|
51.57 KB,
patch
|
bhackett
:
review+
|
Details | Diff | Splinter Review |
|
7.38 KB,
patch
|
bhackett
:
review+
|
Details | Diff | Splinter Review |
|
69.54 KB,
patch
|
bhackett
:
review+
|
Details | Diff | Splinter Review |
|
276.09 KB,
patch
|
decoder
:
feedback+
gkw
:
feedback+
|
Details | Diff | Splinter Review |
Bug 659577 needs to statically distinguish access to "aliased" variables (args, vars, and let bindings accessed by nested functions or dynamic name operations). This distinction is made by adding a set of JSOP_*ALIASED* opcodes which replace JSOP_*LOCAL*/JSOP_*ARG* when accessing a arg/var/let that is aliased. Additionally, these ALIASED opcodes contain immediates that encode the exact location of the aliased var on the scope chain (by number of hops up fp->scopeChain and index of the variable in the scope object). The two patches in this bug add the frontend analysis and hard assertions that the analysis is correct. However, at runtime, activation objects still alias the stack frame so the actual runtime behavior isn't really changed (that is for bug 659577). The first patch adds the "if" invariant: - "if a variable is accessed via scope object (Call or Block), it has been statically known to be aliased" the second patch adds the "only if" invariant: - "if a variable is accessed directly (getlocal or getarg), it has been statically known to be unaliased"
|
(Assignee) | |
Comment 1•6 years ago
|
||
Created attachment 610444 [details] [diff] [review] if scope then aliased This patch replaces the "calls eval" flag on TreeContext/JSScript with a new, more general "bindings accessed dynamically" flag (see comment on TCF_BINDINGS_ACCESSED_DYNAMICALLY for meaning). The patch also fixes an existing bug with group assignment. The only thing kinda gross about this is function statements. I tried the simple thing first: if any function statement is used, set the deoptimizing "bindings accessed dynamically" flag. However, this caused several browser leaks in mochitests where a scope now entrained a pointer. These are a pain to track down (had to do it 3 times to remove flat closures) and I think people actually use function statements (by accident) so it seemed righteous to not totally deoptimize them. Instead, I only set any local binding with the same name. This was actually pretty simple and requires only a few lines of code. Comment explains in more detail.
|
|
(Assignee) | |
Comment 2•6 years ago
|
||
Created attachment 610448 [details] [diff] [review] if aliased then scope This patch adds the opcodes, frontend analysis, and interpreter asserts. Unfortunately, for silly decompiler reasons, I had some ridealongs: inc, dec, and call variations. I added a hard assert in Emit3 to catch all VAR/ARG ops and force them to funnel through the new EmitVarOp functions. EmitVarOp then makes the decision for whether to emit an ALIASED op. Brian, this touches some frontend code that you modified recently. Also, could you think carefully about the jsanalyze/jsinfer/methodjit changes? They were simple, but I'm worried I might be missing some angle.
|
|
(Assignee) | |
Comment 3•6 years ago
|
||
Created attachment 610449 [details] [diff] [review] fix let-var noting This fixes a simple bug where MaybeEmitVarDecl would mistakenly mark let vars as aliased (which would mark some random var whose index matched the let var's stackDepth).
|
|
(Assignee) | |
Comment 4•6 years ago
|
||
Created attachment 610452 [details] [diff] [review] combined patch for fuzzing (applies to cset 7ed31daf07bd) Patch passes tests, but, when it comes to the frontend/decompiler, that means nothing. Gary and Christian, could you apply a dose of fuzz?
|
|
||
Comment 5•6 years ago
|
||
> Patch passes tests, but, when it comes to the frontend/decompiler, that
> means nothing. Gary and Christian, could you apply a dose of fuzz?
Early result:
function u([]) {
with( * ) {}
}
uneval(this)
asserts 32-bit debug js shell on Mac 10.7 at Assertion failure: *pc == JSOP_GETARG,|
|
(Assignee) | |
Comment 6•6 years ago
|
||
Created attachment 610473 [details] [diff] [review] if aliased then scope (v.2) How can anyone forget empty destructuring parameters. Simple fix.
|
|
(Assignee) | |
Comment 7•6 years ago
|
||
Created attachment 610475 [details] [diff] [review] combined patch for fuzzing (applies to cset 7ed31daf07bd) (v.2)
|
|
||
Comment 8•6 years ago
|
||
(In reply to Luke Wagner [:luke] from comment #7) > Created attachment 610475 [details] [diff] [review] > combined patch for fuzzing (applies to cset 7ed31daf07bd) (v.2) Unfortunately, this seems to be the patch for bug 733793. :(
|
|
(Assignee) | |
Comment 9•6 years ago
|
||
Created attachment 610489 [details] [diff] [review] combined patch for fuzzing (applies to cset 7ed31daf07bd) (v.2) Oops, sorry
|
|
||
Comment 10•6 years ago
|
||
Comment on attachment 610489 [details] [diff] [review] combined patch for fuzzing (applies to cset 7ed31daf07bd) (v.2) I also found bug 740446, but otherwise looks good after a round of overnight fuzzing.
|
|
(Assignee) | |
Comment 11•6 years ago
|
||
Comment on attachment 610473 [details] [diff] [review] if aliased then scope (v.2) Oops, totally missing some type barriers. I also think I need to decompose the INC/DEC ops like INCPROP/ELEM.
|
||
Updated•5 years ago
|
||
|
|
||
Updated•5 years ago
|
||
|
|
||
Updated•5 years ago
|
||
|
|
(Assignee) | |
Comment 14•5 years ago
|
||
Created attachment 612731 [details] [diff] [review] combined patch for fuzzing (applies to cset d0430a04d92a) (v.3) Phew. The last round pointed out just how broken 'arguments' was in the frontend, so I split off bug 740446. This patch rolls it all up so I humbly submit it for another round o' fuzzin'.
|
|
(Assignee) | |
Comment 15•5 years ago
|
||
Created attachment 612771 [details] [diff] [review] combined patch for fuzzing (applies to cset d0430a04d92a) (v.3) This one even builds on Windows.
|
||
Comment 16•5 years ago
|
||
I do have 12 bugs to triage from this patch, but as long as I haven't triaged it's not clear if they are caused by the patch or not. Will likely get to them tomorrow :)
|
|
||
Comment 17•5 years ago
|
||
> Created attachment 612771 [details] [diff] [review]
> combined patch for fuzzing (applies to cset d0430a04d92a) (v.3)
function h(f, code) {
var uf = uneval(f);
var df = disassemble(f);
var g = eval(uf);
var dg = disassemble(g);
if (df == dg) {
return;
}
print("Original code:");
print(code);
print("");
print("Original function:");
print(uf);
print(df);
print("");
print("Function from recompiling:");
print(uf);
print(dg);
print("");
print("Disassembly was not stable through decompilation");
}
h(eval("(function(){arguments});"), "arguments");
With your patch, it prints:
Original code:
arguments
Original function:
(function () {})
flags: LAMBDA
loc op
----- --
00000: arguments
00001: setlocal 0
00004: pop
main:
00005: stop
Source notes:
ofs line pc delta desc args
---- ---- ----- ------ -------- ------
Function from recompiling:
(function () {})
flags: LAMBDA
loc op
----- --
main:
00000: stop
Source notes:
ofs line pc delta desc args
---- ---- ----- ------ -------- ------
Disassembly was not stable through decompilation
on m-c changeset 4721cf101ae6, it does not print anything. Is this related to the patch?|
|
(Assignee) | |
Comment 18•5 years ago
|
||
(In reply to Gary Kwong [:gkw, :nth10sd] from comment #17) As a side-effect of 'arguments' being treated as a local binding (which it is), the expression 'arguments' is now considered effect-free (which it is), so it gets thrown away (just like (function f() { var x; x; }). Thus, what you are seeing is expected.
|
||
Comment 19•5 years ago
|
||
That doesn't seem right to me. If it's effect-free, it should be thrown away in bytecode generation, not in decompilation. On mozilla-central, it's thrown away in bytecode generation.
|
|
(Assignee) | |
Comment 20•5 years ago
|
||
It is thrown away during bytecode compilation: note that the "main:" label contains only "stop". The arguments;setlocal;pop is just the prologue that initializes the 'arguments' binding. When the uneval-ed function is eval-ed, there is no 'arguments' mentioned at all so there is no prologue.
|
|
(Assignee) | |
Comment 22•5 years ago
|
||
Created attachment 613419 [details] [diff] [review] combined patch for fuzzing (applies to cset 4e2d0a1a9edd) (v.4) Last round found corner cases in bug 740446. Let's try it one more time. Green on try (not that that matters when it comes to the front-end ;)
|
|
||
Comment 23•5 years ago
|
||
Comment on attachment 613419 [details] [diff] [review] combined patch for fuzzing (applies to cset 4e2d0a1a9edd) (v.4) feedback+ after a few hours' fuzzing.
|
|
||
Comment 24•5 years ago
|
||
Comment on attachment 613419 [details] [diff] [review] combined patch for fuzzing (applies to cset 4e2d0a1a9edd) (v.4) Review of attachment 613419 [details] [diff] [review]: ----------------------------------------------------------------- No further patch-specific assertions or crashes found over night :)
|
|
(Assignee) | |
Comment 25•5 years ago
|
||
https://hg.mozilla.org/integration/mozilla-inbound/rev/1664d00a1d24 https://hg.mozilla.org/integration/mozilla-inbound/rev/4c298ca28fa6 https://hg.mozilla.org/integration/mozilla-inbound/rev/3bc6b34d23da
|
||
Comment 26•5 years ago
|
||
https://hg.mozilla.org/mozilla-central/rev/3bc6b34d23da https://hg.mozilla.org/mozilla-central/rev/4c298ca28fa6 https://hg.mozilla.org/mozilla-central/rev/1664d00a1d24
Description
•