Backporting LuaJIT upstream commits part 5 #8825

Buristan · 2023-06-29T16:05:54Z

This ticket is an umbrella for all commits we planning to back-port in the next Q.
This list includes commits excluded from #8516 and may be updated later with some new.

general + x86/x64:

Refactoring and irrelevant (for Tarantool) patches required for backporintg "Fix pow inconsistencies" epic:

Fix pow inconsistencies:

b2307c8a Remove pow() splitting and cleanup backends.
8ae5170c Improve assertions. (depends on pow() splitting b2307c8a)
9512d5c1 Fix pow() optimization inconsistencies.
96d6d503 Revert to trival pow() optimizations to prevent inaccuracies.

Other:

72efc42e MIPS: Fix "bad FP FLOAD" assertion.

Analyzed by Sergey Kaplun. (cherry-picked from commit 94ada59) While recording BC_VARG `J->maxslot` isn't shrunk to the effective stack top. This leads to dead value stored in the JIT slots and the following assertion failure for these slots check in `rec_check_slots()`. Note, that `rec_varg()` modifies `maxslot` only under the condition that `maxslot` should be increased, but the dead values are left for the opposite case. This patch removes the condition inside `rec_varg()` only for the case when varargs are not defined on trace (`framedepth` is 0), but the similar issue still occurs for the case when vararg are defined on the trace. Sergey Kaplun: * added the description and the test for the problem Part of tarantool/tarantool#8825

Analyzed by Sergey Kaplun. (cherry-picked from commit a01cba9) This patch is the follow-up for the previous one. It removes the condition for `maxslot` changing in the case when varargs are defined on the trace (i.e. `framedepth` > 0). Sergey Kaplun: * added the description and the test for the problem Part of tarantool/tarantool#8825

Thanks to Alex Shpilkin. (cherry-picked from commit 56c04ac) As stated here[1], only the first field of a union can be initialized with a flat initializer. However, before this patch, on-trace initialization instructions were emitted for other union members too, overwriting the previous initialization values. This patch fixes the mentioned behavior by preventing initialization of members other than the first one. [1]: https://luajit.org/ext_ffi_semantics.html#init Maxim Kokryashkin: * added the description and the test for the problem Part of tarantool/tarantool#8825

* Fix BC_UCLO insertion for returns. Part of tarantool#8825 NO_DOC=LuaJIT submodule bump NO_TEST=LuaJIT submodule bump NO_CHANGELOG=LuaJIT submodule bump

An unused guarded CONV int.num cannot be omitted in general. (cherry-picked from commit 881d02d) In some cases, an unused `CONV` omission may lead to a guard absence, resulting in invalid control flow branching and undefined behavior. For a comprehensive example of the described situation, please refer to the comment in `test/tarantool-tests/mark-conv-non-weak.test.lua`. Maxim Kokryashkin: * added the description and the test for the problem Part of tarantool/tarantool#8825

Mark CONV as non-weak, to prevent elimination of its side-effect. Part of tarantool#8825 NO_DOC=LuaJIT bump NO_TEST=LuaJIT bump

* Fix BC_UCLO insertion for returns. Part of tarantool#8825 NO_DOC=LuaJIT submodule bump NO_TEST=LuaJIT submodule bump NO_CHANGELOG=LuaJIT submodule bump

Thanks to Alex Shpilkin. (cherry-picked from commit 56c04ac) As stated here[1], only the first field of a union can be initialized with a flat initializer. However, before this patch, on-trace initialization instructions were emitted for other union members too, overwriting the previous initialization values. This patch fixes the mentioned behavior by preventing initialization of members other than the first one. [1]: https://luajit.org/ext_ffi_semantics.html#init Maxim Kokryashkin: * added the description and the test for the problem Part of tarantool/tarantool#8825

Analyzed by Sergey Kaplun. (cherry-picked from commit 94ada59) While recording BC_VARG `J->maxslot` isn't shrunk to the effective stack top. This leads to dead values stored in the JIT slots and the following assertion failure for these slots check in `rec_check_slots()`. Note, that `rec_varg()` modifies `maxslot` only under the condition that `maxslot` should be increased, but the dead values are left for the opposite case. This patch removes the condition inside `rec_varg()` only for the case when varargs are not defined on trace (`framedepth` is 0), but the similar issue still occurs for the case when varargs are defined on the trace. Sergey Kaplun: * added the description and the test for the problem Part of tarantool/tarantool#8825

Analyzed by Sergey Kaplun. (cherry-picked from commit a01cba9) This patch is a follow-up to the previous one. It removes the condition for `maxslot` changing in the case when varargs are defined on the trace (i.e. `framedepth` > 0). Sergey Kaplun: * added the description and the test for the problem Part of tarantool/tarantool#8825

Contributed by XmiliaH. (cherry-picked from commit 93a65d3) Patch fixes a problem when LuaJIT generates a wrong bytecode with a missed BC_UCLO instruction. When some of BC_RET bytecode instructions are not fixup-ed, due to an early return, if UCLO is obtained before, those leads to VM inconsistency after return from the function. Patch makes the following changes in bytecode (thats it, emits extra BC_UCLO instruction that closes upvalues): @@ -11,11 +11,12 @@ 0006 => LOOP 1 => 0012 0007 ISF 0 0008 JMP 1 => 0010 -0009 RET1 0 2 +0009 UCLO 0 => 0014 0010 => FNEW 0 0 ; uclo.lua:56 0011 JMP 1 => 0006 0012 => UCLO 0 => 0001 0013 => RET0 0 1 +0014 => RET1 0 2 NOTE: After emitting the bytecode instruction BC_FNEW fixup is not required, because FuncState will set a flag PROTO_CHILD that will trigger emitting a pair of instructions BC_UCLO and BC_RET (see <src/lj_parse.c:2355>) and BC_RET will close all upvalues from a base equal to 0. JIT compilation of missing_uclo() function without a patch with fix is failed: src/lj_record.c:135: rec_check_slots: Assertion `((((((tr))>>24) & IRT_TYPE) - (TRef)(IRT_NUM) <= (TRef)(IRT_INT-IRT_NUM)))' failed. (Thanks to Sergey Kaplun for discovering this!) Thus second testcase in a test covers a case with compilation as well. Sergey Bronnikov: * added the description and the test for the problem Part of tarantool/tarantool#8825 Signed-off-by: Sergey Bronnikov <sergeyb@tarantool.org> Co-authored-by: Sergey Kaplun <skaplun@tarantool.org>

Contributed by XmiliaH. (cherry-picked from commit 93a65d3) Patch fixes a problem when LuaJIT generates a wrong bytecode with a missed BC_UCLO instruction. When some of BC_RET bytecode instructions are not fixup-ed, due to an early return, if UCLO is obtained before, those leads to VM inconsistency after return from the function. Patch makes the following changes in bytecode (thats it, emits extra BC_UCLO instruction that closes upvalues): @@ -11,11 +11,12 @@ 0006 => LOOP 1 => 0012 0007 ISF 0 0008 JMP 1 => 0010 -0009 RET1 0 2 +0009 UCLO 0 => 0014 0010 => FNEW 0 0 ; uclo.lua:56 0011 JMP 1 => 0006 0012 => UCLO 0 => 0001 0013 => RET0 0 1 +0014 => RET1 0 2 NOTE: After emitting the bytecode instruction BC_FNEW fixup is not required, because FuncState will set a flag PROTO_CHILD that will trigger emitting a pair of instructions BC_UCLO and BC_RET (see <src/lj_parse.c:2355>) and BC_RET will close all upvalues from a base equal to 0. JIT compilation of missing_uclo() function without a patch with fix is failed: src/lj_record.c:135: rec_check_slots: Assertion `((((((tr))>>24) & IRT_TYPE) - (TRef)(IRT_NUM) <= (TRef)(IRT_INT-IRT_NUM)))' failed. (Thanks to Sergey Kaplun for discovering this!) Thus second testcase in a test covers a case with compilation as well. Sergey Bronnikov: * added the description and the test for the problem Part of tarantool/tarantool#8825 Signed-off-by: Sergey Bronnikov <sergeyb@tarantool.org> Co-developed-by: Sergey Kaplun <skaplun@tarantool.org>

Contributed by XmiliaH. (cherry-picked from commit 93a65d3) Patch fixes a problem when LuaJIT generates a wrong bytecode with a missed BC_UCLO instruction. When some of BC_RET bytecode instructions are not fixup-ed, due to an early return, if UCLO is obtained before, those leads to VM inconsistency after return from the function. Patch makes the following changes in bytecode (thats it, emits extra BC_UCLO instruction that closes upvalues): @@ -11,11 +11,12 @@ 0006 => LOOP 1 => 0012 0007 ISF 0 0008 JMP 1 => 0010 -0009 RET1 0 2 +0009 UCLO 0 => 0014 0010 => FNEW 0 0 ; uclo.lua:56 0011 JMP 1 => 0006 0012 => UCLO 0 => 0001 0013 => RET0 0 1 +0014 => RET1 0 2 NOTE: After emitting the bytecode instruction BC_FNEW fixup is not required, because FuncState will set a flag PROTO_CHILD that will trigger emitting a pair of instructions BC_UCLO and BC_RET (see <src/lj_parse.c:2355>) and BC_RET will close all upvalues from a base equal to 0. JIT compilation of missing_uclo() function without a patch with fix is failed: src/lj_record.c:135: rec_check_slots: Assertion `((((((tr))>>24) & IRT_TYPE) - (TRef)(IRT_NUM) <= (TRef)(IRT_INT-IRT_NUM)))' failed. (Thanks to Sergey Kaplun for discovering this!) Thus second testcase in a test covers a case with compilation as well. Sergey Bronnikov: * added the description and the test for the problem Part of tarantool/tarantool#8825 Signed-off-by: Sergey Bronnikov <sergeyb@tarantool.org>

Contributed by XmiliaH. (cherry-picked from commit 93a65d3) Patch fixes a problem when LuaJIT generates a wrong bytecode with a missed BC_UCLO instruction. When some of BC_RET bytecode instructions are not fixup-ed, due to an early return, if UCLO is obtained before, those leads to VM inconsistency after return from the function. Patch makes the following changes in bytecode (thats it, emits extra BC_UCLO instruction that closes upvalues): @@ -11,11 +11,12 @@ 0006 => LOOP 1 => 0012 0007 ISF 0 0008 JMP 1 => 0010 -0009 RET1 0 2 +0009 UCLO 0 => 0014 0010 => FNEW 0 0 ; uclo.lua:56 0011 JMP 1 => 0006 0012 => UCLO 0 => 0001 0013 => RET0 0 1 +0014 => RET1 0 2 NOTE: After emitting the bytecode instruction BC_FNEW fixup is not required, because FuncState will set a flag PROTO_CHILD that will trigger emitting a pair of instructions BC_UCLO and BC_RET (see <src/lj_parse.c:2355>) and BC_RET will close all upvalues from a base equal to 0. JIT compilation of missing_uclo() function without a patch with fix is failed: src/lj_record.c:135: rec_check_slots: Assertion `((((((tr))>>24) & IRT_TYPE) - (TRef)(IRT_NUM) <= (TRef)(IRT_INT-IRT_NUM)))' failed. (Thanks to Sergey Kaplun for discovering this!) Thus second testcase in a test covers a case with compilation as well. Sergey Bronnikov: * added the description and the test for the problem Part of tarantool/tarantool#8825 Helped-by: Sergey Kaplun <skaplun@tarantool.org> Signed-off-by: Sergey Bronnikov <sergeyb@tarantool.org>

Contributed by XmiliaH. (cherry-picked from commit 93a65d3) Patch fixes a problem when LuaJIT generates a wrong bytecode with a missed BC_UCLO instruction. When some of BC_RET bytecode instructions are not fixup-ed, due to an early return, if UCLO is obtained before, those leads to VM inconsistency after return from the function. Patch makes the following changes in bytecode (thats it, emits extra BC_UCLO instruction that closes upvalues): @@ -11,11 +11,12 @@ 0006 => LOOP 1 => 0012 0007 ISF 0 0008 JMP 1 => 0010 -0009 RET1 0 2 +0009 UCLO 0 => 0014 0010 => FNEW 0 0 ; uclo.lua:56 0011 JMP 1 => 0006 0012 => UCLO 0 => 0001 0013 => RET0 0 1 +0014 => RET1 0 2 NOTE: After emitting the bytecode instruction BC_FNEW fixup is not required, because FuncState will set a flag PROTO_CHILD that will trigger emitting a pair of instructions BC_UCLO and BC_RET (see <src/lj_parse.c:2355>) and BC_RET will close all upvalues from a base equal to 0. JIT compilation of missing_uclo() function without a patch with fix is failed: src/lj_record.c:135: rec_check_slots: Assertion `((((((tr))>>24) & IRT_TYPE) - (TRef)(IRT_NUM) <= (TRef)(IRT_INT-IRT_NUM)))' failed. (Thanks to Sergey Kaplun for discovering this!) Thus second testcase in a test covers a case with compilation as well. Sergey Bronnikov: * added the description and the test for the problem Part of tarantool/tarantool#8825 Helped-by: Sergey Kaplun <skaplun@tarantool.org> Signed-off-by: Sergey Bronnikov <sergeyb@tarantool.org> Reviewed-by: Maxim Kokryashkin <m.kokryashkin@tarantool.org> Reviewed-by: Sergey Kaplun <skaplun@tarantool.org> Signed-off-by: Igor Munkin <imun@tarantool.org>

Contributed by XmiliaH. (cherry-picked from commit 93a65d3) Patch fixes a problem when LuaJIT generates a wrong bytecode with a missed BC_UCLO instruction. When some of BC_RET bytecode instructions are not fixup-ed, due to an early return, if UCLO is obtained before, those leads to VM inconsistency after return from the function. Patch makes the following changes in bytecode (thats it, emits extra BC_UCLO instruction that closes upvalues): @@ -11,11 +11,12 @@ 0006 => LOOP 1 => 0012 0007 ISF 0 0008 JMP 1 => 0010 -0009 RET1 0 2 +0009 UCLO 0 => 0014 0010 => FNEW 0 0 ; uclo.lua:56 0011 JMP 1 => 0006 0012 => UCLO 0 => 0001 0013 => RET0 0 1 +0014 => RET1 0 2 NOTE: After emitting the bytecode instruction BC_FNEW fixup is not required, because FuncState will set a flag PROTO_CHILD that will trigger emitting a pair of instructions BC_UCLO and BC_RET (see <src/lj_parse.c:2355>) and BC_RET will close all upvalues from a base equal to 0. JIT compilation of missing_uclo() function without a patch with fix is failed: src/lj_record.c:135: rec_check_slots: Assertion `((((((tr))>>24) & IRT_TYPE) - (TRef)(IRT_NUM) <= (TRef)(IRT_INT-IRT_NUM)))' failed. (Thanks to Sergey Kaplun for discovering this!) Thus second testcase in a test covers a case with compilation as well. Sergey Bronnikov: * added the description and the test for the problem Part of tarantool/tarantool#8825 Helped-by: Sergey Kaplun <skaplun@tarantool.org> Signed-off-by: Sergey Bronnikov <sergeyb@tarantool.org> Reviewed-by: Maxim Kokryashkin <m.kokryashkin@tarantool.org> Reviewed-by: Sergey Kaplun <skaplun@tarantool.org> Signed-off-by: Igor Munkin <imun@tarantool.org> (cherry picked from commit 47f5383)

Thanks to Alex Shpilkin. (cherry-picked from commit 56c04ac) As stated here[1], only the first field of a union can be initialized with a flat initializer. However, before this patch, on-trace initialization instructions were emitted for other union members too, overwriting the previous initialization values. This patch fixes the mentioned behavior by preventing initialization of members other than the first one. [1]: https://luajit.org/ext_ffi_semantics.html#init Maxim Kokryashkin: * added the description and the test for the problem Part of tarantool/tarantool#8825

An unused guarded CONV int.num cannot be omitted in general. (cherry-picked from commit 881d02d) In some cases, an unused `CONV int.num` omission in `DUALNUM` mode may lead to a guard absence, resulting in invalid control flow branching and undefined behavior. For a comprehensive example of the described situation, please refer to the comment in `test/tarantool-tests/mark-conv-non-weak.test.lua`. Maxim Kokryashkin: * added the description and the test for the problem Part of tarantool/tarantool#8825

Mark CONV as non-weak, to prevent elimination of its side-effect. Part of tarantool#8825 NO_DOC=LuaJIT bump NO_TEST=LuaJIT bump

Analyzed by Sergey Kaplun. (cherry-picked from commit 94ada59) While recording BC_VARG `J->maxslot` isn't shrunk to the effective stack top. This leads to dead values stored in the JIT slots and the following assertion failure for these slots check in `rec_check_slots()`. Note, that `rec_varg()` modifies `maxslot` only under the condition that `maxslot` should be increased, but the dead values are left for the opposite case. This patch removes the condition inside `rec_varg()` only for the case when varargs are not defined on trace (`framedepth` is 0), but the similar issue still occurs for the case when varargs are defined on the trace. Sergey Kaplun: * added the description and the test for the problem Part of tarantool/tarantool#8825

Analyzed by Sergey Kaplun. (cherry-picked from commit a01cba9) This patch is a follow-up to the previous one. It removes the condition for `maxslot` changing in the case when varargs are defined on the trace (i.e. `framedepth` > 0). Sergey Kaplun: * added the description and the test for the problem Part of tarantool/tarantool#8825

Analyzed by Sergey Kaplun. (cherry-picked from commit 94ada59) While recording BC_VARG `J->maxslot` isn't shrunk to the effective stack top. This leads to dead values stored in the JIT slots and the following assertion failure for these slots check in `rec_check_slots()`. Note, that `rec_varg()` modifies `maxslot` only under the condition that `maxslot` should be increased, but the dead values are left for the opposite case. This patch removes the condition inside `rec_varg()` only for the case when varargs are not defined on trace (`framedepth` is 0), but the similar issue still occurs for the case when varargs are defined on the trace. Sergey Kaplun: * added the description and the test for the problem Part of tarantool/tarantool#8825

* test: fix fix-mips64-spare-side-exit-patching * test: fix `fillmcode()` generator helper * MIPS: Fix "bad FP FLOAD" assertion. * Handle table unsinking in the presence of IRFL_TAB_NOMM. * Fix handling of instable types in TNEW/TDUP load forwarding. * Fix predict_next() in parser (again). * Always exit after machine code page protection change fails. Part of #8825 NO_DOC=LuaJIT submodule bump NO_TEST=LuaJIT submodule bump

Reported by Arseny Vakhrushev. Fix contributed by Peter Cawley. As specified in the comment in `lj_record_stop`, all loops must set `J->pc` to the next instruction. However, the chunk of logic in `lj_trace_exit` expects it to be set to `BC_JLOOP` itself if it used to be a `BC_RET`. This wrong pc results in the execution of random data that goes after `BC_JLOOP` in the case of restoration from the snapshot. This patch fixes that behavior by adapting the loop recording logic to this specific case. Maxim Kokryashkin: * added the description and the test for the problem Part of tarantool/tarantool#8825

Fix snapshot PC when linking to BC_JLOOP that was a BC_RET*. Part of tarantool#8825 NO_DOC=LuaJIT bump NO_TEST=LuaJIT bump

Reported by Mathias Westerdahl. (cherry picked from commit 633f265) Lua 5.1 Reference Manual [1] defines a function `lua_concat`, that: > void lua_concat (lua_State *L, int n); > > Concatenates the n values at the top of the stack, pops them, and leaves > the result at the top. Without the patch `lua_concat()` behaved incorrectly with userdata with defined `__concat` metamethod. The problem is GC64-specific. Assuming we have three literals and a userdata with defined "__concat" metamethod on top of the Lua stack: 1 [string] 2 [string] 3 [string] 4 [string] 5 [userdata] <--- top On attempt to concatenate *two* items on top of the Lua stack, `lua_concat()` concatenates *four* items and leaves result on the top: 1 [string] 2 [string][string][string][userdata] <--- top The problem is in incorrect calculation of `n` counter in the loop in implementation of function `lua_concat`. Without the fix `n` is equal to 3 at the end of the first iteration and therefore it goes to the next iteration of concatenation. In the fixed implementation of `lua_concat()` `n` is equal to 1 at the end of the first loop iteration, decremented in a loop postcondition and breaks the loop. The patch fixes incorrect behaviour. 1. https://www.lua.org/manual/5.1/manual.html Sergey Bronnikov: * added the description and the test for the problem Part of tarantool/tarantool#8825