Closed Bug 1683080 Opened 5 years ago Closed 5 years ago

vixl sim cache flushing: Simulator::Current asserts when called from asm.js compilation

Categories

(Core :: JavaScript Engine: JIT, defect, P3)

Product:
Core
Component:
JavaScript Engine: JIT
Platform:
ARM64
Linux
Type:
defect

Tracking

()

Status:
RESOLVED FIXED
Milestone:
86 Branch
Tracking Flags:
Tracking Status
firefox86 --- fixed

People

(Reporter: lth, Assigned: lth)

References

Details

Attachments

(1 file)

Bug 1683080 - Do not access the simulator on background thread. r=nbp
48 bytes, text/x-phabricator-request
Details | Review

When compiling asm.js code for the arm64 simulator (with the arm64 ion pipeline), compilation happens off-thread, and we can end up with a stack like this:

#0  0x000055b196c14d4a in vixl::Simulator::Current () at jit/arm64/vixl/MozSimulator-vixl.cpp:169
#1  0x000055b196c14ad2 in vixl::CPU::EnsureIAndDCacheCoherency () at jit/arm64/vixl/MozCpu-vixl.cpp:175
#2  0x000055b196b0985b in js::jit::FlushICache () at jit/arm64/Architecture-arm64.cpp:80
#3  0x000055b196ffeeba in js::jit::ReprotectRegion () at jit/ProcessExecutableMemory.cpp:745
#4  0x000055b196944566 in js::jit::ExecutableAllocator::makeExecutableAndFlushICache () at jit/ExecutableAllocator.h:191
#5  0x000055b19708a937 in js::wasm::EnsureBuiltinThunksInitialized () at wasm/WasmBuiltins.cpp:1430
#6  0x000055b19708dc79 in StaticallyLink () at wasm/WasmCode.cpp:205
#7  0x000055b19708da73 in js::wasm::ModuleSegment::initialize () at wasm/WasmCode.cpp:383
#8  0x000055b197093857 in js::wasm::CodeTier::initialize () at wasm/WasmCode.cpp:1068
#9  0x000055b1970941dc in js::wasm::Code::initialize () at wasm/WasmCode.cpp:1178
#10 0x000055b1971852a9 in js::wasm::ModuleGenerator::finishModule () at wasm/WasmGenerator.cpp:1271
#11 0x000055b19711b33e in ModuleValidator<char16_t>::finish () at wasm/AsmJS.cpp:2149
#12 0x000055b19709f2ad in CheckModule<char16_t> () at wasm/AsmJS.cpp:6412
#13 0x000055b197056c6a in DoCompileAsmJS<char16_t> () at wasm/AsmJS.cpp:7069
#14 0x000055b197056bd5 in js::CompileAsmJS () at wasm/AsmJS.cpp:7092
#15 0x000055b1965d717a in js::frontend::Parser<js::frontend::FullParseHandler, char16_t>::asmJS () at frontend/Parser.cpp:3720
#16 0x000055b1965c24b5 in js::frontend::GeneralParser<js::frontend::FullParseHandler, char16_t>::asmJS () at frontend/Parser.cpp:3734
...
#55 0x000055b195ed861b in js::ParseTask::runTask () at vm/HelperThreads.cpp:651
#56 0x000055b195ed83d3 in js::ParseTask::runHelperThreadTask () at vm/HelperThreads.cpp:607
#57 0x000055b195ee1c68 in js::GlobalHelperThreadState::runTaskLocked () at vm/HelperThreads.cpp:2679
...
#62 0x00007fcad6ace432 in start_thread () at pthread_create.c:477
#63 0x00007fcad6688913 in clone () at ../sysdeps/unix/sysv/linux/x86_64/clone.S:95

The code in Current() looks like this:

  ...
  JSRuntime* rt = cx->runtime();
  if (!rt) {
    return nullptr;
  }
  MOZ_ASSERT(js::CurrentThreadCanAccessRuntime(rt));
  return cx->simulator();

And in the caller we see

  Simulator* sim = vixl::Simulator::Current();
  if (sim) {
    sim->FlushICache();
  } else if (!codeIsThreadLocal) {
    SimulatorProcess::membarrier();
  }

where one would have thought that maybe the codeIsThreadLocal could have guarded the access to the simulator? Not sure what the logic is here.

Attachment #9193746 - Attachment description: Bug 1683080 - do not access the simulator on background thread (wip) → Bug 1683080 - Do not access the simulator on background thread. r=nbp
Severity: -- → S4
Pushed by lhansen@mozilla.com: https://hg.mozilla.org/integration/autoland/rev/00f95b79b806 Do not access the simulator on background thread. r=nbp

https://hg.mozilla.org/mozilla-central/rev/00f95b79b806

Status: ASSIGNED → RESOLVED
Closed: 5 years ago
status-firefox86: --- → fixed
Resolution: --- → FIXED
Target Milestone: --- → 86 Branch
You need to log in before you can comment on or make changes to this bug.

Attachment

General

Creator:
Created:
Updated:
Size: