740259 - add ALIASEDVAR ops

Status: RESOLVED FIXED

Description

[Luke Wagner [:luke]]

Bug 659577 needs to statically distinguish access to "aliased" variables (args, vars, and let bindings accessed by nested functions or dynamic name operations).  This distinction is made by adding a set of JSOP_*ALIASED* opcodes which replace JSOP_*LOCAL*/JSOP_*ARG* when accessing a arg/var/let that is aliased.  Additionally, these ALIASED opcodes contain immediates that encode the exact location of the aliased var on the scope chain (by number of hops up fp->scopeChain and index of the variable in the scope object).

The two patches in this bug add the frontend analysis and hard assertions that the analysis is correct.  However, at runtime, activation objects still alias the stack frame so the actual runtime behavior isn't really changed (that is for bug 659577).

The first patch adds the "if" invariant:
  - "if a variable is accessed via scope object (Call or Block), it has been statically known to be aliased"
the second patch adds the "only if" invariant:
 - "if a variable is accessed directly (getlocal or getarg), it has been statically known to be unaliased"

Comment 1

[Luke Wagner [:luke]]

Created attachment 610444 [details] [diff] [review]
if scope then aliased

This patch replaces the "calls eval" flag on TreeContext/JSScript with a new, more general "bindings accessed dynamically" flag (see comment on TCF_BINDINGS_ACCESSED_DYNAMICALLY for meaning).  The patch also fixes an existing bug with group assignment.

The only thing kinda gross about this is function statements.  I tried the simple thing first: if any function statement is used, set the deoptimizing "bindings accessed dynamically" flag.  However, this caused several browser leaks in mochitests where a scope now entrained a pointer.  These are a pain to track down (had to do it 3 times to remove flat closures) and I think people actually use function statements (by accident) so it seemed righteous to not totally deoptimize them.  Instead, I only set any local binding with the same name.  This was actually pretty simple and requires only a few lines of code.  Comment explains in more detail.

Comment 2

[Luke Wagner [:luke]]

Created attachment 610448 [details] [diff] [review]
if aliased then scope

This patch adds the opcodes, frontend analysis, and interpreter asserts.  Unfortunately, for silly decompiler reasons, I had some ridealongs: inc, dec, and call variations.  I added a hard assert in Emit3 to catch all VAR/ARG ops and force them to funnel through the new EmitVarOp functions.  EmitVarOp then makes the decision for whether to emit an ALIASED op.

Brian, this touches some frontend code that you modified recently.  Also, could you think carefully about the jsanalyze/jsinfer/methodjit changes?  They were simple, but I'm worried I might be missing some angle.

Comment 3

[Luke Wagner [:luke]]

Created attachment 610449 [details] [diff] [review]
fix let-var noting

This fixes a simple bug where MaybeEmitVarDecl would mistakenly mark let vars as aliased (which would mark some random var whose index matched the let var's stackDepth).

Comment 4

[Luke Wagner [:luke]]

Created attachment 610452 [details] [diff] [review]
combined patch for fuzzing (applies to cset 7ed31daf07bd)

Patch passes tests, but, when it comes to the frontend/decompiler, that means nothing.  Gary and Christian, could you apply a dose of fuzz?

Comment 5

[Gary Kwong [:gkw] [:nth10sd]]

> Patch passes tests, but, when it comes to the frontend/decompiler, that
> means nothing.  Gary and Christian, could you apply a dose of fuzz?

Early result:

function u([]) {
    with( * ) {}
}
uneval(this)

asserts 32-bit debug js shell on Mac 10.7 at Assertion failure: *pc == JSOP_GETARG,

Comment 6

[Luke Wagner [:luke]]

Created attachment 610473 [details] [diff] [review]
if aliased then scope (v.2)

How can anyone forget empty destructuring parameters.  Simple fix.

Comment 7

[Luke Wagner [:luke]]

Created attachment 610475 [details] [diff] [review]
combined patch for fuzzing (applies to cset 7ed31daf07bd) (v.2)

Comment 8

[Gary Kwong [:gkw] [:nth10sd]]

(In reply to Luke Wagner [:luke] from comment #7)
> Created attachment 610475 [details] [diff] [review]
> combined patch for fuzzing (applies to cset 7ed31daf07bd) (v.2)

Unfortunately, this seems to be the patch for bug 733793. :(

Comment 9

[Luke Wagner [:luke]]

Created attachment 610489 [details] [diff] [review]
combined patch for fuzzing (applies to cset 7ed31daf07bd) (v.2)

Oops, sorry

Comment 10

[Gary Kwong [:gkw] [:nth10sd]]

Comment on attachment 610489 [details] [diff] [review]
combined patch for fuzzing (applies to cset 7ed31daf07bd) (v.2)

I also found bug 740446, but otherwise looks good after a round of overnight fuzzing.

Comment 11

[Luke Wagner [:luke]]

Comment on attachment 610473 [details] [diff] [review]
if aliased then scope (v.2)

Oops, totally missing some type barriers.  I also think I need to decompose the INC/DEC ops like INCPROP/ELEM.

Comment 14

[Luke Wagner [:luke]]

Created attachment 612731 [details] [diff] [review]
combined patch for fuzzing (applies to cset d0430a04d92a) (v.3)

Phew.  The last round pointed out just how broken 'arguments' was in the frontend, so I split off bug 740446.  This patch rolls it all up so I humbly submit it for another round o' fuzzin'.

Comment 15

[Luke Wagner [:luke]]

Created attachment 612771 [details] [diff] [review]
combined patch for fuzzing (applies to cset d0430a04d92a) (v.3)

This one even builds on Windows.

Comment 16

[Christian Holler (:decoder)]

I do have 12 bugs to triage from this patch, but as long as I haven't triaged it's not clear if they are caused by the patch or not. Will likely get to them tomorrow :)

Comment 17

[Gary Kwong [:gkw] [:nth10sd]]

> Created attachment 612771 [details] [diff] [review]
> combined patch for fuzzing (applies to cset d0430a04d92a) (v.3)

function h(f, code) {
  var uf = uneval(f);
  var df = disassemble(f);
  var g = eval(uf);
  var dg = disassemble(g);
  if (df == dg) {
    return;
  }
  print("Original code:");
  print(code);
  print("");
  print("Original function:");
  print(uf);
  print(df);
  print("");
  print("Function from recompiling:");
  print(uf);
  print(dg);
  print("");
  print("Disassembly was not stable through decompilation");
}
h(eval("(function(){arguments});"), "arguments");


With your patch, it prints:

Original code:
arguments

Original function:
(function () {})
flags: LAMBDA
loc     op
-----   --
00000:  arguments
00001:  setlocal 0
00004:  pop
main:
00005:  stop

Source notes:
 ofs  line    pc  delta desc     args
---- ---- ----- ------ -------- ------


Function from recompiling:
(function () {})
flags: LAMBDA
loc     op
-----   --
main:
00000:  stop

Source notes:
 ofs  line    pc  delta desc     args
---- ---- ----- ------ -------- ------


Disassembly was not stable through decompilation


on m-c changeset 4721cf101ae6, it does not print anything. Is this related to the patch?

Comment 18

[Luke Wagner [:luke]]

(In reply to Gary Kwong [:gkw, :nth10sd] from comment #17)
As a side-effect of 'arguments' being treated as a local binding (which it is), the expression 'arguments' is now considered effect-free (which it is), so it gets thrown away (just like (function f() { var x; x; }).  Thus, what you are seeing is expected.

Comment 19

[Jesse Ruderman]

That doesn't seem right to me.  If it's effect-free, it should be thrown away in bytecode generation, not in decompilation.  On mozilla-central, it's thrown away in bytecode generation.

Comment 20

[Luke Wagner [:luke]]

It is thrown away during bytecode compilation: note that the "main:" label contains only "stop".  The arguments;setlocal;pop is just the prologue that initializes the 'arguments' binding.  When the uneval-ed function is eval-ed, there is no 'arguments' mentioned at all so there is no prologue.

Comment 22

[Luke Wagner [:luke]]

Created attachment 613419 [details] [diff] [review]
combined patch for fuzzing (applies to cset 4e2d0a1a9edd) (v.4)

Last round found corner cases in bug 740446.  Let's try it one more time.

Green on try (not that that matters when it comes to the front-end ;)

Comment 23

[Gary Kwong [:gkw] [:nth10sd]]

Comment on attachment 613419 [details] [diff] [review]
combined patch for fuzzing (applies to cset 4e2d0a1a9edd) (v.4)

feedback+ after a few hours' fuzzing.

Comment 24

[Christian Holler (:decoder)]

Comment on attachment 613419 [details] [diff] [review]
combined patch for fuzzing (applies to cset 4e2d0a1a9edd) (v.4)

Review of attachment 613419 [details] [diff] [review]:
-----------------------------------------------------------------

No further patch-specific assertions or crashes found over night :)

Comment 25

[Luke Wagner [:luke]]

https://hg.mozilla.org/integration/mozilla-inbound/rev/1664d00a1d24
https://hg.mozilla.org/integration/mozilla-inbound/rev/4c298ca28fa6
https://hg.mozilla.org/integration/mozilla-inbound/rev/3bc6b34d23da

Comment 26

[Matt Brubeck (:mbrubeck)]

https://hg.mozilla.org/mozilla-central/rev/3bc6b34d23da
https://hg.mozilla.org/mozilla-central/rev/4c298ca28fa6
https://hg.mozilla.org/mozilla-central/rev/1664d00a1d24