@MikePall
Created September 11, 2023 22:53
Below is the -jdump (there's no isolated testcase) that triggered this fix:
https://github.com/LuaJIT/LuaJIT/commit/2bc63bb6affdb378c1698bd0f97bacb286a61a6f
Reasoning for the interim fix:
Trace 555 has a code generation bug. It must not coalesce with r13 as BASE.
So IR(REF_BASE)->r of trace 555 contains r13. But the RETF in trace 444
modifies BASE with rdx right before exit 4 which leads to trace 555. Trace
555 then jumps to lj_vm_exit_interp with the wrong frame.
This is because there are no RENAMEs for BASE. The interim fix disables all
BASE coalescing opportunities, which is suboptimal. It would be better to
detect the rare 'BASE rename' situation and only then prevent BASE register
coalescing with any children.
---- TRACE 444 start 333/1 abc.lua:777
0018 . MOV 5 0
0019 . MOV 6 1
0020 . MOV 7 2
0021 . MOV 8 4
0022 . RET 5 5
0348 MOV 21 27
0349 MOV 20 26
0350 MOV 18 25
0351 MOV 19 24
0352 UGET 24 19 ; ffi_copy
0353 MOV 25 20
0354 UGET 26 20 ; ffi_cast
0355 UGET 27 21 ; ct_string
0356 MOV 28 0
0357 CALL 26 2 3
0000 . FUNCC ; ffi.cast
0358 ADDVV 26 26 17
0000 . . FUNCC ; ffi.meta.__add
0359 MOV 27 22
0360 CALL 24 1 4
0000 . FUNCC ; ffi.copy
0361 UGET 22 9 ; fstring
0362 MOV 23 19
0363 MOV 24 21
0364 CALL 22 2 3
0000 . FUNCC ; ffi.string
0365 MOV 23 15
0366 RET 22 3
0098 MOV 22 29
0099 TGETS 29 0 1 ; "xyz"
0100 ISF 29
0101 JMP 30 => 0118
0118 JFORL 25 68
---- TRACE 444 IR
0001 [c] int SLOAD #23 PI
0002 rbp cdt SLOAD #26 PI
0003 r15 int SLOAD #27 PI
0004 [8] cdt SLOAD #28 PI
0005 rbx u64 PVAL #9
0006 {sink} cdt CNEWI +12 0005
.... SNAP #0 [ abc.lua:444|---- ---- ---- ---- ---- ---- ---- ---- ---- ---- ---- ---- ---- ---- ---- ---- ---- ---- ---- ---- ---- ---- 0001 0006 abc.lua:443|0002 0003 0004 ---- 0006 ]
0007 > nil GCSTEP
0008 r14 > str SLOAD #1 T
0009 r14 p64 ADD 0008 +16
0010 {sink} cdt CNEWI +19 0009
0011 > int SLOAD #18 T
0012 rsi i64 CONV 0011 i64.int sext
0013 rsi p64 ADD 0012 0009
0014 {sink} cdt CNEWI +19 0013
0015 u16 FLOAD 0004 cdata.ctypeid
0016 > int EQ 0015 +107
0017 rdi p64 ADD 0004 +8
0020 p64 CALLS memcpy (0017 0013 0001)
0021 nil XBAR
.... SNAP #1 [ abc.lua:444|---- ---- ---- ---- ---- ---- ---- ---- ---- ---- ---- ---- ---- ---- ---- ---- ---- ---- ---- 0002 ---- 0006 ---- ---- ]
0022 rdx int CONV 0005 int.u64
0023 u16 FLOAD 0002 cdata.ctypeid
0024 > int EQ 0023 +107
0025 rsi p64 ADD 0002 +8
0026 rax str XSNEW 0025 0022
0027 r15 > int SLOAD #16 T
.... SNAP #2 [ abc.lua:444|---- ---- ---- ---- ---- ---- ---- ---- ---- ---- ---- ---- ---- ---- ---- ---- ---- ---- ---- 0002 ---- 0006 0026 0027 ]
0028 > p32 RETF proto: 0x419ee930 [0x419eeaf8]
.... SNAP #3 [ ---- ---- ---- ---- ---- ---- ---- ---- ---- ---- ---- ---- ---- ---- ---- ---- ---- ---- ---- ---- ---- ---- ---- ---- ---- ---- ---- ---- ---- ---- 0026 ]
0029 rbp > tab SLOAD #1 T
0030 int FLOAD 0029 tab.hmask
0031 > int EQ 0030 +127
0032 rbp p32 FLOAD 0029 tab.node
0033 > p32 HREFK 0032 "xyz" @80
0034 > fal HLOAD 0033
0035 int SLOAD #27 RI
0036 rbp > int SLOAD #26 TI
0037 rbp int ADD 0036 +1
.... SNAP #4 [ ---- ---- ---- ---- ---- ---- ---- ---- ---- ---- ---- ---- ---- ---- ---- ---- ---- ---- ---- ---- ---- ---- ---- 0026 ---- ---- ]
0038 > int LE 0037 0035
.... SNAP #5 [ ---- ---- ---- ---- ---- ---- ---- ---- ---- ---- ---- ---- ---- ---- ---- ---- ---- ---- ---- ---- ---- ---- ---- 0026 ---- ---- 0037 0035 +1 0037 ]
---- TRACE 444 mcode 413
7f660f0729cc mov r15d, edx
7f660f0729cf mov ebp, [rsp+0x24]
7f660f0729d3 mov dword [0x4150c410], 0x32c
7f660f0729de mov [rsp+0xc], r13d
7f660f0729e3 mov [rsp+0x8], ecx
7f660f0729e7 mov r13d, [0x4150c4b4] // G->jit_base, IR(REF_BASE)->r = r13
7f660f0729ef mov edi, [0x4150c3d8]
7f660f0729f6 cmp edi, [0x4150c3dc]
7f660f0729fd jb 0x7f660f072a16
7f660f0729ff mov esi, 0x1
7f660f072a04 mov edi, 0x4150c3b8
7f660f072a09 call 0x7f6603843140 ->lj_gc_step_jit
7f660f072a0e abc eax, eax
7f660f072a10 jnz 0x7f660f0d0010 ->0
7f660f072a16 mov edx, [rsp+0xc]
7f660f072a1a mov ecx, [rsp+0x8]
7f660f072a1e cmp dword [r13+0x4], -0x05
7f660f072a23 jnz 0x7f660f0d0010 ->0
7f660f072a29 mov r14d, [r13+0x0]
7f660f072a2d add r14, +0x10
7f660f072a31 cmp dword [r13+0x8c], 0xfffeffff
7f660f072a3c jnz 0x7f660f0d0010 ->0
7f660f072a42 movsxd rsi, dword [r13+0x88]
7f660f072a49 add rsi, r14
7f660f072a4c cmp word [rcx+0x6], +0x6b
7f660f072a51 jnz 0x7f660f0d0010 ->0
7f660f072a57 mov edi, ecx
7f660f072a59 add rdi, +0x08
7f660f072a5d mov rax, 0x0000003de9f448a0
7f660f072a67 call rax
7f660f072a69 mov edi, [0x4150c4b0]
7f660f072a70 mov edx, ebx
7f660f072a72 cmp word [rbp+0x6], +0x6b
7f660f072a77 jnz 0x7f660f0d0014 ->1
7f660f072a7d mov esi, ebp
7f660f072a7f add rsi, +0x08
7f660f072a83 call 0x7f6603845260 ->lj_str_new
7f660f072a88 mov edx, [0x4150c4b4] // G->jit_base
7f660f072a8f cmp dword [rdx+0x7c], 0xfffeffff
7f660f072a96 jnz 0x7f660f0d0014 ->1
7f660f072a9c mov r15d, [rdx+0x78]
7f660f072aa0 cmp dword [rdx-0x4], 0x419eeaf8
7f660f072aa7 jnz 0x7f660f0d0018 ->2
7f660f072aad add edx, 0xffffff10 // Move BASE down by 0xf0
7f660f072ab3 mov [0x4150c4b4], edx // G->jit_base modified with edx, not r13d
7f660f072aba cmp dword [rdx+0x4], -0x0c
7f660f072abe jnz 0x7f660f0d001c ->3
7f660f072ac4 mov ebp, [rdx]
7f660f072ac6 cmp dword [rbp+0x1c], +0x7f
7f660f072aca jnz 0x7f660f0d001c ->3
7f660f072ad0 mov ebp, [rbp+0x14]
7f660f072ad3 mov rdi, 0xfffffffb417ee3b0
7f660f072add cmp rdi, [rbp+0x788]
7f660f072ae4 jnz 0x7f660f0d001c ->3
7f660f072aea cmp dword [rbp+0x784], -0x02
7f660f072af1 jnz 0x7f660f0d001c ->3
7f660f072af7 cmp dword [rdx+0xcc], 0xfffeffff
7f660f072b01 jnz 0x7f660f0d001c ->3
7f660f072b07 mov ebp, [rdx+0xc8]
7f660f072b0d add ebp, +0x01
7f660f072b10 cmp ebp, [rdx+0xd0]
7f660f072b16 jg 0x7f660f0d0020 ->4 // TRACE 555 will be attached here
7f660f072b1c mov dword [rdx+0xe4], 0xfffeffff
7f660f072b26 mov [rdx+0xe0], ebp
7f660f072b2c mov dword [rdx+0xdc], 0xfffeffff
7f660f072b36 mov dword [rdx+0xd8], 0x1
7f660f072b40 mov dword [rdx+0xcc], 0xfffeffff
7f660f072b4a mov [rdx+0xc8], ebp
7f660f072b50 mov dword [rdx+0xb4], 0xfffffffb
7f660f072b5a mov [rdx+0xb0], eax
7f660f072b60 add rsp, +0x20
7f660f072b64 jmp 0x7f660f0f8f95
---- TRACE 444 stop -> 111
---- TRACE 555 start 444/4 abc.lua:999
---- TRACE 555 IR
0001 rax str SLOAD #23 PI
.... SNAP #0 [ ---- ---- ---- ---- ---- ---- ---- ---- ---- ---- ---- ---- ---- ---- ---- ---- ---- ---- ---- ---- ---- ---- ---- 0001 ---- ---- ]
.... SNAP #1 [ ---- ---- ---- ---- ---- ---- ---- ---- ---- ---- ---- ---- ---- ---- ---- ---- ---- ---- ---- ---- ---- ---- ---- 0001 ---- ---- ]
---- TRACE 555 mcode 52
7f660f061f60 mov dword [0x4150c410], 0x396
7f660f061f6b mov edx, r13d // Coalesced with r13, but exit 4 has BASE in rdx
7f660f061f6e mov dword [rdx+0xb4], 0xfffffffb
7f660f061f78 mov [rdx+0xb0], eax
7f660f061f7e xor eax, eax
7f660f061f80 mov ebx, 0x419eeb4c
7f660f061f85 mov r14d, 0x4150cf90
7f660f061f8b add rsp, +0x20
7f660f061f8f jmp 0x7f66038410ea -> lj_vm_exit_interp
---- TRACE 555 stop -> interpreter