JIT: signed integer overflow and other fixes

Address CR comments.

Refactored IntMath classes to share common code and use builtins when
available.

Cleaned up signed integer overflow cases. Added build.sh --sanity=...
support to help future diagnostics. Turned off CLANG signed integer
overflow optimization with `-fwrapv` switch.

Fixed a ICU call bug (found in running Octane/typescript.js).

Implemented another AsmJs thunk. (called by Octane/zlib.js).

Synced to latest and fix merge errors.

Author: Jianchun Xu

CMakeLists.txt

@@ -253,7 +253,15 @@ if(CLR_CMAKE_PLATFORM_XPLAT)
     add_compile_options(
         -fasm-blocks
         -fms-extensions
+        -fwrapv                 # Treat signed integer overflow as two's complement
     )
+
+    # Clang -fsanitize.
+    if (CLANG_SANITIZE_SH)
+        set(CMAKE_CXX_FLAGS "${CMAKE_CXX_FLAGS} -fsanitize=${CLANG_SANITIZE_SH}")
+        set(CMAKE_CXX_LINK_FLAGS "${CMAKE_CXX_LINK_FLAGS} -fsanitize=${CLANG_SANITIZE_SH}")
+        unset(CLANG_SANITIZE_SH CACHE)      # don't cache
+    endif()
 endif(CLR_CMAKE_PLATFORM_XPLAT)
 
 if(CMAKE_BUILD_TYPE STREQUAL Debug)
@@ -286,16 +294,19 @@ if(CLR_CMAKE_PLATFORM_XPLAT)
    add_definitions(-DFEATURE_PAL)
 endif(CLR_CMAKE_PLATFORM_XPLAT)
 
-if(NO_JIT
+if(NO_JIT_SH
    OR CLR_CMAKE_PLATFORM_DARWIN)  # TODO: JIT for OSX
+    unset(NO_JIT_SH CACHE)      # don't cache
+    unset(BuildJIT CACHE)       # also clear it just in case
     add_definitions(-DDISABLE_JIT=1)
 else()
     set(BuildJIT 1)
 endif()
 
-if(WITHOUT_FEATURES)
-   add_definitions(${WITHOUT_FEATURES})
-endif(WITHOUT_FEATURES)
+if(WITHOUT_FEATURES_SH)
+    unset(WITHOUT_FEATURES_SH CACHE)    # don't cache
+    add_definitions(${WITHOUT_FEATURES_SH})
+endif(WITHOUT_FEATURES_SH)
 
 enable_language(ASM)
 

build.sh

@@ -42,6 +42,8 @@ PRINT_USAGE() {
     echo "      --xcode          Generate XCode project"
     echo "  -t, --test-build     Test build (by default Release build)"
     echo "      --static         Build as static library (by default shared library)"
+    echo "      --sanitize=CHECKS Build with clang -fsanitize checks,"
+    echo "                       e.g. undefined,signed-integer-overflow"
     echo "  -v, --verbose        Display verbose output including all options"
     echo "      --create-deb=V   Create .deb package with given V version"
     echo "      --without=FEATURE,FEATURE,..."
@@ -66,6 +68,7 @@ MULTICORE_BUILD=""
 NO_JIT=
 ICU_PATH="-DICU_SETTINGS_RESET=1"
 STATIC_LIBRARY="-DSHARED_LIBRARY_SH=1"
+SANITIZE=
 WITHOUT_FEATURES=""
 CREATE_DEB=0
 ARCH="-DCC_TARGETS_AMD64_SH=1"
@@ -194,7 +197,7 @@ while [[ $# -gt 0 ]]; do
         ;;
 
     --no-jit)
-        NO_JIT="-DNO_JIT=1"
+        NO_JIT="-DNO_JIT_SH=1"
         ;;
 
     --xcode)
@@ -211,13 +214,19 @@ while [[ $# -gt 0 ]]; do
         STATIC_LIBRARY="-DSTATIC_LIBRARY_SH=1"
         ;;
 
+    --sanitize=*)
+        SANITIZE=$1
+        SANITIZE=${SANITIZE:11}    # value after --sanitize=
+        SANITIZE="-DCLANG_SANITIZE_SH=${SANITIZE}"
+        ;;
+
     --without=*)
         FEATURES=$1
         FEATURES=${FEATURES:10}    # value after --without=
         for x in ${FEATURES//,/ }  # replace comma with space then split
         do
             if [[ "$WITHOUT_FEATURES" == "" ]]; then
-                WITHOUT_FEATURES="-DWITHOUT_FEATURES="
+                WITHOUT_FEATURES="-DWITHOUT_FEATURES_SH="
             else
                 WITHOUT_FEATURES="$WITHOUT_FEATURES;"
             fi
@@ -312,7 +321,8 @@ else
 fi
 
 echo Generating $BUILD_TYPE makefiles
-cmake $CMAKE_GEN $CC_PREFIX $ICU_PATH $STATIC_LIBRARY $ARCH -DCMAKE_BUILD_TYPE=$BUILD_TYPE $NO_JIT $WITHOUT_FEATURES ../..
+cmake $CMAKE_GEN $CC_PREFIX $ICU_PATH $STATIC_LIBRARY $ARCH \
+    -DCMAKE_BUILD_TYPE=$BUILD_TYPE $SANITIZE $NO_JIT $WITHOUT_FEATURES ../..
 
 _RET=$?
 if [[ $? == 0 ]]; then

lib/Backend/EhFrame.cpp

@@ -119,6 +119,8 @@ void EhFrame::Entry::Begin()
 
 void EhFrame::Entry::End()
 {
+    Assert(beginOffset != -1); // Must have called Begin()
+
     // padding
     size_t padding = (MachPtr - writer->Count() % MachPtr) % MachPtr;
     for (size_t i = 0; i < padding; i++)

lib/Backend/Func.cpp

@@ -1723,7 +1723,7 @@ IR::IndirOpnd * Func::GetConstantAddressIndirOpnd(intptr_t address, IR::AddrOpnd
     {
         Assert(regOpnd->m_sym->IsSingleDef());
         void * curr = regOpnd->m_sym->m_instrDef->GetSrc1()->AsAddrOpnd()->m_address;
-        ptrdiff_t diff = (intptr_t)address - (intptr_t)curr;
+        ptrdiff_t diff = (uintptr_t)address - (uintptr_t)curr;
         if (!Math::FitsInDWord(diff))
         {
             return false;

lib/Backend/GlobOpt.cpp

@@ -8480,7 +8480,7 @@ GlobOpt::PropagateIntRangeBinary(IR::Instr *instr, int32 min1, int32 max1,
         {
             // Turn values like 0x1010 into 0x1111
             max = 1 << Math::Log2(max);
-            max = (max << 1) - 1;
+            max = (uint32)(max << 1) - 1;
             min = 0;
         }
 
@@ -8566,7 +8566,7 @@ GlobOpt::PropagateIntRangeBinary(IR::Instr *instr, int32 min1, int32 max1,
                 if (max1)
                 {
                     max1 = 1 << Math::Log2(max1);
-                    max1 = (max1 << 1) - 1;
+                    max1 = (uint32)(max1 << 1) - 1;
                 }
 
                 if (max1 > 0)

lib/Backend/IntBounds.cpp

@@ -304,7 +304,8 @@ bool IntBounds::IsGreaterThanOrEqualTo(const int constantValue, const int consta
     if(offset == 1)
         return constantValue > constantBoundBase;
 
-    const int constantBound = constantBoundBase + offset;
+    // use unsigned to avoid signed int overflow
+    const int constantBound = (unsigned)constantBoundBase + (unsigned)offset;
     return
         offset >= 0
             ? constantBound >= constantBoundBase && constantValue >= constantBound
@@ -318,7 +319,8 @@ bool IntBounds::IsLessThanOrEqualTo(const int constantValue, const int constantB
     if(offset == -1)
         return constantValue < constantBoundBase;
 
-    const int constantBound = constantBoundBase + offset;
+    // use unsigned to avoid signed int overflow
+    const int constantBound = (unsigned)constantBoundBase + (unsigned)offset;
     return
         offset >= 0
             ? constantBound < constantBoundBase || constantValue <= constantBound

lib/Backend/IntConstantBounds.h

@@ -65,7 +65,7 @@ class IntConstantBounds
     IntConstantBounds And_0x1f() const
     {
         const int32 mask = 0x1f;
-        if(static_cast<UIntConstType>(upperBound - lowerBound) >= static_cast<UIntConstType>(mask) ||
+        if(static_cast<UIntConstType>(upperBound) - static_cast<UIntConstType>(lowerBound) >= static_cast<UIntConstType>(mask) ||
             (lowerBound & mask) > (upperBound & mask))
         {
             // The range contains all items in the set {0-mask}, or the range crosses a boundary of {0-mask}. Since we cannot

lib/Backend/Lower.cpp

@@ -254,7 +254,7 @@ Lowerer::LowerRange(IR::Instr *instrStart, IR::Instr *instrEnd, bool defaultDoFa
         case Js::OpCode::InvalCachedScope:
             this->LowerBinaryHelper(instr, IR::HelperOP_InvalidateCachedScope);
             break;
-        
+
         case Js::OpCode::InitCachedScope:
             instrPrev = this->LowerInitCachedScope(instr);
             break;
@@ -3166,7 +3166,7 @@ Lowerer::LoadOptimizationOverridesValueOpnd(IR::Instr *instr, OptimizationOverri
 
 IR::Opnd *
 Lowerer::LoadNumberAllocatorValueOpnd(IR::Instr *instr, NumberAllocatorValue valueType)
-{    
+{
     ScriptContextInfo *scriptContext = instr->m_func->GetScriptContextInfo();
     bool allowNativeCodeBumpAllocation = scriptContext->GetRecyclerAllowNativeCodeBumpAllocation();
 
@@ -3513,7 +3513,7 @@ Lowerer::LowerNewScObjectLiteral(IR::Instr *newObjInstr)
     propertyArrayOpnd = IR::AddrOpnd::New(propArrayAddr, IR::AddrOpndKindDynamicMisc, this->m_func);
 
     //#if 0 TODO: OOP JIT, obj literal types
-    // should pass in isShared bit through RPC, enable for in-proc jit to see perf impact    
+    // should pass in isShared bit through RPC, enable for in-proc jit to see perf impact
     Js::DynamicType * literalType = func->IsOOPJIT() || !CONFIG_FLAG(OOPJITMissingOpts) ? nullptr : *(Js::DynamicType **)literalTypeRef;
 
     if (literalType == nullptr || !literalType->GetIsShared())
@@ -6832,7 +6832,7 @@ Lowerer::GenerateStFldWithCachedType(IR::Instr *instrStFld, bool* continueAsHelp
 
     if (hasTypeCheckBailout)
     {
-        AssertMsg(PHASE_ON1(Js::ObjTypeSpecIsolatedFldOpsWithBailOutPhase) || !propertySymOpnd->IsTypeDead(), 
+        AssertMsg(PHASE_ON1(Js::ObjTypeSpecIsolatedFldOpsWithBailOutPhase) || !propertySymOpnd->IsTypeDead(),
             "Why does a field store have a type check bailout, if its type is dead?");
 
         if (instrStFld->GetBailOutInfo()->bailOutInstr != instrStFld)
@@ -8590,7 +8590,7 @@ Lowerer::LowerMemset(IR::Instr * instr, IR::RegOpnd * helperRet)
     m_lowererMD.LoadHelperArgument(instr, baseOpnd);
     m_lowererMD.ChangeToHelperCall(instr, helperMethod);
     dst->Free(m_func);
-    
+
     return instrPrev;
 }
 
@@ -8865,10 +8865,10 @@ Lowerer::GenerateFastBrBReturn(IR::Instr * instr)
     // TEST firstPrototypeOpnd, firstPrototypeOpnd
     // JNE $helper
     IR::RegOpnd * firstPrototypeOpnd = IR::RegOpnd::New(TyMachPtr, this->m_func);
-    InsertMove(firstPrototypeOpnd, 
+    InsertMove(firstPrototypeOpnd,
         IR::IndirOpnd::New(forInEnumeratorOpnd, Js::ForInObjectEnumerator::GetOffsetOfFirstPrototype(), TyMachPtr, this->m_func), instr);
     InsertTestBranch(firstPrototypeOpnd, firstPrototypeOpnd, Js::OpCode::BrNeq_A, labelHelper, instr);
-    
+
     // MOV currentEnumeratorOpnd, forInEnumerator->enumerator.currentEnumerator
     // TEST currentEnumeratorOpnd, currentEnumeratorOpnd
     // JNE $helper
@@ -8883,7 +8883,7 @@ Lowerer::GenerateFastBrBReturn(IR::Instr * instr)
     IR::RegOpnd * objectOpnd = IR::RegOpnd::New(TyMachPtr, this->m_func);
     InsertMove(objectOpnd,
         IR::IndirOpnd::New(forInEnumeratorOpnd, Js::ForInObjectEnumerator::GetOffsetOfEnumeratorObject(), TyMachPtr, this->m_func), instr);
-    InsertTestBranch(objectOpnd, objectOpnd, Js::OpCode::BrEq_A, labelHelper, instr);   
+    InsertTestBranch(objectOpnd, objectOpnd, Js::OpCode::BrEq_A, labelHelper, instr);
 
     // MOV initialTypeOpnd, forInEnumerator->enumerator.initialType
     // CMP initialTypeOpnd, objectOpnd->type
@@ -8907,7 +8907,7 @@ Lowerer::GenerateFastBrBReturn(IR::Instr * instr)
     InsertCompareBranch(enumeratedCountOpnd,
         IR::IndirOpnd::New(cachedDataOpnd, Js::DynamicObjectPropertyEnumerator::GetOffsetOfCachedDataCachedCount(), TyUint32, this->m_func),
         Js::OpCode::BrGe_A, labelHelper, instr);
-    
+
     // MOV propertyAttributesOpnd, cachedData->attributes
     // MOV objectPropertyAttributesOpnd, propertyAttributesOpnd[enumeratedCount]
     // CMP objectPropertyAttributesOpnd & PropertyEnumerable, PropertyEnumerable
@@ -8923,7 +8923,7 @@ Lowerer::GenerateFastBrBReturn(IR::Instr * instr)
 
     InsertCompareBranch(andPropertyEnumerableInstr->GetDst(), IR::IntConstOpnd::New(PropertyEnumerable, TyUint8, this->m_func),
         Js::OpCode::BrNeq_A, labelHelper, instr);
-    
+
     IR::Opnd * opndDst = instr->GetDst(); // ForIn result propertyString
     Assert(opndDst->IsRegOpnd());
 
@@ -9932,7 +9932,7 @@ Lowerer::LowerArgIn(IR::Instr *instrArgIn)
     // ...
     //     s2 = assign param2
     // $done:
-    
+
     AnalysisAssert(instrArgIn);
 
     IR::Opnd *restDst = nullptr;
@@ -10086,7 +10086,7 @@ Lowerer::LowerArgIn(IR::Instr *instrArgIn)
 
 
     BVSparse<JitArenaAllocator> *formalsBv = JitAnew(this->m_alloc, BVSparse<JitArenaAllocator>, this->m_alloc);
-    
+
     while (currArgInCount > 0)
     {
         dstOpnd = instrArgIn->GetDst();
@@ -10104,9 +10104,9 @@ Lowerer::LowerArgIn(IR::Instr *instrArgIn)
         //     BrEq_A $Ln-1
 
         currArgInCount--;
-        
+
         labelInitNext = IR::LabelInstr::New(Js::OpCode::Label, this->m_func);
-        
+
 
         // And insert the "normal" initialization before the "done" label
 
@@ -10206,7 +10206,7 @@ Lowerer::LowerArgIn(IR::Instr *instrArgIn)
         this->m_lowererMD.ChangeToAssign(instrArgIn);
     }
 
-	JitAdelete(this->m_alloc, formalsBv);
+    JitAdelete(this->m_alloc, formalsBv);
 
     return instrResume;
 }
@@ -10248,8 +10248,8 @@ Lowerer::LoadGeneratorObject(IR::Instr * instrInsert)
     instrInsert->m_func->SetArgOffset(generatorSym, LowererMD::GetFormalParamOffset() * MachPtr);
     IR::SymOpnd * generatorSymOpnd = IR::SymOpnd::New(generatorSym, TyMachPtr, instrInsert->m_func);
     IR::RegOpnd * generatorRegOpnd = IR::RegOpnd::New(TyMachPtr, instrInsert->m_func);
-	instrInsert->m_func->SetHasImplicitParamLoad();
-	return LowererMD::CreateAssign(generatorRegOpnd, generatorSymOpnd, instrInsert);
+    instrInsert->m_func->SetHasImplicitParamLoad();
+    return LowererMD::CreateAssign(generatorRegOpnd, generatorSymOpnd, instrInsert);
 }
 
 IR::Instr *
@@ -10904,7 +10904,7 @@ Lowerer::LoadCallInfo(IR::Instr * instrInsert)
     {
         // Generator function arguments and ArgumentsInfo are not on the stack.  Instead they
         // are accessed off the generator object (which is prm1).
-		IR::Instr *genLoadInstr = LoadGeneratorObject(instrInsert);
+        IR::Instr *genLoadInstr = LoadGeneratorObject(instrInsert);
         IR::RegOpnd * generatorRegOpnd = genLoadInstr->GetDst()->AsRegOpnd();
 
         IR::IndirOpnd * indirOpnd = IR::IndirOpnd::New(generatorRegOpnd, Js::JavascriptGenerator::GetCallInfoOffset(), TyMachPtr, func);
@@ -12543,7 +12543,7 @@ Lowerer::GenerateBailOut(IR::Instr * instr, IR::BranchInstr * branchInstr, IR::L
             else
             {
                 indexOpnd = IR::MemRefOpnd::New((BYTE*)bailOutInfo->bailOutRecord + BailOutRecord::GetOffsetOfPolymorphicCacheIndex(), TyUint32, this->m_func);
-            }             
+            }
 
             m_lowererMD.CreateAssign(
                 indexOpnd, IR::IntConstOpnd::New(bailOutInfo->polymorphicCacheIndex, TyUint32, this->m_func), instr);
@@ -14694,7 +14694,7 @@ Lowerer::GenerateFastElemIIntIndexCommon(
     const bool needBailOutOnInvalidLength = !!(bailOutKind & (IR::BailOutOnInvalidatedArrayHeadSegment));
     const bool needBailOutToHelper = !!(bailOutKind & (IR::BailOutOnArrayAccessHelperCall | IR::BailOutOnInvalidatedArrayLength));
     const bool needBailOutOnSegmentLengthCompare = needBailOutToHelper || needBailOutOnInvalidLength;
-    
+
     if(indexIsLessThanHeadSegmentLength || needBailOutOnSegmentLengthCompare)
     {
         if (needBailOutOnSegmentLengthCompare)
@@ -18522,7 +18522,7 @@ Lowerer::GenerateFastArgumentsLdElemI(IR::Instr* ldElem, IR::LabelInstr *labelFa
         ldElem->InsertBefore(labelCreateHeapArgs);
         emittedFastPath = true;
     }
-    
+
     if (!emittedFastPath)
     {
         throw Js::RejitException(RejitReason::DisableStackArgOpt);
@@ -20633,7 +20633,7 @@ Lowerer::GenerateLdHomeObjProto(IR::Instr* instr)
     //
     //  $Err:
     //  ThrowRuntimeReferenceError(JSERR_BadSuperReference);
-    //  
+    //
     //  $NoErr:
     //  instance = ((RecyclableObject*)instance)->GetPrototype();
     //  if (instance == nullptr) goto $Done;