On 15 Dec 2022, at 13:13, Sergey Kaplun <skaplun@tarantool.org> wrote:
Hi, Sergos!Thanks for the review!On 14.12.22, sergos wrote:Hi!
Thanks for the patch!
Some addition to Max’s comments. And a question on the test.
Sergos
On 8 Dec 2022, at 08:46, Sergey Kaplun <skaplun@tarantool.org> wrote:
From: Mike Pall <mike>
Contributed by Peter Cawley.
(cherry picked from commit b4ed3219a1a98dd9fe7d1e3eeea3b82f5a780948)
When emitting `IR_HREF` for constant value to lookup the `ir_khash()`
an ^^^
perhaps just ‘for a constant value lokup’?
function is used to calculate hash for the corresponding object.
This calculation must be the same as in the corresponding `hashkey()`
function from <lj_tab.c>.
Hash calculating via passing two arguments `lo`, and `hi` to `hashrot()`
the
routine. For non-string GC objects the first `lo` argument is the same
for GC64 and not GC64 mode -- lower 32 bits of the object address. For
GC64 mode `hi` argument is upper 32 bits of the object address,
including specific type NaN-tag. This `hi` argument in `ir_khash()`
a
function is miscalculated in GC64 using non-GC64 value (`lo` +
mode a
`HASH_BIAS`). As a result, the hash for the GC object is miscalculated
on trace and we exit from trace due to assertion guard on the type or
the an
value check.
This patch fixes calculation of hash value on trace for GC64 mode by
making it consistent with `hashkey()`.
the
Fixed your comments.The new commit message is the following:| LJ_GC64: Fix ir_khash for non-string GCobj.|| Contributed by Peter Cawley.|| (cherry picked from commit b4ed3219a1a98dd9fe7d1e3eeea3b82f5a780948)|| When emitting the `IR_HREF` for a constant value lookup the `ir_khash()`| function is used to calculate the hash for the corresponding object.| This calculation must be the same as in the corresponding `hashkey()`| function from <lj_tab.c>.|| Hash is calculated by passing two arguments `lo`, and `hi` to the| `hashrot()` routine. For non-string GC objects the first `lo` argument| is the same for GC64 and not GC64 mode -- lower 32 bits of the object| address. For GC64 mode `hi` argument is upper 32 bits of the object| address, including a specific type NaN-tag. This `hi` argument in| `ir_khash()` function is miscalculated in GC64 mode using a non-GC64| value (`lo` + `HASH_BIAS`). As a result, the hash for the GC object is| miscalculated on trace and we exit from the trace due to an assertion| guard on the type or value check.|| This patch fixes calculation of the hash value on trace for GC64 mode by| making it consistent with the `hashkey()`.|| Sergey Kaplun:| * added the description and the test for the problem|| Part of tarantool/tarantool#7230Sergey Kaplun:
* added the description and the test for the problem
Part of tarantool/tarantool#7230
---
Branch: https://github.com/tarantool/luajit/tree/skaplun/lj-356-ir-khash-non-string-obj-full-ci
Issue/PR:
* https://github.com/tarantool/tarantool/issues/7230
* https://github.com/LuaJIT/LuaJIT/pull/356
Tarantool PR: https://github.com/tarantool/tarantool/pull/8020
Side note: Problems with red fuzzer jobs look irrelevant to the patch.
<snipped>diff --git a/test/tarantool-tests/lj-356-ir-khash-non-string-obj.test.lua b/test/tarantool-tests/lj-356-ir-khash-non-string-obj.test.lua
new file mode 100644
index 00000000..fff0b1a5
--- /dev/null
+++ b/test/tarantool-tests/lj-356-ir-khash-non-string-obj.test.lua
@@ -0,0 +1,90 @@
+local tap = require('tap')
+local traceinfo = require('jit.util').traceinfo
+local table_new = require('table.new')
+
+-- Test file to demonstrate the incorrect GC64 JIT behaviour
+-- for `IR_HREF` for on-trace-constant key lookup.
of an an
+-- See also https://github.com/LuaJIT/LuaJIT/pull/356.
+local test = tap.test('lj-356-ir-khash-non-string-obj')
+local N_ITERATIONS = 4
+
+-- Amount of iteration for trace compilation and execution and
+-- additional check, that there is no new trace compiled.
+test:plan(N_ITERATIONS + 1)
+
+-- To reproduce the issue we need to compile a trace with
+-- `IR_HREF`, with a lookup of constant hash key GC value. To
+-- prevent `IR_HREFK` to be emitted instead, we need a table with
an `IR_HREFK` emission
Side note: I'm not sure about "emission" corectness here, so ignoringthis part.I've fixed the rest of your comments, see the iterative patch below.===================================================================diff --git a/test/tarantool-tests/lj-356-ir-khash-non-string-obj.test.lua b/test/tarantool-tests/lj-356-ir-khash-non-string-obj.test.luaindex fff0b1a5..7f304183 100644--- a/test/tarantool-tests/lj-356-ir-khash-non-string-obj.test.lua+++ b/test/tarantool-tests/lj-356-ir-khash-non-string-obj.test.lua@@ -3,7 +3,7 @@ local traceinfo = require('jit.util').traceinfolocal table_new = require('table.new')-- Test file to demonstrate the incorrect GC64 JIT behaviour--- for `IR_HREF` for on-trace-constant key lookup.+-- of an `IR_HREF` for the on-trace-constant key lookup.-- See also https://github.com/LuaJIT/LuaJIT/pull/356.local test = tap.test('lj-356-ir-khash-non-string-obj')local N_ITERATIONS = 4@@ -14,10 +14,10 @@ test:plan(N_ITERATIONS + 1)-- To reproduce the issue we need to compile a trace with-- `IR_HREF`, with a lookup of constant hash key GC value. To--- prevent `IR_HREFK` to be emitted instead, we need a table with--- a huge hash part. Delta of address between the start of the--- hash part of the table and the current node to lookup must be--- more than `(1024 * 64 - 1) * sizeof(Node)`.+-- prevent an `IR_HREFK` to be emitted instead, we need a table+-- with a huge hash part. Delta of address between the start of+-- the hash part of the table and the current node to lookup must+-- be more than `(1024 * 64 - 1) * sizeof(Node)`.-- See <src/lj_record.c>, for details.-- XXX: This constant is well suited to prevent test to be flaky,-- because the aforementioned delta is always large enough.@@ -36,8 +36,8 @@ end-- exiting the main test cycle.jit.opt.start('hotloop=1')--- Prevent `get_const_cdata()` become hot and be compiled before--- the main test cycle.+-- Prevent `get_const_cdata()` from becoming hot and being+-- compiled before the main test cycle.jit.off()filled_tab[get_const_cdata()] = MAGIC@@ -46,10 +46,10 @@ filled_tab[get_const_cdata()] = MAGICjit.on()-- Filling-up the table with GC values to minimize the amount of--- hash collisions and increases delta between the start of the+-- hash collisions and increase delta between the start of the-- hash part of the table and currently stored node.-for i = 1, N_HASH_FIELDS do- filled_tab[1LL] = i+for _ = 1, N_HASH_FIELDS do+ filled_tab[1LL] = 1end-- Prevent JIT misbehaviour before the main test chunk.===================================================================
+-- a huge hash part. Delta of address between the start of the
+-- hash part of the table and the current node to lookup must be
+-- more than `(1024 * 64 - 1) * sizeof(Node)`.
+-- See <src/lj_record.c>, for details.
+-- XXX: This constant is well suited to prevent test to be flaky,
+-- because the aforementioned delta is always large enough.
+local N_HASH_FIELDS = 1024 * 1024 * 8
+local MAGIC = 42
<snipped>+
+test:ok(not traceinfo(2), 'the second trace should not be compiled')
That’s not quite clear to me: a second trace generation is a side-effect
of the incorrect hash calculation. Is it always leads to the trace
generation?
How I see this for now. There are two possibilities, when theaforementioned hash is miscalculated:1) We got `nil` value on a trace to lookup and we exit from the trace byassertion guard on the field type (the most possible one, AFAIKS).2) We got a value for some existing cdata after hash lookup, so we don'texit from a trace, but got an incorrect value by the given key. NB: I'veupdated the generation of the table content to avoid clashing with`MAGIC` value on the 42nd iteration :).So this test should cover both cases.
+
+-- No more need to prevent trace compilation.
+jit.on()
+
+for i = 1, N_ITERATIONS do
+ -- Check that that all lookups are correct and there is no
+ -- value from other cdata stored in the table.
+ test:ok(result_tab[i] == MAGIC, 'correct hash lookup from the table')
And this one checks what then? The hash is calculated correctly, but the value
read from the `filled_tab` is incorrect - what can lead to this?
+end
+
+os.exit(test:check() and 0 or 1)
--
2.34.1
-- Best regards,Sergey Kaplun