Closed Bug 523370 Opened 16 years ago Closed 16 years ago

bogus OOM with empty double free lists

Categories

(Core :: JavaScript Engine, defect, P1)

Product:
Core
Component:
JavaScript Engine
Type:
defect

Tracking

()

Status:
RESOLVED FIXED
Milestone:
mozilla1.9.3a1

People

(Reporter: igor, Assigned: igor)

References

Details

(Keywords: crash, regression, Whiteboard: fixed-in-tracemonkey)

Attachments

(1 file, 1 obsolete file)

fix v2
2.73 KB, patch
dmandelin
: review+
Details | Diff | Splinter Review
With changes from the bug 504797 jstracer.cpp NativeToValueBase contains: if (JS_THREAD_DATA(cx)->gcFreeLists.doubles) { ... js_NewDoubleInRootedValue(cx, d, &v); JS_ASSERT(ok); return true; } return E::handleDoubleOOM(cx, d, v); This implies that when E is FailDoubleOOMHandler an empty double free list will be treated as OOM error. This is not correct since an empty free list just means that a particular GC arena is exhausted, not that it is impossible to find or allocate more GC arenas.
The original reason for that code was to create a boxing function |js_NativeToValue| that can be called from trace. At that time, it was not possible to allocate doubles while on trace, so it had to simply fail. If this is no longer the case, then allowing |js_NativeToValue| to handle this case makes sense.
Attached patch fix v1 (obsolete) — Splinter Review
The fix avoids OOM reporting in js_NewDoubleInRooted but delegates that to FailDoubleOOMHandler. That is still not good as it would report OOM even if the GC heap is full of garbage. But at least it fixes the bug in question delegating the full solution until we can run the GC from the trace.
Attachment #407525 - Flags: review?(dmandelin)
(In reply to comment #1) > The original reason for that code was to create a boxing function > |js_NativeToValue| that can be called from trace. At that time, it was not > possible to allocate doubles while on trace, so it had to simply fail. If this > is no longer the case, then allowing |js_NativeToValue| to handle this case > makes sense. The code before changes from bug 504797 cannot fail since it uses the reserve pool. Now, that was suboptimal since it would use the pool on the empty pool condition. But at least that was just an optimization bug, not a bogus oom.
Attached patch fix v2Splinter Review
Here is the right patch without typos.
Attachment #407525 - Attachment is obsolete: true
Attachment #407550 - Flags: review?(dmandelin)
Attachment #407525 - Flags: review?(dmandelin)
Comment on attachment 407550 [details] [diff] [review] fix v2 This bug confused me at first but after reading the patch I think I understand. r+ assuming the following makes sense (if not, then apparently I don't know what I'm talking about): As of now, we have never been able to run an GC on trace. The old code tried to protect itself against that by calling js_NewDoubleInRootedValue only if that would not cause a GC (thus embedding details of allocator operation in NativeToValue). But at least now, js_NewDoubleInRootedValue (actually RefillDoubleFreeList) will refuse to do a GC if on trace. So the trace code can just call js_NewDoubleInRootedValue, and report OOM if it fails. We still have 2 trait classes because the recorder can use the reserved pool if it wants. This new scheme is simpler, will report a (false) OOM less, and doesn't depend on allocator implementation details.
Attachment #407550 - Flags: review?(dmandelin) → review+
(In reply to comment #5) > As of now, we have never been able to run an GC on trace. The old code tried to > protect itself against that by calling js_NewDoubleInRootedValue only if that > would not cause a GC (thus embedding details of allocator operation in > NativeToValue). But at least now, js_NewDoubleInRootedValue (actually > RefillDoubleFreeList) will refuse to do a GC if on trace. So the trace code can > just call js_NewDoubleInRootedValue, and report OOM if it fails. That is a nice summary.
(In reply to comment #5) > This new scheme is simpler, will report a (false) OOM less, and doesn't depend > on allocator implementation details. Note that currently even with the disabled JIT a bogus OOM report can still happen. When malloc returns null it does not indicate that there is no memory since we do not attempt to run a GC cycle and try malloc again to see if any memory was reclaimed. Such last-ditch GC would almost certainly introduce a lot of GC hazards due to assumptions in the code that malloc never runs a GC. Now, with the no-GC-under-the-trace policy the situation is slightly worse than OOM-reporting in JSContext::malloc. The allocator currently refuses to allocate beyond JSRuntime::maxGCBytes. So with the last-ditch GC disabled we will report OOM when the GC simply hits that limit when in theory we could try to use malloc to allocate more GC arenas. This suggests to ignore gcMaxBytes limit when on trace. This will make the traced code on pair with the rest of code dealing with the failed malloc.
Blocks: 523701
I filed a (In reply to comment #7) > This suggests to ignore gcMaxBytes limit when on trace. I filed bug 523701 about this.
https://hg.mozilla.org/tracemonkey/rev/a389613bd931
Whiteboard: fixed-in-tracemonkey
This landed on 1.9.2 already? The flags seem to be marked as such.
no, this didn't land
Keywords: verified1.9.2
Looks like those flags were set while this bug has been cloned.
URL: http://docs.google.com
Keywords: testcase
Hardware: x86 → All
Target Milestone: --- → mozilla1.9.3a1
http://hg.mozilla.org/mozilla-central/rev/a389613bd931
Status: NEW → RESOLVED
Closed: 16 years ago
Resolution: --- → FIXED
You need to log in before you can comment on or make changes to this bug.

Attachment

General

Creator:
Created:
Updated:
Size: