[interpreter] Fix block resurrection by LoopHeader

Loop headers in the interpreter would start a new basic block, which among other things would reset the liveness of that block. This meant that a loop created after dead code, without a check for whether the code is currently dead or not, would "resurrect" that block's liveness, making the inside of the loop live even though the loop itself is unreachable. This works fine, since the loop is still unreachable, but can breaks DCHECKs in bytecode liveness analysis for cases where a register is supposed to be initialised before the loop, in the dead code, and is then used inside the loop, in the resurrected code. Normally this wouldn't be a problem, since blocks are normally killed on the statement level and we check for deadness during statement iteration, but `foo() = x` introduces an expression-level block killer (being re-written to `foo[throw ReferenceError] = x`) and we don't check for deadness after assignment Lhs preparation. This does mean that we have to fix the InterpreterJumps test, to not try to jump into the middle of a loop (since this could revive the loop). This can only happen when manually creating bytecode, bytecode generated from JavaScript is always reducible. Bug: chromium:1230597 Change-Id: I8403ccdeae7e5450adf629026e2ca8a134c81877 Reviewed-on: https://chromium-review.googlesource.com/c/v8/v8/+/3275557 Commit-Queue: Leszek Swirski <leszeks@chromium.org> Reviewed-by: Marja Hölttä <marja@chromium.org> Cr-Commit-Position: refs/heads/main@{#77846}

[interpreter] Fix block resurrection by LoopHeader
Loop headers in the interpreter would start a new basic block, which among other things would reset the liveness of that block. This meant that a loop created after dead code, without a check for whether the code is currently dead or not, would "resurrect" that block's liveness, making the inside of the loop live even though the loop itself is unreachable. This works fine, since the loop is still unreachable, but can breaks DCHECKs in bytecode liveness analysis for cases where a register is supposed to be initialised before the loop, in the dead code, and is then used inside the loop, in the resurrected code. Normally this wouldn't be a problem, since blocks are normally killed on the statement level and we check for deadness during statement iteration, but `foo() = x` introduces an expression-level block killer (being re-written to `foo[throw ReferenceError] = x`) and we don't check for deadness after assignment Lhs preparation. This does mean that we have to fix the InterpreterJumps test, to not try to jump into the middle of a loop (since this could revive the loop). This can only happen when manually creating bytecode, bytecode generated from JavaScript is always reducible. Bug: chromium:1230597 Change-Id: I8403ccdeae7e5450adf629026e2ca8a134c81877 Reviewed-on: https://chromium-review.googlesource.com/c/v8/v8/+/3275557 Commit-Queue: Leszek Swirski <leszeks@chromium.org> Reviewed-by: Marja Hölttä <marja@chromium.org> Cr-Commit-Position: refs/heads/main@{#77846}
18b63625 · Leszek Swirski · V8 LUCI CQ · 2f98fb28 · 18b63625 · 18b63625
Commit 18b63625 authored Nov 11, 2021 by Leszek Swirski Committed by V8 LUCI CQ Nov 11, 2021
Showing with 41 additions and 7 deletions

bytecode-array-writer.cc src/interpreter/bytecode-array-writer.cc +2 -0

test-interpreter.cc test/cctest/interpreter/test-interpreter.cc +4 -7

regress-1230597.js test/mjsunit/regress/regress-1230597.js +35 -0

No files found.
--- a/src/interpreter/bytecode-array-writer.cc
+++ b/src/interpreter/bytecode-array-writer.cc
@@ -164,6 +164,8 @@ void BytecodeArrayWriter::BindLabel(BytecodeLabel* label) {
 void BytecodeArrayWriter::BindLoopHeader(BytecodeLoopHeader* loop_header) {
  size_t current_offset = bytecodes()->size();
  loop_header->bind_to(current_offset);
+  // Don't start a basic block when the entire loop is dead.
+  if (exit_seen_in_block_) return;
  StartBasicBlock();
 }


--- a/test/cctest/interpreter/test-interpreter.cc
+++ b/test/cctest/interpreter/test-interpreter.cc
@@ -1550,7 +1550,6 @@ TEST(InterpreterJumps) {

  FeedbackSlot slot = feedback_spec.AddBinaryOpICSlot();
  FeedbackSlot slot1 = feedback_spec.AddBinaryOpICSlot();
-  FeedbackSlot slot2 = feedback_spec.AddBinaryOpICSlot();

  Handle<i::FeedbackMetadata> metadata =
      NewFeedbackMetadata(isolate, &feedback_spec);
@@ -1562,13 +1561,11 @@ TEST(InterpreterJumps) {
  builder.LoadLiteral(Smi::zero())
      .StoreAccumulatorInRegister(reg)
      .Jump(&label[0]);
-  SetRegister(&builder, reg, 1024, scratch).Bind(&loop_header);
+  SetRegister(&builder, reg, 1024, scratch).Bind(&label[0]).Bind(&loop_header);
  IncrementRegister(&builder, reg, 1, scratch, GetIndex(slot)).Jump(&label[1]);
-  SetRegister(&builder, reg, 2048, scratch).Bind(&label[0]);
-  IncrementRegister(&builder, reg, 2, scratch, GetIndex(slot1))
-      .JumpLoop(&loop_header, 0, 0);
+  SetRegister(&builder, reg, 2048, scratch).JumpLoop(&loop_header, 0, 0);
  SetRegister(&builder, reg, 4096, scratch).Bind(&label[1]);
-  IncrementRegister(&builder, reg, 4, scratch, GetIndex(slot2))
+  IncrementRegister(&builder, reg, 2, scratch, GetIndex(slot1))
      .LoadAccumulatorWithRegister(reg)
      .Return();

@@ -1576,7 +1573,7 @@ TEST(InterpreterJumps) {
  InterpreterTester tester(isolate, bytecode_array, metadata);
  auto callable = tester.GetCallable<>();
  Handle<Object> return_value = callable().ToHandleChecked();
-  CHECK_EQ(Smi::ToInt(*return_value), 7);
+  CHECK_EQ(Smi::ToInt(*return_value), 3);
 }

 TEST(InterpreterConditionalJumps) {

--- a/test/mjsunit/regress/regress-1230597.js
+++ b/test/mjsunit/regress/regress-1230597.js
+// Copyright 2021 the V8 project authors. All rights reserved.
+// Use of this source code is governed by a BSD-style license that can be
+// found in the LICENSE file.
+//
+// Flags: --allow-natives-syntax
+
+function main() {
+  // This seems to just be some register setup for the benefit of the optimising
+  // compiler.
+  for(var i=0; i<2; i++) {
+    if(i==1) { }
+    with ({}) {
+      try {
+        var07().foo = 1;
+      } catch { }
+    }
+  }
+
+  // This is where the bug was.
+  try {
+    // The `var10() = ...` is rewritten to `var10[throw ReferenceError] = ...`,
+    // making the value of the assign dead. However, there is a loop inside the
+    // spread that used to accidentally resurrect that block.
+    //
+    // This broke checks in the optimizing compiler since the iterator setup was
+    // dead but the iterator use inside the spread's loop was live.
+    var10() = var08(1, ...foo, 2);
+  } catch { }
+}
+
+
+%PrepareFunctionForOptimization(main);
+main();
+%OptimizeFunctionOnNextCall(main);
+main();