Closed Bug 520498 Opened 15 years ago Closed 15 years ago

Recursion limit differs between jit and nonjit

Categories

(Core :: JavaScript Engine, defect)

Product:
Core
Component:
JavaScript Engine
Platform:
x86
macOS
Type:
defect
Priority:
Not set
Severity:
normal

Tracking

()

Status:
VERIFIED FIXED

People

(Reporter: jruderman, Assigned: dvander)

References

Details

(Keywords: testcase, Whiteboard: fixed-in-tracemonkey)

Attachments

(1 file)

fix
1.15 KB, patch
brendan
: review+
Details | Diff | Splinter Review
(function f(i) { print(i); f(i+1); })(1) With -j: 269675 InternalError: script stack space quota is exhausted Without -j: 3000 InternalError: too much recursion I don't know if this is actually a problem, but it surprised me. Will bad things happen if we fall off trace while thousands of stack frames deep?
Right now recursion in the JIT is only limited by its internal callstack limit (which is 500). It can keep hitting this limit and pushing interp frames until it runs out of stack space. Brendan: should the JIT be obeying the interpreter recursion limit?
(In reply to comment #1) > Brendan: should the JIT be obeying the interpreter recursion limit? Yes -- maybe one of Igor or me should review that code. /be
Attached patch fixSplinter Review
Assignee: general → dvander
Status: NEW → ASSIGNED
Attachment #405152 - Flags: review?(brendan)
Comment on attachment 405152 [details] [diff] [review] fix Fun -- we were just missing the magic value sometimes, and going way beyond it till we hit some other limit, I take it (with a different exception)? /be
Attachment #405152 - Flags: review?(brendan) → review+
(In reply to comment #5) Yes, exactly. The limit still isn't identical (the test in comment #0 is 3010 JIT versus 3000 non-JIT) but it's no longer completely ignored. http://hg.mozilla.org/tracemonkey/rev/3a72a9e5ccd7
Whiteboard: fixed-in-tracemonkey
Hrmm. jsfunfuzz would be happier if the limits were identical. What causes them to differ by 10?
The JIT can construct as many frames as it wants and then push them onto the interpreter stack. So for example, the interpreter's inlineCallCount could be (MAX-1), and the JIT could push 500 frames (its internal limit). Next time the interpreter tries to make a call, it'll throw an exception, but there are ~500 frames over the internal limit. So the inaccuracy could be anywhere in that range. One way to make the limits identical would be to have the limit of the JIT callstack be MIN(JIT_LIMIT, INTERP_LIMIT - inlineCallCount). Maybe that's good idea - Brendan, any thoughts?
(In reply to comment #8) > One way to make the limits identical would be to have the limit of the JIT > callstack be MIN(JIT_LIMIT, INTERP_LIMIT - inlineCallCount). > > Maybe that's good idea - Brendan, any thoughts? That's smart, it avoids dropping JIT frames when converting to interpreter frames and hitting the exact limit (leaving uncommitted changes unflushed and changing the error model). Try it, if it works I'll review. /be
js/src/trace-test/tests/basic/bug520498.js
Flags: in-testsuite+
http://hg.mozilla.org/mozilla-central/rev/3a72a9e5ccd7
Status: ASSIGNED → RESOLVED
Closed: 15 years ago
Resolution: --- → FIXED
v 1.9.3
Status: RESOLVED → VERIFIED
You need to log in before you can comment on or make changes to this bug.

Attachment

General

Creator:
Created:
Updated:
Size: