Stop using conservative stack scanner for VM stack marking

RESOLVED FIXED in mozilla13

Status

()

Core
JavaScript Engine
RESOLVED FIXED
5 years ago
5 years ago

People

(Reporter: billm, Assigned: billm)

Tracking

unspecified
mozilla13
Points:
---
Dependency tree / graph

Firefox Tracking Flags

(Not tracked)

Details

(Whiteboard: [js:t])

Attachments

(1 attachment, 1 obsolete attachment)

(Assignee)

Description

5 years ago
Created attachment 593618 [details] [diff] [review]
patch

This is part of the long-term goal of conservative scanner removal. But I also need it to test incremental GC.
Attachment #593618 - Flags: review?(luke)
Attachment #593618 - Flags: review?(bhackett1024)
Comment on attachment 593618 [details] [diff] [review]
patch

Review of attachment 593618 [details] [diff] [review]:
-----------------------------------------------------------------

Looks good, though there is another problem I remembered where a script's analysis info can be cleared without triggering a GC, if the compartment's debug mode is changed.  See JSCompartment::updateForDebugMode.  Torn values might not then be cleared by the GC here, if debug mode is turned on with optimized frames on the stack.  Fortunately, that situation is currently impossible, so nothing needs to be done for this patch, but will become possible with bug 716647 so it would be good to ensure things don't subtly break after both land.

Ultimately bug 716647 will want a stack walk similar to this in updateForDebugMode which clears out the locals with dead values when turning debug mode on.  Putting this stuff here as a note for that bug.
Attachment #593618 - Flags: review?(bhackett1024) → review+
Blocks: 716647
(Assignee)

Comment 2

5 years ago
Created attachment 593703 [details] [diff] [review]
patch v2

This fixes a bug where it wasn't possible to get a StackSegment's regs().
Attachment #593618 - Attachment is obsolete: true
Attachment #593618 - Flags: review?(luke)
Attachment #593703 - Flags: review?(luke)
(Assignee)

Comment 3

5 years ago
Comment on attachment 593703 [details] [diff] [review]
patch v2

This is failing on Tinderbox.
Attachment #593703 - Flags: review?(luke)
(Assignee)

Comment 4

5 years ago
Comment on attachment 593703 [details] [diff] [review]
patch v2

The failure was caused by an unrelated bug.
Attachment #593703 - Flags: review?(luke)

Comment 5

5 years ago
Comment on attachment 593703 [details] [diff] [review]
patch v2

Nice patch.  I'm sorry for taking so long.
>+    if (!fp->isScriptFrame()) {
>+        gc::MarkRootRange(trc, slotsBegin, slotsEnd, "vm_stack");
>+        return;

Perhaps you already have found differently, but I would have thought you could JS_ASSERT(slotsBegin == slotsEnd).  Also JS_ASSERT(fp->isDummyFrame()) would be nice to explain why.

>+    if (!script->hasAnalysis() || !script->analysis()->ranLifetimes()) {
>+        gc::MarkRootRange(trc, slotsBegin, slotsEnd, "vm_stack");

If a shrinking gc throws away analysis results

>+     * slots considered not live. We need to avoid marking them. Additionally,
>+     * in case the analysis information is thrown out later, we overwrite these
>+     * dead slots with valid values so that future GCs won't crash.

Perhaps append "Analysis results are thrown away during the sweeping phase, so we always have at least one GC to do this." (unless you think its trivial :) ?

>+        jsbytecode *pc = seg->maybeRegs() ? seg->regs().pc : NULL;

Could you add/use seg->maybepc() similar to seg->maybefp() ?

>+            /* Mark from fp->slots() to slotsEnd. */
>+            markFrame(trc, fp, slotsEnd, pc);
>+
>             js_TraceStackFrame(trc, fp);

Perhaps markFrameSlots then?  (And, if you feel like it, s/js_TraceStackFrame/StackFrame::mark/ (and moved to Stack.cpp...))
Attachment #593703 - Flags: review?(luke) → review+

Comment 6

5 years ago
Ignore the "If a shrinking gc throws away" line, it was interrupted and ultimately supplanted by the following line :)
(Assignee)

Comment 7

5 years ago
https://hg.mozilla.org/integration/mozilla-inbound/rev/dc0f6ad7eff3
Target Milestone: --- → mozilla13
Backed out in https://hg.mozilla.org/integration/mozilla-inbound/rev/71f5bf4df2f6 - one of the six in that push was crashing in js::gc::Mark<JSString>
Target Milestone: mozilla13 → ---
(Assignee)

Comment 9

5 years ago
https://hg.mozilla.org/integration/mozilla-inbound/rev/fbef6a165cf8
Target Milestone: --- → mozilla13
https://hg.mozilla.org/mozilla-central/rev/fbef6a165cf8
Status: NEW → RESOLVED
Last Resolved: 5 years ago
Resolution: --- → FIXED
Depends on: 727921
Depends on: 728086
Depends on: 728190
Depends on: 732087
Depends on: 738841
Depends on: 738846
Depends on: 747926
Depends on: 749039
(Assignee)

Updated

5 years ago
Duplicate of this bug: 714619
Whiteboard: [js:t]
You need to log in before you can comment on or make changes to this bug.