[turbofan] BitcastWordToTagged must not be pure.

The BitcastWordToTagged operator is used for bump pointer allocation to construct the actual HeapObject pointer. The input to this operator is a naked pointer (derived from the allocation top). If this input value is live across an allocation, then the resulting tagged pointer is invalid because the GC might have scavenged new space in the meantime. That means we must not allow Node splitting (in the Scheduler) for these instructions, as that could extend the live range of the naked pointer input across arbitrary code. As such, this operator must not be marked as pure. R=jarin@chromium.org BUG=v8:6059 Review-Url: https://codereview.chromium.org/2739093002 Cr-Commit-Position: refs/heads/master@{#43683}

[turbofan] BitcastWordToTagged must not be pure.
The BitcastWordToTagged operator is used for bump pointer allocation to construct the actual HeapObject pointer. The input to this operator is a naked pointer (derived from the allocation top). If this input value is live across an allocation, then the resulting tagged pointer is invalid because the GC might have scavenged new space in the meantime. That means we must not allow Node splitting (in the Scheduler) for these instructions, as that could extend the live range of the naked pointer input across arbitrary code. As such, this operator must not be marked as pure. R=jarin@chromium.org BUG=v8:6059 Review-Url: https://codereview.chromium.org/2739093002 Cr-Commit-Position: refs/heads/master@{#43683}
64fbb304 · bmeurer · Commit bot · cce8a197 · 64fbb304
Commit 64fbb304 authored Mar 09, 2017 by bmeurer Committed by Commit bot Mar 09, 2017
Hide whitespace changes
Inline Side-by-side

Showing with 17 additions and 1 deletion

machine-operator.cc src/compiler/machine-operator.cc +17 -1

No files found.
--- a/src/compiler/machine-operator.cc
+++ b/src/compiler/machine-operator.cc
@@ -135,7 +135,6 @@ MachineType AtomicExchangeRepresentationOf(Operator const* op) {
  V(Word32Clz, Operator::kNoProperties, 1, 0, 1)                           \
  V(Word64Clz, Operator::kNoProperties, 1, 0, 1)                           \
  V(BitcastTaggedToWord, Operator::kNoProperties, 1, 0, 1)                 \
-  V(BitcastWordToTagged, Operator::kNoProperties, 1, 0, 1)                 \
  V(BitcastWordToTaggedSigned, Operator::kNoProperties, 1, 0, 1)           \
  V(TruncateFloat64ToWord32, Operator::kNoProperties, 1, 0, 1)             \
  V(ChangeFloat32ToFloat64, Operator::kNoProperties, 1, 0, 1)              \
@@ -607,6 +606,19 @@ struct MachineOperatorGlobalCache {
  ATOMIC_TYPE_LIST(ATOMIC_EXCHANGE)
 #undef ATOMIC_EXCHANGE

+  // The {BitcastWordToTagged} operator must not be marked as pure (especially
+  // not idempotent), because otherwise the splitting logic in the Scheduler
+  // might decide to split these operators, thus potentially creating live
+  // ranges of allocation top across calls or other things that might allocate.
+  // See https://bugs.chromium.org/p/v8/issues/detail?id=6059 for more details.
+  struct BitcastWordToTaggedOperator : public Operator {
+    BitcastWordToTaggedOperator()
+        : Operator(IrOpcode::kBitcastWordToTagged,
+                   Operator::kEliminatable | Operator::kNoWrite,
+                   "BitcastWordToTagged", 1, 0, 0, 1, 0, 0) {}
+  };
+  BitcastWordToTaggedOperator kBitcastWordToTagged;
+
  struct DebugBreakOperator : public Operator {
    DebugBreakOperator()
        : Operator(IrOpcode::kDebugBreak, Operator::kNoThrow, "DebugBreak", 0,
@@ -784,6 +796,10 @@ const Operator* MachineOperatorBuilder::UnsafePointerAdd() {
  return &cache_.kUnsafePointerAdd;
 }

+const Operator* MachineOperatorBuilder::BitcastWordToTagged() {
+  return &cache_.kBitcastWordToTagged;
+}
+
 const Operator* MachineOperatorBuilder::DebugBreak() {
  return &cache_.kDebugBreak;
 }