Closed
Bug 909972
Opened 11 years ago
Closed 11 years ago
Fix the remaining hazards in AsmJS
Categories
(Core :: JavaScript Engine, defect)
Core
JavaScript Engine
Tracking
()
RESOLVED
FIXED
mozilla28
People
(Reporter: terrence, Assigned: terrence)
References
Details
(Whiteboard: [qa-])
Attachments
(1 file, 1 obsolete file)
8.84 KB,
patch
|
luke
:
review+
|
Details | Diff | Splinter Review |
The three remaining hazards being reported in AsmJS are: Function 'AsmJS.cpp:uint8 CheckInternalCall(FunctionCompiler*, js::frontend::ParseNode*, js::PropertyName*, RetType, js::jit::MDefinition**, Type*)' has unrooted 'calleeName' of type 'js::PropertyName*' live across GC call 'AsmJS.cpp:uint8 CheckCallArgs(FunctionCompiler*, js::frontend::ParseNode*, (uint8)(FunctionCompiler*,js::frontend::ParseNode*,Type)*, FunctionCompiler::Call*)' at home/sfink/src/MI-upstream/js/src/jit/AsmJS.cpp:3395 Function 'AsmJS.cpp:uint8 CheckFuncPtrCall(FunctionCompiler*, js::frontend::ParseNode*, RetType, js::jit::MDefinition**, Type*)' has unrooted 'name' of type 'js::PropertyName*' live across GC call 'AsmJS.cpp:uint8 CheckCallArgs(FunctionCompiler*, js::frontend::ParseNode*, (uint8)(FunctionCompiler*,js::frontend::ParseNode*,Type)*, FunctionCompiler::Call*)' at home/sfink/src/MI-upstream/js/src/jit/AsmJS.cpp:3471 Function 'AsmJS.cpp:uint8 CheckFFICall(FunctionCompiler*, js::frontend::ParseNode*, uint32, RetType, js::jit::MDefinition**, Type*)' has unrooted 'calleeName' of type 'js::PropertyName*' live across GC call 'AsmJS.cpp:uint8 CheckCallArgs(FunctionCompiler*, js::frontend::ParseNode*, (uint8)(FunctionCompiler*,js::frontend::ParseNode*,Type)*, FunctionCompiler::Call*)' at home/sfink/src/MI-upstream/js/src/jit/AsmJS.cpp:3500 CheckCallArgs calls CheckExpr, which uses |JS_CHECK_RECURSION(f.cx(), return false);|, which calls |js_ReportOverRecursed|. This ends up calling |js_ExpandErrorArguments|, which calls through a function pointer for formatting. The format function we use cannot GC, but the analysis is not smart enough to follow this flow. Secondly, even if this did GC, it should not be a hazard: AsmJS immediately returns false and does not touch the property names again. The analysis seems to not be smart enough to unfold this data-flow either.
Assignee | ||
Comment 1•11 years ago
|
||
Later on, js_ReportErrorNumberVA calls ReportError, which will call the JSD1 hook, which will re-enter script, so this can actually trigger GC.
Comment 2•11 years ago
|
||
The error paths should return before any possible uses of those PropertyNames.
Assignee | ||
Comment 3•11 years ago
|
||
Yes indeed! We need to pursue the "Secondly" path from comment 0: data-dependent flow analysis or just add an annotation for CheckExpr.
Comment 4•11 years ago
|
||
Oops, I didn't see that the last paragraph was words, not spew :)
Assignee | ||
Updated•11 years ago
|
Status: ASSIGNED → RESOLVED
Closed: 11 years ago
Resolution: --- → DUPLICATE
Assignee | ||
Comment 6•11 years ago
|
||
Note: the analysis in comment 0 is a bit wrong. js_ReportOverRecursed does GC, but not through the path indicated. Instead it calls the jsd1 hook which enters firebug.
Assignee | ||
Comment 7•11 years ago
|
||
Actually, it looks like this is going to be quite complicated to annotate our way out of, so lets just fix the code instead.
Status: RESOLVED → REOPENED
Resolution: DUPLICATE → ---
Assignee | ||
Comment 8•11 years ago
|
||
The strategy taken here is to delay reporting until the module compiler destructor. Since AsmJS already does this for all errors except over-recursion, this is trivial. Steve, does this fix the asm.js hazards that the analysis is reporting?
Attachment #817562 -
Flags: feedback?(sphink)
Assignee | ||
Comment 9•11 years ago
|
||
Comment on attachment 817562 [details] [diff] [review] hazard_AsmJS-v1.diff We can use try to test this now. Derp. https://tbpl.mozilla.org/?tree=Try&rev=d47e567f3205
Attachment #817562 -
Flags: feedback?(sphink)
Assignee | ||
Comment 10•11 years ago
|
||
And it will likely even work now: https://tbpl.mozilla.org/?tree=Try&rev=71cf21dcbe1b
Assignee | ||
Comment 11•11 years ago
|
||
Nope. The recent unrelated regressions triggered failure, which was killing the job before the upload. A more recent successful job showed us a new regression: fail(nullptr) calls Parser::peekToken, which will atomize, which may GC. This is why so many new asm.js hazards popped up a couple weeks ago. Since this is only when we are already probably in OOM, I think suppressing here is the right thing to do: it will delay the GC until the parser is off the stack, which should allow us to free more anyway. At long last, success: https://tbpl.mozilla.org/?tree=Try&rev=7db197c35663
Assignee | ||
Comment 12•11 years ago
|
||
Luke, this implements the technique we discussed above: moving the reporting of over-recursed to the top level to match our other reporting. It also addresses the problems found in the last comment by suppressing GC in fail(). With this patch in place, we have 4 remaining hazard reports in the shell.
Attachment #817562 -
Attachment is obsolete: true
Attachment #828199 -
Flags: review?(luke)
Updated•11 years ago
|
Attachment #828199 -
Flags: review?(luke) → review+
Assignee | ||
Comment 13•11 years ago
|
||
https://hg.mozilla.org/integration/mozilla-inbound/rev/4e84bb9b38fa
https://hg.mozilla.org/mozilla-central/rev/4e84bb9b38fa
Status: REOPENED → RESOLVED
Closed: 11 years ago → 11 years ago
Resolution: --- → FIXED
Target Milestone: --- → mozilla28
Updated•10 years ago
|
Whiteboard: [qa-]
You need to log in
before you can comment on or make changes to this bug.
Description
•