Closed Bug 723313 Opened 8 years ago Closed 8 years ago

Stop using conservative stack scanner for VM stack marking

Categories

(Core :: JavaScript Engine, defect)

defect
Not set

Tracking

()

RESOLVED FIXED
mozilla13

People

(Reporter: billm, Assigned: billm)

References

Details

(Whiteboard: [js:t])

Attachments

(1 file, 1 obsolete file)

Attached patch patch (obsolete) — Splinter Review
This is part of the long-term goal of conservative scanner removal. But I also need it to test incremental GC.
Attachment #593618 - Flags: review?(luke)
Attachment #593618 - Flags: review?(bhackett1024)
Comment on attachment 593618 [details] [diff] [review]
patch

Review of attachment 593618 [details] [diff] [review]:
-----------------------------------------------------------------

Looks good, though there is another problem I remembered where a script's analysis info can be cleared without triggering a GC, if the compartment's debug mode is changed.  See JSCompartment::updateForDebugMode.  Torn values might not then be cleared by the GC here, if debug mode is turned on with optimized frames on the stack.  Fortunately, that situation is currently impossible, so nothing needs to be done for this patch, but will become possible with bug 716647 so it would be good to ensure things don't subtly break after both land.

Ultimately bug 716647 will want a stack walk similar to this in updateForDebugMode which clears out the locals with dead values when turning debug mode on.  Putting this stuff here as a note for that bug.
Attachment #593618 - Flags: review?(bhackett1024) → review+
Blocks: 716647
Attached patch patch v2Splinter Review
This fixes a bug where it wasn't possible to get a StackSegment's regs().
Attachment #593618 - Attachment is obsolete: true
Attachment #593618 - Flags: review?(luke)
Attachment #593703 - Flags: review?(luke)
Comment on attachment 593703 [details] [diff] [review]
patch v2

This is failing on Tinderbox.
Attachment #593703 - Flags: review?(luke)
Comment on attachment 593703 [details] [diff] [review]
patch v2

The failure was caused by an unrelated bug.
Attachment #593703 - Flags: review?(luke)
Comment on attachment 593703 [details] [diff] [review]
patch v2

Nice patch.  I'm sorry for taking so long.
>+    if (!fp->isScriptFrame()) {
>+        gc::MarkRootRange(trc, slotsBegin, slotsEnd, "vm_stack");
>+        return;

Perhaps you already have found differently, but I would have thought you could JS_ASSERT(slotsBegin == slotsEnd).  Also JS_ASSERT(fp->isDummyFrame()) would be nice to explain why.

>+    if (!script->hasAnalysis() || !script->analysis()->ranLifetimes()) {
>+        gc::MarkRootRange(trc, slotsBegin, slotsEnd, "vm_stack");

If a shrinking gc throws away analysis results

>+     * slots considered not live. We need to avoid marking them. Additionally,
>+     * in case the analysis information is thrown out later, we overwrite these
>+     * dead slots with valid values so that future GCs won't crash.

Perhaps append "Analysis results are thrown away during the sweeping phase, so we always have at least one GC to do this." (unless you think its trivial :) ?

>+        jsbytecode *pc = seg->maybeRegs() ? seg->regs().pc : NULL;

Could you add/use seg->maybepc() similar to seg->maybefp() ?

>+            /* Mark from fp->slots() to slotsEnd. */
>+            markFrame(trc, fp, slotsEnd, pc);
>+
>             js_TraceStackFrame(trc, fp);

Perhaps markFrameSlots then?  (And, if you feel like it, s/js_TraceStackFrame/StackFrame::mark/ (and moved to Stack.cpp...))
Attachment #593703 - Flags: review?(luke) → review+
Ignore the "If a shrinking gc throws away" line, it was interrupted and ultimately supplanted by the following line :)
Backed out in https://hg.mozilla.org/integration/mozilla-inbound/rev/71f5bf4df2f6 - one of the six in that push was crashing in js::gc::Mark<JSString>
Target Milestone: mozilla13 → ---
https://hg.mozilla.org/mozilla-central/rev/fbef6a165cf8
Status: NEW → RESOLVED
Closed: 8 years ago
Resolution: --- → FIXED
Depends on: 727921
Depends on: 728086
Depends on: 728190
Depends on: 732087
Depends on: 738841
Depends on: 738846
Depends on: 747926
Depends on: 749039
Duplicate of this bug: 714619
Whiteboard: [js:t]
You need to log in before you can comment on or make changes to this bug.