Closed
Bug 1400442
Opened 7 years ago
Closed 7 years ago
stylo heap write analysis: Move known bugs into bug-commented annotations in the analysis code, and fix the rest
Categories
(Core :: CSS Parsing and Computation, enhancement)
Core
CSS Parsing and Computation
Tracking
()
RESOLVED
FIXED
mozilla57
Tracking | Status | |
---|---|---|
firefox57 | --- | fixed |
People
(Reporter: sfink, Assigned: sfink)
References
Details
Attachments
(18 files, 2 obsolete files)
8.25 KB,
patch
|
sfink
:
review+
|
Details | Diff | Splinter Review |
1.06 KB,
patch
|
sfink
:
review+
|
Details | Diff | Splinter Review |
4.10 KB,
patch
|
bhackett1024
:
review+
|
Details | Diff | Splinter Review |
1.16 KB,
patch
|
jonco
:
review+
|
Details | Diff | Splinter Review |
1.21 KB,
patch
|
jonco
:
review+
|
Details | Diff | Splinter Review |
4.64 KB,
patch
|
jonco
:
review+
|
Details | Diff | Splinter Review |
2.02 KB,
patch
|
sfink
:
review+
|
Details | Diff | Splinter Review |
1.67 KB,
patch
|
jonco
:
review+
|
Details | Diff | Splinter Review |
1.89 KB,
patch
|
bhackett1024
:
review+
|
Details | Diff | Splinter Review |
1.46 KB,
patch
|
sfink
:
review+
|
Details | Diff | Splinter Review |
1.49 KB,
patch
|
jonco
:
review+
|
Details | Diff | Splinter Review |
1.08 KB,
patch
|
manishearth
:
review+
|
Details | Diff | Splinter Review |
4.86 KB,
patch
|
bhackett1024
:
review+
|
Details | Diff | Splinter Review |
4.17 KB,
patch
|
jonco
:
review+
|
Details | Diff | Splinter Review |
997 bytes,
patch
|
sfink
:
review+
|
Details | Diff | Splinter Review |
7.04 KB,
patch
|
bhackett1024
:
review+
|
Details | Diff | Splinter Review |
5.27 KB,
patch
|
jonco
:
review+
|
Details | Diff | Splinter Review |
1.79 KB,
patch
|
bhackett1024
:
review+
|
Details | Diff | Splinter Review |
Currently, we have a handful of known hazards, with an expectation count that controls whether the job will turn red. Now that they are all understood, I am going to whitelist them all, which means we should have a count of zero. They will be recorded as blocking bug 1356458 instead. This should make it easier to see added hazards, as you won't have to ignore the known ones when looking at the hazard results file. This bug will also improve the analysis so that it only whitelists a small number of Gecko_ functions in the first place (these are the ones that are commented with bugs and block 1356458).
Assignee | ||
Comment 1•7 years ago
|
||
Debugging-only tool, not used by actual analysis, no need for review.
Assignee | ||
Updated•7 years ago
|
Assignee: nobody → sphink
Status: NEW → ASSIGNED
Assignee | ||
Comment 2•7 years ago
|
||
Attachment #8908889 -
Flags: review?(jcoppeard)
Assignee | ||
Comment 3•7 years ago
|
||
The code is void LangGroupFontPrefs::Initialize(nsIAtom* aLangGroupAtom) { nsFont* fontTypes[] = { &mDefaultVariableFont, &mDefaultFixedFont, &mDefaultSerifFont, &mDefaultSansSerifFont, &mDefaultMonospaceFont, &mDefaultCursiveFont, &mDefaultFantasyFont }; nsFont* font = fontTypes[3]; font->size = 42; } 'this' is known to be a safe pointer (exclusively owned by the current thread), so a pointer to one of its members is also safe. But the analysis can't track safety across all that, so I have a special-case annotation here that says that fontTypes[3] returns a safe pointer if and only if 'this' is safe. Note that all of those fields (eg mDefaultVariableFont) are nsFont structs, not pointers, so although you'd expect this to be one dereference away from a safe pointer's memory, it is not; assigning to font->size ends up being a write to some offset within the 'this' pointer, which is known to be safe here.
Attachment #8908891 -
Flags: review?(bhackett1024)
Assignee | ||
Comment 4•7 years ago
|
||
Attachment #8908892 -
Flags: review?(jcoppeard)
Assignee | ||
Comment 5•7 years ago
|
||
Attachment #8908893 -
Flags: review?(jcoppeard)
Assignee | ||
Comment 6•7 years ago
|
||
This is for nicer output only, and does not affect the computation. A WorkListEntry contains a stack of CallSites, and the top of the stack represents the entry itself and so should share parameterNames. This changes fixes cases where some names were being registered in a different table than ended up being used by printouts.
Attachment #8908894 -
Flags: review?(jcoppeard)
Assignee | ||
Comment 7•7 years ago
|
||
Assignee | ||
Comment 8•7 years ago
|
||
At some point, I convinced myself that this cache was useful for performance. I'm not entirely sure that's true. (When stepping through the debugger, I saw it going back to the CFG repeatedly for the same variables. But I don't *really* know whether it matters.)
Attachment #8908896 -
Flags: review?(jcoppeard)
Assignee | ||
Comment 9•7 years ago
|
||
Phew. I thought hard about how to handle getter_Copies, and when I finally went to implement it, I found that you'd already done exactly what I was intending for getter_Addrefs. \o/
Attachment #8908897 -
Flags: review?(bhackett1024)
Assignee | ||
Comment 10•7 years ago
|
||
This really doesn't matter, but I was running some sanity tests on old xdbs, and it looks like these things have changed names.
Assignee | ||
Comment 11•7 years ago
|
||
nsStyleStruct has the field: nsBorderColors** mBorderColors; It starts out nullptr, and when it is needed, it allocates an array of 4 nsBorderColors pointers. But the nsStyleStruct exclusively owns the array; nothing else can get at it. This change teaches the analysis that if 'this' is a safe nsStyleStruct*, then it should treat mBorderColors as if it were an inline length-4 array.
Attachment #8908899 -
Flags: review?(bhackett1024)
Assignee | ||
Comment 12•7 years ago
|
||
Attachment #8908902 -
Flags: review?(jcoppeard)
Assignee | ||
Comment 13•7 years ago
|
||
I believe it is safe to say that Servo_ComputedValues_EqualCustomProperties won't do any racy writes.
Attachment #8908903 -
Flags: review?(manishearth)
Assignee | ||
Comment 14•7 years ago
|
||
Oops, missed a followup fix to handle when isSafeLocalVariable is called with a totally different type of CFG node.
Attachment #8908905 -
Flags: review?(bhackett1024)
Assignee | ||
Updated•7 years ago
|
Attachment #8908899 -
Attachment is obsolete: true
Attachment #8908899 -
Flags: review?(bhackett1024)
Assignee | ||
Comment 15•7 years ago
|
||
Third time's a charm. There were two different fragments left out of the first upload here. I also needed to annotate the incoming parameters.
Attachment #8908906 -
Flags: review?(bhackett1024)
Assignee | ||
Updated•7 years ago
|
Attachment #8908905 -
Attachment is obsolete: true
Attachment #8908905 -
Flags: review?(bhackett1024)
Assignee | ||
Comment 16•7 years ago
|
||
Attachment #8908907 -
Flags: review?(jcoppeard)
Assignee | ||
Comment 17•7 years ago
|
||
I don't actually know who I should be asking for review here. You? emilio? Please redirect as appropriate.
Attachment #8908908 -
Flags: review?(manishearth)
Assignee | ||
Comment 18•7 years ago
|
||
A bunch of machinery just to annotate keyframe->mTimingFunction.emplace() keyframe->mTimingFunction->Init() as passing in a safe 'this' to Init().
Attachment #8908910 -
Flags: review?(bhackett1024)
Assignee | ||
Comment 19•7 years ago
|
||
This doesn't exactly need review; the try server will review it for me. But it's the big one that removes all of the whole-function annotations that don't have a good reason to exist, and drops the expectation to zero. \o/
Attachment #8908911 -
Flags: review?(jcoppeard)
Assignee | ||
Comment 20•7 years ago
|
||
Comment on attachment 8908898 [details] [diff] [review] Backward-compatible js::Class[Ops].trace annotation Marking r=me for tidiness.
Attachment #8908898 -
Flags: review+
Assignee | ||
Comment 21•7 years ago
|
||
Comment on attachment 8908888 [details] [diff] [review] CFG dumping utility, handy for debugging, r=me, debugging tool only
Attachment #8908888 -
Flags: review+
Assignee | ||
Comment 22•7 years ago
|
||
Comment on attachment 8908895 [details] [diff] [review] Refactor the --function debugging command line option (and alias it to -f) to analyzeHeapWrites.js, r=me, debugging code only.
Attachment #8908895 -
Flags: review+
Assignee | ||
Comment 23•7 years ago
|
||
Comment on attachment 8908908 [details] [diff] [review] Assert that Gecko_ShouldCreateStyleThreadPool is only called on the main thread r=emilio via IRC
Attachment #8908908 -
Flags: review?(manishearth) → review+
Assignee | ||
Comment 24•7 years ago
|
||
Oops, missed this patch when uploading stuff.
Attachment #8908928 -
Flags: review?(bhackett1024)
Updated•7 years ago
|
Attachment #8908892 -
Flags: review?(jcoppeard) → review+
Updated•7 years ago
|
Attachment #8908893 -
Flags: review?(jcoppeard) → review+
Updated•7 years ago
|
Attachment #8908894 -
Flags: review?(jcoppeard) → review+
Updated•7 years ago
|
Attachment #8908896 -
Flags: review?(jcoppeard) → review+
Updated•7 years ago
|
Attachment #8908902 -
Flags: review?(jcoppeard) → review+
Updated•7 years ago
|
Attachment #8908907 -
Flags: review?(jcoppeard) → review+
Updated•7 years ago
|
Attachment #8908911 -
Flags: review?(jcoppeard) → review+
Updated•7 years ago
|
Attachment #8908903 -
Flags: review?(manishearth) → review+
Updated•7 years ago
|
Attachment #8908891 -
Flags: review?(bhackett1024) → review+
Updated•7 years ago
|
Attachment #8908897 -
Flags: review?(bhackett1024) → review+
Updated•7 years ago
|
Attachment #8908906 -
Flags: review?(bhackett1024) → review+
Updated•7 years ago
|
Attachment #8908910 -
Flags: review?(bhackett1024) → review+
Updated•7 years ago
|
Attachment #8908928 -
Flags: review?(bhackett1024) → review+
Assignee | ||
Comment 25•7 years ago
|
||
Comment on attachment 8908889 [details] [diff] [review] Annotate atof as not doing any racy writes This one patch got missed, but it's trivial, so r=me.
Attachment #8908889 -
Flags: review?(jcoppeard) → review+
Comment 26•7 years ago
|
||
Pushed by sfink@mozilla.com: https://hg.mozilla.org/integration/mozilla-inbound/rev/9a3d18f5faee CFG dumping utility, handy for debugging, r=me https://hg.mozilla.org/integration/mozilla-inbound/rev/6696c7a9ed71 Propagate safety through RefPtr, r=bhackett https://hg.mozilla.org/integration/mozilla-inbound/rev/4901b60d0126 Annotate atof as not doing any racy writes, r=me https://hg.mozilla.org/integration/mozilla-inbound/rev/c5239fd503f2 Targeted annotation for static local array of member pointers in LangGroupFontPrefs::Initialize, r=bhackett https://hg.mozilla.org/integration/mozilla-inbound/rev/84018f3951f9 Annotate MOZ_CrashPrintf, r=jonco https://hg.mozilla.org/integration/mozilla-inbound/rev/46c262a38922 Broaden the annotation for string appending functions to handle more types, r=jonco https://hg.mozilla.org/integration/mozilla-inbound/rev/410efc5458e0 Fix handling of parameterNames, r=jonco https://hg.mozilla.org/integration/mozilla-inbound/rev/c37bd96f868a Refactor the --function debugging command line option (and alias it to -f) to analyzeHeapWrites.js, r=me https://hg.mozilla.org/integration/mozilla-inbound/rev/3835877e5870 analyzeHeapWrites: implement a cache for checking whether local variables are safe pointers, r=jonco https://hg.mozilla.org/integration/mozilla-inbound/rev/4ff3e372de3d analyzeHeapWrites: getter_Copies preserves safety (similar to getter_AddRefs), r=bhackett https://hg.mozilla.org/integration/mozilla-inbound/rev/8fe39aef352a Backward-compatible js::Class[Ops].trace annotation, r=me https://hg.mozilla.org/integration/mozilla-inbound/rev/eb2b0c8fa756 Annotate border colors array as being thread-owned by container, r=bhackett https://hg.mozilla.org/integration/mozilla-inbound/rev/8ec91b85f043 Annotate nsTArray::InsertElementAt as returning a value that propagates safety of the array, r=jonco https://hg.mozilla.org/integration/mozilla-inbound/rev/08c0fdb95713 Annotate Servo_ComputedValues_EqualCustomProperties as safe, r=manishearth https://hg.mozilla.org/integration/mozilla-inbound/rev/239eedb24ef2 stylo heap write analysis: Miscellaneous minor annotations, r=jonco https://hg.mozilla.org/integration/mozilla-inbound/rev/696b8f10fcf3 Assert that Gecko_ShouldCreateStyleThreadPool is only called on the main thread, r=emilio https://hg.mozilla.org/integration/mozilla-inbound/rev/d7209c7f31af Special-case annotation for a->b->emplace(); a->b->Init(), r=bhackett https://hg.mozilla.org/integration/mozilla-inbound/rev/1a53a959fd02 Trim down whitelists to only what is required, and mark all known issues with bug numbers, r=jonco
Comment 27•7 years ago
|
||
bugherder |
https://hg.mozilla.org/mozilla-central/rev/9a3d18f5faee https://hg.mozilla.org/mozilla-central/rev/6696c7a9ed71 https://hg.mozilla.org/mozilla-central/rev/4901b60d0126 https://hg.mozilla.org/mozilla-central/rev/c5239fd503f2 https://hg.mozilla.org/mozilla-central/rev/84018f3951f9 https://hg.mozilla.org/mozilla-central/rev/46c262a38922 https://hg.mozilla.org/mozilla-central/rev/410efc5458e0 https://hg.mozilla.org/mozilla-central/rev/c37bd96f868a https://hg.mozilla.org/mozilla-central/rev/3835877e5870 https://hg.mozilla.org/mozilla-central/rev/4ff3e372de3d https://hg.mozilla.org/mozilla-central/rev/8fe39aef352a https://hg.mozilla.org/mozilla-central/rev/eb2b0c8fa756 https://hg.mozilla.org/mozilla-central/rev/8ec91b85f043 https://hg.mozilla.org/mozilla-central/rev/08c0fdb95713 https://hg.mozilla.org/mozilla-central/rev/239eedb24ef2 https://hg.mozilla.org/mozilla-central/rev/696b8f10fcf3 https://hg.mozilla.org/mozilla-central/rev/d7209c7f31af https://hg.mozilla.org/mozilla-central/rev/1a53a959fd02
Status: ASSIGNED → RESOLVED
Closed: 7 years ago
status-firefox57:
--- → fixed
Resolution: --- → FIXED
Target Milestone: --- → mozilla57
You need to log in
before you can comment on or make changes to this bug.
Description
•