Closed Bug 508401 Opened 16 years ago Closed 4 years ago

Quantify imprecision of conservative stack scanning

Categories

(Core :: JavaScript Engine, defect)

x86
macOS
defect
Not set
normal

RESOLVED INVALID

People

(Reporter: gal, Assigned: wagnerg)

Attachments

(3 files)

Conservative stack scanning during GC would allow us to eliminate the current rooting overhead (code writing time and runtime), while also being safer at the same time. As Brendan pointed out, JS is event-driven and hence there are frequent periods where we unwind the native stack and return to the DOM. Those points would be ideal to scan the stack, which would be very shallow then. The purpose of this bug is to implement stack scanning and to measure its precision. With that data in hand we will evaluate the next steps.
Attached patch: v0.1
A first (not multi-threaded) draft. I monitor the highest and lowest address of the GC Arenas. When the GC is triggered, I walk the stack of the current thread and count how many stack entries point within the GC Arena boundaries. The result is stored in /tmp/stackDump.txt
Attached file Sample Output
Sample results for SunSpider benchmarks where a GC is triggered at the end.
First results from the browser. I monitored all GC events for a short Gmail, GDocs session. Patch from Bug 508707 for one big GC chunk is applied.

Threads: 1 StackAddr1: 0xbfffcd14, StackAddr2: 0xc0000000
GC base: 0x574c000, max: 0x774c000, curr: 0x595c000
Address in GC Arenas: 9 out of 3259 stack slots, 0.276158%

Threads: 1 StackAddr1: 0xbfff9384, StackAddr2: 0xc0000000
GC base: 0x574c000, max: 0x774c000, curr: 0x5a6b000
Address in GC Arenas: 168 out of 6943, 2.419703%

Threads: 1 StackAddr1: 0xbfffc2b4, StackAddr2: 0xc0000000
GC base: 0x574c000, max: 0x774c000, curr: 0x5c38000
Address in GC Arenas: 7 out of 3923, 0.178435%

Threads: 1 StackAddr1: 0xbfff9384, StackAddr2: 0xc0000000
GC base: 0x574c000, max: 0x774c000, curr: 0x5c7d000
Address in GC Arenas: 82 out of 6943, 1.181046%

Threads: 1 StackAddr1: 0xbfff9384, StackAddr2: 0xc0000000
GC base: 0x574c000, max: 0x774c000, curr: 0x5cc9000
Address in GC Arenas: 80 out of 6943, 1.152240%

Threads: 1 StackAddr1: 0xbfffe5b4, StackAddr2: 0xc0000000
GC base: 0x574c000, max: 0x774c000, curr: 0x5ced000
Address in GC Arenas: 0 out of 1683, 0.000000%

Threads: 1 StackAddr1: 0xbfffa554, StackAddr2: 0xc0000000
GC base: 0x574c000, max: 0x774c000, curr: 0x5ced000
Address in GC Arenas: 270 out of 5803, 4.652766%

Threads: 1 StackAddr1: 0xbfffa554, StackAddr2: 0xc0000000
GC base: 0x574c000, max: 0x774c000, curr: 0x5ced000
Address in GC Arenas: 268 out of 5803, 4.618301%

Threads: 1 StackAddr1: 0xbfffa554, StackAddr2: 0xc0000000
GC base: 0x574c000, max: 0x774c000, curr: 0x5ced000
Address in GC Arenas: 268 out of 5803, 4.618301%

Threads: 1 StackAddr1: 0xbfffe4b4, StackAddr2: 0xc0000000
GC base: 0x574c000, max: 0x774c000, curr: 0x5ced000
Address in GC Arenas: 0 out of 1747, 0.000000%

Threads: 1 StackAddr1: 0xbfffe154, StackAddr2: 0xc0000000
GC base: 0x574c000, max: 0x774c000, curr: 0x5ced000
Address in GC Arenas: 0 out of 1963, 0.000000%

Threads: 1 StackAddr1: 0xbfffe1c4, StackAddr2: 0xc0000000
GC base: 0x574c000, max: 0x774c000, curr: 0x5ced000
Address in GC Arenas: 0 out of 1935, 0.000000%
Result for GMail and GDocs session:

GC Events : 17
Stack slots : 90159
Pointers into GC Arenas (gcBase <= p <= gcPtr) : 1261, 1.39864%
Pointers to ArenaInfo IS_ARENA_INFO_ADDRESS(p) : 0
Pointers into Objects ((p & GC_ARENA_MASK) % thingSize) > 0 : 205
"Valid" Pointers : 1056

Check flags between mark & sweep:
flag & GCF_MARK : 799, 75.6629%
flag & GCF_FINAL : 110, 10.4167%
flag & GCF_LOCK : 0, 0%
no flag : 147, 13.9205%

switch (type) { case GCX_...:
Objects: 964
Strings: 92
Doubles: 0
Unknown: 0
XML : 0
ext Str: 0
Result for a chrome experiment (canopy) that triggers GC almost every second:

GC Events : 98
Stack slots: 353554
Pointers into GC Arenas (gcBase <= p <= gcPtr) : 5637, 1.59438%
Pointers to ArenaInfo IS_ARENA_INFO_ADDRESS(p) : 87
Pointers into Objects ((p & GC_ARENA_MASK) % thingSize) > 0 : 298
Valid Pointers : 5252

flag & GCF_MARK : 4538, 86.4052%
flag & GCF_FINAL: 106, 2.01828%
flag & GCF_LOCK : 0, 0%
no flag : 608, 11.5765%

switch (type) { case GCX_...:
Objects: 4468
Strings: 285
Doubles: 499
Unknown: 0
XML : 0
ext Str: 0
Random pages (CNN, MSNBC, Google Maps...)

GC Events : 69
Stack slots: 366683
Pointers into GC Arenas (gcBase <= p <= gcPtr) : 6954, 1.89646%
Pointers to ArenaInfo IS_ARENA_INFO_ADDRESS(p) : 18
Pointers into Objects ((p & GC_ARENA_MASK) % thingSize) > 0 : 875
"Valid" Pointers : 6061

flag & GCF_MARK : 5350, 88.2693%
flag & GCF_FINAL: 163, 2.68933%
flag & GCF_LOCK : 0, 0%
no flag : 548, 9.04141%

switch (type) { case GCX_...:
Objects: 5368
Strings: 506
Doubles: 168
Unknown: 19
XML : 0
ext Str: 0
In the previous results I counted multiple pointers to one object not as a single pointer. Now I do :) These results only include MAYBE_GC events:

MAYBE_GC Events : 16
Total Stack slots: 62676
Stack depth min: 2631, max: 6615
Pointers into GC Arenas (gcBase <= p <= gcPtr) : 221, 0.352607%
Pointers to ArenaInfo IS_ARENA_INFO_ADDRESS(p) : 0
Pointers into Objects ((p & GC_ARENA_MASK) % thingSize) > 0 : 31
Valid Pointers(include already seen pointers) : 190

flag & GCF_MARK : 161, 84.7368%
flag & GCF_FINAL: 0, 0%
flag & GCF_LOCK : 0, 0%
no flag : 29, 15.2632%

switch (type) { case GCX_...:
Objects: 152
Strings: 25
Doubles: 12
Unknown: 1
XML : 0
ext Str: 0

Pointers already seen in a previous GC event: 54
Overall Set of unique pointers: 126
As a comparison the stack-walk-depth from WebKit. The first 25 entries happen during start-up of Safari. Found means a pointer to an object that gets added to the marking-stack.

Stack Depth: 832, start: 0x8d0bcc0, end: 0x8d0c000, found: 46
Stack Depth: 9380, start: 0xbfffdb5c, end: 0xc0000000, found: 17
Stack Depth: 664, start: 0x8d0c000, end: 0x8d0c298, found: 28
Stack Depth: 832, start: 0x8d0bcc0, end: 0x8d0c000, found: 46
Stack Depth: 9684, start: 0xbfffda2c, end: 0xc0000000, found: 28
Stack Depth: 664, start: 0x8d0c000, end: 0x8d0c298, found: 30
Stack Depth: 832, start: 0x8d0bcc0, end: 0x8d0c000, found: 46
Stack Depth: 9380, start: 0xbfffdb5c, end: 0xc0000000, found: 18
Stack Depth: 664, start: 0x8d0c000, end: 0x8d0c298, found: 28
Stack Depth: 832, start: 0x8d0bcc0, end: 0x8d0c000, found: 49
Stack Depth: 9380, start: 0xbfffdb5c, end: 0xc0000000, found: 19
Stack Depth: 824, start: 0x8d0c000, end: 0x8d0c338, found: 42
Stack Depth: 832, start: 0x8d0bcc0, end: 0x8d0c000, found: 73
Stack Depth: 9540, start: 0xbfffdabc, end: 0xc0000000, found: 29
Stack Depth: 1088, start: 0x8d0c000, end: 0x8d0c440, found: 55
Stack Depth: 832, start: 0x8d0bcc0, end: 0x8d0c000, found: 93
Stack Depth: 11268, start: 0xbfffd3fc, end: 0xc0000000, found: 78
Stack Depth: 2040, start: 0x8d0c000, end: 0x8d0c7f8, found: 113
Stack Depth: 832, start: 0x8d0bcc0, end: 0x8d0c000, found: 93
Stack Depth: 10500, start: 0xbfffd6fc, end: 0xc0000000, found: 55
Stack Depth: 3360, start: 0x8d0c000, end: 0x8d0cd20, found: 177
Stack Depth: 832, start: 0x8d0bcc0, end: 0x8d0c000, found: 94
Stack Depth: 11492, start: 0xbfffd31c, end: 0xc0000000, found: 33
Stack Depth: 2000, start: 0x8d0c000, end: 0x8d0c7d0, found: 90
Stack Depth: 1256, start: 0x8d0bb18, end: 0x8d0c000, found: 114
Stack Depth: 7268, start: 0xbfffe39c, end: 0xc0000000, found: 17
Stack Depth: 11592, start: 0x8d0c000, end: 0x8d0ed48, found: 1047
Stack Depth: 1256, start: 0x8d0bb18, end: 0x8d0c000, found: 114
Stack Depth: 7268, start: 0xbfffe39c, end: 0xc0000000, found: 12
Stack Depth: 14224, start: 0x8d0c000, end: 0x8d0f790, found: 1242
Stack Depth: 1256, start: 0x8d0bb18, end: 0x8d0c000, found: 114
Stack Depth: 7924, start: 0xbfffe10c, end: 0xc0000000, found: 28
Stack Depth: 3384, start: 0x8d0c000, end: 0x8d0cd38, found: 135
Stack Depth: 1256, start: 0x8d0bb18, end: 0x8d0c000, found: 114
Stack Depth: 6340, start: 0xbfffe73c, end: 0xc0000000, found: 2
Stack Depth: 0, start: 0x8d0c000, end: 0x8d0c000, found: 0
Stack Depth: 88, start: 0x8d0bfa8, end: 0x8d0c000, found: 8
Stack Depth: 10724, start: 0xbfffd61c, end: 0xc0000000, found: 20
Another run with applied Bug 508707 and Bug 506125. MaybeGC-trigger is changed from 25% to 10% increase. "Pointer prev seen" means this pointer was also on the stack during the last GC.

Normal GC:
events: 27
scanned stack slots : 166461
relative stack depth: 6165
aligned pointers into heap: 704
marked Object : 377
not marked Obj: 189
outOfRange : 5
arenaInfoPtr : 0
into Obj : 133
Pointer prev seen: 101

MaybeGC:
events: 16
scanned stack slots : 72072
relative stack depth : 4504
aligned pointers into heap: 276
marked Object : 219
not marked Obj: 14
outOfRange : 0
arenaInfoPtr : 0
into Obj : 43
Pointer prev seen: 3
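
Added example (not part of the attached patch or of SpiderMonkey's code): the per-slot classification that the counters in the comments above break down, written in C. Each stack word is judged by its value alone as out of range, pointing at arena bookkeeping, pointing into the middle of a thing, or a plausible thing start. The arena size, info-record size, thing size and all names (`classify`, `scan`, `struct heap`) are assumptions for illustration.

```c
#include <stdint.h>
#include <stdio.h>

/* Assumed layout (not SpiderMonkey's real definitions): 4 KiB arenas of
 * fixed-size things, with a bookkeeping record at the end of each arena. */
#define ARENA_SIZE 4096u
#define ARENA_MASK (ARENA_SIZE - 1u)
#define INFO_SIZE  32u
enum slot_kind { OUT_OF_RANGE, ARENA_INFO, INTO_THING, VALID, NKINDS };
struct heap  { uintptr_t base, curr; unsigned thing_size; };
struct stats { unsigned slots, counts[NKINDS]; };

/* Classify one stack word using only its numeric value. */
static enum slot_kind classify(const struct heap *h, uintptr_t p)
{
    if (p < h->base || p >= h->curr)
        return OUT_OF_RANGE;
    uintptr_t off = (p - h->base) & ARENA_MASK;
    if (off >= ARENA_SIZE - INFO_SIZE)
        return ARENA_INFO;      /* arena bookkeeping, not a thing */
    if (off % h->thing_size != 0)
        return INTO_THING;      /* interior address, not a thing start */
    return VALID;               /* candidate root; may be a plain integer */
}

/* Tally the categories over n stack words; no type information is used. */
static struct stats scan(const struct heap *h, const uintptr_t *w, unsigned n)
{
    struct stats s = {0};
    for (; s.slots < n; ++s.slots)
        s.counts[classify(h, w[s.slots])]++;
    return s;
}

/* Constructed sample "stack": integers mixed with heap addresses. */
static struct stats demo(void)
{
    struct heap h = { 0x574c000u, 0x574c000u + 2 * ARENA_SIZE, 16 };
    uintptr_t stack[] = { 42, h.base, h.base + 16, h.base + 20,
                          h.base + ARENA_SIZE - 8, h.curr, 0xbfffcd14u,
                          0x574d020u /* integer that looks like a pointer */ };
    return scan(&h, stack, sizeof stack / sizeof stack[0]);
}

int main(void)
{
    struct stats s = demo();
    printf("%u slots, %u plausible roots\n", s.slots, s.counts[VALID]);
    return 0;
}
```

The constructed word 0x574d020 stands for an integer that happens to fall on a thing boundary; it is counted as valid, which is the imprecision this bug set out to measure.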

Old bug, no longer valid.

Status: NEW → RESOLVED
Closed: 4 years ago
Resolution: --- → INVALID