue result = m_out.phi(Int32, defaultToTrue, returnForCell);
         return result;
     }
@@ -18182 +18189 @@
     {
         LValue value = lowJSValue(edge, ManualOperandSpeculation);
-        FTL_TYPE_CHECK(jsValueValue(value), edge, SpecBigInt32, isNotBigInt32(value));
+        FTL_TYPE_CHECK(jsValueValue(value), edge, ~SpecFullNumber, isNumber(value));
+        FTL_TYPE_CHECK(jsValueValue(value), edge, SpecBigInt32, isNotBigInt32KnownNotNumber(value));
     }
 
@@ -18188 +18196 @@
     {
         LValue value = lowJSValue(edge, ManualOperandSpeculation);
-        FTL_TYPE_CHECK(jsValueValue(value), edge, SpecBigInt, isNotAnyBigInt(value));
+        FTL_TYPE_CHECK(jsValueValue(value), edge, ~SpecFullNumber, isNumber(value));
+        FTL_TYPE_CHECK(jsValueValue(value), edge, SpecBigInt, isNotAnyBigIntKnownNotNumber(value));
     }
 #endif