[JSC] Add DFG MultiGetByVal and MultiPutByVal
8f6bc9a
Source/JavaScriptCore/dfg/DFGSpeculativeJIT64.cpp
+void SpeculativeJIT::compileMultiGetByVal(Node* node)
+{
+ ArrayMode arrayMode = node->arrayMode();
+ ...
+ auto cases = node->multiGetByValData().cases();
+ for (unsigned i = 0; i < cases.size(); ++i) {
+ auto& c = cases[i];
+ m_jit.load8(MacroAssembler::Address(baseGPR, JSCell::indexingTypeAndMiscOffset()), ...
+ switch (c.arrayType()) {
+ case ArrayWithInt32:
+ case ArrayWithDouble:
+ case ArrayWithContiguous:
+ ...
+ case TypedArrayType::Float32:
+ ...
+ }
+ }
+ // OOB sane chain: index가 음수가 아님을 추정하고, slow path 없이 undefined 반환
+ ...
+}
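Review bot: the indexing-type byte is reloaded inside the per-case loop (`m_jit.load8(MacroAssembler::Address(baseGPR, JSCell::indexingTypeAndMiscOffset()), ...` runs once per iteration) although `baseGPR` does not change between cases; hoist that load above the `for` so the whole branch tree compares against a single register. The `switch (c.arrayType())` mixes `ArrayWithInt32` / `ArrayWithDouble` / `ArrayWithContiguous` with `TypedArrayType::Float32` in one switch and has no `default:`; add `default: RELEASE_ASSERT_NOT_REACHED();` so an unexpected case type fails loudly instead of falling out of the switch and emitting no check at all. The closing comment states that the OOB path assumes the index is non-negative and returns undefined without a slow path, but the visible lines show neither the speculation that enforces non-negativity nor the sane-chain watchpoint registration; please make both explicit next to that comment (or reference where they are emitted), since the undefined fast path is only correct while both hold.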
Source/JavaScriptCore/dfg/DFGFixupPhase.cpp
+case MultiGetByVal: {
+ ...
+ for (auto& c : node->multiGetByValData().cases()) {
+ if (c.result() == Int32Result || c.result() == Int52Result) {
+ // ValueRep은 FTL에서만 사용 가능 — GetByVal로 fallback
+ node->convertToGetByVal();
+ break;
+ }
+ }
+ break;
+}
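Review bot: after `node->convertToGetByVal();` the node leaves this `case` without receiving the GetByVal edge fixup; unless that happens elsewhere, fall through to (or call) the GetByVal fixup path so the converted node's base and index edges get the usual checks. The inner `break` is load-bearing here because `node->multiGetByValData()` is no longer valid once the node has been converted; a one-line comment saying so would keep a later edit from turning this into a loop that keeps iterating over stale data. The fallback also only covers `MultiGetByVal`; the commit adds `MultiPutByVal` too, yet no matching `Int32Result` / `Int52Result` check appears in the visible fixup lines, so either confirm that `MultiPutByVal` cases can never carry those representations or add the same conversion for it.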
JSC's JIT pipeline consists of three tiers: Baseline → DFG → FTL. The DFG (Data Flow Graph) is a speculative JIT that compiles relatively quickly using a node-based IR. The FTL sits above it and runs additional optimization passes, including an LLVM-based IR and a ValueRep phase. The ValueRep phase tracks, as annotations, how each value is represented (tagged JSValue, unboxed int32, int52, double).
MultiGetByVal and MultiPutByVal are "polymorphic merge" nodes. When several array shapes (for example an Int32 JSArray, a Float64Array and a Contiguous JSArray) have been observed at one GetByVal site, the JIT emits a branch tree that dispatches to a specialized fast path for each type, so the generic IC slow path is not taken on every call.
This commit ports MultiGetByVal and MultiPutByVal from the FTL down to the DFG tier. The Int32Result and Int52Result representations are intentionally left out, because the DFG has no equivalent of the FTL's ValueRep annotation phase that tracks unboxed integer representations. The supported result types are therefore limited to JSResult and DoubleResult. In the fixup phase, if any case requires an Int32/Int52 result, the node is converted back to a plain GetByVal.
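As an added illustration (this is not part of the commit and not WebKit's own code), the following JavaScript drives a single array-read site with the shapes the branch tree above dispatches on and checks the two properties the "sane chain" OOB path depends on: an out-of-bounds read must yield undefined, and that only holds while no object on the prototype chain carries an indexed property. The function names and the sample arrays are constructed for this example; it runs in any engine (for example Node), not only in JSC.

```javascript
// Added example, not from the WebKit commit. One shared read site is warmed with
// several array shapes, then its out-of-bounds behaviour is checked per shape.
// All names and sample arrays below are constructed for this illustration.

// Single read site: every call goes through the same GetByVal bytecode, so the JIT
// observes several indexing types at one place.
function readAt(arr, i) {
  return arr[i];
}

// Shapes matching the cases in the DFG branch tree (comments give the JSC names).
function makeShapes() {
  return {
    int32: [1, 2, 3],                     // ArrayWithInt32
    double: [1.5, 2.5, 3.5],              // ArrayWithDouble
    contiguous: ["a", {}, null],          // ArrayWithContiguous
    float32: new Float32Array([1, 2, 3]), // TypedArrayType::Float32
    int8: new Int8Array([1, 2, 3]),       // another typed-array case
  };
}

// Warm the site so each shape has been seen there. Returns the numeric sum of all
// values read (2550 for the sample shapes and 100 iterations), which keeps the
// reads observable and prevents an engine from discarding them.
function warmUp(shapes, iterations) {
  let sink = 0;
  for (let n = 0; n < iterations; n++) {
    for (const arr of Object.values(shapes)) {
      for (let i = 0; i < arr.length; i++) {
        const v = readAt(arr, i);
        if (typeof v === "number") sink += v;
      }
    }
  }
  return sink;
}

// Out-of-bounds and negative indices on every shape. With an untouched prototype
// chain each must read as undefined; a stale or uninitialized value here would be
// exactly the kind of bug the OOB fast path must never introduce.
function checkOutOfBounds(shapes) {
  const results = {};
  for (const [name, arr] of Object.entries(shapes)) {
    const oobIndices = [arr.length, arr.length + 1, 1e6, -1];
    results[name] = oobIndices.every((i) => readAt(arr, i) === undefined);
  }
  return results;
}

// Why the OOB path is guarded by a "sane chain" check: once an indexed property
// appears on the prototype chain, an OOB read of a plain JSArray must consult it,
// while a typed array (an integer-indexed exotic object) still yields undefined.
function checkPrototypeChain(shapes) {
  const idx = 3; // first out-of-bounds index for the three-element samples
  Object.defineProperty(Object.prototype, idx, {
    value: "from-proto", configurable: true, writable: true, enumerable: false,
  });
  try {
    return {
      int32: readAt(shapes.int32, idx),     // plain array: chain is consulted
      float32: readAt(shapes.float32, idx), // typed array: stays undefined
    };
  } finally {
    delete Object.prototype[idx]; // restore the sane chain
  }
}

// Stand-alone run: node this_file.js
if (typeof require !== "undefined" && require.main === module) {
  const shapes = makeShapes();
  console.log("warm-up sum:", warmUp(shapes, 100));
  console.log("OOB reads undefined:", checkOutOfBounds(shapes));
  console.log("after prototype pollution:", checkPrototypeChain(shapes));
}
```

The contrast in `checkPrototypeChain` is the regression a tester would want covered on the new DFG path: the undefined fast path is only valid while the prototype chain has no indexed properties, so the watchpoint that invalidates it must fire for plain JSArray cases, while typed-array cases are unaffected either way.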
Before:
DFG tier
GetByVal (polymorphic site)
└─► IC miss → slow path

After:
DFG tier
MultiGetByVal (NEW)
├─► Int32 array fast path
├─► Double array fast path
├─► Contiguous fast path
├─► TypedArray fast paths
└─► OOB → undefined (sane chain)
(JSResult / DoubleResult only)
Significance
Array accesses at which several types have been observed can now be optimized into an inlined multi-shape dispatch at the DFG tier instead of waiting for promotion to the FTL. The attack surface of type-specialized JIT code paths, historically a bug-prone area, grows accordingly. This logic is now emitted by a separate code generator, SpeculativeJIT, which has its own OOB and speculation machinery and has been exercised far less than the FTL's.
Audit directions
🔒New DFG JIT multi-shape array dispatch with its own OOB speculation path — type and bounds edge cases are worth security investigation.