[hazards] Prevent false alarms when a refcounted variable goes out of scope when it can be proven to not Release
Categories
(Core :: JavaScript: GC, enhancement, P1)
Tracking
()
| Tracking | Status | |
|---|---|---|
| firefox98 | --- | fixed |
People
(Reporter: sfink, Assigned: sfink)
References
(Blocks 1 open bug)
Details
Attachments
(10 files)
|
48 bytes,
text/x-phabricator-request
|
Details | Review | |
|
48 bytes,
text/x-phabricator-request
|
Details | Review | |
|
48 bytes,
text/x-phabricator-request
|
Details | Review | |
|
48 bytes,
text/x-phabricator-request
|
Details | Review | |
|
48 bytes,
text/x-phabricator-request
|
Details | Review | |
|
48 bytes,
text/x-phabricator-request
|
Details | Review | |
|
48 bytes,
text/x-phabricator-request
|
Details | Review | |
|
48 bytes,
text/x-phabricator-request
|
Details | Review | |
|
48 bytes,
text/x-phabricator-request
|
Details | Review | |
|
48 bytes,
text/x-phabricator-request
|
Details | Review |
The basic scenario:
JSObject* f() {
Rooted<JSObject*> obj = gcpointer();
RefPtr<Foo> r = blah();
...
r.forget();
return obj;
}
The hazard analysis currently rejects this, because the obj return value is extracted into a register, then RefPtr<Foo>::~RefPtr() is invoked. The hazard analysis thinks of that destructor as a GC call, which it in fact is, because if the refcount happens to go to zero during destruction, Release() will be called and there are a handful of Releases that can in fact GC.
But in this case, the refcount can be proven to be zero, so Release will not be called.
|
Assignee | |
Comment 1•2 years ago
|
||
|
||
Updated•2 years ago
|
|
|
Assignee | |
Comment 2•2 years ago
|
||
|
|
Assignee | |
Comment 3•2 years ago
|
||
|
|
Assignee | |
Comment 4•2 years ago
|
||
|
|
Assignee | |
Comment 5•2 years ago
|
||
|
||
Updated•2 years ago
|
|
|
Assignee | |
Comment 6•2 years ago
•
|
||
Ugh, looks like these changes revealed some false positives. The previous code looks like it wasn't quite correct in how it traversed the graph, and there are a few places where we depend on some Maybe<AutoCheckCannotGC> that aren't really correct. (As in, the code is fine, but the proof that it was safe was wrong.) It seems like it'll require some kind of annotations.
|
|
Assignee | |
Comment 7•2 years ago
|
||
|
|
Assignee | |
Comment 8•2 years ago
|
||
|
|
Assignee | |
Comment 9•2 years ago
|
||
|
|
Assignee | |
Comment 10•2 years ago
|
||
|
|
Assignee | |
Comment 11•2 years ago
|
||
|
||
Comment 12•2 years ago
|
||
Pushed by sfink@mozilla.com: https://hg.mozilla.org/integration/autoland/rev/ff509fe4671d Generalize traversing through a function's CFG with BFS_upwards(). r=jonco https://hg.mozilla.org/integration/autoland/rev/5c5742535301 Move some CFG-traversing code from analyzeRoots.js to the common CFG.js, to prepare for calling it from other phases of the analysis. r=jonco https://hg.mozilla.org/integration/autoland/rev/774bdb9939a9 Switch to command-line argument parser. r=jonco https://hg.mozilla.org/integration/autoland/rev/a9c16e721533 Generate gcEdges file with computeCallgraph instead of computeGCFunctions r=jonco https://hg.mozilla.org/integration/autoland/rev/54a60388fb11 Annotate edges that invoke destructors on ref-counted values that can be proven to not Release r=jonco https://hg.mozilla.org/integration/autoland/rev/1ed9d77885c6 Fix the false positive from a loop-scoped GC pointer named temporary r=jonco https://hg.mozilla.org/integration/autoland/rev/2b0caa13d0fc Switch RootList::init from taking an AutoCheckCannotGC token to returning one r=jonco https://hg.mozilla.org/integration/autoland/rev/c288fe1c6c84 Replace the overcomplicated bodyEatsVariable with a quick linear-only test, and improve the comments around std::move + UniquePtr&& handling r=jonco https://hg.mozilla.org/integration/autoland/rev/f4e4bf6ba8ff Fix return value handling, specifically when the final edge in a function body GCs and is treating as using the return value. (This fixes false alarms when returning nullptr in the scope of a GC'ing RAII destructor.) r=jonco https://hg.mozilla.org/integration/autoland/rev/edbf96722e4b arg0_holder can have a non *Argument type, eg if it's using SpiderMonkeyInterfaceRooter. r=jonco
|
||
Comment 13•2 years ago
|
||
Backed out 10 changesets (Bug 1746090) for causing build bustages on TestingFunctions.cpp.
Backout link
Push with failures
Failure Log
|
|
||
Comment 14•2 years ago
|
||
Pushed by sfink@mozilla.com: https://hg.mozilla.org/integration/autoland/rev/b9b4558c03dc Generalize traversing through a function's CFG with BFS_upwards(). r=jonco https://hg.mozilla.org/integration/autoland/rev/2f7a62b93266 Move some CFG-traversing code from analyzeRoots.js to the common CFG.js, to prepare for calling it from other phases of the analysis. r=jonco https://hg.mozilla.org/integration/autoland/rev/a0b1735ffffd Switch to command-line argument parser. r=jonco https://hg.mozilla.org/integration/autoland/rev/fe5ac63668b4 Generate gcEdges file with computeCallgraph instead of computeGCFunctions r=jonco https://hg.mozilla.org/integration/autoland/rev/3a282a6b5f65 Annotate edges that invoke destructors on ref-counted values that can be proven to not Release r=jonco https://hg.mozilla.org/integration/autoland/rev/92a55bc8c1c8 Fix the false positive from a loop-scoped GC pointer named temporary r=jonco https://hg.mozilla.org/integration/autoland/rev/86dfecd590e8 Switch RootList::init from taking an AutoCheckCannotGC token to returning one r=jonco https://hg.mozilla.org/integration/autoland/rev/42586bdfd56f Replace the overcomplicated bodyEatsVariable with a quick linear-only test, and improve the comments around std::move + UniquePtr&& handling r=jonco https://hg.mozilla.org/integration/autoland/rev/aea63ceb5ff5 Fix return value handling, specifically when the final edge in a function body GCs and is treating as using the return value. (This fixes false alarms when returning nullptr in the scope of a GC'ing RAII destructor.) r=jonco https://hg.mozilla.org/integration/autoland/rev/132c6be41ec2 arg0_holder can have a non *Argument type, eg if it's using SpiderMonkeyInterfaceRooter. r=jonco
|
||
Comment 15•2 years ago
•
|
||
Backed out 10 changesets (Bug 1746090) for causing failures in HeapSnapshot.cpp CLOSED TREE
Log: https://treeherder.mozilla.org/logviewer?job_id=364912510&repo=autoland
[task 2022-01-21T00:47:12.938Z] 00:47:12 WARNING - TEST-UNEXPECTED-FAIL | devtools/shared/heapsnapshot/tests/xpcshell/test_HeapAnalyses_takeCensus_04.js | xpcshell return code: -11
[task 2022-01-21T00:47:12.939Z] 00:47:12 INFO - TEST-INFO took 247ms
[task 2022-01-21T00:47:12.939Z] 00:47:12 INFO - >>>>>>>
[task 2022-01-21T00:47:12.939Z] 00:47:12 INFO - PID 12917 | [Parent 12917, Main Thread] WARNING: Couldn't get the user appdata directory. Crash events may not be produced.: file /builds/worker/checkouts/gecko/toolkit/crashreporter/nsExceptionHandler.cpp:2965
[task 2022-01-21T00:47:12.939Z] 00:47:12 INFO - (xpcshell/head.js) | test MAIN run_test pending (1)
[task 2022-01-21T00:47:12.940Z] 00:47:12 INFO - (xpcshell/head.js) | test run_next_test 0 pending (2)
[task 2022-01-21T00:47:12.940Z] 00:47:12 INFO - (xpcshell/head.js) | test MAIN run_test finished (2)
[task 2022-01-21T00:47:12.940Z] 00:47:12 INFO - running event loop
[task 2022-01-21T00:47:12.940Z] 00:47:12 INFO - devtools/shared/heapsnapshot/tests/xpcshell/test_HeapAnalyses_takeCensus_04.js | Starting test
[task 2022-01-21T00:47:12.942Z] 00:47:12 INFO - (xpcshell/head.js) | test test pending (2)
[task 2022-01-21T00:47:12.942Z] 00:47:12 INFO - PID 12917 | [Parent 12917, Main Thread] WARNING: NS_ENSURE_SUCCESS(rv, kKnownEsrVersion) failed with result 0x80004002 (NS_NOINTERFACE): file /builds/worker/checkouts/gecko/toolkit/components/resistfingerprinting/nsRFPService.cpp:560
[task 2022-01-21T00:47:12.942Z] 00:47:12 INFO - PID 12917 | Assertion failure: roots.initialized(), at /builds/worker/checkouts/gecko/devtools/shared/heapsnapshot/HeapSnapshot.cpp:786
[task 2022-01-21T00:47:12.942Z] 00:47:12 INFO - PID 12917 | #01: mozilla::dom::ChromeUtils::SaveHeapSnapshotShared(mozilla::dom::GlobalObject&, mozilla::dom::HeapSnapshotBoundaries const&, nsTSubstring<char16_t>&, nsTSubstring<char16_t>&, mozilla::ErrorResult&) [devtools/shared/heapsnapshot/HeapSnapshot.cpp:1483]
[task 2022-01-21T00:47:12.942Z] 00:47:12 INFO - PID 12917 | #02: mozilla::dom::ChromeUtils::SaveHeapSnapshot(mozilla::dom::GlobalObject&, mozilla::dom::HeapSnapshotBoundaries const&, nsTSubstring<char16_t>&, mozilla::ErrorResult&) [devtools/shared/heapsnapshot/HeapSnapshot.cpp:1529]
[task 2022-01-21T00:47:12.943Z] 00:47:12 INFO - PID 12917 | #03: mozilla::dom::ChromeUtils_Binding::saveHeapSnapshot(JSContext*, unsigned int, JS::Value*) [s3:gecko-generated-sources:57ee2e519b7ade52dd478a265547fabc43d590df97b30d43c92781f0f62d07901e7e44122a5fe995158849b11f04087fda5070c85db0037cb21478e956aea809/dom/bindings/ChromeUtilsBinding.cpp::3652]
[task 2022-01-21T00:47:12.944Z] 00:47:12 INFO - PID 12917 | #04: CallJSNative(JSContext*, bool ()(JSContext, unsigned int, JS::Value*), js::CallReason, JS::CallArgs const&) [js/src/vm/Interpreter.cpp:425]
[task 2022-01-21T00:47:12.945Z] 00:47:12 INFO - PID 12917 | #05: js::InternalCallOrConstruct(JSContext*, JS::CallArgs const&, js::MaybeConstruct, js::CallReason) [js/src/vm/Interpreter.cpp:512]
[task 2022-01-21T00:47:12.945Z] 00:47:12 INFO - PID 12917 | #06: InternalCall(JSContext*, js::AnyInvokeArgs const&, js::CallReason) [js/src/vm/Interpreter.cpp:572]
[task 2022-01-21T00:47:12.946Z] 00:47:12 INFO - PID 12917 | #07: Interpret(JSContext*, js::RunState&) [js/src/vm/Interpreter.cpp:3309]
[task 2022-01-21T00:47:12.946Z] 00:47:12 INFO - PID 12917 | #08: js::RunScript(JSContext*, js::RunState&) [js/src/vm/Interpreter.cpp:394]
[task 2022-01-21T00:47:12.947Z] 00:47:12 INFO - PID 12917 | #09: js::InternalCallOrConstruct(JSContext*, JS::CallArgs const&, js::MaybeConstruct, js::CallReason) [js/src/vm/Interpreter.cpp:544]
[task 2022-01-21T00:47:12.947Z] 00:47:12 INFO - PID 12917 | #10: InternalCall(JSContext*, js::AnyInvokeArgs const&, js::CallReason) [js/src/vm/Interpreter.cpp:572]
[task 2022-01-21T00:47:12.948Z] 00:47:12 INFO - PID 12917 | #11: js::jit::DoCallFallback(JSContext*, js::jit::BaselineFrame*, js::jit::ICFallbackStub*, unsigned int, JS::Value*, JS::MutableHandle<JS::Value>) [js/src/jit/BaselineIC.cpp:1595]
[task 2022-01-21T00:47:12.948Z] 00:47:12 INFO - PID 12917 | #12: ??? (???:???)
[task 2022-01-21T00:47:12.948Z] 00:47:12 INFO - PID 12917 | ExceptionHandler::GenerateDump cloned child 12930
[task 2022-01-21T00:47:12.949Z] 00:47:12 INFO - PID 12917 | ExceptionHandler::SendContinueSignalToChild sent continue signal to child
[task 2022-01-21T00:47:12.950Z] 00:47:12 INFO - PID 12917 | ExceptionHandler::WaitForContinueSignal waiting for continue signal...
[task 2022-01-21T00:47:12.950Z] 00:47:12 INFO - <<<<<<<
[task 2022-01-21T00:47:15.205Z] 00:47:15 WARNING - PROCESS-CRASH | devtools/shared/heapsnapshot/tests/xpcshell/test_HeapAnalyses_takeCensus_04.js | application crashed [@ mozilla::dom::ChromeUtils::SaveHeapSnapshotShared(mozilla::dom::GlobalObject&, mozilla::dom::HeapSnapshotBoundaries const&, nsTSubstring<char16_t>&, nsTSubstring<char16_t>&, mozilla::ErrorResult&)]
Backout: https://hg.mozilla.org/integration/autoland/rev/2b284e2021238133e06360fbd9780cf7c54d0f9f
|
|
||
Comment 16•2 years ago
|
||
Pushed by sfink@mozilla.com: https://hg.mozilla.org/integration/autoland/rev/8c0cf85100bd Generalize traversing through a function's CFG with BFS_upwards(). r=jonco https://hg.mozilla.org/integration/autoland/rev/7e9997f43382 Move some CFG-traversing code from analyzeRoots.js to the common CFG.js, to prepare for calling it from other phases of the analysis. r=jonco https://hg.mozilla.org/integration/autoland/rev/696487e1deea Switch to command-line argument parser. r=jonco https://hg.mozilla.org/integration/autoland/rev/578eafe2d4ef Generate gcEdges file with computeCallgraph instead of computeGCFunctions r=jonco https://hg.mozilla.org/integration/autoland/rev/16083f3b9c4e Annotate edges that invoke destructors on ref-counted values that can be proven to not Release r=jonco https://hg.mozilla.org/integration/autoland/rev/893538c007bf Fix the false positive from a loop-scoped GC pointer named temporary r=jonco https://hg.mozilla.org/integration/autoland/rev/8cdc7b80f4cd Switch RootList::init from taking an AutoCheckCannotGC token to returning one r=jonco https://hg.mozilla.org/integration/autoland/rev/108b34a5b7bc Replace the overcomplicated bodyEatsVariable with a quick linear-only test, and improve the comments around std::move + UniquePtr&& handling r=jonco https://hg.mozilla.org/integration/autoland/rev/6fafd8c4cf28 Fix return value handling, specifically when the final edge in a function body GCs and is treating as using the return value. (This fixes false alarms when returning nullptr in the scope of a GC'ing RAII destructor.) r=jonco https://hg.mozilla.org/integration/autoland/rev/22f66843f6fa arg0_holder can have a non *Argument type, eg if it's using SpiderMonkeyInterfaceRooter. r=jonco
|
||
Comment 17•2 years ago
|
||
| bugherder | ||
https://hg.mozilla.org/mozilla-central/rev/8c0cf85100bd
https://hg.mozilla.org/mozilla-central/rev/7e9997f43382
https://hg.mozilla.org/mozilla-central/rev/696487e1deea
https://hg.mozilla.org/mozilla-central/rev/578eafe2d4ef
https://hg.mozilla.org/mozilla-central/rev/16083f3b9c4e
https://hg.mozilla.org/mozilla-central/rev/893538c007bf
https://hg.mozilla.org/mozilla-central/rev/8cdc7b80f4cd
https://hg.mozilla.org/mozilla-central/rev/108b34a5b7bc
https://hg.mozilla.org/mozilla-central/rev/6fafd8c4cf28
https://hg.mozilla.org/mozilla-central/rev/22f66843f6fa
|
|
Assignee | |
Updated•2 years ago
|
Description
•