[maglev] Initialize loop merge to uninitialized predecessor

Explicitly initialize the loop merge's back-edge predecessor to a specfic "uninitialized" value, distinct from nullptr (which marks dead loops) and done in both debug and release modes. Bug: v8:7700 Change-Id: I6a845cc4dbd7da75954f78607e69a5d4e2ec1ec7 Reviewed-on: https://chromium-review.googlesource.com/c/v8/v8/+/3645114Reviewed-by: Toon Verwaest <verwaest@chromium.org> Commit-Queue: Toon Verwaest <verwaest@chromium.org> Auto-Submit: Leszek Swirski <leszeks@chromium.org> Cr-Commit-Position: refs/heads/main@{#80525}

[maglev] Initialize loop merge to uninitialized predecessor
Explicitly initialize the loop merge's back-edge predecessor to a specfic "uninitialized" value, distinct from nullptr (which marks dead loops) and done in both debug and release modes. Bug: v8:7700 Change-Id: I6a845cc4dbd7da75954f78607e69a5d4e2ec1ec7 Reviewed-on: https://chromium-review.googlesource.com/c/v8/v8/+/3645114Reviewed-by: Toon Verwaest <verwaest@chromium.org> Commit-Queue: Toon Verwaest <verwaest@chromium.org> Auto-Submit: Leszek Swirski <leszeks@chromium.org> Cr-Commit-Position: refs/heads/main@{#80525}
8bba185f · Leszek Swirski · V8 LUCI CQ · dd74a023 · 8bba185f · 8bba185f
Commit 8bba185f authored May 13, 2022 by Leszek Swirski Committed by V8 LUCI CQ May 13, 2022
Showing with 18 additions and 11 deletions

maglev-graph-builder.h src/maglev/maglev-graph-builder.h +2 -2

maglev-graph-printer.cc src/maglev/maglev-graph-printer.cc +2 -1

maglev-interpreter-frame-state.h src/maglev/maglev-interpreter-frame-state.h +14 -8

No files found.
--- a/src/maglev/maglev-graph-builder.h
+++ b/src/maglev/maglev-graph-builder.h
@@ -85,8 +85,8 @@ class MaglevGraphBuilder {
    BasicBlockRef* old_jump_targets = jump_targets_[offset].Reset();
    while (old_jump_targets != nullptr) {
      BasicBlock* predecessor = merge_state.predecessor_at(predecessor_index);
-      if (predecessor == nullptr) {
+      if (predecessor == MergePointInterpreterFrameState::kDeadPredecessor) {
-        // We can have null predecessors if the predecessor is dead.
+        // We might have dead predecessors.
        predecessor_index--;
        continue;
      }

--- a/src/maglev/maglev-graph-printer.cc
+++ b/src/maglev/maglev-graph-printer.cc
@@ -398,7 +398,8 @@ void MaglevPrintingVisitor::Process(Phi* phi, const ProcessingState& state) {
  // moves).
  for (int i = 0; i < phi->input_count(); ++i) {
    if (i > 0) os_ << ", ";
-    if (state.block()->predecessor_at(i) == nullptr) {
+    if (state.block()->predecessor_at(i) ==
+        MergePointInterpreterFrameState::kDeadPredecessor) {
      os_ << "<dead>";
    } else {
      os_ << PrintNodeLabel(graph_labeller, phi->input(i).node());

--- a/src/maglev/maglev-interpreter-frame-state.h
+++ b/src/maglev/maglev-interpreter-frame-state.h
@@ -268,9 +268,7 @@ class MergePointInterpreterFrameState {
        });
    DCHECK(!frame_state_.liveness()->AccumulatorIsLive());
-#ifdef DEBUG
+    predecessors_[0] = uninitialized_predecessor();
-    predecessors_[0] = nullptr;
-#endif
  }
  // Merges an unmerged framestate with a possibly merged framestate into |this|
@@ -299,7 +297,7 @@ class MergePointInterpreterFrameState {
                 const InterpreterFrameState& loop_end_state,
                 BasicBlock* loop_end_block, int merge_offset) {
    DCHECK_EQ(predecessors_so_far_, predecessor_count_);
-    DCHECK_NULL(predecessors_[0]);
+    DCHECK_EQ(predecessors_[0], uninitialized_predecessor());
    predecessors_[0] = loop_end_block;
    frame_state_.ForEachValue(
@@ -331,7 +329,7 @@ class MergePointInterpreterFrameState {
  // JumpLoop has been early terminated with a deopt).
  void MergeDeadLoop() {
    DCHECK_EQ(predecessors_so_far_, predecessor_count_);
-    DCHECK_NULL(predecessors_[0]);
+    DCHECK_EQ(predecessors_[0], uninitialized_predecessor());
    predecessors_[0] = kDeadPredecessor;
  }
@@ -361,7 +359,8 @@ class MergePointInterpreterFrameState {
    DCHECK_EQ(predecessors_so_far_, predecessor_count_);
    // If there is only one predecessor, and it's not set, then this is a loop
    // merge with no forward control flow entering it.
-    return predecessor_count_ == 1 && predecessors_[0] == nullptr;
+    return predecessor_count_ == 1 &&
+           predecessors_[0] == uninitialized_predecessor();
  }
 private:
@@ -369,6 +368,13 @@ class MergePointInterpreterFrameState {
      const MaglevCompilationUnit& info,
      const MergePointInterpreterFrameState& state);
+  // Create an uninitialized value sentinel for loop merges. This is distinct
+  // from kDeadPredecessor, which is for loops that were reached, but were dead.
+  // TODO(leszeks): Do this in a way that isn't UB.
+  static BasicBlock* uninitialized_predecessor() {
+    return reinterpret_cast<BasicBlock*>(0x100b);
+  }
  ValueNode* FromInt32ToTagged(MaglevCompilationUnit& compilation_unit,
                               ValueNode* value) {
    DCHECK_EQ(value->properties().value_representation(),
@@ -440,7 +446,7 @@ class MergePointInterpreterFrameState {
    // If the merged node is null, this is a pre-created loop header merge
    // frame will null values for anything that isn't a loop Phi.
    if (merged == nullptr) {
-      DCHECK_NULL(predecessors_[0]);
+      DCHECK_EQ(predecessors_[0], uninitialized_predecessor());
      DCHECK_EQ(predecessors_so_far_, 1);
      return unmerged;
    }
@@ -489,7 +495,7 @@ class MergePointInterpreterFrameState {
    // If the merged node is null, this is a pre-created loop header merge
    // frame with null values for anything that isn't a loop Phi.
    if (merged == nullptr) {
-      DCHECK_NULL(predecessors_[0]);
+      DCHECK_EQ(predecessors_[0], uninitialized_predecessor());
      DCHECK_EQ(predecessors_so_far_, 1);
      return;
    }