some write barrier fixes

- false poisitive on EntryPointInfo->jsMethod after native address reuse in recycler - false poisitive in arena allocator cacheBlockEnd reused in leaf block in recycler (sharing same page allocator) - overload ChangeToAssign in JIT code, check all posible assign for write barrier - missing barriers in various location

Author: leirocks

lib/Backend/Lower.cpp

@@ -102,30 +102,30 @@ Lowerer::Lower()
  this->LowerRange(m_func->m_headInstr, m_func->m_tailInstr, defaultDoFastPath, loopFastPath);
 
 #if DBG
-// TODO: (leish)(swb) implement for arm
+ // TODO: (leish)(swb) implement for arm
 #if defined(_M_IX86) || defined(_M_AMD64)
-if (CONFIG_FLAG(ForceSoftwareWriteBarrier) && CONFIG_FLAG(RecyclerVerifyMark))
-{
-// find out all write barrier setting instr, call Recycler::WBSetBit for verification purpose
-// should do this in LowererMD::GenerateWriteBarrier, however, can't insert call instruction there
-FOREACH_INSTR_EDITING(instr, instrNext, m_func->m_headInstr)
-if (instr->m_src1 && instr->m_src1->IsAddrOpnd())
-{
-IR::AddrOpnd* addrOpnd = instr->m_src1->AsAddrOpnd();
-if (addrOpnd->GetAddrOpndKind() == IR::AddrOpndKindWriteBarrierCardTable)
-{
-auto& leaInstr = instr->m_prev->m_prev;
-auto& shrInstr = instr->m_prev;
-Assert(leaInstr->m_opcode == Js::OpCode::LEA);
-Assert(shrInstr->m_opcode == Js::OpCode::SHR);
-m_lowererMD.LoadHelperArgument(shrInstr, leaInstr->m_dst);
-IR::Instr* instrCall = IR::Instr::New(Js::OpCode::Call, m_func);
-shrInstr->InsertBefore(instrCall);
-m_lowererMD.ChangeToHelperCall(instrCall, IR::HelperWriteBarrierSetVerifyBit);
-}
-}
-NEXT_INSTR_EDITING
-}
+ if (CONFIG_FLAG(ForceSoftwareWriteBarrier) && CONFIG_FLAG(RecyclerVerifyMark))
+ {
+ // find out all write barrier setting instr, call Recycler::WBSetBit for verification purpose
+ // should do this in LowererMD::GenerateWriteBarrier, however, can't insert call instruction there
+ FOREACH_INSTR_EDITING(instr, instrNext, m_func->m_headInstr)
+ if (instr->m_src1 && instr->m_src1->IsAddrOpnd())
+ {
+ IR::AddrOpnd* addrOpnd = instr->m_src1->AsAddrOpnd();
+ if (addrOpnd->GetAddrOpndKind() == IR::AddrOpndKindWriteBarrierCardTable)
+ {
+ auto& leaInstr = instr->m_prev->m_prev;
+ auto& shrInstr = instr->m_prev;
+ Assert(leaInstr->m_opcode == Js::OpCode::LEA);
+ Assert(shrInstr->m_opcode == Js::OpCode::SHR);
+ m_lowererMD.LoadHelperArgument(shrInstr, leaInstr->m_dst);
+ IR::Instr* instrCall = IR::Instr::New(Js::OpCode::Call, m_func);
+ shrInstr->InsertBefore(instrCall);
+ m_lowererMD.ChangeToHelperCall(instrCall, IR::HelperWriteBarrierSetVerifyBit);
+ }
+ }
+ NEXT_INSTR_EDITING
+ }
 #endif
 #endif
 
@@ -14558,7 +14558,7 @@ IR::Instr *Lowerer::InsertMove(IR::Opnd *dst, IR::Opnd *src, IR::Instr *const in
  }
  else
  {
- LowererMD::ChangeToAssign(instr);
+ LowererMD::ChangeToAssignNoBarrierCheck(instr);
  }
 
  return instr;

lib/Backend/LowerMDShared.cpp

@@ -756,11 +756,17 @@ IR::Instr* LowererMD::ChangeToHelperCallMem(IR::Instr * instr, IR::JnHelperMeth
 ///----------------------------------------------------------------------------
 
 IR::Instr *
-LowererMD::ChangeToAssign(IR::Instr * instr)
+LowererMD::ChangeToAssignNoBarrierCheck(IR::Instr * instr)
 {
  return ChangeToAssign(instr, instr->GetDst()->GetType());
 }
 
+IR::Instr *
+LowererMD::ChangeToAssign(IR::Instr * instr)
+{
+ return ChangeToWriteBarrierAssign(instr, instr->m_func);
+}
+
 IR::Instr *
 LowererMD::ChangeToAssign(IR::Instr * instr, IRType type)
 {
@@ -4712,7 +4718,7 @@ LowererMD::GenerateLoadPolymorphicInlineCacheSlot(IR::Instr * instrLdSt, IR::Reg
  instrLdSt->InsertBefore(instr);
 }
 
-void
+IR::Instr *
 LowererMD::ChangeToWriteBarrierAssign(IR::Instr * assignInstr, const Func* func)
 {
 #ifdef RECYCLER_WRITE_BARRIER_JIT
@@ -4747,7 +4753,7 @@ LowererMD::ChangeToWriteBarrierAssign(IR::Instr * assignInstr, const Func* func)
  }
 #endif
 
- ChangeToAssign(assignInstr);
+ IR::Instr * instr = ChangeToAssignNoBarrierCheck(assignInstr);
 
  // Now insert write barrier if necessary
 #ifdef RECYCLER_WRITE_BARRIER_JIT
@@ -4758,6 +4764,8 @@ LowererMD::ChangeToWriteBarrierAssign(IR::Instr * assignInstr, const Func* func)
 LowererMD::GenerateWriteBarrier(assignInstr);
  }
 #endif
+
+ return instr;
 }
 
 void

lib/Backend/LowerMDShared.h

@@ -85,6 +85,7 @@ class LowererMD
  static IR::Instr * CreateAssign(IR::Opnd *dst, IR::Opnd *src, IR::Instr *instrInsertPt, bool generateWriteBarrier = true);
 
  static IR::Instr * ChangeToAssign(IR::Instr * instr);
+ static IR::Instr * ChangeToAssignNoBarrierCheck(IR::Instr * instr);
  static IR::Instr * ChangeToAssign(IR::Instr * instr, IRType type);
  static IR::Instr * ChangeToLea(IR::Instr *const instr, bool postRegAlloc = false);
  static void ImmedSrcToReg(IR::Instr * instr, IR::Opnd * newOpnd, int srcNum);
@@ -305,7 +306,7 @@ class LowererMD
 
  void GenerateWriteBarrierAssign(IR::IndirOpnd * opndDst, IR::Opnd * opndSrc, IR::Instr * insertBeforeInstr);
  void GenerateWriteBarrierAssign(IR::MemRefOpnd * opndDst, IR::Opnd * opndSrc, IR::Instr * insertBeforeInstr);
- static void ChangeToWriteBarrierAssign(IR::Instr * assignInstr, const Func* func);
+ static IR::Instr * ChangeToWriteBarrierAssign(IR::Instr * assignInstr, const Func* func);
 
  static IR::BranchInstr * GenerateLocalInlineCacheCheck(IR::Instr * instrLdSt, IR::RegOpnd * opndType, IR::RegOpnd * opndInlineCache, IR::LabelInstr * labelNext, bool checkTypeWithoutProperty = false);
  static IR::BranchInstr * GenerateProtoInlineCacheCheck(IR::Instr * instrLdSt, IR::RegOpnd * opndType, IR::RegOpnd * opndInlineCache, IR::LabelInstr * labelNext);

lib/Backend/arm/LowerMD.cpp

@@ -2343,11 +2343,18 @@ IR::Instr* LowererMD::ChangeToHelperCallMem(IR::Instr * instr, IR::JnHelperMeth
 ///----------------------------------------------------------------------------
 
 IR::Instr *
-LowererMD::ChangeToAssign(IR::Instr * instr)
+LowererMD::ChangeToAssignNoBarrierCheck(IR::Instr * instr)
 {
  return ChangeToAssign(instr, instr->GetDst()->GetType());
 }
 
+IR::Instr *
+LowererMD::ChangeToAssign(IR::Instr * instr)
+{
+ // TODO: (swb)(leish) assert that the dest is not indir or memref
+ return ChangeToWriteBarrierAssign(instr, instr->m_func);
+}
+
 IR::Instr *
 LowererMD::ChangeToAssign(IR::Instr * instr, IRType type)
 {
@@ -2381,13 +2388,13 @@ LowererMD::ChangeToAssign(IR::Instr * instr, IRType type)
  return instr;
 }
 
-void
+IR::Instr *
 LowererMD::ChangeToWriteBarrierAssign(IR::Instr * assignInstr, const Func* func)
 {
 #ifdef RECYCLER_WRITE_BARRIER_JIT
  // WriteBarrier-TODO- Implement ARM JIT
 #endif
- ChangeToAssign(assignInstr);
+ return ChangeToAssign(assignInstr);
 }
 
 ///----------------------------------------------------------------------------

lib/Backend/arm/LowerMD.h

@@ -70,6 +70,7 @@ class LowererMD
  IR::Instr * ChangeToHelperCallMem(IR::Instr * instr, IR::JnHelperMethod helperMethod);
  static IR::Instr * CreateAssign(IR::Opnd *dst, IR::Opnd *src, IR::Instr *instrInsertPt, bool generateWriteBarrier = true);
  static IR::Instr * ChangeToAssign(IR::Instr * instr);
+ static IR::Instr * ChangeToAssignNoBarrierCheck(IR::Instr * instr);
  static IR::Instr * ChangeToAssign(IR::Instr * instr, IRType type);
  static IR::Instr * ChangeToLea(IR::Instr *const instr, bool postRegAlloc = false);
  static IR::Instr * ForceDstToReg(IR::Instr *instr);
@@ -270,7 +271,7 @@ class LowererMD
  static void GenerateStFldFromLocalInlineCache(IR::Instr * instrStFld, IR::RegOpnd * opndBase, IR::Opnd * opndSrc, IR::RegOpnd * opndInlineCache, IR::LabelInstr * labelFallThru, bool isInlineSlot);
  void GenerateFunctionObjectTest(IR::Instr * callInstr, IR::RegOpnd *functionOpnd, bool isHelper, IR::LabelInstr* continueAfterExLabel = nullptr);
 
- static void ChangeToWriteBarrierAssign(IR::Instr * assignInstr, const Func* func);
+ static IR::Instr * ChangeToWriteBarrierAssign(IR::Instr * assignInstr, const Func* func);
 
  int GetHelperArgsCount() { return this->helperCallArgsCount; }
  void ResetHelperArgsCount() { this->helperCallArgsCount = 0; }

lib/Backend/arm64/LowerMD.h

@@ -264,7 +264,7 @@ class LowererMD
  static void GenerateLdLocalFldFromFlagInlineCache(IR::Instr * instrLdFld, IR::RegOpnd * opndBase, IR::Opnd * opndDst, IR::RegOpnd * opndInlineCache, IR::LabelInstr * labelFallThru, bool isInlineSlot) { __debugbreak(); }
  static void GenerateStFldFromLocalInlineCache(IR::Instr * instrStFld, IR::RegOpnd * opndBase, IR::Opnd * opndSrc, IR::RegOpnd * opndInlineCache, IR::LabelInstr * labelFallThru, bool isInlineSlot) { __debugbreak(); }
 
- static void ChangeToWriteBarrierAssign(IR::Instr * assignInstr, const Func* func) { __debugbreak(); }
+ static IR::Instr * ChangeToWriteBarrierAssign(IR::Instr * assignInstr, const Func* func) { __debugbreak(); }
 
  int GetHelperArgsCount() { __debugbreak(); return 0; }
  void ResetHelperArgsCount() { __debugbreak(); }

lib/Common/Memory/ArenaAllocator.cpp

@@ -70,6 +70,13 @@ ArenaAllocatorBase<TFreeListPolicy, ObjectAlignmentBitShiftArg, RequireObjectAli
  ArenaMemoryTracking::ReportFreeAll(this);
  ArenaMemoryTracking::ArenaDestroyed(this);
 
+#if DBG
+ // tag the fields in case the address is reused in recycler and create a false positive
+ this->cacheBlockEnd = (char*)((intptr_t)this->cacheBlockEnd | 1);
+#else
+ this->cacheBlockEnd = nullptr;
+#endif
+
  if (!pageAllocator->IsClosed())
  {
  ReleasePageMemory();
@@ -79,6 +86,7 @@ ArenaAllocatorBase<TFreeListPolicy, ObjectAlignmentBitShiftArg, RequireObjectAli
 #ifdef PROFILE_MEM
  LogEnd();
 #endif
+
 }
 
 template <class TFreeListPolicy, size_t ObjectAlignmentBitShiftArg, bool RequireObjectAlignment, size_t MaxObjectSize>

lib/Common/Memory/Recycler.cpp

@@ -7599,7 +7599,7 @@ Recycler::TrackAllocCore(void * object, size_t size, const TrackAllocData& track
  {
  size_t stackTraceSize = 16 * sizeof(void*);
  item = NoCheckHeapNewPlus(stackTraceSize, TrackerItem, typeInfo);
- StackBackTrace::Capture((char*)&item[1], stackTraceSize, 0);
+ StackBackTrace::Capture((char*)&item[1], stackTraceSize, 7);
  }
  else
  {

lib/Common/Memory/RecyclerPointers.h

@@ -539,13 +539,13 @@ void* __cdecl memcpy(WriteBarrierPtr<T> *dst, const void *src, size_t count)
 template <typename T>
 errno_t __cdecl memcpy_s(WriteBarrierPtr<T> *dst, size_t dstSize, const void *src, size_t srcSize)
 {
- CompileAssert(false);
+ static_assert(false, "Use CopyArray instead");
 }
 
 template <typename T>
 void __stdcall js_memcpy_s(__bcount(sizeInBytes) WriteBarrierPtr<T> *dst, size_t sizeInBytes, __bcount(count) const void *src, size_t count)
 {
- CompileAssert(false);
+ static_assert(false, "Use CopyArray instead");
 }
 
 template <typename T>

lib/Runtime/Base/FunctionBody.cpp

@@ -9373,6 +9373,13 @@ namespace Js
  }
 #endif
 
+#if DBG
+ // tag the jsMethod in case the native address is reused in recycler and create a false positive
+ this->jsMethod = (Js::JavascriptMethod)((intptr_t)this->jsMethod | 1);
+#else
+ this->jsMethod = nullptr;
+#endif
+
  this->state = CleanedUp;
 #if ENABLE_DEBUG_CONFIG_OPTIONS
 #if !DBG