Closed Bug 1476500 Opened 7 years ago Closed 7 years ago

Harden code generator against changed types elsewhere

Categories

(Core :: JavaScript Engine: JIT, defect)

Product:
Core
Component:
JavaScript Engine: JIT
Version:
61 Branch
Type:
defect
Priority:
Not set
Severity:
normal

Tracking

()

Status:
RESOLVED FIXED
Milestone:
mozilla63
Tracking Flags:
Tracking Status
firefox63 --- fixed

People

(Reporter: pbone, Assigned: pbone)

References

Details

Attachments

(4 files)

Bug 1476500 - Fix some prose in the MacroAssembler class comment
2.42 KB, patch
tcampbell
: review+
nbp
: review+
Details | Diff | Splinter Review
Bug 1476500 - Add extra assignments and make some types more specific
10.60 KB, patch
nbp
: review+
Details | Diff | Splinter Review
Bug 1476500 - Add a comment explaining why we need this value
977 bytes, patch
Details | Diff | Splinter Review
Bug 1476500 - Make the JIT's use of the XorShift128PlusRNG is type-correct
5.33 KB, patch
Details | Diff | Splinter Review
There are a number of places in the JIT where a void * or even a const void * is passed in, and then the JITed code treats it as a more specific type such as a uint32_t*. I have a patch to add extra assignments to the JIT to ensure that these types are correct before performing the implicit void* coersion in the Address and AbsoluteAddress constructors. The types of these things are updated elsewhere in the engine. Now if one of these types changes, it will create a compilation error in the JIT code drawing a developer's attention there.
Assignee: nobody → pbone
Status: NEW → ASSIGNED
One reason for returning const void* from CompileWrappers, for instance addressOfRandomNumberGenerator, is that this code can be called off-thread so we want to give the caller as little as possible to work with (read: to introduce races etc).
(In reply to Jan de Mooij [:jandem] from comment #4) > One reason for returning const void* from CompileWrappers, for instance > addressOfRandomNumberGenerator, is that this code can be called off-thread > so we want to give the caller as little as possible to work with (read: to > introduce races etc). (That said, better type safety may be worth it; I just wanted to mention this as a trade-off to keep in mind. I guess ideally we'd wrap these pointers in a C++ template that wouldn't let you dereference them, but that might be overkill.)
Comment on attachment 8992852 [details] [diff] [review] Bug 1476500 - Fix some prose in the MacroAssembler class comment Review of attachment 8992852 [details] [diff] [review]: ----------------------------------------------------------------- Thanks for fixing my typos :/
Attachment #8992852 - Flags: review+
Comment on attachment 8992853 [details] [diff] [review] Bug 1476500 - Add extra assignments and make some types more specific Review of attachment 8992853 [details] [diff] [review]: ----------------------------------------------------------------- Adding more type is a good thing. However, I am not sure about having assignments versus having a templated AbsoluteAddress constructor. I guess this is a first step towards having a (phantom-)typed MacroAssembler, starting with AbsoluteAddress / Address / ImmPtr.
Attachment #8992853 - Flags: review?(nicolas.b.pierron) → review+
(In reply to Jan de Mooij [:jandem] from comment #5) > (In reply to Jan de Mooij [:jandem] from comment #4) > > One reason for returning const void* from CompileWrappers, for instance > > addressOfRandomNumberGenerator, is that this code can be called off-thread > > so we want to give the caller as little as possible to work with (read: to > > introduce races etc). > > (That said, better type safety may be worth it; I just wanted to mention > this as a trade-off to keep in mind. I guess ideally we'd wrap these > pointers in a C++ template that wouldn't let you dereference them, but that > might be overkill.) I figured there would be such trade-offs, but I didn't know exactly which types they would apply to. Alternatively I can create a parent class of the random number generator class that contains only the parts required to do code generation and return a pointer to that for addressOfRandomNumberGenerator.
(In reply to Nicolas B. Pierron [:nbp] {backlog: 39} from comment #7) > Comment on attachment 8992853 [details] [diff] [review] > Bug 1476500 - Add extra assignments and make some types more specific > > Review of attachment 8992853 [details] [diff] [review]: > ----------------------------------------------------------------- > > Adding more type is a good thing. However, I am not sure about having > assignments versus having a templated AbsoluteAddress constructor. > I guess this is a first step towards having a (phantom-)typed > MacroAssembler, starting with AbsoluteAddress / Address / ImmPtr. Here's where my C++ is a little weak. WOuld the type be visible in the constructor call? Eg: movPtr(AbsoluteAddress<uint32_t*>(addressOfX()), temp);
Comment on attachment 8992852 [details] [diff] [review] Bug 1476500 - Fix some prose in the MacroAssembler class comment Review of attachment 8992852 [details] [diff] [review]: ----------------------------------------------------------------- There's a pre-existing stale comment here that you can help fix :) ::: js/src/jit/MacroAssembler.h @@ +60,4 @@ > // - If the declaration is "inline", then the method definition(s) would be in > // the "-inl.h" variant of the same file(s). > // > +// The script check_macroassembler_style.py (check-masm target of the |check-masm| target was removed in https://searchfox.org/mozilla-central/commit/d04734856692be4604a15e5ae2363f058b006927 and runs on every build now. > (run on every build)
Attachment #8992852 - Flags: review?(tcampbell) → review+
Comment on attachment 8993212 [details] [diff] [review] Bug 1476500 - Make the JIT's use of the XorShift128PlusRNG is type-correct Review of attachment 8993212 [details] [diff] [review]: ----------------------------------------------------------------- Thanks for writing the patch! However this makes the XorShift128PlusRNG code in MFBT harder to read and I don't expect the Ion RNG JIT code to change much over time, so IMO it's fine to just use the XorShift128PlusRNG* pointer. If we're worried we could add an IonOffThreadPtr<XorShift128PlusRNG*> template that only let's you get the raw pointer out of it as void* or uint8_t*, but that's probably not worth it for this bug.
Attachment #8993212 - Flags: review?(jdemooij)
(In reply to Jan de Mooij [:jandem] from comment #12) > Comment on attachment 8993212 [details] [diff] [review] > Bug 1476500 - Make the JIT's use of the XorShift128PlusRNG is type-correct > > Review of attachment 8993212 [details] [diff] [review]: > ----------------------------------------------------------------- > > Thanks for writing the patch! > > However this makes the XorShift128PlusRNG code in MFBT harder to read and I > don't expect the Ion RNG JIT code to change much over time, so IMO it's fine > to just use the XorShift128PlusRNG* pointer. If we're worried we could add > an IonOffThreadPtr<XorShift128PlusRNG*> template that only let's you get the > raw pointer out of it as void* or uint8_t*, but that's probably not worth it > for this bug. Okay, I'll do it the simple way. However it's not to protect against the Ion RNG JIT code from changing, but from the underlying representation of the RNG from changing.
Comment on attachment 8992854 [details] [diff] [review] Bug 1476500 - Add a comment explaining why we need this value Review of attachment 8992854 [details] [diff] [review]: ----------------------------------------------------------------- ::: js/src/jit/CompileWrappers.cpp @@ +206,5 @@ > CompileZone::addressOfStringNurseryCurrentEnd() > { > + // Unlike addressOfStringNurseryPosition() this is defined. Because unlike > + // addressOfNurseryCurrentEnd() this will be null if nursery strings are > + // disabled. The wording is a little confusing. What does "defined" mean here? And is the return value of this function null (no) or the value pointed to (yes)? Oh! I guess the point here is that this is the address of a pointer that is usually the same as that pointed to by addressOfNurseryCurrentEnd(), and justifying that it exists because it can be nullptr if strings are disabled. Ok, that's valuable, but I think it needs to be rephrased to be less confusing. Though the real reason why this exists is because I started but did not finish creating a separate nursery for strings, so the (eventual) intent is for this to point to somewhere entirely different than the other one. I don't know if that's worth describing before it exists, or not. You are right that this function desperately needs a comment!
Attachment #8992854 - Flags: review?(sphink)
sfink and I discussed this on IRC just now. he said I can write a suitable comment and land that last patch with r=sfink.
Pushed by pbone@mozilla.com: https://hg.mozilla.org/integration/mozilla-inbound/rev/6db05e2cc96f Fix some prose in the MacroAssembler class comment r=tcampbell,nbp https://hg.mozilla.org/integration/mozilla-inbound/rev/47be709bc6ca Add extra assignments and make some types more specific r=nbp https://hg.mozilla.org/integration/mozilla-inbound/rev/77027e772894 Add a comment explaining why we need this value r=sfink
(In reply to Paul Bone [:pbone] from comment #15) > sfink and I discussed this on IRC just now. he said I can write a suitable > comment and land that last patch with r=sfink. I really like the comment you ended up with. Thanks! (It's much more clear than anything I was coming up with.)
(In reply to Steve Fink [:sfink] [:s:] from comment #18) > (In reply to Paul Bone [:pbone] from comment #15) > > sfink and I discussed this on IRC just now. he said I can write a suitable > > comment and land that last patch with r=sfink. > > I really like the comment you ended up with. Thanks! (It's much more clear > than anything I was coming up with.) Thanks.
Blocks: 1478902
You need to log in before you can comment on or make changes to this bug.

Attachment

General

Creator:
Created:
Updated:
Size: