Closed
Bug 1370869
Opened 7 years ago
Closed 7 years ago
XDR decoding creates scope Data objects and then deletes them
Categories
(Core :: JavaScript Engine, defect)
Tracking
()
RESOLVED
FIXED
mozilla56
People
(Reporter: jonco, Assigned: jonco)
References
Details
Attachments
(3 files, 1 obsolete file)
36.14 KB,
patch
|
shu
:
review+
|
Details | Diff | Splinter Review |
41.85 KB,
patch
|
jonco
:
review+
lizzard
:
approval-mozilla-beta+
|
Details | Diff | Splinter Review |
36.64 KB,
patch
|
jonco
:
review+
abillings
:
approval-mozilla-esr52+
|
Details | Diff | Splinter Review |
Scope::XDRSizedBindingNames creates and returns a scope Data object of the required length. In most cases we then check if the length is zero and if so delete it again. Not only is this wasteful, but it bumps into one of the GC's rough edges: we can't immediately delete objects that contain GCPtrs because the store buffer may contain pointers into them. Instead we have to queue them for deletion at a safe time (hopefully we can kill this with bug 1370868 but that's not certain). This deferred deletion was only intended to be used to handle errors (e.g. OOM initialising some object), not normal code paths that happen regularly.
Assignee | ||
Updated•7 years ago
|
Assignee: nobody → jcoppeard
Updated•7 years ago
|
Blocks: js-startup-cache
Assignee | ||
Comment 1•7 years ago
|
||
Change Scope::XDRSizedBindingNames to only allocate the Scope::Data if length != 0 and also return the length.
Attachment #8875315 -
Flags: review?(shu)
Comment 2•7 years ago
|
||
(In reply to Jon Coppeard (:jonco) from comment #0) > Scope::XDRSizedBindingNames creates and returns a scope Data object of the > required length. In most cases we then check if the length is zero and if > so delete it again. > > Not only is this wasteful, but it bumps into one of the GC's rough edges: we > can't immediately delete objects that contain GCPtrs because the store > buffer may contain pointers into them. Instead we have to queue them for > deletion at a safe time (hopefully we can kill this with bug 1370868 but > that's not certain). This deferred deletion was only intended to be used to > handle errors (e.g. OOM initialising some object), not normal code paths > that happen regularly. Interesting, did this show up in profiles?
Comment 3•7 years ago
|
||
Comment on attachment 8875315 [details] [diff] [review] bug1370869-xdr-size-bindings Review of attachment 8875315 [details] [diff] [review]: ----------------------------------------------------------------- Thanks for the patch. ::: js/src/vm/Scope.cpp @@ +588,5 @@ > return false; > > if (mode == XDR_DECODE) { > + if (length == 0) > + return false; Should be clearer and equivalent to check if (!data). @@ +790,5 @@ > + data->nonPositionalFormalStart = nonPositionalFormalStart; > + data->varStart = varStart; > + } else { > + MOZ_ASSERT(!nonPositionalFormalStart); > + MOZ_ASSERT(!varStart); What happened to the !data->nextFrameSlot assert?
Attachment #8875315 -
Flags: review?(shu) → review+
Assignee | ||
Comment 4•7 years ago
|
||
(In reply to Shu-yu Guo [:shu] from comment #3) > What happened to the !data->nextFrameSlot assert? I deleted it because |data| is null at this point. I'll add an assert later on that nextFrameSlot ends up as zero if there are no bindings.
Pushed by jcoppeard@mozilla.com: https://hg.mozilla.org/integration/mozilla-inbound/rev/8a43148a783b Don't allocate scope bindings data only to delete it immediately r=shu
Comment 6•7 years ago
|
||
bugherder |
https://hg.mozilla.org/mozilla-central/rev/8a43148a783b
Status: NEW → RESOLVED
Closed: 7 years ago
status-firefox55:
--- → fixed
Resolution: --- → FIXED
Target Milestone: --- → mozilla55
Assignee | ||
Comment 7•7 years ago
|
||
(In reply to Shu-yu Guo [:shu] from comment #2) > Interesting, did this show up in profiles? This showed up trying to land bug 1358073 on esr52. We fall foul of bug 1371234. The cleanup mechanism for GC managed objects destroyed outside of the GC was not intended to be used as part of normal operation but as a way of handling e.g. OOM during initialisation.
Assignee | ||
Comment 8•7 years ago
|
||
Looking at the code some more I realised that in the non-zero-length case XDR decoding still creates scope data, copies it and then deletes the original.
Status: RESOLVED → REOPENED
Resolution: FIXED → ---
Summary: XDR decoding creates zero-length scope Data objects and immediately deletes them → XDR decoding creates scope Data objects and then deletes them
Assignee | ||
Comment 9•7 years ago
|
||
This patch refactors scope creation so that it doesn't copy the scope data for the XDR decode case. This doesn't set nextFrameSlot on the data passed in by the frontend any more (it just sets it on the copy) but as far as I can see that is not used. This patch applies over a backout of the previous patch.
Attachment #8875315 -
Attachment is obsolete: true
Attachment #8876071 -
Flags: review?(shu)
Comment 10•7 years ago
|
||
Comment on attachment 8876071 [details] [diff] [review] bug1370869-dont-copy-scope-data-for-xdr Review of attachment 8876071 [details] [diff] [review]: ----------------------------------------------------------------- ::: js/src/vm/Scope.cpp @@ +519,5 @@ > uint32_t firstFrameSlot, HandleScope enclosing) > { > + MOZ_ASSERT(data, "LexicalScopes should not be created if there are no bindings."); > + > + // The data that's passed in may be from the frontend and LifoAlloc'd. Please update this comment and others like it below. The always-copy behavior was for uniformity of the code, thus the "may be from the frontend". Now the API is that |create| always copies the data, and |createWithData| mutates then moves the data, this should say the data always comes from the frontend. @@ +762,5 @@ > > { > + Maybe<Rooted<UniquePtr<Data>>> uniqueData; > + if (mode == XDR_DECODE) > + uniqueData.emplace(cx, data); Nice, removed the ScopeExit.
Attachment #8876071 -
Flags: review?(shu) → review+
Comment 11•7 years ago
|
||
Pushed by jcoppeard@mozilla.com: https://hg.mozilla.org/integration/mozilla-inbound/rev/d54918df1a29 Don't copy scope data in XDR decode r=shu
Comment 12•7 years ago
|
||
bugherder |
https://hg.mozilla.org/mozilla-central/rev/d54918df1a29
Status: REOPENED → RESOLVED
Closed: 7 years ago → 7 years ago
status-firefox56:
--- → fixed
Resolution: --- → FIXED
Comment 13•7 years ago
|
||
> This patch applies over a backout of the previous patch. I got a bit confused with the milestone of mozilla-central changeset d54918df1a29 and the tracking flags here. (milestone says 55.0a1, tracking flag says 56) I think d54918df1a29 just missed the train. Should d54918df1a29 be uplift to 55 branch as well?
Flags: needinfo?(jcoppeard)
Assignee | ||
Comment 14•7 years ago
|
||
Approval Request Comment [Feature/Bug causing the regression]: Bug 1358073. [User impact if declined]: Possible OOM crashes XDR decoding when the nursery is full. [Is this code covered by automated tests?]: Yes. [Has the fix been verified in Nightly?]: Yes. [Needs manual test from QE? If yes, steps to reproduce]: No. [List of other uplifts needed for the feature/fix]: None. [Is the change risky?]: No. [Why is the change risky/not risky?]: This doesn't affect behaviour, it's a refactoring that reduces the number of memory allocations when XDR decoding. [String changes made/needed]: None. The first patch for this has landed on 55 already.
Flags: needinfo?(jcoppeard)
Attachment #8877528 -
Flags: review+
Attachment #8877528 -
Flags: approval-mozilla-beta?
Comment 15•7 years ago
|
||
This was reopened after landing the first patch so resetting 55 status (which only has that first patch) to affected.
Comment 16•7 years ago
|
||
Comment on attachment 8877528 [details] [diff] [review] bug1370869-beta-55 Looks like a big refactor, but it sounds like we should take this for 55 or else back out the other huge patch. Since we're still early in beta I'd rather uplift part 2.
Attachment #8877528 -
Flags: approval-mozilla-beta? → approval-mozilla-beta+
Updated•7 years ago
|
tracking-firefox55:
--- → +
Comment 17•7 years ago
|
||
NI ryanvm just in case sheriffs missed uplift tracking due to TM being set as 55.
Flags: needinfo?(ryanvm)
Comment 18•7 years ago
|
||
Not necessary (we go off tracking flags, not TM), but thanks anyway :)
Flags: needinfo?(ryanvm)
Target Milestone: mozilla55 → mozilla56
Comment 19•7 years ago
|
||
uplift |
Jon pushed this: https://hg.mozilla.org/releases/mozilla-beta/rev/ea84df3bdb99
Updated•7 years ago
|
Flags: qe-verify-
Assignee | ||
Comment 21•7 years ago
|
||
[Approval Request Comment] If this is not a sec:{high,crit} bug, please state case for ESR consideration: Required for backport of patch in bug 1358073. User impact if declined: Bug 1358073 fixes some crashes / possible vulnerability. Fix Landed on Version: 56 Risk to taking this patch (and alternatives if risky): Low. String or UUID changes made by this patch: None. This patch applies on top of the bug1358073-esr52 patch in the other bug.
Flags: needinfo?(jcoppeard)
Attachment #8879889 -
Flags: review+
Attachment #8879889 -
Flags: approval-mozilla-esr52?
Updated•7 years ago
|
Attachment #8879889 -
Flags: approval-mozilla-esr52? → approval-mozilla-esr52+
Comment 22•7 years ago
|
||
uplift |
https://hg.mozilla.org/releases/mozilla-esr52/rev/3b8fde840188
status-firefox-esr52:
--- → fixed
You need to log in
before you can comment on or make changes to this bug.
Description
•