From: Sergey Kaplun via Tarantool-patches <tarantool-patches@dev.tarantool.org>
To: Sergey Bronnikov <sergeyb@tarantool.org>
Cc: tarantool-patches@dev.tarantool.org
Subject: [Tarantool-patches] [PATCH luajit] Invalidate SCEV entry when returning to lower frame.
Date: Thu, 4 Sep 2025 12:58:19 +0300 [thread overview]
Message-ID: <20250904095819.6791-1-skaplun@tarantool.org> (raw)
From: Mike Pall <mike>
Thanks to Zhongwei Yao.
(cherry picked from commit 65c849390702b1150d52e64db86cbc6b3c98413e)
When returning to the lower frame, LuaJIT does not clear the Scalar
Evolution analysis entry. Hence, this may lead to its invalid usage in
the next function called if the IR references match. The further
analysis is invalid and may lead to the assertion failure.
This patch invalidates the ScEv entry IR reference index when returning
to the lower frame.
Sergey Kaplun:
* added the description and the test for the problem
Part of tarantool/tarantool#11691
---
Branch: https://github.com/tarantool/luajit/tree/skaplun/lj-1115-invalid-scev-entry-lower-frame
Related issues:
* https://github.com/LuaJIT/LuaJIT/pull/1115
* https://github.com/tarantool/tarantool/issues/11691
src/lj_record.c | 1 +
...15-invalid-scev-entry-lower-frame.test.lua | 69 +++++++++++++++++++
2 files changed, 70 insertions(+)
create mode 100644 test/tarantool-tests/lj-1115-invalid-scev-entry-lower-frame.test.lua
diff --git a/src/lj_record.c b/src/lj_record.c
index 1dd22dac..ba409a61 100644
--- a/src/lj_record.c
+++ b/src/lj_record.c
@@ -898,6 +898,7 @@ void lj_record_ret(jit_State *J, BCReg rbase, ptrdiff_t gotresults)
emitir(IRTG(IR_RETF, IRT_PGC), trpt, trpc);
J->retdepth++;
J->needsnap = 1;
+ J->scev.idx = REF_NIL;
lj_assertJ(J->baseslot == 1+LJ_FR2, "bad baseslot for return");
/* Shift result slots up and clear the slots of the new frame below. */
memmove(J->base + cbase, J->base-1-LJ_FR2, sizeof(TRef)*nresults);
diff --git a/test/tarantool-tests/lj-1115-invalid-scev-entry-lower-frame.test.lua b/test/tarantool-tests/lj-1115-invalid-scev-entry-lower-frame.test.lua
new file mode 100644
index 00000000..47bc87ae
--- /dev/null
+++ b/test/tarantool-tests/lj-1115-invalid-scev-entry-lower-frame.test.lua
@@ -0,0 +1,69 @@
+local tap = require('tap')
+
+-- Test file to demonstrate LuaJIT's incorrect Scalar Evolution
+-- analysis for recording of return to a lower frame.
+-- See also: https://github.com/LuaJIT/LuaJIT/pull/1115.
+local test = tap.test('lj-1115-invalid-scev-entry-lower-frame'):skipcond({
+ ['Test requires JIT enabled'] = not jit.status(),
+})
+
+test:plan(1)
+
+local HOTLOOP = 1
+local HOTEXIT = 1
+local RECORD_IDX = HOTLOOP + 1
+-- Number of iterations to start recording side trace with two
+-- iterations in the cycle.
+local NITER = RECORD_IDX + HOTEXIT + 2
+
+local function test_function(tab)
+ -- XXX: For reproducing the issue, it is necessary to avoid
+ -- UGET. Local functions use MOV and take the same IR slots.
+ local function trace_root(data)
+ -- Start of the trace, setup ScEv entry.
+ for i = 1, #data - 1 do
+ -- Start of the side trace by the hmask check.
+ if data[i].t == 'a' then
+ return i + 1
+ end
+ end
+ -- Unreachable in this test.
+ return nil
+ end
+
+ local function other_scev(data, start)
+ for i = start, #data - 1 do
+ -- The ScEv entry matches the recorded IR from the parent
+ -- trace before the patch. It leads to the assertion
+ -- failure.
+ if data[i].t == 'a' then
+ return
+ end
+ end
+ end
+
+ -- Record the root trace first. Then record the side trace
+ -- returning to the lower frame (this function).
+ local start = trace_root(tab)
+ -- The ScEv entry is invalid after the return to the lower
+ -- frame. Record the trace with another range in the ScEv entry
+ -- to obtain the error.
+ return start, other_scev(tab, start)
+end
+
+local data = {}
+for i = 1, NITER do
+ data[#data + 1] = {t = 'a' .. i}
+end
+
+-- Change the hmask value to start the side trace recording.
+data[RECORD_IDX] = {}
+-- Setup for the trace's return to the lower frame.
+data[NITER - 2] = {t = 'a'}
+
+jit.opt.start('hotloop=' .. HOTLOOP, 'hotexit=' .. HOTEXIT)
+
+test_function(data)
+
+test:ok(true, 'correct ScEv entry invalidation for return to a lower frame')
+test:done(true)
--
2.51.0
reply other threads:[~2025-09-04 9:57 UTC|newest]
Thread overview: [no followups] expand[flat|nested] mbox.gz Atom feed
Reply instructions:
You may reply publicly to this message via plain-text email
using any one of the following methods:
* Save the following mbox file, import it into your mail client,
and reply-to-all from there: mbox
Avoid top-posting and favor interleaved quoting:
https://en.wikipedia.org/wiki/Posting_style#Interleaved_style
* Reply using the --to, --cc, and --in-reply-to
switches of git-send-email(1):
git send-email \
--in-reply-to=20250904095819.6791-1-skaplun@tarantool.org \
--to=tarantool-patches@dev.tarantool.org \
--cc=sergeyb@tarantool.org \
--cc=skaplun@tarantool.org \
--subject='Re: [Tarantool-patches] [PATCH luajit] Invalidate SCEV entry when returning to lower frame.' \
/path/to/YOUR_REPLY
https://kernel.org/pub/software/scm/git/docs/git-send-email.html
* If your mail client supports setting the In-Reply-To header
via mailto: links, try the mailto: link
This is a public inbox, see mirroring instructions
for how to clone and mirror all data and code used for this inbox