Closed Bug 1591598 Opened 5 years ago Closed 5 years ago

Unify LazyScript::enclosingLazyScriptOrScope with JSScript::warmUpData

Categories

(Core :: JavaScript Engine, task, P2)

RESOLVED FIXED
mozilla73
Tracking Status
firefox73 --- fixed

People

(Reporter: tcampbell, Assigned: tcampbell)

Attachments

(3 files)

See proposal in https://bugzilla.mozilla.org/show_bug.cgi?id=1529456#c1

We can unify the LazyScript::enclosingLazyScriptOrScope and JSScript::warmUpData fields and move them into js::BaseScript. This reduces the differences between LazyScript and JSScript.

Once a lazy script is compiled, the enclosing scope can be found by looking at the enclosing scope of the outermost scope. As a result, the word of memory can be used to store JIT tracking data.

Assignee: nobody → tcampbell
Status: NEW → ASSIGNED

Prepare to move the warmUpData field to BaseScript by first moving the type
definition earlier in the file.

Allow storing manually-barriered GC pointers in ScriptWarmUpData. This
updates the 'trace' method as needed. When switching types, the user must
first 'clear' the old type and then 'init' the new type. We continue to use
WarmUpCount(0) as the default safe state.

Depends on D55033

Unify the JSScript::warmUpData_ and LazyScript::enclosingLazyScriptOrScope_
fields into BaseScript. As a script progresses from lazy up to being JIT-ed,
the type stored in this field will change. If a script is in a compiled
state, the enclosingLazyScriptOrScope_ value can always be reconstructed
during relazification.

Depends on D55034
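
A simplified model of the clear-then-init discipline and the lazy-to-compiled transition described in the two patch descriptions above, as an added example that is not SpiderMonkey's code. The class, tag layout and accessor names are assumptions, and the manual GC barriers are left out.

```cpp
#include <cassert>
#include <cstdint>

// Simplified model, not SpiderMonkey code: one pointer-sized word whose low
// two bits say which kind of value the remaining bits hold.
struct Scope { Scope* enclosing; };  // stand-in GC things (hypothetical)
struct LazyScript { int id; };

class WarmUpWord {
  enum Tag : uintptr_t { Count = 0, EnclosingScript = 1, EnclosingScope = 2 };
  static constexpr uintptr_t TagMask = 3;
  uintptr_t bits_ = 0;  // WarmUpCount(0): the default safe state

  Tag tag() const { return Tag(bits_ & TagMask); }
  template <class T> void initPtr(T* p, Tag t) {
    // Switching types without clearing first would silently overwrite a
    // live pointer or counter, so only the default state may be replaced.
    assert(bits_ == 0 && "clear the old type before init");
    assert((reinterpret_cast<uintptr_t>(p) & TagMask) == 0);
    bits_ = reinterpret_cast<uintptr_t>(p) | t;
  }

 public:
  bool isWarmUpCount() const { return tag() == Count; }
  bool isEnclosingScope() const { return tag() == EnclosingScope; }
  bool isEnclosingScript() const { return tag() == EnclosingScript; }

  void initEnclosingScope(Scope* s) { initPtr(s, EnclosingScope); }
  void initEnclosingScript(LazyScript* l) { initPtr(l, EnclosingScript); }
  void clear() { bits_ = 0; }  // back to WarmUpCount(0); barriers omitted here

  // Typed accessors return nullptr / 0 on a tag mismatch instead of
  // reinterpreting the bits as the wrong type.
  Scope* toEnclosingScope() const {
    return isEnclosingScope() ? reinterpret_cast<Scope*>(bits_ & ~TagMask) : nullptr;
  }
  uint32_t toWarmUpCount() const { return isWarmUpCount() ? uint32_t(bits_ >> 2) : 0; }
  void incWarmUpCount() { assert(isWarmUpCount()); bits_ += 4; }
};

// Once a script is compiled, its enclosing scope is recovered from the
// outermost scope, so the word no longer has to hold it.
Scope* enclosingOf(Scope* outermost) { return outermost->enclosing; }
```

Callers of the typed accessors have to handle the nullptr result, since the same word holds a counter, not a pointer, once the script is compiled.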

Attachment #9112123 - Attachment description: Bug 1591598 - Support storing LazyScript/Scope in ScriptWarmUpData. r?jandem,jonco → Bug 1591598 - Support storing LazyScript/Scope in ScriptWarmUpData. r?jandem!,jonco!
Pushed by tcampbell@mozilla.com:
https://hg.mozilla.org/integration/autoland/rev/42ca239ee6a6
Move js::ScriptWarmUpData before js::BaseScript. r=jandem
https://hg.mozilla.org/integration/autoland/rev/5ea098cc9ef0
Support storing LazyScript/Scope in ScriptWarmUpData. r=jandem,jonco
https://hg.mozilla.org/integration/autoland/rev/5163670bfede
Move 'warmUpData_' field to js::BaseScript. r=jandem
Status: ASSIGNED → RESOLVED
Closed: 5 years ago
Resolution: --- → FIXED
Target Milestone: --- → mozilla73

Backed out 7 changesets (bug 1600439, bug 1566466, bug 1591598) for raptor crashes

Backout: https://hg.mozilla.org/integration/autoland/rev/4cb3934b76b14f04d8f8cd781f14a56693312f40

Failure push: https://treeherder.mozilla.org/#/jobs?repo=autoland&revision=14f33b78f0eb5e32fd3e9c116f21a23ab7221f26

Failure log: https://treeherder.mozilla.org/logviewer.html#/jobs?job_id=279099999&repo=autoland&lineNumber=829

[task 2019-12-02T17:34:43.940Z] 17:34:43 INFO - raptor-control-server Info: received webext_status: update tab: 2
[task 2019-12-02T17:34:43.942Z] 17:34:43 INFO - raptor-control-server Info: received webext_status: test tab updated: 2
[task 2019-12-02T17:34:43.952Z] 17:34:43 INFO - PID 7936 | console.log: "[raptor-runnerjs] post success"
[task 2019-12-02T17:34:43.952Z] 17:34:43 INFO - PID 7936 | console.log: "[raptor-runnerjs] post success"
[task 2019-12-02T17:52:39.464Z] 17:52:39 CRITICAL - raptor-main Critical: Tests failed to finish! Application timed out.
[task 2019-12-02T17:52:39.465Z] 17:52:39 ERROR - raptor-main Error: Test failed to finish. Application timed out after 1100 seconds
[task 2019-12-02T17:52:39.465Z] 17:52:39 INFO - mozcrash Downloading symbols from: https://firefox-ci-tc.services.mozilla.com/api/queue/v1/task/PjM4OKf0TKm6B0XbmjcRIQ/artifacts/public/build/target.crashreporter-symbols.zip
[task 2019-12-02T17:52:42.149Z] 17:52:42 INFO - mozcrash Copy/paste: C:\Users\task_1575307310\build\win32-minidump_stackwalk.exe c:\users\task_1575307310\appdata\local\temp\tmpsswfoz.mozrunner\minidumps\c3ee38ba-83a5-4d92-9851-63b46b8fd533.dmp c:\users\task_1575307310\appdata\local\temp\tmpj_zlga
[task 2019-12-02T17:52:47.488Z] 17:52:47 INFO - mozcrash Saved minidump as C:\Users\task_1575307310\build\blobber_upload_dir\c3ee38ba-83a5-4d92-9851-63b46b8fd533.dmp
[task 2019-12-02T17:52:47.488Z] 17:52:47 INFO - mozcrash Saved app info as C:\Users\task_1575307310\build\blobber_upload_dir\c3ee38ba-83a5-4d92-9851-63b46b8fd533.extra
[task 2019-12-02T17:52:47.489Z] 17:52:47 ERROR - PROCESS-CRASH | runner.py | application crashed [@ static class mozilla::Result<mozilla::Ok,JS::TranscodeResult> js::LazyScript::XDRScriptData<js::XDR_ENCODE>(class js::XDRState<js::XDR_ENCODE> *, class JS::Handle<js::ScriptSourceObject *>, class JS::Handle<js::LazyScript *>)]
[task 2019-12-02T17:52:47.490Z] 17:52:47 INFO - Crash dump filename: c:\users\task_1575307310\appdata\local\temp\tmpsswfoz.mozrunner\minidumps\c3ee38ba-83a5-4d92-9851-63b46b8fd533.dmp
[task 2019-12-02T17:52:47.491Z] 17:52:47 INFO - Operating system: Windows NT
[task 2019-12-02T17:52:47.491Z] 17:52:47 INFO - 10.0.15063
[task 2019-12-02T17:52:47.491Z] 17:52:47 INFO - CPU: amd64
[task 2019-12-02T17:52:47.492Z] 17:52:47 INFO - family 6 model 94 stepping 3
[task 2019-12-02T17:52:47.492Z] 17:52:47 INFO - 8 CPUs
[task 2019-12-02T17:52:47.492Z] 17:52:47 INFO - GPU: UNKNOWN
[task 2019-12-02T17:52:47.492Z] 17:52:47 INFO - Crash reason: EXCEPTION_ACCESS_VIOLATION_READ
[task 2019-12-02T17:52:47.492Z] 17:52:47 INFO - Crash address: 0x0
[task 2019-12-02T17:52:47.493Z] 17:52:47 INFO - Assertion: Unknown assertion type 0x00000000
[task 2019-12-02T17:52:47.493Z] 17:52:47 INFO - Process uptime: 36 seconds
[task 2019-12-02T17:52:47.493Z] 17:52:47 INFO - Thread 0 (crashed)
[task 2019-12-02T17:52:47.493Z] 17:52:47 INFO - 0 xul.dll!static class mozilla::Result<mozilla::Ok,JS::TranscodeResult> js::LazyScript::XDRScriptData<js::XDR_ENCODE>(class js::XDRState<js::XDR_ENCODE> *, class JS::Handle<js::ScriptSourceObject *>, class JS::Handle<js::LazyScript *>) [JSScript.cpp:14f33b78f0eb5e32fd3e9c116f21a23ab7221f26 : 253 + 0x7]
[task 2019-12-02T17:52:47.495Z] 17:52:47 INFO - Found by: given as instruction pointer in context
[task 2019-12-02T17:52:47.495Z] 17:52:47 INFO - 1 xul.dll!class mozilla::Result<mozilla::Ok,JS::TranscodeResult> js::XDRLazyScript<js::XDR_ENCODE>(class js::XDRState<js::XDR_ENCODE> *, class JS::Handle<js::Scope *>, class JS::Handle<js::ScriptSourceObject *>, class JS::Handle<JSFunction *>, class JS::MutableHandle<js::LazyScript *>) [JSScript.cpp:14f33b78f0eb5e32fd3e9c116f21a23ab7221f26 : 1343 + 0x8]
[task 2019-12-02T17:52:47.496Z] 17:52:47 INFO - Found by: call frame info

Status: RESOLVED → REOPENED
Flags: needinfo?(tcampbell)
Resolution: FIXED → ---
Target Milestone: mozilla73 → ---

This is a nullptr crash with BinAST and XDR from the patches in Bug 1600439. The fix is to check for nullptr in LazyScript::XDRScriptData. I'll update the revision and reland the stack.

Flags: needinfo?(tcampbell)
Pushed by tcampbell@mozilla.com:
https://hg.mozilla.org/integration/autoland/rev/9a5476cdfaba
Move js::ScriptWarmUpData before js::BaseScript. r=jandem
https://hg.mozilla.org/integration/autoland/rev/bb3d55c2eb05
Support storing LazyScript/Scope in ScriptWarmUpData. r=jandem,jonco
https://hg.mozilla.org/integration/autoland/rev/ab89cd94ef40
Move 'warmUpData_' field to js::BaseScript. r=jandem
Pushed by shindli@mozilla.com:
https://hg.mozilla.org/mozilla-central/rev/36d96e39ad22
Move js::ScriptWarmUpData before js::BaseScript. r=jandem
https://hg.mozilla.org/mozilla-central/rev/1f2f66ee6703
Support storing LazyScript/Scope in ScriptWarmUpData. r=jandem,jonco
https://hg.mozilla.org/mozilla-central/rev/7fffe9024632
Move 'warmUpData_' field to js::BaseScript. r=jandem
Status: REOPENED → RESOLVED
Closed: 5 years ago
Resolution: --- → FIXED
Target Milestone: --- → mozilla73