The default bug view has changed. See this FAQ.

add ALIASEDVAR ops

RESOLVED FIXED in mozilla14

Status

()

Core
JavaScript Engine
RESOLVED FIXED
5 years ago
5 years ago

People

(Reporter: luke, Assigned: luke)

Tracking

unspecified
mozilla14
Points:
---
Dependency tree / graph

Firefox Tracking Flags

(Not tracked)

Details

Attachments

(4 attachments, 6 obsolete attachments)

(Assignee)

Description

5 years ago
Bug 659577 needs to statically distinguish access to "aliased" variables (args, vars, and let bindings accessed by nested functions or dynamic name operations).  This distinction is made by adding a set of JSOP_*ALIASED* opcodes which replace JSOP_*LOCAL*/JSOP_*ARG* when accessing a arg/var/let that is aliased.  Additionally, these ALIASED opcodes contain immediates that encode the exact location of the aliased var on the scope chain (by number of hops up fp->scopeChain and index of the variable in the scope object).

The two patches in this bug add the frontend analysis and hard assertions that the analysis is correct.  However, at runtime, activation objects still alias the stack frame so the actual runtime behavior isn't really changed (that is for bug 659577).

The first patch adds the "if" invariant:
  - "if a variable is accessed via scope object (Call or Block), it has been statically known to be aliased"
the second patch adds the "only if" invariant:
 - "if a variable is accessed directly (getlocal or getarg), it has been statically known to be unaliased"
(Assignee)

Comment 1

5 years ago
Created attachment 610444 [details] [diff] [review]
if scope then aliased

This patch replaces the "calls eval" flag on TreeContext/JSScript with a new, more general "bindings accessed dynamically" flag (see comment on TCF_BINDINGS_ACCESSED_DYNAMICALLY for meaning).  The patch also fixes an existing bug with group assignment.

The only thing kinda gross about this is function statements.  I tried the simple thing first: if any function statement is used, set the deoptimizing "bindings accessed dynamically" flag.  However, this caused several browser leaks in mochitests where a scope now entrained a pointer.  These are a pain to track down (had to do it 3 times to remove flat closures) and I think people actually use function statements (by accident) so it seemed righteous to not totally deoptimize them.  Instead, I only set any local binding with the same name.  This was actually pretty simple and requires only a few lines of code.  Comment explains in more detail.
Attachment #610444 - Flags: review?(bhackett1024)
(Assignee)

Comment 2

5 years ago
Created attachment 610448 [details] [diff] [review]
if aliased then scope

This patch adds the opcodes, frontend analysis, and interpreter asserts.  Unfortunately, for silly decompiler reasons, I had some ridealongs: inc, dec, and call variations.  I added a hard assert in Emit3 to catch all VAR/ARG ops and force them to funnel through the new EmitVarOp functions.  EmitVarOp then makes the decision for whether to emit an ALIASED op.

Brian, this touches some frontend code that you modified recently.  Also, could you think carefully about the jsanalyze/jsinfer/methodjit changes?  They were simple, but I'm worried I might be missing some angle.
Attachment #610448 - Flags: review?(bhackett1024)
(Assignee)

Comment 3

5 years ago
Created attachment 610449 [details] [diff] [review]
fix let-var noting

This fixes a simple bug where MaybeEmitVarDecl would mistakenly mark let vars as aliased (which would mark some random var whose index matched the let var's stackDepth).
Attachment #610449 - Flags: review?(bhackett1024)
(Assignee)

Comment 4

5 years ago
Created attachment 610452 [details] [diff] [review]
combined patch for fuzzing (applies to cset 7ed31daf07bd)

Patch passes tests, but, when it comes to the frontend/decompiler, that means nothing.  Gary and Christian, could you apply a dose of fuzz?
Attachment #610452 - Flags: feedback?(gary)
Attachment #610452 - Flags: feedback?(choller)
> Patch passes tests, but, when it comes to the frontend/decompiler, that
> means nothing.  Gary and Christian, could you apply a dose of fuzz?

Early result:

function u([]) {
    with( * ) {}
}
uneval(this)

asserts 32-bit debug js shell on Mac 10.7 at Assertion failure: *pc == JSOP_GETARG,
(Assignee)

Comment 6

5 years ago
Created attachment 610473 [details] [diff] [review]
if aliased then scope (v.2)

How can anyone forget empty destructuring parameters.  Simple fix.
Attachment #610448 - Attachment is obsolete: true
Attachment #610448 - Flags: review?(bhackett1024)
Attachment #610473 - Flags: review?(bhackett1024)
(Assignee)

Comment 7

5 years ago
Created attachment 610475 [details] [diff] [review]
combined patch for fuzzing (applies to cset 7ed31daf07bd) (v.2)
Attachment #610452 - Attachment is obsolete: true
Attachment #610452 - Flags: feedback?(gary)
Attachment #610452 - Flags: feedback?(choller)
Attachment #610475 - Flags: feedback?(gary)
Attachment #610475 - Flags: feedback?(choller)
(In reply to Luke Wagner [:luke] from comment #7)
> Created attachment 610475 [details] [diff] [review]
> combined patch for fuzzing (applies to cset 7ed31daf07bd) (v.2)

Unfortunately, this seems to be the patch for bug 733793. :(
(Assignee)

Comment 9

5 years ago
Created attachment 610489 [details] [diff] [review]
combined patch for fuzzing (applies to cset 7ed31daf07bd) (v.2)

Oops, sorry
Attachment #610475 - Attachment is obsolete: true
Attachment #610475 - Flags: feedback?(gary)
Attachment #610475 - Flags: feedback?(choller)
Attachment #610489 - Flags: feedback?(gary)
Attachment #610489 - Flags: feedback?(choller)
Depends on: 740442
Depends on: 740443
Depends on: 740445
Depends on: 740446
Comment on attachment 610489 [details] [diff] [review]
combined patch for fuzzing (applies to cset 7ed31daf07bd) (v.2)

I also found bug 740446, but otherwise looks good after a round of overnight fuzzing.
Attachment #610489 - Flags: feedback?(gary) → feedback+
(Assignee)

Comment 11

5 years ago
Comment on attachment 610473 [details] [diff] [review]
if aliased then scope (v.2)

Oops, totally missing some type barriers.  I also think I need to decompose the INC/DEC ops like INCPROP/ELEM.
Attachment #610473 - Flags: review?(bhackett1024)
(Assignee)

Updated

5 years ago
Duplicate of this bug: 740443
(Assignee)

Updated

5 years ago
Duplicate of this bug: 740445
Attachment #610473 - Flags: review+
Attachment #610444 - Flags: review?(bhackett1024) → review+
Attachment #610449 - Flags: review?(bhackett1024) → review+
(Assignee)

Comment 14

5 years ago
Created attachment 612731 [details] [diff] [review]
combined patch for fuzzing (applies to cset d0430a04d92a) (v.3)

Phew.  The last round pointed out just how broken 'arguments' was in the frontend, so I split off bug 740446.  This patch rolls it all up so I humbly submit it for another round o' fuzzin'.
Attachment #610489 - Attachment is obsolete: true
Attachment #610489 - Flags: feedback?(choller)
Attachment #612731 - Flags: feedback?(gary)
Attachment #612731 - Flags: feedback?(choller)
(Assignee)

Comment 15

5 years ago
Created attachment 612771 [details] [diff] [review]
combined patch for fuzzing (applies to cset d0430a04d92a) (v.3)

This one even builds on Windows.
Attachment #612731 - Attachment is obsolete: true
Attachment #612731 - Flags: feedback?(gary)
Attachment #612731 - Flags: feedback?(choller)
Attachment #612771 - Flags: feedback?(gary)
Attachment #612771 - Flags: feedback?(choller)
I do have 12 bugs to triage from this patch, but as long as I haven't triaged it's not clear if they are caused by the patch or not. Will likely get to them tomorrow :)
Depends on: 743407
Depends on: 743408
Depends on: 743409
> Created attachment 612771 [details] [diff] [review]
> combined patch for fuzzing (applies to cset d0430a04d92a) (v.3)

function h(f, code) {
  var uf = uneval(f);
  var df = disassemble(f);
  var g = eval(uf);
  var dg = disassemble(g);
  if (df == dg) {
    return;
  }
  print("Original code:");
  print(code);
  print("");
  print("Original function:");
  print(uf);
  print(df);
  print("");
  print("Function from recompiling:");
  print(uf);
  print(dg);
  print("");
  print("Disassembly was not stable through decompilation");
}
h(eval("(function(){arguments});"), "arguments");


With your patch, it prints:

Original code:
arguments

Original function:
(function () {})
flags: LAMBDA
loc     op
-----   --
00000:  arguments
00001:  setlocal 0
00004:  pop
main:
00005:  stop

Source notes:
 ofs  line    pc  delta desc     args
---- ---- ----- ------ -------- ------


Function from recompiling:
(function () {})
flags: LAMBDA
loc     op
-----   --
main:
00000:  stop

Source notes:
 ofs  line    pc  delta desc     args
---- ---- ----- ------ -------- ------


Disassembly was not stable through decompilation


on m-c changeset 4721cf101ae6, it does not print anything. Is this related to the patch?
(Assignee)

Comment 18

5 years ago
(In reply to Gary Kwong [:gkw, :nth10sd] from comment #17)
As a side-effect of 'arguments' being treated as a local binding (which it is), the expression 'arguments' is now considered effect-free (which it is), so it gets thrown away (just like (function f() { var x; x; }).  Thus, what you are seeing is expected.

Comment 19

5 years ago
That doesn't seem right to me.  If it's effect-free, it should be thrown away in bytecode generation, not in decompilation.  On mozilla-central, it's thrown away in bytecode generation.
(Assignee)

Comment 20

5 years ago
It is thrown away during bytecode compilation: note that the "main:" label contains only "stop".  The arguments;setlocal;pop is just the prologue that initializes the 'arguments' binding.  When the uneval-ed function is eval-ed, there is no 'arguments' mentioned at all so there is no prologue.
(Assignee)

Updated

5 years ago
Duplicate of this bug: 743409
(Assignee)

Comment 22

5 years ago
Created attachment 613419 [details] [diff] [review]
combined patch for fuzzing (applies to cset 4e2d0a1a9edd) (v.4)

Last round found corner cases in bug 740446.  Let's try it one more time.

Green on try (not that that matters when it comes to the front-end ;)
Attachment #612771 - Attachment is obsolete: true
Attachment #612771 - Flags: feedback?(gary)
Attachment #612771 - Flags: feedback?(choller)
Attachment #613419 - Flags: feedback?(gary)
Attachment #613419 - Flags: feedback?(choller)
Comment on attachment 613419 [details] [diff] [review]
combined patch for fuzzing (applies to cset 4e2d0a1a9edd) (v.4)

feedback+ after a few hours' fuzzing.
Attachment #613419 - Flags: feedback?(gary) → feedback+
Comment on attachment 613419 [details] [diff] [review]
combined patch for fuzzing (applies to cset 4e2d0a1a9edd) (v.4)

Review of attachment 613419 [details] [diff] [review]:
-----------------------------------------------------------------

No further patch-specific assertions or crashes found over night :)
Attachment #613419 - Flags: feedback?(choller) → feedback+
(Assignee)

Comment 25

5 years ago
https://hg.mozilla.org/integration/mozilla-inbound/rev/1664d00a1d24
https://hg.mozilla.org/integration/mozilla-inbound/rev/4c298ca28fa6
https://hg.mozilla.org/integration/mozilla-inbound/rev/3bc6b34d23da
Target Milestone: --- → mozilla14
https://hg.mozilla.org/mozilla-central/rev/3bc6b34d23da
https://hg.mozilla.org/mozilla-central/rev/4c298ca28fa6
https://hg.mozilla.org/mozilla-central/rev/1664d00a1d24
Status: ASSIGNED → RESOLVED
Last Resolved: 5 years ago
Resolution: --- → FIXED
(Assignee)

Updated

5 years ago
Depends on: 744501
(Assignee)

Updated

5 years ago
No longer depends on: 744501
(Assignee)

Updated

5 years ago
Duplicate of this bug: 744501
(Assignee)

Updated

5 years ago
Duplicate of this bug: 355480
(Assignee)

Updated

5 years ago
Duplicate of this bug: 530650

Updated

5 years ago
Blocks: 355480
Depends on: 747554

Updated

5 years ago
Depends on: 754503

Updated

5 years ago
No longer depends on: 754503

Updated

5 years ago
Depends on: 754503
You need to log in before you can comment on or make changes to this bug.