Fixed multiple ordering bugs involving unsafe a-temporal abstract values

[sb98052]

Release notes: Fixed multiple ordering bugs

Fixes #2327 and #2406. The discussion around this set of issues can be found in #2327. To summarize, sometimes the serializer's CSE algorithm would relocate simplified values out of the path along which they were simplified. This relocation is unsafe for values that can cause side effects and ones that can throw. Otherwise, it may be wasteful but safe.

This PR helps improves the situation by making all potentially unsafe abstract values temporal. The cases I found came out of a code audit. Calls to createFromTemplate should have been covered comprehensively. Most unsafe operations still don't accept abstract values and throw introspection errors, so they are not a problem yet.

[sebmarkbage]

I don’t understand the criteria decided upon. How are not everything temporal according to this definition?

I believe that almost every expression in JavaScript can throw if given invalid input. So when should I not mark something as temporal?

(If we count TDZ, I believe literally everything can throw.)

[sb98052]

I think a more complete statement of the criterion would be "the value produced by the template can throw under a condition that is not precluded by the assumptions under which the template is used." This is the root of the specific bug that this PR tries to knock off, since such dynamic conditions are sensitive to simplifications by the simplifier.

The general problem of formalizing the constraints under which something can be atemporal and balancing those constraints with efficiency is still open, and this PR doesn't help with that.

[sebmarkbage]

"the value produced by the template can throw under a condition that is not precluded by the assumptions under which the template is used"

This seems like circular reasoning to me. This can only be used under the conditions we use it.

I think the most useful definition is that something should be temporal if it can throw at runtime, read mutable state or have side-effects, even when the args to the abstract value have the types that are assumed/inferred by the interpreter.

The issue here is that we end up passing an incorrect type arg. That means that any expression has to be able to accept any type or at least always undefined. This is not useful.

I don't think it's acceptable that everything becomes temporal which is the natural consequence of this.

My concrete concern is that figuring out whether something needs to be temporal or not is hard work. We have already converted things to temporal that shouldn't be. As a result, we now have to go through all of the temporal values and reevaluate if they really should be which is hard work. As we convert more of these, that list grows and it becomes even harder. We have to stop the leak.

I would be much more happy if we just turned on a flag in AbstractValue to turn everything temporal automatically if we just want to work around a bug temporarily. That way we can just turn the flag off when we've fixed the issue that doesn't let us distinguish.

[sebmarkbage]

This is a simple example. Given that the type of the Receiver is a string, this can never throw, have side-effects nor read mutable state (since it's immutable). It can only error if this is fed with the wrong type of input arg. That needs to be fixed.

However, once we fix that, how will I know that this can be turned atemporal again? Not everything has this property. So I have to go through them all one-by-one and think hard if this can really throw or not.

[hermanventer]

Simple: if Receiver is temporal, the get call must be temporal. Otherwise it is a-temporal.

[sebmarkbage]

Another approach could be to require all abstract values to be derived using the generator but add a flag like isTemporal to distinguish things that could be reordered vs things that can't. As long as that information is preserved in the source code.

[sb98052]

"the value produced by the template can throw under a condition that is not precluded by the assumptions under which the template is used"

This seems like circular reasoning to me. This can only be used under the conditions we use it.

More like "This can only throw under the conditions in which it is expected to throw" which is not circular. It's the throwing under certain conditions that is precluded, not the conditions themselves. But my phrasing didn't help in making this clear.

That said, the distinction is irrelevant if the precondition for a value to be atemporal is that it never throw at runtime.

I do see your concern - my approach makes some values atemporal in a conditional setting, but at the cost of making many others temporal, even in an unconditional setting. As a side effect of my change, calls to String.length and such would never get lifted, and that's bad.

I'll try to come up with an approach that strikes a better balance, given these parameters.

[hermanventer]

This seems to be a work in progress and not ready for merging just yet.

[hermanventer]

Only AbstractValue methods should ever call deriveAbstract directly.

[hermanventer]

If getPureBinaryOperationResultType does not throw, it should not be the case that the binary operation may throw or have a side effect.

[hermanventer]

In particular, if val is temporal, then the derived values must be temporal as well. The reason being that val is known to be an object (and thus not null or undefined) at this temporal point, but may be null or undefined at a different temporal point. Since stringify and parse are not total when their arguments are null or undefined, they cannot become a-temporal when their arguments are not also a-temporal.

[hermanventer]

Are you fixing things or just adding a todo comment? If the former, this is not complete, if the latter then please add TODO to the comment along with an issue number.

[hermanventer]

You only need to to do this if O is temporal.

[hermanventer]

Check if O is temporal.

[hermanventer]

Simple: if Receiver is temporal, the get call must be temporal. Otherwise it is a-temporal.

[sb98052]

Very nice. Herman's insight strikes the balance we want, and also refines the criterion. In general, a value must be temporal if it is dynamic (can throw, side effects). The assumption that something is not dynamic may itself rely on dynamic parameters - and those should be temporal. Conversely, if a parameter is temporal, then a value that relies on such an assumption becomes temporal too.

I've updated my implementation to do this. Also, I have added inverted tests to make sure that the operations I have touched get lifted in the unconditional case.

This is still work in progress because turning on the currently commented out invariant in createAbstractConcreteValue breaks a few things. Also, some tests are breaking and have to be fixed.

[sebmarkbage]

I'm still not satisfied with that definition. If an abstract value is atemporal but depends on a temporal value, and is depended upon by a temporal (everything is eventually depended upon by a generator entry). That only means that it has to be computed between those two temporal points. We can still move it relative to other temporal points. That information is already there in the graph and can be computed by the visitor.

If we go with the definition for abstract values needing to be temporal if their dependencies are temporal, then we need to start modeling the dependency graph in the generators instead so that different entries in the generator can be reordered depending on their dependency graph.

[sebmarkbage]

I think this should probably just be modeled directly in AbstractValue. If any arg is temporal, the whole thing should be temporal for any abstract value.

Doing this on a one-by-one basis seems error prone to me. In backends like LLVM, the things that throw are not always the same as when generating JS neither.

Being specific in the interpreter about guessing whether the serialized form can throw or not seems problematic.

[hermanventer]

Rather put this condition into a helper function named something like "operationMustBeTemporal".

[sb98052]

I've deferred this to the refactoring in #2489.

[hermanventer]

There is a logic inversion that needs fixing and testing. There is also a commented out invariant that needs to be uncommented or deleted.

[hermanventer]

I'm still a little bit disturbed by this. If one of the arguments is temporal, then moving the operation to point where the current path conditions do not apply may be safe, but it seems hardly desirable.

In essence, any operation over temporal values should result in a temporal value, as a rule, except for a few specific cases that are well documented.

[sb98052]

I'm going to enforce this protocol in a follow up PR that addresses #2489. Doing so will involve auditing uses of all of the abstract value factory methods.

[hermanventer]

This logic seems the inverse of what you intend. This seems to call for an additional test case.

[sb98052]

It was inverted. On the other hand, it is not obvious to me that InternalJSONClone can create the particular conditions that this PR is trying to fix. So I have dropped this check for now, and will audit in a follow up request.

[hermanventer]

Why is this commented out?

[sb98052]

Thanks, I should have emphasized that the implementation is work in progress. I am yet to audit all of the paths that lead to this invariant.

[trueadm]

Is this PR still active? Seems you addressed most of these issues in other PRs?