[aix/ibmi] fix leaptiering crash

abmusse · V8 LUCI CQ · commit decb43fae2ed · 2025-04-30T11:13:32.000-07:00
After enabling leaptiering by default I discovered a crash with mksnapshot. I rebuilt with DCHECKs enabled by setting: v8_enable_debugging_features = true This revealed a DCHECK error while running mksnapshot at: ```sh ./mksnapshot \ --turbo_instruction_scheduling \ --stress-turbo-late-spilling \ --target_os=aix \ --target_arch=ppc64 \ --embedded_src gen/embedded.S \ --predictable \ --no-use-ic \ --embedded_variant Default \ --random-seed 314159265 \ --startup_blob snapshot_blob.bin \ --native-code-counters \ --concurrent-builtin-generation \ --concurrent-turbofan-max-threads=0 \ --verify-heap ``` https://source.chromium.org/chromium/chromium/src/+/main:v8/src/sandbox/js-dispatch-table-inl.h;l=24 In the DCHECK above looks like kObjectPointerShift is set to 16 and purpose of the check is to ensure the top 16 bits (2 bytes) are empty. From what I understand mmap will give you back an address in 0x0A.... segment on AIX 0x0A00000000000000 - 0x0AFFFFFFFFFFFFFFF More details: https://www.ibm.com/docs/en/aix/7.2?topic=memory-1-tb-segment-aliasing So there will be something set in the upper bits there leading to garbage results once the bits get shuffled around. I did some additional investigation and its looks like golang ran into a similar problem on AIX and uses offsets https://github.com/golang/go/blob/28d7eec3a23c04fb74863d032d499b76c3c3d4c3/src/runtime/malloc.go#L300-L304 My solution here is to introduce similar offset solution by adding kObjectPointerOffset to the JSDispatchEntry struct. Change-Id: I67ad82f78d763bd35ad90d6c45c8f123d28022fe Reviewed-on: https://chromium-review.googlesource.com/c/v8/v8/+/6320599 Reviewed-by: Olivier Flückiger <olivf@chromium.org> Reviewed-by: Samuel Groß <saelo@chromium.org> Commit-Queue: Samuel Groß <saelo@chromium.org> Cr-Commit-Position: refs/heads/main@{#100011}
diff --git a/src/codegen/code-stub-assembler.cc b/src/codegen/code-stub-assembler.cc
@@ -1984,9 +1984,19 @@ TNode<Code> CodeStubAssembler::LoadCodeObjectFromJSDispatchTable(
   TNode<UintPtrT> value = Load<UintPtrT>(table, offset);
   // The LSB is used as marking bit by the js dispatch table, so here we have
   // to set it using a bitwise OR as it may or may not be set.
-  value = UncheckedCast<UintPtrT>(WordOr(
-      WordShr(value, UintPtrConstant(JSDispatchEntry::kObjectPointerShift)),
-      UintPtrConstant(kHeapObjectTag)));
+
+  TNode<UintPtrT> shifted_value;
+  if (JSDispatchEntry::kObjectPointerOffset == 0) {
+    shifted_value =
+        WordShr(value, UintPtrConstant(JSDispatchEntry::kObjectPointerShift));
+  } else {
+    shifted_value = UintPtrAdd(
+        WordShr(value, UintPtrConstant(JSDispatchEntry::kObjectPointerShift)),
+        UintPtrConstant(JSDispatchEntry::kObjectPointerOffset));
+  }
+
+  value = UncheckedCast<UintPtrT>(
+      WordOr(shifted_value, UintPtrConstant(kHeapObjectTag)));
   return CAST(BitcastWordToTagged(value));
 }
 
diff --git a/src/sandbox/js-dispatch-table-inl.h b/src/sandbox/js-dispatch-table-inl.h
@@ -23,10 +23,16 @@ void JSDispatchEntry::MakeJSDispatchEntry(Address object, Address entrypoint,
                                           uint16_t parameter_count,
                                           bool mark_as_alive) {
   DCHECK_EQ(object & kHeapObjectTag, 0);
-  DCHECK_EQ((object << kObjectPointerShift) >> kObjectPointerShift, object);
-
-  Address payload =
-      (object << kObjectPointerShift) | (parameter_count & kParameterCountMask);
+  DCHECK_EQ((((object - kObjectPointerOffset) << kObjectPointerShift) >>
+             kObjectPointerShift) +
+                kObjectPointerOffset,
+            object);
+  DCHECK_EQ((object - kObjectPointerOffset) + kObjectPointerOffset, object);
+  DCHECK_LT((object - kObjectPointerOffset),
+            1ULL << ((sizeof(encoded_word_) * 8) - kObjectPointerShift));
+
+  Address payload = ((object - kObjectPointerOffset) << kObjectPointerShift) |
+                    (parameter_count & kParameterCountMask);
   DCHECK(!(payload & kMarkingBit));
   if (mark_as_alive) payload |= kMarkingBit;
 #ifdef V8_TARGET_ARCH_32_BIT
@@ -49,7 +55,8 @@ Address JSDispatchEntry::GetCodePointer() const {
   // and so may be 0 or 1 here. As the return value is a tagged pointer, the
   // bit must be 1 when returned, so we need to set it here.
   Address payload = encoded_word_.load(std::memory_order_relaxed);
-  return (payload >> kObjectPointerShift) | kHeapObjectTag;
+  return ((payload >> kObjectPointerShift) + kObjectPointerOffset) |
+         kHeapObjectTag;
 }
 
 Tagged<Code> JSDispatchEntry::GetCode() const {
@@ -178,7 +185,9 @@ void JSDispatchEntry::SetCodeAndEntrypointPointer(Address new_object,
   Address parameter_count = old_payload & kParameterCountMask;
   // We want to preserve the marking bit of the entry. Since that happens to
   // be the tag bit of the pointer, we need to explicitly clear it here.
-  Address object = (new_object << kObjectPointerShift) & ~kMarkingBit;
+  Address object =
+      ((new_object - kObjectPointerOffset) << kObjectPointerShift) &
+      ~kMarkingBit;
   Address new_payload = object | marking_bit | parameter_count;
   encoded_word_.store(new_payload, std::memory_order_relaxed);
   entrypoint_.store(new_entrypoint, std::memory_order_relaxed);
diff --git a/src/sandbox/js-dispatch-table.h b/src/sandbox/js-dispatch-table.h
@@ -75,6 +75,18 @@ struct JSDispatchEntry {
   static constexpr uintptr_t kCodeObjectOffset = kSystemPointerSize;
   static constexpr size_t kParameterCountSize = 2;
 
+// On AIX and IBM i, mmap will give you back an address with the top bits set
+// unlike other platforms where the top bits are unset.
+// Therefore kObjectPointerOffset was introduced to ensure we account for
+// the top bits being set when performing pointer operations.
+#if defined(__PASE__)
+  static constexpr uintptr_t kObjectPointerOffset = 0x0700000000000000;
+#elif defined(_AIX)
+  static constexpr uintptr_t kObjectPointerOffset = 0x0a00000000000000;
+#else
+  static constexpr uintptr_t kObjectPointerOffset = 0;
+#endif
+
 #if defined(V8_TARGET_ARCH_64_BIT)
   // Freelist entries contain the index of the next free entry in their lower 32
   // bits and are tagged with this tag.
