[20] [JSC] DFG object allocation sinking shouldn't insert a check when given a PutByVal
Severity: Medium | Component: JSC DFG JIT | cdfa73f
Classified as Medium because special-case code left over in the DFG allocation sinking phase generated IR that violated the current graph invariants. In --validateGraph builds this surfaced as a GetButterfly validator rule violation. In release builds, the miscompiled graph could be handed to later phases, potentially carrying inconsistent exit-state metadata.
An if (node->op() == PutByVal) block left in ObjectAllocationSinkingPhase::run() inserted a Check on the stored value ahead of the synthesized PutHint. The block was a fix written for the array-sinking implementation that has since been replaced, and it no longer matched the invariants of the surrounding code.
Source/JavaScriptCore/dfg/DFGObjectAllocationSinkingPhase.cpp / DFGValidate.cpp
- if (node->op() == PutByVal) {
- Edge value = m_graph.varArgChild(node, 2);
- m_insertionSet.insertNode(nodeIndex + 1, SpecNone, Check, node->origin, Edge(value.node(), value.useKind()));
- }
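Review bot: Deleting this block removes the only place in the hunk where value.useKind() is enforced on the PutByVal's stored value (varArgChild(node, 2)) before the synthesized PutHint; the description calls the block vestigial but does not say where that speculation is now guaranteed. Suggest stating in the change description, or in a comment at the PutHint synthesis site, why the Check is redundant, so the removal can be verified rather than taken on trust.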
- case GetButterfly:
- VALIDATE((node), !node->child1()->isPhantomAllocation());
- break;
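Review bot: Dropping the GetButterfly rule (`VALIDATE((node), !node->child1()->isPhantomAllocation())`) removes --validateGraph coverage without a replacement, and nothing in DFGValidate.cpp records why the shape is now legal. Suggest a short comment in the validator (or the commit message) explaining that allocation sinking may now feed a phantom allocation into GetButterfly, plus a --validateGraph test exercising that shape, so the rule is not reintroduced and the new invariant is still checked.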
A stale code path in the optimization phase that survived after the surrounding algorithm was replaced and kept producing nodes that violate the current DFG graph invariants.
The GetButterfly validator rule was removed as well, indicating that the allocation-sinking process now legitimately produces the shape the earlier validator forbade.