[maglev] Fix ResumeGenerator reviving a dead SuspendGenerator

ResumeGenerator is semantically a successor of SuspendGenerator (for reasoning about liveness), but operationally it's a successor of SwitchOnGeneratorState. This means that the jump to ResumeGenerator will always create a new basic block, even if the SuspendGenerator was dead. This causes problems if we made other assumptions on liveness based on the semantics; in particular, we assume that JumpLoop is dead if the loop header is dead (thanks to loop irreducibility). SwitchOnGeneratorState breaks irreducibility, and this manifests as the JumpLoop being alive and trying to jump to a dead header. Since this is a special case, and loops are otherwise irreducible, we can also fix it with a special case; namely, MarkBytecodeDead now has a special case for SuspendGenerator which manually advances the iterator and kills the ResumeGenerator. Bug: v8:7700 Change-Id: Ice162f061e7ba1dda7ceb4f6fe9234889655b417 Fixed: v8:13250 Reviewed-on: https://chromium-review.googlesource.com/c/v8/v8/+/3865556Reviewed-by: Victor Gomes <victorgomes@chromium.org> Commit-Queue: Victor Gomes <victorgomes@chromium.org> Auto-Submit: Leszek Swirski <leszeks@chromium.org> Cr-Commit-Position: refs/heads/main@{#82931}

[maglev] Fix ResumeGenerator reviving a dead SuspendGenerator
ResumeGenerator is semantically a successor of SuspendGenerator (for reasoning about liveness), but operationally it's a successor of SwitchOnGeneratorState. This means that the jump to ResumeGenerator will always create a new basic block, even if the SuspendGenerator was dead. This causes problems if we made other assumptions on liveness based on the semantics; in particular, we assume that JumpLoop is dead if the loop header is dead (thanks to loop irreducibility). SwitchOnGeneratorState breaks irreducibility, and this manifests as the JumpLoop being alive and trying to jump to a dead header. Since this is a special case, and loops are otherwise irreducible, we can also fix it with a special case; namely, MarkBytecodeDead now has a special case for SuspendGenerator which manually advances the iterator and kills the ResumeGenerator. Bug: v8:7700 Change-Id: Ice162f061e7ba1dda7ceb4f6fe9234889655b417 Fixed: v8:13250 Reviewed-on: https://chromium-review.googlesource.com/c/v8/v8/+/3865556Reviewed-by: Victor Gomes <victorgomes@chromium.org> Commit-Queue: Victor Gomes <victorgomes@chromium.org> Auto-Submit: Leszek Swirski <leszeks@chromium.org> Cr-Commit-Position: refs/heads/main@{#82931}
2f41221f · Leszek Swirski · V8 LUCI CQ · ed8be538 · 2f41221f
Commit 2f41221f authored Sep 01, 2022 by Leszek Swirski Committed by V8 LUCI CQ Sep 02, 2022
Hide whitespace changes
Inline Side-by-side

Showing with 24 additions and 0 deletions

maglev-graph-builder.h src/maglev/maglev-graph-builder.h +24 -0

No files found.
--- a/src/maglev/maglev-graph-builder.h
+++ b/src/maglev/maglev-graph-builder.h
@@ -20,6 +20,7 @@
 #include "src/interpreter/bytecode-array-iterator.h"
 #include "src/interpreter/bytecode-decoder.h"
 #include "src/interpreter/bytecode-register.h"
+#include "src/interpreter/bytecodes.h"
 #include "src/interpreter/interpreter-intrinsics.h"
 #include "src/maglev/maglev-graph-labeller.h"
 #include "src/maglev/maglev-graph-printer.h"
@@ -179,6 +180,29 @@ class MaglevGraphBuilder {
      // Any other bytecode that doesn't return or throw will merge into the
      // fallthrough.
      MergeDeadIntoFrameState(iterator_.next_offset());
+    } else if (bytecode == interpreter::Bytecode::kSuspendGenerator) {
+      // Extra special case for SuspendGenerator, if the suspend is dead then
+      // the resume has to be dead too. However, the resume already has a merge
+      // state, with exactly one predecessor (the generator switch), so it will
+      // be revived along the standard path. This can cause havoc if e.g. the
+      // suspend/resume are inside a dead loop, because the JumpLoop can become
+      // live again.
+      //
+      // So, manually advance the iterator to the resume, go through the motions
+      // of processing the merge state, but immediately emit an abort (which
+      // also kills the resume).
+      //
+      // TODO(leszeks): Instead of emitting an Abort, we could shrink the
+      // generator switch, removing this resume as an option.
+      iterator_.Advance();
+      DCHECK_EQ(iterator_.current_bytecode(),
+                interpreter::Bytecode::kResumeGenerator);
+      int resume_offset = iterator_.current_offset();
+      DCHECK_EQ(NumPredecessors(resume_offset), 1);
+      ProcessMergePoint(resume_offset);
+      StartNewBlock(resume_offset);
+      BuildAbort(AbortReason::kInvalidParametersAndRegistersInGenerator);
+      return;
    }

    // TODO(leszeks): We could now continue iterating the bytecode