Closed Bug 740259 Opened 9 years ago Closed 9 years ago

add ALIASEDVAR ops

Categories

(Core :: JavaScript Engine, defect)

Product:
Core
Component:
JavaScript Engine
Type:
defect
Priority:
Not set
Severity:
normal

Tracking

()

Status:
RESOLVED FIXED
Milestone:
mozilla14

People

(Reporter: luke, Assigned: luke)

References

Details

Attachments

(4 files, 6 obsolete files)

if scope then aliased
51.57 KB, patch
bhackett1024
: review+
Details | Diff | Splinter Review
fix let-var noting
7.38 KB, patch
bhackett1024
: review+
Details | Diff | Splinter Review
if aliased then scope (v.2)
69.54 KB, patch
bhackett1024
: review+
Details | Diff | Splinter Review
combined patch for fuzzing (applies to cset 4e2d0a1a9edd) (v.4)
276.09 KB, patch
decoder
: feedback+
gkw
: feedback+
Details | Diff | Splinter Review 
Bug 659577 needs to statically distinguish access to "aliased" variables (args, vars, and let bindings accessed by nested functions or dynamic name operations).  This distinction is made by adding a set of JSOP_*ALIASED* opcodes which replace JSOP_*LOCAL*/JSOP_*ARG* when accessing a arg/var/let that is aliased.  Additionally, these ALIASED opcodes contain immediates that encode the exact location of the aliased var on the scope chain (by number of hops up fp->scopeChain and index of the variable in the scope object).

The two patches in this bug add the frontend analysis and hard assertions that the analysis is correct.  However, at runtime, activation objects still alias the stack frame so the actual runtime behavior isn't really changed (that is for bug 659577).

The first patch adds the "if" invariant:
  - "if a variable is accessed via scope object (Call or Block), it has been statically known to be aliased"
the second patch adds the "only if" invariant:
 - "if a variable is accessed directly (getlocal or getarg), it has been statically known to be unaliased"
This patch replaces the "calls eval" flag on TreeContext/JSScript with a new, more general "bindings accessed dynamically" flag (see comment on TCF_BINDINGS_ACCESSED_DYNAMICALLY for meaning).  The patch also fixes an existing bug with group assignment.

The only thing kinda gross about this is function statements.  I tried the simple thing first: if any function statement is used, set the deoptimizing "bindings accessed dynamically" flag.  However, this caused several browser leaks in mochitests where a scope now entrained a pointer.  These are a pain to track down (had to do it 3 times to remove flat closures) and I think people actually use function statements (by accident) so it seemed righteous to not totally deoptimize them.  Instead, I only set any local binding with the same name.  This was actually pretty simple and requires only a few lines of code.  Comment explains in more detail.
Attachment #610444 - Flags: review?(bhackett1024)
Attached patch if aliased then scope (obsolete) — Splinter Review 
This patch adds the opcodes, frontend analysis, and interpreter asserts.  Unfortunately, for silly decompiler reasons, I had some ridealongs: inc, dec, and call variations.  I added a hard assert in Emit3 to catch all VAR/ARG ops and force them to funnel through the new EmitVarOp functions.  EmitVarOp then makes the decision for whether to emit an ALIASED op.

Brian, this touches some frontend code that you modified recently.  Also, could you think carefully about the jsanalyze/jsinfer/methodjit changes?  They were simple, but I'm worried I might be missing some angle.
Attachment #610448 - Flags: review?(bhackett1024)
This fixes a simple bug where MaybeEmitVarDecl would mistakenly mark let vars as aliased (which would mark some random var whose index matched the let var's stackDepth).
Attachment #610449 - Flags: review?(bhackett1024)
Patch passes tests, but, when it comes to the frontend/decompiler, that means nothing.  Gary and Christian, could you apply a dose of fuzz?
Attachment #610452 - Flags: feedback?(gary)
Attachment #610452 - Flags: feedback?(choller)
> Patch passes tests, but, when it comes to the frontend/decompiler, that
> means nothing.  Gary and Christian, could you apply a dose of fuzz?

Early result:

function u([]) {
    with( * ) {}
}
uneval(this)

asserts 32-bit debug js shell on Mac 10.7 at Assertion failure: *pc == JSOP_GETARG,
How can anyone forget empty destructuring parameters.  Simple fix.
Attachment #610448 - Attachment is obsolete: true
Attachment #610448 - Flags: review?(bhackett1024)
Attachment #610473 - Flags: review?(bhackett1024)
Attachment #610452 - Attachment is obsolete: true
Attachment #610452 - Flags: feedback?(gary)
Attachment #610452 - Flags: feedback?(choller)
Attachment #610475 - Flags: feedback?(gary)
Attachment #610475 - Flags: feedback?(choller)
(In reply to Luke Wagner [:luke] from comment #7)
> Created attachment 610475 [details] [diff] [review]
> combined patch for fuzzing (applies to cset 7ed31daf07bd) (v.2)

Unfortunately, this seems to be the patch for bug 733793. :(
Oops, sorry
Attachment #610475 - Attachment is obsolete: true
Attachment #610475 - Flags: feedback?(gary)
Attachment #610475 - Flags: feedback?(choller)
Attachment #610489 - Flags: feedback?(gary)
Attachment #610489 - Flags: feedback?(choller)
Depends on: 740442
Depends on: 740443
Depends on: 740445
Depends on: 740446
Comment on attachment 610489 [details] [diff] [review]
combined patch for fuzzing (applies to cset 7ed31daf07bd) (v.2)

I also found bug 740446, but otherwise looks good after a round of overnight fuzzing.
Attachment #610489 - Flags: feedback?(gary) → feedback+
Comment on attachment 610473 [details] [diff] [review]
if aliased then scope (v.2)

Oops, totally missing some type barriers.  I also think I need to decompose the INC/DEC ops like INCPROP/ELEM.
Attachment #610473 - Flags: review?(bhackett1024)
Duplicate of this bug: 740443
Duplicate of this bug: 740445
Attachment #610473 - Flags: review+
Attachment #610444 - Flags: review?(bhackett1024) → review+
Attachment #610449 - Flags: review?(bhackett1024) → review+
Phew.  The last round pointed out just how broken 'arguments' was in the frontend, so I split off bug 740446.  This patch rolls it all up so I humbly submit it for another round o' fuzzin'.
Attachment #610489 - Attachment is obsolete: true
Attachment #610489 - Flags: feedback?(choller)
Attachment #612731 - Flags: feedback?(gary)
Attachment #612731 - Flags: feedback?(choller)
This one even builds on Windows.
Attachment #612731 - Attachment is obsolete: true
Attachment #612731 - Flags: feedback?(gary)
Attachment #612731 - Flags: feedback?(choller)
Attachment #612771 - Flags: feedback?(gary)
Attachment #612771 - Flags: feedback?(choller)
I do have 12 bugs to triage from this patch, but as long as I haven't triaged it's not clear if they are caused by the patch or not. Will likely get to them tomorrow :)
Depends on: 743407
Depends on: 743408
Depends on: 743409
> Created attachment 612771 [details] [diff] [review]
> combined patch for fuzzing (applies to cset d0430a04d92a) (v.3)

function h(f, code) {
  var uf = uneval(f);
  var df = disassemble(f);
  var g = eval(uf);
  var dg = disassemble(g);
  if (df == dg) {
    return;
  }
  print("Original code:");
  print(code);
  print("");
  print("Original function:");
  print(uf);
  print(df);
  print("");
  print("Function from recompiling:");
  print(uf);
  print(dg);
  print("");
  print("Disassembly was not stable through decompilation");
}
h(eval("(function(){arguments});"), "arguments");


With your patch, it prints:

Original code:
arguments

Original function:
(function () {})
flags: LAMBDA
loc     op
-----   --
00000:  arguments
00001:  setlocal 0
00004:  pop
main:
00005:  stop

Source notes:
 ofs  line    pc  delta desc     args
---- ---- ----- ------ -------- ------


Function from recompiling:
(function () {})
flags: LAMBDA
loc     op
-----   --
main:
00000:  stop

Source notes:
 ofs  line    pc  delta desc     args
---- ---- ----- ------ -------- ------


Disassembly was not stable through decompilation


on m-c changeset 4721cf101ae6, it does not print anything. Is this related to the patch?
(In reply to Gary Kwong [:gkw, :nth10sd] from comment #17)
As a side-effect of 'arguments' being treated as a local binding (which it is), the expression 'arguments' is now considered effect-free (which it is), so it gets thrown away (just like (function f() { var x; x; }).  Thus, what you are seeing is expected.
That doesn't seem right to me.  If it's effect-free, it should be thrown away in bytecode generation, not in decompilation.  On mozilla-central, it's thrown away in bytecode generation.
It is thrown away during bytecode compilation: note that the "main:" label contains only "stop".  The arguments;setlocal;pop is just the prologue that initializes the 'arguments' binding.  When the uneval-ed function is eval-ed, there is no 'arguments' mentioned at all so there is no prologue.
Duplicate of this bug: 743409
Last round found corner cases in bug 740446.  Let's try it one more time.

Green on try (not that that matters when it comes to the front-end ;)
Attachment #612771 - Attachment is obsolete: true
Attachment #612771 - Flags: feedback?(gary)
Attachment #612771 - Flags: feedback?(choller)
Attachment #613419 - Flags: feedback?(gary)
Attachment #613419 - Flags: feedback?(choller)
Comment on attachment 613419 [details] [diff] [review]
combined patch for fuzzing (applies to cset 4e2d0a1a9edd) (v.4)

feedback+ after a few hours' fuzzing.
Attachment #613419 - Flags: feedback?(gary) → feedback+
Comment on attachment 613419 [details] [diff] [review]
combined patch for fuzzing (applies to cset 4e2d0a1a9edd) (v.4)

Review of attachment 613419 [details] [diff] [review]:
-----------------------------------------------------------------

No further patch-specific assertions or crashes found over night :)
Attachment #613419 - Flags: feedback?(choller) → feedback+
Depends on: 744501
No longer depends on: 744501
Duplicate of this bug: 744501
Duplicate of this bug: 355480
Duplicate of this bug: 530650
Blocks: 355480
Depends on: 754503
No longer depends on: 754503
Depends on: 754503
You need to log in before you can comment on or make changes to this bug.