Closed Bug 919536 Opened 6 years ago Closed 6 years ago

GenerationalGC: JS reftest js1_5/GC/regress-203278-2.js fails in browser try build

Categories

(Core :: JavaScript Engine, defect)

RESOLVED FIXED
mozilla27

People

(Reporter: jonco, Assigned: jonco)

Attachments

(1 file, 1 obsolete file)

The test fails often in browser try builds, with the following log:

08:05:24     INFO -  REFTEST TEST-START | file:///builds/slave/talos-slave/test/build/tests/jsreftest/tests/jsreftest.html?test=js1_5/GC/regress-203278-2.js
08:05:24     INFO -  REFTEST TEST-LOAD | file:///builds/slave/talos-slave/test/build/tests/jsreftest/tests/jsreftest.html?test=js1_5/GC/regress-203278-2.js | 1610 / 6625 (24%)
08:05:24     INFO -  ++DOMWINDOW == 60 (0x12c595f98) [serial = 3068] [outer = 0x121917368]
08:05:24     INFO -  BUGNUMBER: 203278
08:05:24     INFO -  STATUS: Don't crash in recursive js_MarkGCThing
08:05:27     INFO -  STATUS: DSF is prepared
08:05:27     INFO -  STATUS: Linked list is prepared
08:05:29  WARNING -  TEST-UNEXPECTED-FAIL | file:///builds/slave/talos-slave/test/build/tests/jsreftest/tests/jsreftest.html?test=js1_5/GC/regress-203278-2.js | Exited with code 1 during test run
08:05:29     INFO -  INFO | automation.py | Application ran for: 0:08:26.085480
08:05:29     INFO -  INFO | zombiecheck | Reading PID log: /var/folders/Y0/Y0kLa3o+Fwen0F6HlCHtIE+++-k/-Tmp-/tmp8BP0CApidlog
08:05:29     INFO -  /builds/slave/talos-slave/test/build/tools/breakpad/osx64/minidump_stackwalk /var/folders/Y0/Y0kLa3o+Fwen0F6HlCHtIE+++-k/-Tmp-/tmp6DgBDN.mozrunner/minidumps/B3C30559-9027-480F-97AF-E0EB3D6E79D2.dmp /builds/slave/talos-slave/test/build/symbols
08:05:48  WARNING -  PROCESS-CRASH | file:///builds/slave/talos-slave/test/build/tests/jsreftest/tests/jsreftest.html?test=js1_5/GC/regress-203278-2.js | application crashed [@ js::gc::Cell::arenaHeader() const]
08:05:48     INFO -  Crash dump filename: /var/folders/Y0/Y0kLa3o+Fwen0F6HlCHtIE+++-k/-Tmp-/tmp6DgBDN.mozrunner/minidumps/B3C30559-9027-480F-97AF-E0EB3D6E79D2.dmp
08:05:48     INFO -  Operating system: Mac OS X
08:05:48     INFO -                    10.6.8 10K549
08:05:48     INFO -  CPU: amd64
08:05:48     INFO -       family 6 model 23 stepping 10
08:05:48     INFO -       2 CPUs
08:05:48     INFO -  Crash reason:  EXC_BAD_ACCESS / 0x0000000d
08:05:48     INFO -  Crash address: 0x0
08:05:48     INFO -  Thread 0 (crashed)
08:05:48     INFO -   0  XUL!js::gc::Cell::arenaHeader() const [HeapAPI.h:1c0336a54004 : 126 + 0x0]
08:05:48     INFO -      rbx = 0x2b2b2b2b2b2b2b2b   r12 = 0x0000000117d77400
08:05:48     INFO -      r13 = 0x000000014f000010   r14 = 0x00000001183b4590
08:05:48     INFO -      r15 = 0x000000014f000018   rip = 0x0000000103fed00f
08:05:48     INFO -      rsp = 0x00007fff5fbf8c00   rbp = 0x00007fff5fbf8c10
08:05:48     INFO -      Found by: given as instruction pointer in context
08:05:48     INFO -   1  XUL!js::gc::Cell::tenuredZone() const [Heap.h:1c0336a54004 : 1019 + 0x4]
08:05:48     INFO -      rbx = 0x2b2b2b2b2b2b2b2b   r12 = 0x0000000117d77400
08:05:48     INFO -      r13 = 0x000000014f000010   r14 = 0x00000001183b4590
08:05:48     INFO -      r15 = 0x000000014f000018   rip = 0x0000000103febdff
08:05:48     INFO -      rsp = 0x00007fff5fbf8c20   rbp = 0x00007fff5fbf8c30
08:05:48     INFO -      Found by: call frame info
08:05:48     INFO -   2  XUL!js::GCMarker::processMarkStackTop(js::SliceBudget&) [Barrier.h:1c0336a54004 : 151 + 0x4]
08:05:48     INFO -      rbx = 0x00000001492d20e0   r12 = 0x0000000117d77400
08:05:48     INFO -      r13 = 0x000000014f000010   r14 = 0x00000001183b4590
08:05:48     INFO -      r15 = 0x000000014f000018   rip = 0x0000000103e5ec8f
08:05:48     INFO -      rsp = 0x00007fff5fbf8c40   rbp = 0x00007fff5fbf8c80
08:05:48     INFO -      Found by: call frame info
08:05:48     INFO -   3  XUL!js::GCMarker::drainMarkStack(js::SliceBudget&) [Marking.cpp:1c0336a54004 : 1536 + 0xa]
08:05:48     INFO -      rbx = 0x0000000117d77400   r12 = 0x0000000117d77000
08:05:48     INFO -      r13 = 0x0000000000000000   r14 = 0x00007fff5fbf8d00
08:05:48     INFO -      r15 = 0x0000000117d77000   rip = 0x0000000103e5757b
08:05:48     INFO -      rsp = 0x00007fff5fbf8c90   rbp = 0x00007fff5fbf8cb0
08:05:48     INFO -      Found by: call frame info
08:05:48     INFO -   4  XUL!IncrementalCollectSlice [jsgc.cpp:1c0336a54004 : 3845 + 0xb]
08:05:48     INFO -      rbx = 0x00007fff5fbf8d10   r12 = 0x0000000117d77000
08:05:48     INFO -      r13 = 0x0000000000000000   r14 = 0x0000000117d77520
08:05:48     INFO -      r15 = 0x0000000000000000   rip = 0x0000000104001dc7
08:05:48     INFO -      rsp = 0x00007fff5fbf8cc0   rbp = 0x00007fff5fbf8e60
08:05:48     INFO -      Found by: call frame info
08:05:48     INFO -   5  XUL!GCCycle [jsgc.cpp:1c0336a54004 : 4507 + 0xd]
08:05:48     INFO -      rbx = 0x0000000000000000   r12 = 0x0000000000000023
08:05:48     INFO -      r13 = 0x0000000000000000   r14 = 0x00000001047d7ed6
08:05:48     INFO -      r15 = 0x0000000117d77000   rip = 0x0000000104000e0c
08:05:48     INFO -      rsp = 0x00007fff5fbf8e70   rbp = 0x00007fff5fbf8ed0
08:05:48     INFO -      Found by: call frame info
08:05:48     INFO -   6  XUL!Collect [jsgc.cpp:1c0336a54004 : 4648 + 0x13]
08:05:48     INFO -      rbx = 0x0000000000000000   r12 = 0x0000000000000023
08:05:48     INFO -      r13 = 0x0000000117d77000   r14 = 0x0000000117d77520
08:05:48     INFO -      r15 = 0x0000000000000000   rip = 0x0000000103ffefb4
08:05:48     INFO -      rsp = 0x00007fff5fbf8ee0   rbp = 0x00007fff5fbf8f70
08:05:48     INFO -      Found by: call frame info
08:05:48     INFO -   7  XUL!nsXPCComponents_Utils::ForceGC() [XPCComponents.cpp:1c0336a54004 : 2857 + 0xc]
08:05:48     INFO -      rbx = 0x0000000117d77000   r12 = 0x00007fff7000c5e0
08:05:48     INFO -      r13 = 0x00007fff5fbf90a0   r14 = 0x00007fff5fbf9000
08:05:48     INFO -      r15 = 0x00007fff5fbf9220   rip = 0x00000001029fd969
08:05:48     INFO -      rsp = 0x00007fff5fbf8f80   rbp = 0x00007fff5fbf8f90
08:05:48     INFO -      Found by: call frame info
08:05:48     INFO -   8  XUL!NS_InvokeByIndex [xptcinvoke_x86_64_unix.cpp:1c0336a54004 : 162 + 0x3]
08:05:48     INFO -      rbx = 0x0000000100957140   r12 = 0x00007fff7000c5e0
08:05:48     INFO -      r13 = 0x00007fff5fbf90a0   r14 = 0x00007fff5fbf9000
08:05:48     INFO -      r15 = 0x00007fff5fbf9220   rip = 0x00000001035a829d
08:05:48     INFO -      rsp = 0x00007fff5fbf8fa0   rbp = 0x00007fff5fbf9030
08:05:48     INFO -      Found by: call frame info
08:05:48     INFO -   9  XUL!CallMethodHelper::Call() [XPCWrappedNative.cpp:1c0336a54004 : 2804 + 0x4]
08:05:48     INFO -      rbx = 0x0000000100957140   r12 = 0x00007fff7000c5e0
08:05:48     INFO -      r13 = 0x00007fff5fbf90a0   r14 = 0x00007fff5fbf9000
08:05:48     INFO -      r15 = 0x00007fff5fbf9220   rip = 0x0000000102a3dfd8
08:05:48     INFO -      rsp = 0x00007fff5fbf9040   rbp = 0x00007fff5fbf9070
08:05:48     INFO -      Found by: call frame info
08:05:48     INFO -  10  XUL!XPCWrappedNative::CallMethod(XPCCallContext&, XPCWrappedNative::CallMode) [XPCWrappedNative.cpp:1c0336a54004 : 2110 + 0x7]
08:05:48     INFO -      rbx = 0x000000012164b900   r12 = 0x00007fff7000c5e0
08:05:48     INFO -      r13 = 0x00007fff5fbf9370   r14 = 0x00007fff5fbf90a0
08:05:48     INFO -      r15 = 0x00007fff5fbf9220   rip = 0x0000000102a3c2f2
08:05:48     INFO -      rsp = 0x00007fff5fbf9080   rbp = 0x00007fff5fbf91e0
08:05:48     INFO -      Found by: call frame info

Reduced test case that fails in the shell:

gczeal(2, 1000);

var a = new Array(10 * 1000);

var i = a.length;
while (i-- != 0) {
  switch (i % 3) {
    case 0:
      a[i] = { };
      break;
  }
}

gc();

Attached patch post-barrier-SetElementIC (obsolete)
It appears the problem is that SetElementIC::attachDenseElement() does not post-barrier writes to the elements array.

This patch adds a post barrier to the generated code.

However, I notice that in CodeGenerator.cpp we use OutOfLineCallPostWriteBarrier to have the call to the barrier out of line.  Maybe we should do that in this case too?  I'm unsure what the tradeoffs are for this.
Attachment #809102 - Flags: review?(terrence)
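
The missing post barrier described in the comment above, as a toy model added here (it is not SpiderMonkey code and not the attached patch). `ToyHeap`, `store`, `minorGC` and `readAfterMinorGC` are hypothetical names, and the 0x2b fill is chosen to mirror the `rbx` value in the crash log.

```cpp
// Added illustration, not SpiderMonkey code: every name here is hypothetical.
#include <cstdint>
#include <cstdio>
#include <cstring>
#include <vector>

struct Obj { uint64_t payload; };

struct ToyHeap {
    static constexpr std::size_t kNurseryCap = 16;
    Obj nursery[kNurseryCap];
    std::size_t used = 0;
    std::vector<Obj*> tenured;       // promoted objects, never moved again
    std::vector<Obj**> storeBuffer;  // tenured slots known to point into the nursery
    Obj* allocNursery(uint64_t v) { nursery[used] = Obj{v}; return &nursery[used++]; }
    bool inNursery(const Obj* p) const { return p >= nursery && p < nursery + kNurseryCap; }

    // Store into a tenured slot; the post barrier remembers slots that now hold a nursery pointer.
    void store(Obj** slot, Obj* value, bool postBarrier) {
        *slot = value;
        if (postBarrier && inNursery(value)) storeBuffer.push_back(slot);
    }

    // Minor GC: the store buffer is the only source of tenured->nursery roots. Survivors are
    // copied out and their slots updated, then the nursery is filled with 0x2b (constructed value).
    void minorGC() {
        for (Obj** slot : storeBuffer) {
            tenured.push_back(new Obj(**slot));
            *slot = tenured.back();
        }
        storeBuffer.clear();
        std::memset(nursery, 0x2b, sizeof nursery);
        used = 0;
    }
    ~ToyHeap() { for (Obj* o : tenured) delete o; }
};

// Returns what a tenured elements slot reads back after a minor GC.
uint64_t readAfterMinorGC(bool postBarrier) {
    ToyHeap heap;
    Obj* elements[1] = {nullptr};  // stands in for a tenured array's elements
    heap.store(&elements[0], heap.allocNursery(0x1234), postBarrier);
    heap.minorGC();
    return elements[0]->payload;
}

int main() {
    std::printf("barrier: %#llx, no barrier: %#llx\n", (unsigned long long)readAfterMinorGC(true), (unsigned long long)readAfterMinorGC(false));
}
```

With the barrier the slot is redirected to the promoted copy; without it the slot still points into the evacuated nursery, which is the kind of stale edge the marker later follows.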
Comment on attachment 809102
post-barrier-SetElementIC

Review of attachment 809102:
-----------------------------------------------------------------

The tradeoff is inline code size vs raw performance. I don't know how much code or performance we're talking about, however, so I think this should get review by someone else.
Attachment #809102 - Flags: review?(terrence) → review?(bhackett1024)
Comment on attachment 809102
post-barrier-SetElementIC

Review of attachment 809102:
-----------------------------------------------------------------

Sorry for the delay.

::: js/src/jit/IonCaches.cpp
@@ +3347,5 @@
>                  masm.callPreBarrier(target, MIRType_Value);
>          }
>  
> +#ifdef JSGC_GENERATIONAL
> +        JSRuntime *runtime = cx->runtime();
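
Review bot: the `#ifdef JSGC_GENERATIONAL` block opened right after `masm.callPreBarrier(target, MIRType_Value)` carries no comment, in the quoted lines, saying which store it guards. A one-line comment that the post barrier covers the write into the dense elements array would tell the next reader why this IC needs it in addition to the pre-barrier.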

Can you make this code a utility method on IonMacroAssembler?
Attachment #809102 - Flags: review?(bhackett1024) → review+
I've moved this to MacroAssembler::maybeCallPostBarrier(), and also made it take account of the possibility that value is typed but not an object, or is a value.
Attachment #809102 - Attachment is obsolete: true
Attachment #810582 - Flags: review+
https://hg.mozilla.org/mozilla-central/rev/63db6c5e2b7a
Status: NEW → RESOLVED
Closed: 6 years ago
Flags: in-testsuite+
Resolution: --- → FIXED
Target Milestone: --- → mozilla27