Closed Bug 462042 Opened 16 years ago Closed 16 years ago

TM: Allow GC with traced machine code on stack

Categories

(Core :: JavaScript Engine, defect)

Product:
Core
Component:
JavaScript Engine
Version:
Other Branch
Type:
defect
Priority:
Not set
Severity:
normal

Tracking

()

Status:
RESOLVED FIXED

People

(Reporter: jorendorff, Assigned: jorendorff)

References

Details

(Keywords: fixed1.9.1)

Attachments

(1 file, 5 obsolete files)

v6 - unbitrotted again
5.25 KB, patch
jorendorff
: review+
Details | Diff | Splinter Review
If we allow reentering the VM as discussed in bug 462027, we need to cope with stacks like js_Interpret -> js_ExecuteTree -> (traced code) -> Array_p_join -> js_ValueToString -> js_Invoke -> js_Interpret -> ... -> js_GC Currently this will do js_GC -> js_FlushJITCache -> Fragmento::clearFrags, which would free the traced code. We will eventually return to that code, so we need to keep it around, or something.
Can you just suppress GC while on trace?
No longer blocks: deepbail
Blocks: deepbail
We do suppress GC on trace. Trick here is GC'ing after reconstructing stack frames and otherwise making sure everything created on trace is rooted, and unwinding carefully. We also need to stop flushing the JIT cache from the GC. David recently added a generation number to the code cache, which paves the way for not flushing the JIT cache from the GC. /be
Jason and I were talking, and I wondered if you could flush the JIT code during GC: then simply bypass it when walking back up the stack by returning/jumping back to js_ExecuteTree (using assembly) and skipping the native code entirely.
Bug 458288 fixed this in the simple case: we don't flush the trace cache at GC, we wait until it unwinds and starts tracing again. However, what will happen in the following case?: js_Interpret -> js_ExecuteTree -> (traced code) -> Array_p_join -> js_ValueToString -> js_Invoke -> js_Interpret -> ... -> js_GC Continue in js_Interpret... will tracing (and perhaps JIT) resume immediately? if so, won't that destroy the outer traced code?
(In reply to comment #4) > Bug 458288 fixed this in the simple case: we don't flush the trace cache at GC, > we wait until it unwinds and starts tracing again. However, what will happen in > the following case?: > > js_Interpret -> js_ExecuteTree -> (traced code) -> Array_p_join -> > js_ValueToString -> js_Invoke -> js_Interpret -> ... -> js_GC > > Continue in js_Interpret... You mean the second js_Interpret -> ... (I'm pretty sure). > will tracing (and perhaps JIT) resume immediately? Yes. > if so, won't that destroy the outer traced code? Yes, that's a hole in the current scheme (danderson says). Nevertheless we probably want to avoid longjmp or equivalent just to get out of GC hell. Also, js_GC does bails out early with JS_ON_TRACE(cx). Is there a problem here for sure? We might have memory-pressure-induced OOMs, at worst. /be
(In reply to comment #5) > Also, js_GC does bails out early with JS_ON_TRACE(cx). Is there a problem here > for sure? We might have memory-pressure-induced OOMs, at worst. Hmm. I filed this because I wanted to change that behavior: instead of refusing to GC and staying on trace, bail off trace and proceed with GC. I'll try it without and see how bad it is.
as long we have a reserve pool to guarantee that we can bail out we should be fine
Attached patch v1 (obsolete) — Splinter Review
This patch applies on top of the one in bug 462027. The problem is introduced in that patch. The fix is yet another flag. We could instead go to a status enum.
Assignee: general → jorendorff
Attachment #353321 - Flags: review?(brendan)
JSPackedBools all in a row if not an enum. What are the valid state combos? /be
Valid state combos are listed in the bug; I'll switch to JSPackedBools. It seems like someone cleaned out JSTraceMonitor, so the words "yet another" no longer apply.
Sorry, "listed in a comment in the patch", not "in the bug".
Attached patch v2 (obsolete) — Splinter Review
Updated with JSPackedBool.
Attachment #353321 - Attachment is obsolete: true
Attachment #356264 - Flags: review?(brendan)
Attachment #353321 - Flags: review?(brendan)
Comment on attachment 356264 [details] [diff] [review] v2 Looks good, thanks. /be
Attachment #356264 - Flags: review?(brendan) → review+
Attached patch v3 - updated (obsolete) — Splinter Review
The same as v2 but updated to apply cleanly over the much-revised patch in bug 462027. Carrying over brendan's review.
Attachment #356264 - Attachment is obsolete: true
Attachment #357499 - Flags: review+
Attached patch v4 (obsolete) — Splinter Review
Rebased, and fixed a silly bug introduced in v3 by my failure to review hg's handiwork when it says "hunk 32 succeeded at offset 1799 lines with fuzz 2". Carrying forward r+ again.
Attachment #357840 - Flags: review+
Blocks: 474771
Attached patch v5 - updated (obsolete) — Splinter Review
And rebased to tip once again.
Attachment #357499 - Attachment is obsolete: true
Attachment #357840 - Attachment is obsolete: true
Attachment #359130 - Flags: review+
Attachment #359130 - Attachment is obsolete: true
Attachment #360184 - Flags: review+
http://hg.mozilla.org/mozilla-central/rev/2b3e64603943
Status: NEW → RESOLVED
Closed: 16 years ago
Resolution: --- → FIXED
Flags: in-testsuite-
You need to log in before you can comment on or make changes to this bug.

Attachment

General

Creator:
Created:
Updated:
Size: