Closed Bug 1322320 Opened 8 years ago Closed 8 years ago

CacheIR: ensure we don't attach duplicate Baseline stubs

Categories

(Core :: JavaScript Engine: JIT, defect, P1)

Product:
Core
Component:
JavaScript Engine: JIT
Type:
defect

Tracking

()

Status:
RESOLVED FIXED
Milestone:
mozilla53
Tracking Flags:
Tracking Status
firefox53 --- fixed

People

(Reporter: jandem, Assigned: jandem)

References

(Blocks 1 open bug)

Details

Attachments

(1 file)

Patch
7.65 KB, patch
h4writer
: review+
Details | Diff | Splinter Review 
Baseline ICs currently have some ad-hoc checks to avoid attaching duplicate stubs (this can happen for example when we fail a bounds check and then attach a similar stub). We don't check this everywhere though.

With CacheIR we can implement this in one place by checking (right before we attach a new stub) if there's already a stub with the same CacheIRStubInfo* (which means same IR) and same stub fields.
Priority: -- → P1
Attached patch PatchSplinter Review 
I added some logging and ran the sunspider/v8 jit-tests. Apparently we had a case where this happens with the dense element stub: when the index is in-bounds but the element is the hole value, we attached duplicate stubs.

With the patch we no longer do this. I also changed the initialized-length check to use containsDenseElement (it does both bounds checking and checking for holes), as it's a little faster than relying on the duplicate-stub-detection code.
Assignee: nobody → jdemooij
Status: NEW → ASSIGNED
Attachment #8817710 - Flags: review?(hv1989)
Comment on attachment 8817710 [details] [diff] [review]
Patch

Review of attachment 8817710 [details] [diff] [review]:
-----------------------------------------------------------------

Just a general question. Should we make it a debug failure when adding a stub that has been added already?
That way we cannot add multiple similar stubs anymore and we don't have to iterate the list on release builds?

::: js/src/jit/BaselineCacheIR.cpp
@@ +1916,5 @@
>  CacheIRWriter::copyStubData(uint8_t* dest) const
>  {
>      uintptr_t* destWords = reinterpret_cast<uintptr_t*>(dest);
>  
> +    for (const StubField& field : stubFields_) {

We can do that now. Cool!

@@ +2099,5 @@
> +
> +        ICCacheIR_Monitored* otherStub = iter->toCacheIR_Monitored();
> +        if (otherStub->stubInfo() != stubInfo)
> +            continue;
> +        if (!writer.stubDataEquals((uint8_t*)otherStub + stubInfo->stubDataOffset()))

can we create a method for:
(uint8_t*)otherStub + stubInfo->stubDataOffset()

stubDataStart() or something?

::: js/src/jit/CacheIR.cpp
@@ +901,1 @@
>          return false;

Nice find!
Attachment #8817710 - Flags: review?(hv1989) → review+
(In reply to Hannes Verschore [:h4writer] from comment #2)
> Just a general question. Should we make it a debug failure when adding a
> stub that has been added already?
> That way we cannot add multiple similar stubs anymore and we don't have to
> iterate the list on release builds?

Good question. I know there are some edge cases the ICs check but that we currently don't check when emitting IR. I can file a follow-up bug to fix all these cases and then we can add a MOZ_ASSERT.

I first want to convert more IC code before spending time on this (and potential fuzz bugs from it), but I agree it might make sense to start enforcing this at some point. We will have to see how hard it is, but it's probably not that bad.
See Also: → 1322783
Pushed by jandemooij@gmail.com:
https://hg.mozilla.org/integration/mozilla-inbound/rev/f456cfc23c5d
Ensure we don't attach duplicate Baseline stubs. r=h4writer
https://hg.mozilla.org/mozilla-central/rev/f456cfc23c5d
Status: ASSIGNED → RESOLVED
Closed: 8 years ago
status-firefox53: --- → fixed
Resolution: --- → FIXED
Target Milestone: --- → mozilla53
You need to log in before you can comment on or make changes to this bug.

Attachment

General

Creator:
Created:
Updated:
Size: