[Webkit-unassigned] [Bug 201281] New: DFG/FTL: We should prefetch structures and do a loadLoadFence before doing PrototypeChainIsSane checks.

bugzilla-daemon at webkit.org bugzilla-daemon at webkit.org
Wed Aug 28 20:31:14 PDT 2019 

https://bugs.webkit.org/show_bug.cgi?id=201281

            Bug ID: 201281
           Summary: DFG/FTL: We should prefetch structures and do a
                    loadLoadFence before doing PrototypeChainIsSane
                    checks.
           Product: WebKit
           Version: WebKit Nightly Build
          Hardware: Unspecified
                OS: Unspecified
            Status: NEW
          Severity: Normal
          Priority: P2
         Component: JavaScriptCore
          Assignee: webkit-unassigned at lists.webkit.org
          Reporter: mark.lam at apple.com

This is already the preferred idiom used in most places in our compiler, except for 2: DFG's SpeculativeJIT::compileGetByValOnString() and FTL's compileStringCharAt().  Consider the following:

    bool prototypeChainIsSane = false;
    if (globalObject->stringPrototypeChainIsSane()) {
        // FIXME: This could be captured using a Speculation mode that means
        // "out-of-bounds loads return a trivial value", something like
        // SaneChainOutOfBounds.
        // https://bugs.webkit.org/show_bug.cgi?id=144668

        m_graph.registerAndWatchStructureTransition(globalObject->stringPrototype()->structure(vm()));
        m_graph.registerAndWatchStructureTransition(globalObject->objectPrototype()->structure(vm()));

        prototypeChainIsSane = globalObject->stringPrototypeChainIsSane();
    }

What's essential for correctness here is that the stringPrototype and objectPrototype structures be loaded before the loads in the second stringPrototypeChainIsSane() check.  Without a loadLoadFence before the second stringPrototypeChainIsSane() check, we can't guarantee that.  Elsewhere in the compiler, the preferred idiom for doing this right is to pre-load the structures first, do a loadLoadFence, and then do the IsSane check just once after e.g.

    Structure* arrayPrototypeStructure = globalObject->arrayPrototype()->structure(m_vm);
    Structure* objectPrototypeStructure = globalObject->objectPrototype()->structure(m_vm);

    if (arrayPrototypeStructure->transitionWatchpointSetIsStillValid() // has loadLoadFences.
        && objectPrototypeStructure->transitionWatchpointSetIsStillValid() // has loadLoadFences.
        && globalObject->arrayPrototypeChainIsSane()) {

        m_graph.registerAndWatchStructureTransition(arrayPrototypeStructure);
        m_graph.registerAndWatchStructureTransition(objectPrototypeStructure);
        ...
    }

We should change DFG's SpeculativeJIT::compileGetByValOnString() and FTL's compileStringCharAt() to follow the same idiom.

<rdar://problem/54028228>

-- 
You are receiving this mail because:
You are the assignee for the bug.
-------------- next part --------------
An HTML attachment was scrubbed...
URL: <http://lists.webkit.org/pipermail/webkit-unassigned/attachments/20190829/7954689d/attachment-0001.html>

More information about the webkit-unassigned mailing list