Changeset 249586 in webkit for trunk/Source/JavaScriptCore/interpreter/ShadowChicken.cpp

Timestamp:

Sep 6, 2019, 12:11:20 PM (6 years ago)

Author:

Joseph Pecoraro

Message:

Tail Deleted Frames shown in Web Inspector are sometimes incorrect (Shadow Chicken)
​https://bugs.webkit.org/show_bug.cgi?id=201366

Reviewed by Saam Barati.

Source/JavaScriptCore:

It is possible for the log buffer to be full right as someone is trying to
log a function prologue. In such a case the machine stack has already been
updated to include the new JavaScript call frame, but the prologue packet
cannot be included in the update because the log is full. This would mean
that the update fails to rationalize the machine stack with the shadow
log / stack. Namely, the current JavaScript call frame is unable to
find a matching prologue (the one we are holding to include after the update)
and inserts a questionable value into the stack; and in the process
missing and removing real potential tail calls.

For example:

"use strict";
function third() { return 1; }
function second() { return third(); }
function first() { return second(); }
function start() { return first(); }

If the the log fills up just as we are entering b then we may have a list
full log of packets looking like:

Shadow Log:

...
{ prologue-packet: entering start ... }
{ prologue-packet: entering first ... }
{ tail-packet: leaving first with a tail call }

Incoming Packet:

{ prologue-packet: entering second ... }

Current JS Stack:

second
start

Since the Current JavaScript stack already has second, if we process the
log without the prologue for second then we push a confused entry on the
shadow stack and clear the log such that we eventually lose the tail-call
information for first to second.

This patch solves this issue by providing enough extra space in the log
to always process the incoming packet when that forces an update. This way
clients can continue to behave exactly as they are.

--

We also document a corner case in some circumstances where the shadow
log may currently be insufficient to know how to reconcile:

For example:

"use strict";
function third() { return 1; }
function second() { return third(); }
function first() { return second(); }
function doNothingTail() { return Math.random() }
function start() {

for (i=0;i<1000;++i) doNothingTail();
return first();

}

In this case the ShadowChicken log may be processed multiple times due
to the many calls to doNothingTail / Math.random(). When calling the
Native function no prologue packet is emitted, so it is unclear that we
temporarly go deeper and come back out on the stack, so the log appears
to have lots of doNothingTail calls reusing the same frame:

Shadow Log:

...
, [123] {callee = 0x72a21aee0, frame = 0x7ffeef897270, callerFrame = 0x7ffeef8972e0, name = start}
, [124] {callee = 0x72a21af10, frame = 0x7ffeef8971f0, callerFrame = 0x7ffeef897270, name = doNothingTail}
, [125] tail-packet:{frame = 0x7ffeef8971f0}
, [126] {callee = 0x72a21af10, frame = 0x7ffeef8971f0, callerFrame = 0x7ffeef897270, name = doNothingTail}
, [127] tail-packet:{frame = 0x7ffeef8971f0}
...
, [140] {callee = 0x72a21af10, frame = 0x7ffeef8971f0, callerFrame = 0x7ffeef897270, name = doNothingTail}
, [141] tail-packet:{frame = 0x7ffeef8971f0}
, [142] {callee = 0x72a21af10, frame = 0x7ffeef8971f0, callerFrame = 0x7ffeef897270, name = doNothingTail}
, [143] tail-packet:{frame = 0x7ffeef8971f0}
, [144] {callee = 0x72a21aeb0, frame = 0x7ffeef8971f0, callerFrame = 0x7ffeef897270, name = first}
, [145] tail-packet:{frame = 0x7ffeef8971f0}
, [146] {callee = 0x72a21ae80, frame = 0x7ffeef8971f0, callerFrame = 0x7ffeef897270, name = second}
...

This log would seem to be indistinguishable from real tail recursion, such as:

"use strict";
function third() { return 1; }
function second() { return third(); }
function first() { return second(); }
function doNothingTail(n) {

return n ? doNothingTail(n-1) : first();

}
function start() {

return doNothingTail(1000);

}

Likewise there are more cases where the shadow log appears to be ambiguous with determining
the appropriate parent call frame with intermediate function calls. In practice this may
not be too problematic, as this is a best effort reconstruction of tail deleted frames.
It seems likely we would only show additional frames that did in fact happen serially
between JavaScript call frames, but may not actually be the proper parent frames
heirachy in the stack.

• interpreter/ShadowChicken.cpp:

(JSC::ShadowChicken::Packet::dump const):
(JSC::ShadowChicken::Frame::dump const):
(JSC::ShadowChicken::dump const):
Improved debugging output. Especially for functions.

(JSC::ShadowChicken::ShadowChicken):
Make space in the log for 1 additional packet to process when we slow log.

(JSC::ShadowChicken::log):
Include this packet in our update.

(JSC::ShadowChicken::update):
Address an edge case where we can eliminate tail-deleted frames that don't make sense.

LayoutTests:

• inspector/debugger/tail-deleted-frames-expected.txt: Removed.
• inspector/debugger/tail-deleted-frames-from-vm-entry-expected.txt: Removed.
• inspector/debugger/tail-deleted-frames-from-vm-entry.html: Removed.
• inspector/debugger/tail-deleted-frames-this-value-expected.txt: Removed.
• inspector/debugger/tail-deleted-frames-this-value.html: Removed.
• inspector/debugger/tail-deleted-frames.html: Removed.

Remove legacy tests that are difficult to read.

• inspector/debugger/tail-deleted-frames/resources/stack-trace-utilities.js: Added.

(TestPage.registerInitializer.window.getAsyncStackTrace):
(TestPage.registerInitializer.async.logThisObject):
(TestPage.registerInitializer.async.logScope):
(TestPage.registerInitializer.async.logCallFrame):
(TestPage.registerInitializer):

• inspector/debugger/tail-deleted-frames/resources/tail-deleted-frames-intermediate-frames.js: Added.
• inspector/debugger/tail-deleted-frames/resources/tail-deleted-frames-intermediate-native-tail-deleted-calls.js: Added.
• inspector/debugger/tail-deleted-frames/resources/tail-deleted-frames-intermediate-tail-deleted-frames.js: Added.
• inspector/debugger/tail-deleted-frames/resources/tail-deleted-frames-scopes.js: Added.
• inspector/debugger/tail-deleted-frames/resources/tail-deleted-frames-this-value.js: Added.
• inspector/debugger/tail-deleted-frames/resources/tail-deleted-frames-vm-entry.js: Added.
• inspector/debugger/tail-deleted-frames/tail-deleted-frames-intermediate-frames-expected.txt: Added.
• inspector/debugger/tail-deleted-frames/tail-deleted-frames-intermediate-frames.html: Added.
• inspector/debugger/tail-deleted-frames/tail-deleted-frames-intermediate-tail-deleted-frames-expected.txt: Added.
• inspector/debugger/tail-deleted-frames/tail-deleted-frames-intermediate-tail-deleted-frames.html: Added.
• inspector/debugger/tail-deleted-frames/tail-deleted-frames-scopes-expected.txt: Added.
• inspector/debugger/tail-deleted-frames/tail-deleted-frames-scopes.html: Added.
• inspector/debugger/tail-deleted-frames/tail-deleted-frames-this-value-expected.txt: Added.
• inspector/debugger/tail-deleted-frames/tail-deleted-frames-this-value.html: Added.
• inspector/debugger/tail-deleted-frames/tail-deleted-frames-vm-entry-expected.txt: Added.
• inspector/debugger/tail-deleted-frames/tail-deleted-frames-vm-entry.html: Added.

Include modern tests that are easier to read.

• inspector/debugger/tail-deleted-frames/tail-deleted-frames-intermediate-native-tail-deleted-calls-expected.txt: Added.
• inspector/debugger/tail-deleted-frames/tail-deleted-frames-intermediate-native-tail-deleted-calls.html: Added.

Include a test that is known to produce bad output, since we have reproductive steps.

• platform/mac/TestExpectations:

Updated pathes.

File:

• trunk/Source/JavaScriptCore/interpreter/ShadowChicken.cpp (modified) (10 diffs)

trunk/Source/JavaScriptCore/interpreter/ShadowChicken.cpp

@@ -46 +46 @@
     
     if (isPrologue()) {
+        String name = "?"_s;
+        if (auto* function = jsDynamicCast<JSFunction*>(callee->vm(), callee)) {
+            name = function->name(callee->vm());
+            if (name.isEmpty())
+                name = "?"_s;
+        }
+
         out.print(
             "{callee = ", RawPointer(callee), ", frame = ", RawPointer(frame), ", callerFrame = ",
-            RawPointer(callerFrame), "}");
+            RawPointer(callerFrame), ", name = ", name, "}");
         return;
     }
@@ -63 +70 @@
 void ShadowChicken::Frame::dump(PrintStream& out) const
 {
+    String name = "?"_s;
+    if (auto* function = jsDynamicCast<JSFunction*>(callee->vm(), callee)) {
+        name = function->name(callee->vm());
+        if (name.isEmpty())
+            name = "?"_s;
+    }
+
     out.print(
-        "{callee = ", RawPointer(callee), ", frame = ", RawPointer(frame), ", isTailDeleted = ",
-        isTailDeleted, "}");
+        "{callee = ", *callee, ", frame = ", RawPointer(frame), ", isTailDeleted = ",
+        isTailDeleted, ", name = ", name, "}");
 }
 
@@ -71 +85 @@
     : m_logSize(Options::shadowChickenLogSize())
 {
-    m_log = static_cast<Packet*>(fastZeroedMalloc(sizeof(Packet) * m_logSize));
+    // Allow one additional packet beyond m_logEnd. This is useful for the moment we
+    // log a packet when the log is full and force an update. At that moment the packet
+    // that is being logged should be included in the update because it may be
+    // a critical prologue needed to rationalize the current machine stack with the
+    // shadow stack.
+    m_log = static_cast<Packet*>(fastZeroedMalloc(sizeof(Packet) * (m_logSize + 1)));
     m_logCursor = m_log;
     m_logEnd = m_log + m_logSize;
@@ -83 +102 @@
 void ShadowChicken::log(VM& vm, ExecState* exec, const Packet& packet)
 {
+    // This write is allowed because we construct the log with space for 1 additional packet.
+    *m_logCursor++ = packet;
     update(vm, exec);
-    *m_logCursor++ = packet;
 }
 
@@ -143 +163 @@
     }
 
-    
     if (ShadowChickenInternal::verbose)
         dataLog("    Revised stack: ", listDump(m_stack), "\n");
@@ -289 +308 @@
 
             CallFrame* callFrame = visitor->callFrame();
-            if (ShadowChickenInternal::verbose)
-                dataLog("    Examining ", RawPointer(callFrame), "\n");
+            if (ShadowChickenInternal::verbose) {
+                dataLog("    Examining callFrame:", RawPointer(callFrame), ", callee:", RawPointer(callFrame->jsCallee()), ", callerFrame:", RawPointer(callFrame->callerFrame()), "\n");
+                JSObject* callee = callFrame->jsCallee();
+                if (auto* function = jsDynamicCast<JSFunction*>(callee->vm(), callee))
+                    dataLog("      Function = ", function->name(callee->vm()), "\n");
+            }
+
             if (callFrame == highestPointSinceLastTime) {
                 if (ShadowChickenInternal::verbose)
-                    dataLog("    Bailing at ", RawPointer(callFrame), " because it's the highest point since last time.\n");
+                    dataLog("    Bailing at ", RawPointer(callFrame), " because it's the highest point since last time\n");
+
+                // FIXME: At this point the shadow stack may still have tail deleted frames
+                // that do not run into the current call frame but are left in the shadow stack.
+                // Those tail deleted frames should be validated somehow.
+
                 return StackVisitor::Done;
             }
@@ -319 +348 @@
                 && m_log[indexInLog].frame == toPush.last().frame) {
                 if (ShadowChickenInternal::verbose)
-                    dataLog("    Going to loop through to find tail deleted frames with indexInLog = ", indexInLog, " and push-stack top = ", toPush.last(), "\n");
+                    dataLog("    Going to loop through to find tail deleted frames using ", RawPointer(callFrame), " with indexInLog = ", indexInLog, " and push-stack top = ", toPush.last(), "\n");
                 for (;;) {
                     ASSERT(m_log[indexInLog].frame == toPush.last().frame);
@@ -341 +370 @@
                     }
                     indexInLog--; // Skip over the tail packet.
+
+                    // FIXME: After a few iterations the tail packet referenced frame may not be the
+                    // same as the original callFrame for the real stack frame we started with.
+                    // It is unclear when we should break.
                     
                     if (!advanceIndexInLogTo(tailPacket.frame, nullptr, nullptr)) {
@@ -380 +413 @@
 
     if (ShadowChickenInternal::verbose)
-        dataLog("    After pushing: ", *this, "\n");
+        dataLog("    After pushing: ", listDump(m_stack), "\n");
 
     // Remove tail frames until the number of tail deleted frames is small enough.
@@ -448 +481 @@
     out.print("\n");
     for (unsigned i = 0; i < limit; ++i)
-        out.print("\t", comma, m_log[i], "\n");
+        out.print("\t", comma, "[", i, "] ", m_log[i], "\n");
     out.print("]}");
 }