Changeset 178926 in webkit for trunk/Source/JavaScriptCore

Timestamp:

Jan 22, 2015, 11:05:42 AM (10 years ago)

Author:

[email protected]

Message:

BytecodeGenerator::initializeCapturedVariable() sets a misleading value for the 5th operand of op_put_to_scope.
<​https://webkit.org/b/140743>

Reviewed by Oliver Hunt.

Source/JavaScriptCore:

BytecodeGenerator::initializeCapturedVariable() was setting the 5th operand to
op_put_to_scope to an inappropriate value (i.e. 0). As a result, the execution
of put_to_scope could store a wrong inferred value into the VariableWatchpointSet
for which ever captured variable is at local index 0. In practice, this turns
out to be the local for the Arguments object. In this reproduction case in the
bug, the wrong inferred value written there is the boolean true.

Subsequently, DFG compilation occurs and CreateArguments is emitted to first do
a check of the local for the Arguments object. But because that local has a
wrong inferred value, the check always discovers a non-null value and we never
actually create the Arguments object. Immediately after this, an OSR exit
occurs leaving the Arguments object local uninitialized. Later on at arguments
tear off, we run into a boolean true where we had expected to find an Arguments
object, which in turn, leads to the crash.

The fix is to:

1. In the case where the resolveModeType is LocalClosureVar, change the 5th operand of op_put_to_scope to be a boolean. True means that the local var is watchable. False means it is not watchable. We no longer pass the local index (instead of true) and UINT_MAX (instead of false).

This allows us to express more clearer in the code what that value means,
as well as remove the redundant way of getting the local's identifier.
The identifier is always the one passed in the 2nd operand.

2. Previously, though intuitively, we know that the watchable variable identifier should be the same as the one that is passed in operand 2, this relationship was not clear in the code. By code analysis, I confirmed that the callers of BytecodeGenerator::emitPutToScope() always use the same identifier for operand 2 and for filling out the ResolveScopeInfo from which we get the watchable variable identifier later. I've changed the code to make this clear now by always using the identifier passed in operand 2.

3. In the case where the resolveModeType is LocalClosureVar, initializeCapturedVariable() and emitPutToScope() will now query hasWatchableVariable() to determine if the local is watchable or not. Accordingly, we pass the boolean result of hasWatchableVariable() as operand 5 of op_put_to_scope.

Also added some assertions.

• bytecode/CodeBlock.cpp:

(JSC::CodeBlock::CodeBlock):

• bytecompiler/BytecodeGenerator.cpp:

(JSC::BytecodeGenerator::initializeCapturedVariable):
(JSC::BytecodeGenerator::hasConstant):
(JSC::BytecodeGenerator::emitPutToScope):

• bytecompiler/BytecodeGenerator.h:

(JSC::BytecodeGenerator::hasWatchableVariable):
(JSC::BytecodeGenerator::watchableVariableIdentifier):
(JSC::BytecodeGenerator::watchableVariable): Deleted.

LayoutTests:

• js/dfg-osr-exit-between-create-and-tearoff-arguments-expected.txt: Added.
• js/dfg-osr-exit-between-create-and-tearoff-arguments.html: Added.
• js/script-tests/dfg-osr-exit-between-create-and-tearoff-arguments.js: Added.

(foo):

Location:

trunk/Source/JavaScriptCore

Files:

• ChangeLog (modified) (1 diff)
• bytecode/CodeBlock.cpp (modified) (1 diff)
• bytecompiler/BytecodeGenerator.cpp (modified) (3 diffs)
• bytecompiler/BytecodeGenerator.h (modified) (2 diffs)

trunk/Source/JavaScriptCore/ChangeLog

@@ +1 @@
+2015-01-22  Mark Lam  <[email protected]>
+
+        BytecodeGenerator::initializeCapturedVariable() sets a misleading value for the 5th operand of op_put_to_scope.
+        <https://webkit.org/b/140743>
+
+        Reviewed by Oliver Hunt.
+
+        BytecodeGenerator::initializeCapturedVariable() was setting the 5th operand to
+        op_put_to_scope to an inappropriate value (i.e. 0).  As a result, the execution
+        of put_to_scope could store a wrong inferred value into the VariableWatchpointSet
+        for which ever captured variable is at local index 0.  In practice, this turns
+        out to be the local for the Arguments object.  In this reproduction case in the
+        bug, the wrong inferred value written there is the boolean true.
+
+        Subsequently, DFG compilation occurs and CreateArguments is emitted to first do
+        a check of the local for the Arguments object.  But because that local has a
+        wrong inferred value, the check always discovers a non-null value and we never
+        actually create the Arguments object.  Immediately after this, an OSR exit
+        occurs leaving the Arguments object local uninitialized.  Later on at arguments
+        tear off, we run into a boolean true where we had expected to find an Arguments
+        object, which in turn, leads to the crash.
+
+        The fix is to:
+        1. In the case where the resolveModeType is LocalClosureVar, change the
+           5th operand of op_put_to_scope to be a boolean.  True means that the
+           local var is watchable.  False means it is not watchable.  We no longer
+           pass the local index (instead of true) and UINT_MAX (instead of false).
+
+           This allows us to express more clearer in the code what that value means,
+           as well as remove the redundant way of getting the local's identifier.
+           The identifier is always the one passed in the 2nd operand. 
+
+        2. Previously, though intuitively, we know that the watchable variable
+           identifier should be the same as the one that is passed in operand 2, this
+           relationship was not clear in the code.  By code analysis, I confirmed that 
+           the callers of BytecodeGenerator::emitPutToScope() always use the same
+           identifier for operand 2 and for filling out the ResolveScopeInfo from
+           which we get the watchable variable identifier later.  I've changed the
+           code to make this clear now by always using the identifier passed in
+           operand 2.
+
+        3. In the case where the resolveModeType is LocalClosureVar,
+           initializeCapturedVariable() and emitPutToScope() will now query
+           hasWatchableVariable() to determine if the local is watchable or not.
+           Accordingly, we pass the boolean result of hasWatchableVariable() as
+           operand 5 of op_put_to_scope.
+
+        Also added some assertions.
+
+        * bytecode/CodeBlock.cpp:
+        (JSC::CodeBlock::CodeBlock):
+        * bytecompiler/BytecodeGenerator.cpp:
+        (JSC::BytecodeGenerator::initializeCapturedVariable):
+        (JSC::BytecodeGenerator::hasConstant):
+        (JSC::BytecodeGenerator::emitPutToScope):
+        * bytecompiler/BytecodeGenerator.h:
+        (JSC::BytecodeGenerator::hasWatchableVariable):
+        (JSC::BytecodeGenerator::watchableVariableIdentifier):
+        (JSC::BytecodeGenerator::watchableVariable): Deleted.
+
 2015-01-22  Ryosuke Niwa  <[email protected]>
 

trunk/Source/JavaScriptCore/bytecode/CodeBlock.cpp

@@ -1999 +1999 @@
             ResolveModeAndType modeAndType = ResolveModeAndType(pc[4].u.operand);
             if (modeAndType.type() == LocalClosureVar) {
-                if (pc[5].u.index == UINT_MAX) {
-                    instructions[i + 5].u.watchpointSet = 0;
+                bool isWatchableVariable = pc[5].u.operand;
+                if (!isWatchableVariable) {
+                    instructions[i + 5].u.watchpointSet = nullptr;
                     break;
                 }
-                StringImpl* uid = identifier(pc[5].u.index).impl();
+                StringImpl* uid = ident.impl();
                 RELEASE_ASSERT(didCloneSymbolTable);
                 if (ident != m_vm->propertyNames->arguments) {

trunk/Source/JavaScriptCore/bytecompiler/BytecodeGenerator.cpp

@@ -518 +518 @@
     instructions().append(value->index());
     instructions().append(ResolveModeAndType(ThrowIfNotFound, LocalClosureVar).operand());
-    instructions().append(0);
+    int operand = registerFor(dst->index()).index();
+    bool isWatchableVariable = hasWatchableVariable(operand);
+    ASSERT(!isWatchableVariable || watchableVariableIdentifier(operand) == propertyName);
+    instructions().append(isWatchableVariable);
     instructions().append(dst->index());
     return dst;
@@ -999 +1002 @@
 }
 
+bool BytecodeGenerator::hasConstant(const Identifier& ident) const
+{
+    StringImpl* rep = ident.impl();
+    return m_identifierMap.contains(rep);
+}
+    
 unsigned BytecodeGenerator::addConstant(const Identifier& ident)
 {
@@ -1397 +1406 @@
     if (info.isLocal()) {
         instructions().append(ResolveModeAndType(resolveMode, LocalClosureVar).operand());
-        instructions().append(watchableVariable(registerFor(info.localIndex()).index()));
+        int operand = registerFor(info.localIndex()).index();
+        bool isWatchableVariable = hasWatchableVariable(operand);
+        ASSERT(!isWatchableVariable || watchableVariableIdentifier(operand) == identifier);
+        instructions().append(isWatchableVariable);
     } else {
+        ASSERT(resolveType() != LocalClosureVar);
         instructions().append(ResolveModeAndType(resolveMode, resolveType()).operand());
-        instructions().append(0);
+        instructions().append(false);
     }
     instructions().append(info.localIndex());

trunk/Source/JavaScriptCore/bytecompiler/BytecodeGenerator.h

@@ -653 +653 @@
         }
 
+        bool hasConstant(const Identifier&) const;
         unsigned addConstant(const Identifier&);
         RegisterID* addConstantValue(JSValue);
@@ -727 +728 @@
         RegisterID* createLazyRegisterIfNecessary(RegisterID*);
         
-        unsigned watchableVariable(int operand)
+        bool hasWatchableVariable(int operand) const
         {
             VirtualRegister reg(operand);
             if (!reg.isLocal())
-                return UINT_MAX;
+                return false;
             if (static_cast<size_t>(reg.toLocal()) >= m_watchableVariables.size())
-                return UINT_MAX;
-            Identifier& ident = m_watchableVariables[reg.toLocal()];
+                return false;
+            const Identifier& ident = m_watchableVariables[reg.toLocal()];
             if (ident.isNull())
-                return UINT_MAX;
-            return addConstant(ident);
-        }
-        
-        bool hasWatchableVariable(int operand)
-        {
-            return watchableVariable(operand) != UINT_MAX;
+                return false;
+            ASSERT(hasConstant(ident)); // Should have already been added.
+            return true;
+        }
+        
+        const Identifier& watchableVariableIdentifier(int operand) const
+        {
+            ASSERT(hasWatchableVariable(operand));
+            VirtualRegister reg(operand);
+            return m_watchableVariables[reg.toLocal()];
         }