Closed
Bug 1322445
Opened 9 years ago
Closed 9 years ago
Switch PageProtectingVector from protecting fully used pages to fully unused pages.
Categories
(Core :: JavaScript Engine, defect)
Core
JavaScript Engine
Tracking
()
RESOLVED
FIXED
mozilla53
| Tracking | Status | |
|---|---|---|
| firefox53 | --- | fixed |
People
(Reporter: ehoogeveen, Assigned: ehoogeveen)
References
(Blocks 1 open bug)
Details
Attachments
(1 file, 5 obsolete files)
|
26.50 KB,
patch
|
ehoogeveen
:
review+
|
Details | Diff | Splinter Review |
Analysis of recent crashes from bug 1124397 indicates that whatever is corrupting our buffers, it's always writing to the last page of the buffer. PageProtectingVector works by protecting pages that we're done writing to, and that's obviously never going to apply to the last page in a buffer.
To catch this behavior, instead we can try to protect *unused* pages. That should be cheaper as well, since we won't try to patch jumps in pages we aren't using.
|
Assignee | |
Comment 1•9 years ago
|
||
This extends PageProtectingVector with the ability to protect unused pages as well, makes both kinds of protection optional, and removes all the AutoUnprotect gunk since it's no longer needed. Passes jit tests locally.
Attachment #8817327 -
Flags: review?(jdemooij)
|
|
Assignee | |
Comment 2•9 years ago
|
||
Oh, and I also noticed several places where I was using capacity() and/or length() incorrectly. This doesn't affect our current use case since sizeof(T) == 1, but it was still wrong.
|
|
Assignee | |
Comment 3•9 years ago
|
||
I set the initial lower bound to 0 for testing, forgot to change that back. Fixed locally.
|
|
Assignee | |
Comment 4•9 years ago
|
||
Fixed an issue that showed up in ASAN and Valgrind. Still waiting on try results, but I expect this to be green now (and I need to head off to bed).
Attachment #8817327 -
Attachment is obsolete: true
Attachment #8817327 -
Flags: review?(jdemooij)
Attachment #8817361 -
Flags: review?(jdemooij)
|
|
Assignee | |
Comment 5•9 years ago
|
||
|
|
Assignee | |
Comment 6•9 years ago
|
||
Managed to simplify things a bit more after waking up hideously early. I'm pretty happy with this now.
Try run: https://treeherder.mozilla.org/#/jobs?repo=try&revision=591a3d43e78a32560f28e9fc3f5eb3c4d26f9722
Attachment #8817361 -
Attachment is obsolete: true
Attachment #8817361 -
Flags: review?(jdemooij)
Attachment #8817396 -
Flags: review?(jdemooij)
|
|
Assignee | |
Comment 7•9 years ago
|
||
That crashed on ASAN again, and I spotted another bug while looking into that. I think this is correct now.
Attachment #8817396 -
Attachment is obsolete: true
Attachment #8817396 -
Flags: review?(jdemooij)
Attachment #8817446 -
Flags: review?(jdemooij)
|
|
Assignee | |
Comment 8•9 years ago
|
||
Okay, all green now (ASAN Debug was the only build that showed the problem):
https://treeherder.mozilla.org/#/jobs?repo=try&revision=a38802a7a56b94d004f09e4cddab2c05244a2b3e
|
||
Comment 9•9 years ago
|
||
Wasn't the plan to switch it so we only protect the unused part?
|
|
||
Comment 10•9 years ago
|
||
(In reply to Jan de Mooij [:jandem] from comment #9)
> Wasn't the plan to switch it so we only protect the unused part?
Nevermind, I missed comment 1.
|
|
Assignee | |
Comment 11•9 years ago
|
||
Sorry, yeah the patch switches to protecting only unused pages, but I didn't want to just completely change what PageProtectingVector can do. Instead I extended it to do both, and switched AssemblerBuffer to only use the unused page protection instead.
|
|
||
Comment 12•9 years ago
|
||
Comment on attachment 8817446 [details] [diff] [review]
v1.3 - Extend PageProtectingVector to protect unused pages as well.
Review of attachment 8817446 [details] [diff] [review]:
-----------------------------------------------------------------
::: js/src/jit/x86-shared/AssemblerBuffer-x86-shared.h
@@ +157,5 @@
> }
>
> + PageProtectingVector<unsigned char, 256, SystemAllocPolicy,
> + /* ProtectUsed = */ false, /* ProtectUnused = */ true,
> + /* InitialLowerBound = */ 32 * 1024> m_buffer;
Any thoughts on using a vanilla Vector here #ifdef RELEASE_OR_BETA, to minimize potential risk? I know we have some #ifdefs in PageProtectionVector to disable the protection, but there's still a lot of non-trivial code there that isn't inside #ifdefs and may add runtime overhead.
We may have to #ifdef enableProtection/disableProtection calls too but that seems fine.
Attachment #8817446 -
Flags: review?(jdemooij) → review+
|
|
Assignee | |
Comment 13•9 years ago
|
||
Thanks for the review!
(In reply to Jan de Mooij [:jandem] from comment #12)
> Any thoughts on using a vanilla Vector here #ifdef RELEASE_OR_BETA, to
> minimize potential risk? I know we have some #ifdefs in PageProtectionVector
> to disable the protection, but there's still a lot of non-trivial code there
> that isn't inside #ifdefs and may add runtime overhead.
>
> We may have to #ifdef enableProtection/disableProtection calls too but that
> seems fine.
I can do that - should be especially easy now that the AutoUnprotect stuff is gone.
|
|
Assignee | |
Comment 14•9 years ago
|
||
Carrying forward r+ with that change. In exchange I removed the ifdefs from PageProtectingVector itself. I think that makes it less surprising if you want the protection it offers on beta and release as well (e.g. if performance isn't a concern). I did leave the ifdef in MemoryProtectionExceptionHandler - with any luck if someone needs PageProtectingVector on beta and release, the crash volume will stand out enough that the annotations aren't needed. If it turns out that they are, it's a one-line change to activate them.
Attachment #8817446 -
Attachment is obsolete: true
Attachment #8818236 -
Flags: review+
|
|
Assignee | |
Updated•9 years ago
|
Keywords: checkin-needed
|
||
Comment 15•9 years ago
|
||
Pushed by ryanvm@gmail.com:
https://hg.mozilla.org/integration/mozilla-inbound/rev/6cec2e289658
Extend PageProtectingVector to protect unused pages as well. r=jandem
Keywords: checkin-needed
|
||
Comment 16•9 years ago
|
||
|
|
Assignee | |
Comment 17•9 years ago
|
||
Hmm, sorry about that. Odd, I thought I fixed those - let's see if Try reproduces.
|
|
Assignee | |
Comment 18•9 years ago
|
||
Alright, I spotted the problem, and sm-asan is green now:
https://treeherder.mozilla.org/#/jobs?repo=try&revision=1eb5ba958543db0d4967a99903ea7beaa9fe48e8
(that build isn't listed as an option on Trychooser, annoyingly)
Attachment #8818236 -
Attachment is obsolete: true
Attachment #8818812 -
Flags: review+
|
|
Assignee | |
Comment 19•9 years ago
|
||
Let's try this again. I'm not really sure how ASAN managed to trigger that particular edge case, but I'm glad it did.
Keywords: checkin-needed
|
|
||
Comment 20•9 years ago
|
||
Pushed by cbook@mozilla.com:
https://hg.mozilla.org/integration/mozilla-inbound/rev/67f930fb5da8
Extend PageProtectingVector to protect unused pages as well. r=jandem
Keywords: checkin-needed
|
|
||
Comment 21•9 years ago
|
||
| bugherder | ||
Status: NEW → RESOLVED
Closed: 9 years ago
Resolution: --- → FIXED
Target Milestone: --- → mozilla53
|
||
Comment 22•9 years ago
|
||
Seemed to have caused a decrease in our slowdown due to less protections:
== Change summary for alert #4526 (as of December 15 2016 13:54 UTC) ==
Improvements:
5% ss 1.0.1 format-xparb linux64 opt shell 15.56 -> 14.83
4% octane 2.0.1 Typescript linux64 opt shell 22502.12 -> 23510.5
4% misc 0.8 bugs-652377-jslint-on-jslint linux64 opt shell 498.97 -> 477.87
3% kraken 1.1 beat-detection linux64 opt shell 90.2 -> 87.23
3% octane 2.0.1 Gameboy linux64 opt shell 49723.71 -> 51282.42
3% speedometer 1.0 summary osx-10-10 opt 45.88 -> 47.12
3% kraken 1.1 crypto-sha256-iterative linux64 opt shell 45.26 -> 44.12
2% kraken 1.1 crypto-pbkdf2 linux64 opt shell 113.05 -> 110.43
2% kraken 1.1 crypto-aes linux64 opt shell 55.78 -> 54.53
For up to date results, see: https://treeherder.mozilla.org/perf.html#/alerts?id=4526
|
||
Comment 23•9 years ago
|
||
This also helped wasm baseline compilation of AngryBots a lot (34% faster), nice!
You need to log in
before you can comment on or make changes to this bug.
Description
•