Closed
Bug 456511
(imacros)
Opened 16 years ago
Closed 16 years ago
TM: Make conversion work on arbitrary JSObjects
Categories
(Core :: JavaScript Engine, defect, P1)
Core
JavaScript Engine
Tracking
()
VERIFIED
FIXED
mozilla1.9.1
People
(Reporter: bzbarsky, Assigned: brendan)
References
Details
(Keywords: verified1.9.1)
Attachments
(4 files, 13 obsolete files)
See bug 456165 comment 13. Brendan says that this is most certainly something to be done with trampolines, with arithmetic working on anything that has a sane valueOf.
Reporter | ||
Comment 1•16 years ago
|
||
Note that we need this to be able to trace the V8 testsuite.
Updated•16 years ago
|
Severity: normal → enhancement
Assignee | ||
Updated•16 years ago
|
Assignee: general → brendan
Status: NEW → ASSIGNED
OS: Mac OS X → All
Priority: -- → P2
Hardware: PC → All
Target Milestone: --- → mozilla1.9.1
Comment 2•16 years ago
|
||
We have a related problem in the match_str_obj builtin, which potentially calls ToString on the object. This cases must be stringified on trace. Builtins should only take objects if they are guaranteed not to call script on them.
Assignee | ||
Comment 3•16 years ago
|
||
(In reply to comment #2) > We have a related problem in the match_str_obj builtin, js_String_p_match_obj /be
Assignee | ||
Updated•16 years ago
|
Summary: TM: Make arithmetic work on arbitrary JSObjects → TM: Make conversion work on arbitrary JSObjects
Assignee | ||
Comment 4•16 years ago
|
||
This is not an enhancement, but a critical bug. See the dependent bug. /be
Severity: enhancement → critical
Assignee | ||
Comment 5•16 years ago
|
||
This handles iterator testcases such as var i = 0; var o = { __iterator__: function () { return { next: function () { if (i == 10) throw StopIteration; return i++; } }; } }; var a=[]; for(var j in o) a[j] = j*j; print(uneval(a)); /be
Assignee | ||
Comment 6•16 years ago
|
||
Attachment #345673 -
Attachment is obsolete: true
Comment 7•16 years ago
|
||
why don't we use regular js functions as macros? The call overhead on trace would be null. Just wondering.
Assignee | ||
Comment 8•16 years ago
|
||
We could, but we would have to write those functions in string constants or else in separately loaded .js files, figure out how to name them (in string constants they could be lambdas), figure out how to run the compiler to generate bytecode from those sources (without hurting startup or any other perf metric), and put up with the overhead of the record-time invocation (frame construction, etc.). The imacros idea is to hand-code JSOP_* sequences that avoid the inefficiency and source overhead of self-hosting functions-as-macros. It seems worth it given all the combinations to be handled (getting into valueOf now for bz's testcase from bug 456165). /be
Assignee | ||
Comment 9•16 years ago
|
||
Also we do guard in these macros, so we'd incur 4 stores of state.rp overhead for each inlined call. The call overhead on trace is not null. /be
Assignee | ||
Comment 10•16 years ago
|
||
Forgot to mention that interposing a scripted helper function at recording time would mess with security checks, which are based on principals compiled into the function's script. We could clone helper functions' objects at record-time to carry overriding scope chain links to the right global objects (which own their own principals) to work around this, but it's more pain. OTOH, using functions instead of macros would save fp->imacpc and the recovery code needed when the trace recorder aborts from within an imacro. /be
Assignee | ||
Comment 11•16 years ago
|
||
This gets bz's date-diff benchmark staying on trace, along with other tests I have to put into trace-test.js form. It should be good for some wins (modulo new latent bugs it exposes :-/) in SS. /be
Attachment #345817 -
Attachment is obsolete: true
Assignee | ||
Comment 12•16 years ago
|
||
~1.5% win for me, 1341 w/o patch to 1316 w/ patch best of three bench.sh times. The main impetus is to keep us from reentering the interpreter, for correctness. There is an #if 0 block in TraceRecorder::record_JSOP_GENERATOR, a thumbnail sketch only. The idea is to make a generator object on trace and flush native slots to its jsval slots on yield, and "build" the native slots from its jsvals when resuming the generator via a gen.next() or gen.send() built-in. Comments welcome there too. /be
Updated•16 years ago
|
Alias: imacros
Assignee | ||
Comment 13•16 years ago
|
||
Attachment #346207 -
Attachment is obsolete: true
I think I'm missing something here: why do we want to always abort recording when we hit an imacro (call_imacro always returning false)? Bug, or something subtle related to the interaction with the interpreter that might be worth a comment?
Assignee | ||
Comment 15•16 years ago
|
||
(In reply to comment #14) > I think I'm missing something here: why do we want to always abort recording > when we hit an imacro (call_imacro always returning false)? Bug, No, it works ;-). > or something > subtle related to the interaction with the interpreter that might be worth a > comment? See jstracer.h. We don't want a three-state return value for all the record_* hooks (I played with it, not worth the eyestrain or the extra overhead in all the call sites that do not use imacros). Instead we return false with fp->imacpc set, and only the RECORD macro expandions for the particular imacro-using ops include the "onfalse" code to switch regs.pc. Facing a regression due to other changes, and the patch is out of date again. New patch shortly. /be
Yeah, I saw the TRACE_ARGS expansion, but didn't see the control flow in the onfalse part of RECORD_ARGS. Thanks!
Assignee | ||
Comment 17•16 years ago
|
||
I should review too, I've been interdiff'ing a long time. /be
Attachment #346964 -
Attachment is obsolete: true
Attachment #347442 -
Flags: review?(gal)
Comment 18•16 years ago
|
||
Don't we need a guard in binary() that the value method still exists at trace execution time? Or does the CALLPROP already guard sufficiently? Why not use a large ip_adj high byte to indicate that we are not in an imacro so we don't have to bias the code position. At the very least we should add a static assert guarding the JSOP_NEXTITER shortcutting the initialization path. This might want a static assert: #define JSOP_IS_BINARY(op) ((uintN)((op) - JSOP_BITOR) <= (uintN)(JSOP_MOD - JSOP_BITOR)) We should wait for green before landing this. Its going to change the way we record a lot of the code. But we really want this in b2 so lets hope we can get it in soon.
Assignee | ||
Comment 19•16 years ago
|
||
(In reply to comment #18) > Don't we need a guard in binary() that the value method still exists at trace > execution time? Or does the CALLPROP already guard sufficiently? The latter -- shapes guard method values :-). > Why not use a large ip_adj high byte to indicate that we are not in an imacro > so we don't have to bias the code position. Because testing against zero is faster than testing against 0xff. > At the very least we should add a > static assert guarding the JSOP_NEXTITER shortcutting the initialization path. Will do. > This might want a static assert: > > #define JSOP_IS_BINARY(op) ((uintN)((op) - JSOP_BITOR) <= (uintN)(JSOP_MOD - > JSOP_BITOR)) Good point, I had that somewhere but seem to have lost it. > We should wait for green before landing this. Its going to change the way we > record a lot of the code. But we really want this in b2 so lets hope we can get > it in soon. The forthcoming patch passes the JS testsuite. More testing required, but it's looking good (I found a few glitches doing my own review). Thanks, /be
Assignee | ||
Comment 20•16 years ago
|
||
Jesse, this patch should fix the fuzz-found bugs I linked to this bug. Let me know what's still broken. Thanks, /be
Attachment #347442 -
Attachment is obsolete: true
Attachment #347483 -
Flags: review?(gal)
Attachment #347442 -
Flags: review?(gal)
Comment 21•16 years ago
|
||
Assertion failure: (uint32)((atoms - script->atomMap.vector + ((uintN)(((regs.pc + 0)[1] << 8) | (regs.pc + 0)[2])))) < objects_->length, at ../jsinterp.cpp:6791
Comment 22•16 years ago
|
||
jsfunfuzz usually dies with: Assertion failure: fp->imacpc ? atoms == COMMON_ATOMS_START(&rt->atomState) && GET_INDEX(regs.pc + 0) < js_common_atom_count : (size_t)(atoms - script->atomMap.vector) < (size_t)(script->atomMap.length - GET_INDEX(regs.pc + 0)), at ../jsinterp.cpp:5352 but I can't reproduce that easily. (Long assertions!)
Assignee | ||
Comment 23•16 years ago
|
||
Attachment #347483 -
Attachment is obsolete: true
Attachment #347552 -
Flags: review?(gal)
Attachment #347483 -
Flags: review?(gal)
Updated•16 years ago
|
Attachment #347552 -
Flags: review?(gal) → review+
Comment 24•16 years ago
|
||
Comment on attachment 347552 [details] [diff] [review] fix abort_imacro to reset atoms We should wait for green before landing this.
Comment 25•16 years ago
|
||
With this patch, "watch" causes issues, such as crashes [@ isPromoteInt] or assertions. For example: this.watch('n', function() { }); for (let j = 0; j < 9; ++j) { n = 3; } Assertion failure: !TRACE_RECORDER(cx) ^ (jumpTable == recordingJumpTable), at ../jsinterp.cpp:4614
Comment 26•16 years ago
|
||
Same with setters: this.__defineSetter__('x', function(q) q); for (let j = 0; j < 5; ++j) { x = 0; } Crash [@ isPromoteInt
Assignee | ||
Comment 27•16 years ago
|
||
The latest jsfunfuzz finds are all due to ripping out deepAbort machinery, pending the work jorendorff's doing under the tracking bug 462027. I could put back the deepAbort junk pending that patch-series landing. Let me debug a bit and noodle on it. /be
Assignee | ||
Comment 28•16 years ago
|
||
Correction -- I restored the deepAbort junk and those tests still crash, but only with the patch applied. Debugging... /be
Assignee | ||
Comment 29•16 years ago
|
||
No, I was right the first time (in comment 27). My attempt to restore deepAbort suffered from too little context in isolating the diff to apply, resulting in the if (tr) {...} code at the bottom of js_Interpret being applied just after the return ok! Fixed patch next. Jason, it's up to you to lay the deepAbort stuff to rest. /be
Assignee | ||
Comment 30•16 years ago
|
||
The imacro name fits: these must be interpreter-macros (or at least interpreter-somethings), they can't be hidden in the trace recorder as I initially hoped, and as bad remnants such as the abort_imacro code still tried to do. When an imacro is active in a frame, any exception other than StopIteration from JSOP_NEXTITER will be handled as if thrown from the pc that called the imacro. The operands to the imacro may have been swapped (see, e.g. binary_obj_any_imacro in jstracer.cpp) but the stack will be popped back to the depth at which the try (if any) around the opcode with the implicit conversion was entered. Hurray for termination rather than resumption semantics. Yes, this means you can't hand-code JSOP_TRY etc. in an imacro. There's no need to abort_imacro, and indeed it would leave the stacked operands swapped in bad cases, so was just wrong. If trace recording aborts in an imacro, the imacro keeps on trucking until JSOP_STOP or exception. Since the code at JSOP_STOP's if (fp->imacpc) {...} block is critical to imacro termination, I moved the end_imacro: label there and used a backward goto (which we try to avoid generally) from the hardcoded StopIteration exception handler way down under the error: label. /be
Attachment #347552 -
Attachment is obsolete: true
Attachment #347612 -
Flags: review?(gal)
Assignee | ||
Comment 31•16 years ago
|
||
BTW, bugzilla interdiff works (it didn't whine this time, did for a previous pair of patches -- yet still worked properly). /be
Assignee | ||
Updated•16 years ago
|
Flags: blocking1.9.1?
Priority: P2 → P1
Assignee | ||
Updated•16 years ago
|
Attachment #347552 -
Flags: review+
Assignee | ||
Comment 32•16 years ago
|
||
Oops, silly null deref on testcase for bug 461307 (lucky I retested that one -- just saw bclary put it in the suite, so a retest tehre would have found it too). New patch anon. /be
Assignee | ||
Comment 33•16 years ago
|
||
Attachment #347612 -
Attachment is obsolete: true
Attachment #347616 -
Flags: review?(gal)
Attachment #347612 -
Flags: review?(gal)
Comment 34•16 years ago
|
||
Assertion failure: fp->slots + fp->script->nfixed + js_ReconstructStackDepth(cx, fp->script, fp->imacpc ? fp->imacpc : fp->regs->pc) == fp->regs->sp, at ../jstracer.cpp:3565
Assignee | ||
Comment 35•16 years ago
|
||
That assertion is bogus for imacros (without excessive work to compute the imacro stack budget, which is easy enough to eyeball -- I will regret these words, some day!), but it did show up a bad assumption on my part (that adjacent static byte arrays will not be reordered). /be
Attachment #347616 -
Attachment is obsolete: true
Attachment #347700 -
Flags: review?(gal)
Attachment #347616 -
Flags: review?(gal)
Assignee | ||
Comment 36•16 years ago
|
||
Sorry, failed to invert the condition in that JS_ASSERT_IF. /be
Attachment #347700 -
Attachment is obsolete: true
Attachment #347701 -
Flags: review?(gal)
Attachment #347700 -
Flags: review?(gal)
Updated•16 years ago
|
Attachment #347701 -
Flags: review?(gal) → review+
Comment 37•16 years ago
|
||
During js_FinishJIT, triggers: Assertion failed: _stats.freePages == _stats.pages (../nanojit/Fragmento.cpp:99)
Comment 38•16 years ago
|
||
Thats a bit scary. ccing David.
Comment 39•16 years ago
|
||
Has a regexp. Maybe its the other jit?
Assignee | ||
Comment 40•16 years ago
|
||
Not this patch. With attachment 347712 [details] I could not crash my patched build, until I qpopped, pulled and updated to get this much new stuff: pulling from http://hg.mozilla.org/tracemonkey searching for changes adding changesets adding manifests adding file changes added 26 changesets with 80 changes to 76 files 76 files updated, 0 files merged, 0 files removed, 0 files unresolved and rebuilt. Now I see the assertbotch from comment 37, with or without this bug's imacros patch. Jesse, please file a separate bug -- looks like dmandelin (please cc: the usual crew). Thanks, /be
Comment 41•16 years ago
|
||
Oops! Filed bug 464413 for that issue. I'll do the rest of my testing tonight with this patch applied against rev 7aa86a0d3f80 (just before the regression).
Assignee | ||
Comment 42•16 years ago
|
||
Attachment #347701 -
Attachment is obsolete: true
Attachment #347732 -
Flags: review+
Assignee | ||
Comment 43•16 years ago
|
||
Jesse, this should give you a build. /be
Attachment #347732 -
Attachment is obsolete: true
Attachment #347739 -
Flags: review+
Comment 44•16 years ago
|
||
This patch results in the most stable js shell I can remember.
Comment 45•16 years ago
|
||
pushing in the patch for testing
Comment 46•16 years ago
|
||
Backed out. Producing massive failures. http://hg.mozilla.org/tracemonkey/rev/a40f2117bcc0
Assignee | ||
Comment 47•16 years ago
|
||
Obvious, silly mistake (copy/paste thinko, really). This passes Tp and Mochitests. I'm going to commit now, for testing when the infrastructure comes back online tomorrow morning. /be
Attachment #347739 -
Attachment is obsolete: true
Attachment #347934 -
Flags: review+
Assignee | ||
Comment 48•16 years ago
|
||
Fixed in tm: http://hg.mozilla.org/tracemonkey/rev/51afdade0e86 /be
Assignee | ||
Comment 49•16 years ago
|
||
Noticed this earlier but forgot to fix it till this followup cset: http://hg.mozilla.org/tracemonkey/rev/0b1f14dfd9cd /be
Updated•16 years ago
|
Flags: blocking1.9.1? → blocking1.9.1+
Assignee | ||
Comment 50•16 years ago
|
||
This is on m-c now too, with followups: http://hg.mozilla.org/mozilla-central/rev/51afdade0e86 http://hg.mozilla.org/mozilla-central/rev/0b1f14dfd9cd http://hg.mozilla.org/mozilla-central/rev/5804f5597d3d /be
Status: ASSIGNED → RESOLVED
Closed: 16 years ago
Resolution: --- → FIXED
Assignee | ||
Updated•16 years ago
|
Comment 51•16 years ago
|
||
tests already in js1_8_1/trace/trace-test.js
Flags: in-testsuite+
Flags: in-litmus-
Updated•16 years ago
|
Keywords: fixed1.9.1
Comment 52•15 years ago
|
||
v 1.9.1, 1.9.2
Status: RESOLVED → VERIFIED
Keywords: fixed1.9.1 → verified1.9.1
You need to log in
before you can comment on or make changes to this bug.
Description
•