jit: guard-snapshot capture side channels TLS → explicit GuardCaptureScope parameter#515
Conversation
…Scope parameter Replace the three call-scoped thread-locals bracketed around walker_capture_snapshot_for_last_guard (FBW_FORITER_NEXT_CATCH_RESUME, BRANCH_GUARD_JITCODE_PC, BRANCH_GUARD_KEPT_RECOVERED) with a GuardCaptureScope parameter threaded through the capture impl, walker_capture_multi_frame_inline_snapshot, and collect_outer_active_boxes — the explicit-parameter shape capture_resumedata's keyword arguments (pyjitpl.py:2599-2603) already use for after_residual_call. The two writer sites (FOR_ITER-next residual GUARD_NO_EXCEPTION, kept-stack branch guard) call a new _scoped variant; their TLS set/clear brackets are deleted. The ordinary capture call sites keep the two-argument signature and forward the default (empty) scope. collect_outer_active_boxes callers outside the capture path pass an empty slice, matching the empty TLS they previously observed. Assisted-by: Claude
|
Warning Review limit reached
Next review available in: 45 minutes Enable usage-based reviews in Billing to review now. Otherwise, wait until the next included review is available. How can I continue?After more reviews become available, a review can be triggered using the To avoid repeated limits, reduce automatic review volume by pausing incremental auto-reviews earlier, using label-based review opt-in, excluding WIP or generated PR titles, or requesting reviews manually when the PR is ready. If your team needs uninterrupted high-volume reviews, an organization admin can enable usage-based reviews. How do review limits work?CodeRabbit enforces per-developer PR review limits for each organization. Most developers receive the normal plan review availability. For paid Pro and Pro+ PR reviews, CodeRabbit uses adaptive limits for sustained high-volume activity. When a developer's recent PR review activity reaches the 95th percentile or higher among CodeRabbit users, additional reviews become available more gradually as earlier reviews age out of the rolling window. Please refer docs for additional details. Review details⚙️ Run configurationConfiguration used: Organization UI Review profile: ASSERTIVE Plan: Pro Run ID: 📒 Files selected for processing (1)
✨ Finishing Touches🧪 Generate unit tests (beta)
Thanks for using CodeRabbit! It's free for OSS, and your support helps us grow. If you like it, consider giving us a shout-out. Comment |
🤖 Codex parity reviewStatic analysis of this diff vs the local RPython/PyPy sources (commit 303ebc1). 1. Regressions to PyPy parity introduced by this patchNone. 2. Other mismatches introduced by this patchNone. 3. Pre-existing mismatches (already present before this patch)
4. Structural adaptations
|
Follow-up to #500/#509 (FBW walker per-walk TLS → explicit ownership). This slice absorbs the three remaining call-scoped TLS side channels in
jitcode_dispatch.rs, which were set immediately before exactly onewalker_capture_snapshot_for_last_guardcall and cleared right after:FBW_FORITER_NEXT_CATCH_RESUME— FOR_ITER-next residual's GUARD_NO_EXCEPTION catch-resume marker flagBRANCH_GUARD_JITCODE_PC— kept-stack branch guard's own jitcode pc for the snapshot encoder (cranelift: lower Int{Add,Sub,Mul}Ovf via sadd/ssub/smul_overflow #124)BRANCH_GUARD_KEPT_RECOVERED— resolved(dst, value)edge-move recovery pairs (wasm JIT: inline callee guard snapshot empty + resume side-effect duplication (4 wasm-only failures) #420)Change
They become fields of a
GuardCaptureScope<'_>parameter — the explicit-parameter shapecapture_resumedata's keyword arguments (pyjitpl.py:2599-2603) already use forafter_residual_call, which pyre threads explicitly today.walker_capture_snapshot_for_last_guard(ctx, pc)signature, forwarding the default (empty) scope — identical to the empty TLS those captures observed._scopedvariant; the TLS set/clear brackets (and their unwind hazard) are deleted.walker_capture_snapshot_for_last_guard_implandwalker_capture_multi_frame_inline_snapshot;collect_outer_active_boxestakes the recovery pairs as a slice parameter. Its five callers outside the capture path pass&[], matching the empty TLS they previously observed.Option<usize>replaces theusize::MAXsentinel for the guard pc.No behavior change intended; every read observes exactly the value the TLS version observed on the same path.
Verification
cargo test -p pyre-jit-trace --release --no-default-features --features dynasm: 282 passed / 0 failedpython3 pyre/check.py: 162/162 on dynasm, cranelift, wasmrg "FBW_FORITER_NEXT_CATCH_RESUME|BRANCH_GUARD_JITCODE_PC|BRANCH_GUARD_KEPT_RECOVERED": zero hits🤖 Generated with Claude Code