Merged PR 149294: avoid prop record lookup for external function creation, put more spectre stuff behind flags

avoid prop record lookup for external function creation, put more spectre stuff behind flags

Author: MikeHolman

lib/Backend/BackwardPass.cpp

@@ -3631,6 +3631,7 @@ BackwardPass::ProcessBlock(BasicBlock * block)
         && !block->GetFirstInstr()->m_func->GetJITFunctionBody()->IsWasmFunction()
         && !block->isDead
         && !block->isDeleted
+        && CONFIG_FLAG_RELEASE(AddMaskingBlocks)
         )
     {
         FOREACH_PREDECESSOR_BLOCK(blockPred, block)

lib/Common/CommonDefines.h

@@ -340,6 +340,7 @@
 #endif
 
 #ifdef NTBUILD
+#define ENABLE_SPECTRE_RUNTIME_MITIGATIONS
 #define ENABLE_PROJECTION
 #define ENABLE_FOUNDATION_OBJECT
 #define ENABLE_EXPERIMENTAL_FLAGS

lib/Common/ConfigFlagsList.h

@@ -522,6 +522,8 @@ PHASE(All)
 
 #define DEFAULT_CONFIG_MitigateSpectre (false)
 
+#define DEFAULT_CONFIG_AddMaskingBlocks (false)
+
 #define DEFAULT_CONFIG_PoisonVarArrayLoad (false)
 #define DEFAULT_CONFIG_PoisonIntArrayLoad (false)
 #define DEFAULT_CONFIG_PoisonFloatArrayLoad (false)
@@ -1306,6 +1308,8 @@ FLAGNR(Boolean, ForceMaxJitThreadCount, "Force the number of parallel jit thread
 
 FLAGR(Boolean, MitigateSpectre, "Use mitigations for Spectre", DEFAULT_CONFIG_MitigateSpectre)
 
+FLAGPR(Boolean, MitigateSpectre, AddMaskingBlocks, "Optimize Spectre mitigations by masking on loop out edges", DEFAULT_CONFIG_AddMaskingBlocks)
+
 FLAGPR(Boolean, MitigateSpectre, PoisonVarArrayLoad, "Poison loads from Var arrays", DEFAULT_CONFIG_PoisonVarArrayLoad)
 FLAGPR(Boolean, MitigateSpectre, PoisonIntArrayLoad, "Poison loads from Int arrays", DEFAULT_CONFIG_PoisonIntArrayLoad)
 FLAGPR(Boolean, MitigateSpectre, PoisonFloatArrayLoad, "Poison loads from Float arrays", DEFAULT_CONFIG_PoisonFloatArrayLoad)

lib/Runtime/Language/JavascriptOperators.cpp

@@ -3881,7 +3881,9 @@ using namespace Js;
 
     Var JavascriptOperators::OP_GetElementI(Var instance, Var index, ScriptContext* scriptContext)
     {
+#ifdef ENABLE_SPECTRE_RUNTIME_MITIGATIONS
         instance = BreakSpeculation(instance);
+#endif
         if (TaggedInt::Is(index))
         {
             return GetElementIIntIndex(instance, index, scriptContext);

lib/Runtime/Library/JavascriptExternalFunction.cpp

@@ -314,24 +314,6 @@ namespace Js
         END_LEAVE_SCRIPT(scriptContext);
 #endif
 
-        bool marshallingMayBeNeeded = false;
-        if (result != nullptr)
-        {
-            marshallingMayBeNeeded = Js::VarIs<Js::RecyclableObject>(result);
-            if (marshallingMayBeNeeded)
-            {
-            Js::RecyclableObject * obj = Js::VarTo<Js::RecyclableObject>(result);
-
-            // For JSRT, we could get result marshalled in different context.
-            bool isJSRT = scriptContext->GetThreadContext()->IsJSRT();
-                marshallingMayBeNeeded = obj->GetScriptContext() != scriptContext;
-                if (!isJSRT && marshallingMayBeNeeded)
-            {
-                Js::Throw::InternalError();
-            }
-        }
-        }
-
         if (scriptContext->HasRecordedException())
         {
             bool considerPassingToDebugger = false;
@@ -354,7 +336,7 @@ namespace Js
         {
             result = scriptContext->GetLibrary()->GetUndefined();
         }
-        else if (marshallingMayBeNeeded)
+        else
         {
             result = CrossSite::MarshalVar(scriptContext, result);
         }

lib/Runtime/Library/JavascriptLibrary.cpp

@@ -5911,20 +5911,8 @@ namespace Js
 
     JavascriptExternalFunction* JavascriptLibrary::CreateStdCallExternalFunction(StdCallJavascriptMethod entryPoint, Var name, void *callbackState)
     {
-        Var functionNameOrId = name;
-        if (VarIs<JavascriptString>(name))
-        {
-            JavascriptString * functionName = VarTo<JavascriptString>(name);
-            const char16 * functionNameBuffer = functionName->GetString();
-            int functionNameBufferLength = functionName->GetLengthAsSignedInt();
-
-            PropertyId functionNamePropertyId = scriptContext->GetOrAddPropertyIdTracked(functionNameBuffer, functionNameBufferLength);
-            functionNameOrId = TaggedInt::ToVarUnchecked(functionNamePropertyId);
-        }
-
-        AssertOrFailFast(TaggedInt::Is(functionNameOrId));
         JavascriptExternalFunction* function = this->CreateIdMappedExternalFunction(entryPoint, stdCallFunctionWithDeferredPrototypeType);
-        function->SetFunctionNameId(functionNameOrId);
+        function->SetFunctionNameId(name);
         function->SetCallbackState(callbackState);
         return function;
     }

lib/Runtime/Library/JavascriptObject.cpp

@@ -1209,7 +1209,7 @@ JavascriptArray* JavascriptObject::CreateKeysHelper(RecyclableObject* object, Sc
     AssertMsg(includeStringProperties || includeSymbolProperties, "Should either get string or symbol properties.");
 
     JavascriptStaticEnumerator enumerator;
-        EnumeratorFlags flags = EnumeratorFlags::UseCache;
+    EnumeratorFlags flags = EnumeratorFlags::UseCache;
     JavascriptArray* newArr = scriptContext->GetLibrary()->CreateArray(0);
     if (includeNonEnumerable)
     {
@@ -1219,8 +1219,8 @@ JavascriptArray* JavascriptObject::CreateKeysHelper(RecyclableObject* object, Sc
     {
         flags |= EnumeratorFlags::EnumSymbols;
     }
-        EnumeratorCache* cache = scriptContext->GetLibrary()->GetCreateKeysCache(object->GetType());
-        if (!object->GetEnumerator(&enumerator, flags, scriptContext, cache))
+    EnumeratorCache* cache = scriptContext->GetLibrary()->GetCreateKeysCache(object->GetType());
+    if (!object->GetEnumerator(&enumerator, flags, scriptContext, cache))
     {
         return newArr;  // Return an empty array if we don't have an enumerator
     }
@@ -1231,7 +1231,7 @@ JavascriptArray* JavascriptObject::CreateKeysHelper(RecyclableObject* object, Sc
     uint32 symbolIndex = 0;
     const PropertyRecord* propertyRecord;
     JavascriptSymbol* symbol;
-        JavascriptArray* newArrForSymbols = nullptr;
+    JavascriptArray* newArrForSymbols = nullptr;
     while ((propertyName = enumerator.MoveAndGetNext(propertyId)) != NULL)
     {
         if (propertyName)
@@ -1244,10 +1244,10 @@ JavascriptArray* JavascriptObject::CreateKeysHelper(RecyclableObject* object, Sc
                 {
                     symbol = scriptContext->GetSymbol(propertyRecord);
                     // no need to marshal symbol because it is created from scriptContext
-                        if (!newArrForSymbols)
-                        {
-                            newArrForSymbols = scriptContext->GetLibrary()->CreateArray(0);
-                        }
+                    if (!newArrForSymbols)
+                    {
+                        newArrForSymbols = scriptContext->GetLibrary()->CreateArray(0);
+                    }
                     newArrForSymbols->DirectSetItemAt(symbolIndex++, symbol);
                     continue;
                 }
@@ -1270,14 +1270,14 @@ JavascriptArray* JavascriptObject::CreateKeysHelper(RecyclableObject* object, Sc
         }
     }
 
-        if (newArrForSymbols)
-        {
+    if (newArrForSymbols)
+    {
         // Append all the symbols at the end of list
         uint32 totalSymbols = newArrForSymbols->GetLength();
         for (uint32 symIndex = 0; symIndex < totalSymbols; symIndex++)
         {
             newArr->DirectSetItemAt(propertyIndex++, newArrForSymbols->DirectGetItem(symIndex));
-            }
+        }
     }
 
     return newArr;

lib/Runtime/Library/JavascriptString.cpp

@@ -733,7 +733,9 @@ namespace Js
         Var value;
         if (pThis->GetItemAt(idxPosition, &value))
         {
+#ifdef ENABLE_SPECTRE_RUNTIME_MITIGATIONS
             value = BreakSpeculation(value);
+#endif
             return value;
         }
         else
@@ -782,7 +784,11 @@ namespace Js
             return scriptContext->GetLibrary()->GetNaN();
         }
 
-        return BreakSpeculation(TaggedInt::ToVarUnchecked(pThis->GetItem(idxPosition)));
+        Var charCode = TaggedInt::ToVarUnchecked(pThis->GetItem(idxPosition));
+#ifdef ENABLE_SPECTRE_RUNTIME_MITIGATIONS
+        charCode = BreakSpeculation(charCode);
+#endif
+        return charCode;
     }
 
     Var JavascriptString::EntryCodePointAt(RecyclableObject* function, CallInfo callInfo, ...)
@@ -1837,7 +1843,9 @@ namespace Js
             idxEnd = idxStart;
         }
 
+#ifdef ENABLE_SPECTRE_RUNTIME_MITIGATIONS
         pThis = (JavascriptString*)BreakSpeculation(pThis);
+#endif
 
         return SubstringCore(pThis, idxStart, idxEnd - idxStart, scriptContext);
     }
@@ -1958,7 +1966,9 @@ namespace Js
             return pThis;
         }
 
+#ifdef ENABLE_SPECTRE_RUNTIME_MITIGATIONS
         pThis = (JavascriptString*)BreakSpeculation(pThis);
+#endif
 
         return SubstringCore(pThis, idxStart, idxEnd - idxStart, scriptContext);
     }
@@ -2016,7 +2026,9 @@ namespace Js
             return pThis;
         }
 
+#ifdef ENABLE_SPECTRE_RUNTIME_MITIGATIONS
         pThis = (JavascriptString*)BreakSpeculation(pThis);
+#endif
 
         Assert(0 <= idxStart && idxStart <= idxEnd && idxEnd <= len);
         return SubstringCore(pThis, idxStart, idxEnd - idxStart, scriptContext);

lib/Runtime/Library/RuntimeFunction.cpp

@@ -7,15 +7,15 @@
 namespace Js
 {
     RuntimeFunction::RuntimeFunction(DynamicType * type)
-        : JavascriptFunction(type), functionNameId(nullptr)
+        : JavascriptFunction(type), isDisplayString(false), functionNameId(nullptr)
     {}
 
     RuntimeFunction::RuntimeFunction(DynamicType * type, FunctionInfo * functionInfo)
-        : JavascriptFunction(type, functionInfo), functionNameId(nullptr)
+        : JavascriptFunction(type, functionInfo), isDisplayString(false), functionNameId(nullptr)
     {}
 
     RuntimeFunction::RuntimeFunction(DynamicType * type, FunctionInfo * functionInfo, ConstructorCache* cache)
-        : JavascriptFunction(type, functionInfo, cache), functionNameId(nullptr)
+        : JavascriptFunction(type, functionInfo, cache), isDisplayString(false), functionNameId(nullptr)
     {}
 
     JavascriptString *
@@ -24,33 +24,39 @@ namespace Js
         JavascriptLibrary* library = this->GetLibrary();
         ScriptContext * scriptContext = library->GetScriptContext();
         JavascriptString * retStr = nullptr;
+        if (this->isDisplayString)
+        {
+            return VarTo<JavascriptString>(this->functionNameId);
+        }
+
         if (this->functionNameId == nullptr)
         {
             retStr = library->GetFunctionDisplayString();
-            this->functionNameId = retStr;
         }
         else
         {
+            if (this->GetTypeHandler()->IsDeferredTypeHandler())
+            {
+                JavascriptString* functionName = nullptr;
+                DebugOnly(bool status = ) this->GetFunctionName(&functionName);
+                Assert(status);
+                this->SetPropertyWithAttributes(PropertyIds::name, functionName, PropertyConfigurable, nullptr);
+            }
             if (TaggedInt::Is(this->functionNameId))
             {
-                if (this->GetTypeHandler()->IsDeferredTypeHandler())
-                {
-                    JavascriptString* functionName = nullptr;
-                    DebugOnly(bool status = ) this->GetFunctionName(&functionName);
-                    Assert(status);
-                    this->SetPropertyWithAttributes(PropertyIds::name, functionName, PropertyConfigurable, nullptr);
-                }
-
                 // This has a side-effect where any other code (such as debugger) that uses functionNameId value will now get the value like "function foo() { native code }"
                 // instead of just "foo". Alternative ways will need to be devised; if it's not desirable to use this full display name value in those cases.
-                 retStr = GetNativeFunctionDisplayString(scriptContext, scriptContext->GetPropertyString(TaggedInt::ToInt32(this->functionNameId)));
-                 this->functionNameId = retStr;
+                retStr = GetNativeFunctionDisplayString(scriptContext, scriptContext->GetPropertyString(TaggedInt::ToInt32(this->functionNameId)));
             }
             else
             {
-                retStr = VarTo<JavascriptString>(this->functionNameId);
+                retStr = GetNativeFunctionDisplayString(scriptContext, VarTo<JavascriptString>(this->functionNameId));
             }
         }
+
+        this->functionNameId = retStr;
+        this->isDisplayString = true;
+
         return retStr;
     }
 
@@ -62,6 +68,7 @@ namespace Js
 
         // We are only reference the propertyId, it needs to be tracked to stay alive
         Assert(!TaggedInt::Is(nameId) || this->GetScriptContext()->IsTrackedPropertyId(TaggedInt::ToInt32(nameId)));
+        this->isDisplayString = false;
         this->functionNameId = nameId;
     }
 

lib/Runtime/Library/RuntimeFunction.h

@@ -25,6 +25,7 @@ namespace Js
         // NOTE: This has a side-effect that after toString() is called for the first time on a built-in function the functionNameId gets replaced with a string like "function foo() { native code }".
         // As a result any code like debugger(F12) that shows the functionNameId to the user will need to pre-process this string as it may not be desirable to use this as-is in some cases.
         // See RuntimeFunction::EnsureSourceString() for details.
+        Field(bool) isDisplayString;
         Field(Var) functionNameId;
         virtual Var GetSourceString() const { return functionNameId; }
         virtual JavascriptString * EnsureSourceString();