Closed
Bug 1020834
Opened 10 years ago
Closed 10 years ago
IonMonkey: (ARM) Correct some poorly handled pool placement cases and improve test coverage for these issues.
Categories
(Core :: JavaScript Engine: JIT, defect)
Tracking
()
RESOLVED
FIXED
mozilla33
People
(Reporter: dougc, Assigned: dougc)
References
Details
Attachments
(3 files, 6 obsolete files)
(deleted),
patch
|
dougc
:
review+
|
Details | Diff | Splinter Review |
(deleted),
patch
|
Sylvestre
:
approval-mozilla-aurora+
|
Details | Diff | Splinter Review |
(deleted),
patch
|
Sylvestre
:
approval-mozilla-beta-
|
Details | Diff | Splinter Review |
For the ARM assembly, constant pools can be dumped between instructions unless inhibited. This can cause code references to point to the pool rather than the expected instruction and for code sequences to have a varying length.
This bug adds support to emit a given number of distinctive NOP instructions at all locations at which a pool might have been dumped, and this alone can help catch many issues. This test can be enabled via the a JS shell command line argument or an environment variable.
This testing reveals an number of issues and these are patched here.
Assignee | ||
Comment 2•10 years ago
|
||
The NOP fill is enabled via the js shell argument --arm-asm-nop-fill=<num> or by the environment variable ARM_ASM_NOP_FILL.
The function skipPool() has been added and is used when creating an InstructionIterator, and called directly in some instances. This code has been reworked to skip all the fill-NOPs and artificial pool guards.
A markAsBranch argument has been added to insertEntry() so that the branch positions are noted accurately. The function writeBranchInst() has been added, like writeInst() but it sets markAsBranch.
There were issues with the bailout table, and with the toggled calls, which have been addressed.
It passes jit-tests locally. Shall do some more testing, and make sure non-debug builds compile etc.
Attachment #8434882 -
Flags: feedback?(mrosenberg)
Assignee | ||
Comment 3•10 years ago
|
||
Would this test help with testing, and would it be usable?
Flags: needinfo?(choller)
Assignee | ||
Comment 4•10 years ago
|
||
Comment 5•10 years ago
|
||
I think this would help testing :) You just have to let us know what value to use for <num> typically.
Flags: needinfo?(choller)
Assignee | ||
Comment 6•10 years ago
|
||
Rebased. This was all split out from the asm buffer simplification patch. These are fixes that stand on their own. They will be needed for a solid 31 ESR and block the asm buffer simplification patch.
Attachment #8434882 -
Attachment is obsolete: true
Attachment #8434882 -
Flags: feedback?(mrosenberg)
Attachment #8441165 -
Flags: review?(jdemooij)
Assignee | ||
Comment 7•10 years ago
|
||
Backport for beta (31).
Comment 8•10 years ago
|
||
Comment on attachment 8441165 [details] [diff] [review]
Correct some poorly handled pool placement cases and improve test coverage for these issues.
Review of attachment 8441165 [details] [diff] [review]:
-----------------------------------------------------------------
Thanks for adding this; when it lands we should inform the fuzzing people so they can use this flag. Some minor comments below.
::: js/src/jit/arm/Assembler-arm.cpp
@@ +1853,3 @@
> if (l->bound()) {
> + // Note only one instruction is emitted here, the NOP is overwritten.
> + BufferOffset ret = writeBranchInst(0xe320f000); // NOP
Can we use InstNOP here to avoid hardcoding this constant in multiple places?
@@ +1914,3 @@
> if (l->bound()) {
> + // Note only one instruction is emitted here, the NOP is overwritten.
> + BufferOffset ret = writeBranchInst(0xe320f000); // NOP
Same here.
@@ +2812,5 @@
> +
> +uint32_t Assembler::nopFill = 0;
> +
> +uint32_t
> +Assembler::getNopFill() {
This method can also be static right?
::: js/src/jit/arm/Assembler-arm.h
@@ +1235,5 @@
> uint32_t actualOffset(uint32_t) const;
> uint32_t actualIndex(uint32_t) const;
> static uint8_t *PatchableJumpAddress(JitCode *code, uint32_t index);
> BufferOffset actualOffset(BufferOffset) const;
> + static uint32_t nopFill;
Nit: it's static so NopFill
::: js/src/jit/arm/CodeGenerator-arm.cpp
@@ +213,5 @@
> JS_ASSERT_IF(frameClass_ != FrameSizeClass::None(),
> frameClass_.frameSize() == masm.framePushed());
>
> if (assignBailoutId(snapshot)) {
> + uint8_t *code = masm.BailoutTableStart(deoptTable_->raw()) + snapshot->bailoutId() * BAILOUT_TABLE_ENTRY_SIZE;
Nit: (Macro)Assembler::BailoutTableStart?
::: js/src/jit/shared/IonAssemblerBufferWithConstantPools.h
@@ +466,5 @@
> }
> }
> }
>
> + void InsertNopFill() {
Nit: insertNopFill as it's a non-static member.
Attachment #8441165 -
Flags: review?(jdemooij)
Assignee | ||
Comment 9•10 years ago
|
||
Address reviewer feedback. Thank you for the quick feedback.
Read through the style guide and looked for other issue. Sorry, it is still not 100% clear when to capitalize the first letter of names.
Attachment #8441165 -
Attachment is obsolete: true
Attachment #8441166 -
Attachment is obsolete: true
Attachment #8444226 -
Flags: review?(jdemooij)
Assignee | ||
Comment 10•10 years ago
|
||
Some rebasing and some small clean up.
Attachment #8444226 -
Attachment is obsolete: true
Attachment #8444226 -
Flags: review?(jdemooij)
Attachment #8445806 -
Flags: review?(jdemooij)
Comment 11•10 years ago
|
||
Comment on attachment 8445806 [details] [diff] [review]
Correct some poorly handled pool placement cases and improve test coverage for these issues.
Review of attachment 8445806 [details] [diff] [review]:
-----------------------------------------------------------------
Sorry for the delay. Just some style nits; most of them pre-existing, that makes it harder to pick it up so don't worry too much about it :)
(In reply to Douglas Crosher [:dougc] from comment #9)
> Read through the style guide and looked for other issue. Sorry, it is still
> not 100% clear when to capitalize the first letter of names.
Functions that are not class/struct members are always capitalized. Same for static class/struct members.
::: js/src/jit/arm/Assembler-arm.cpp
@@ +2803,5 @@
> // NOTE: we don't update the Auto Flush Cache! this function is currently only called from
> // within AsmJSModule::patchHeapAccesses, which does that for us. Don't call this!
> }
>
> InstructionIterator::InstructionIterator(Instruction *i_) : i(i_) {
Nit: { on its own line.
@@ +2812,5 @@
> +
> +uint32_t Assembler::NopFill = 0;
> +
> +uint32_t
> +Assembler::getNopFill() {
Same here.
::: js/src/jit/arm/Assembler-arm.h
@@ +1236,5 @@
> uint32_t actualIndex(uint32_t) const;
> static uint8_t *PatchableJumpAddress(JitCode *code, uint32_t index);
> BufferOffset actualOffset(BufferOffset) const;
> + static uint32_t NopFill;
> + static uint32_t getNopFill();
Nit: we capitalize the names of static methods: GetNopFill. At least in jit/*, code outside jit/* doesn't always do this...
@@ +1391,5 @@
> // instruction gets written into the instruction stream. If dest is not null
> // it is interpreted as a pointer to the location that we want the
> // instruction to be written.
> BufferOffset writeInst(uint32_t x, uint32_t *dest = nullptr);
> + // As above, but also mark the instruction as a branch.
Nit: blank line before this comment.
@@ +1397,1 @@
> // A static variant for the cases where we don't want to have an assembler
And here.
Attachment #8445806 -
Flags: review?(jdemooij) → review+
Assignee | ||
Comment 12•10 years ago
|
||
Address reviewer feedback, thank you.
Attachment #8445806 -
Attachment is obsolete: true
Attachment #8446526 -
Flags: review+
Comment 14•10 years ago
|
||
You'll need a try server link in the bug for the sheriffs to check a patch in for you. This was announced on dev.platform a while ago: https://groups.google.com/forum/#!searchin/mozilla.dev.platform/checkin-needed/mozilla.dev.platform/9w0-Bh_3vVI/xWebYK64GdwJ
Flags: needinfo?(dtc-moz)
Keywords: checkin-needed
Assignee | ||
Comment 15•10 years ago
|
||
Rebase. Carrying forward r+.
https://tbpl.mozilla.org/?tree=Try&rev=5942dabfb4c3
Attachment #8446526 -
Attachment is obsolete: true
Attachment #8447072 -
Flags: review+
Flags: needinfo?(dtc-moz)
Assignee | ||
Comment 16•10 years ago
|
||
Assignee | ||
Comment 17•10 years ago
|
||
Assignee | ||
Comment 18•10 years ago
|
||
(In reply to Till Schneidereit [:till] from comment #14)
> You'll need a try server link in the bug for the sheriffs to check a patch
> in for you. This was announced on dev.platform a while ago:
> https://groups.google.com/forum/#!searchin/mozilla.dev.platform/checkin-
> needed/mozilla.dev.platform/9w0-Bh_3vVI/xWebYK64GdwJ
Thank you, I had not seen this.
Assignee | ||
Comment 19•10 years ago
|
||
Comment on attachment 8447074 [details] [diff] [review]
Backport to Aurora 32.
Approval Request Comment
[Feature/regressing bug #]: Long standing issues.
[User impact if declined]: Crashes, bad computation, maybe exploitable vulnerabilities. Asm.js code seems to tickle these issues, and they are more problematic on ARMv6 hardware, making this a show stopper for asm.js on ARMv6 devices.
[Describe test coverage new/current, TBPL]: This has been fuzz tested in bug 1026919, wrt m-c, with no reported issues. Tested locally on the Aurora 32 branch using the tbpl jit-tests and it passes all these tests for ARMv7 code generation, and it reduces the number of failures from 22 to 6 for ARMv6 code generation (the remaining failures are addressed in bug 1026919). Note that the moz tbpl testing of the ARMv6 Android builds tests on ARMv7 hardware so the JIT compiler is generation ARMv7 code, so these failures have been hidden! Tested on a range of large asm.js demos.
[Risks and why]: There is some risk, there is some complexity here, and this is a low level change. Fwiw the changes are isolated to the ARM backend. I ask you weight this up against the risks associated with the bugs this fixes.
[String/UUID change made/needed]: n/a
Attachment #8447074 -
Flags: approval-mozilla-aurora?
Assignee | ||
Comment 20•10 years ago
|
||
Comment on attachment 8447075 [details] [diff] [review]
Backport for Beta 31.
Approval Request Comment
[Feature/regressing bug #]: Long standing issues.
[User impact if declined]: Crashes, bad computation, maybe exploitable vulnerabilities. Asm.js code seems to tickle these issues, and they are more problematic on ARMv6 hardware, making this a show stopper for asm.js on ARMv6 devices.
[Describe test coverage new/current, TBPL]: This has been fuzz tested in bug 1026919, wrt m-c, with no reported issues. Tested locally on the Beta 31 branch using the tbpl jit-tests and it passes all these tests for ARMv7 code generation, and it reduces the number of failures from 23 to 7 for ARMv6 code generation. Tested on a range of large asm.js demos.
[Risks and why]: There is some risk, there is some complexity here, and this is a low level change. Fwiw the changes are isolated to the ARM backend. I ask you weight this up against the risks associated with the bugs this fixes.
[String/UUID change made/needed]: n/a
Attachment #8447075 -
Flags: approval-mozilla-beta?
Assignee | ||
Comment 21•10 years ago
|
||
Repeating some try builds that had a little more orange than expected:
m-c: https://tbpl.mozilla.org/?tree=Try&rev=19234d62b4f6
Beta: https://tbpl.mozilla.org/?tree=Try&rev=403c695196d9
Updated•10 years ago
|
Updated•10 years ago
|
Attachment #8447074 -
Flags: approval-mozilla-aurora? → approval-mozilla-aurora+
Comment 22•10 years ago
|
||
Comment on attachment 8447075 [details] [diff] [review]
Backport for Beta 31.
Given that this bug has been in Firefox for a while and has risk, I prefer to let ride the 32 train.
Attachment #8447075 -
Flags: approval-mozilla-beta? → approval-mozilla-beta-
Assignee | ||
Comment 23•10 years ago
|
||
(In reply to Sylvestre Ledru [:sylvestre] from comment #22)
> Comment on attachment 8447075 [details] [diff] [review]
> Backport for Beta 31.
>
> Given that this bug has been in Firefox for a while and has risk, I prefer
> to let ride the 32 train.
I respect your decision. Hopefully many people will upgrade to 32 soon anyway, and as you note this is a long standing issue. Such a fresh change also has it's own unknown risks and some more testing on 32 and 33 would help reduce this risk. Deferring the 31 release would leave people using the un-patched code anyway.
However this decision will block bug 1026919 so 31 will have a somewhat fragile and potentially insecure JIT compiler backend.
ESR 31 will have a long ride to an upgrade so will it be possible in future to request approval to uplift to ESR 31? If not then are there any other processes I should be aware of for informing ESR builders and making patches available?
Flags: needinfo?(sledru)
Comment 24•10 years ago
|
||
OK. With the ESR in mind and bug 1026919, I could reconsider this choice.
However, I don't see a reviewed patch for bug 1026919 and the current patch seems quite big (and too big to be approved so late in the 31 cycle).
I propose that we skip it for 31. We approve both of them asap in 32 and we discuss about a potential approval in ESR 31.1.0 or 31.2.0.
Sounds good?
Flags: needinfo?(sledru)
Assignee | ||
Comment 25•10 years ago
|
||
(In reply to Sylvestre Ledru [:sylvestre] from comment #24)
> OK. With the ESR in mind and bug 1026919, I could reconsider this choice.
> However, I don't see a reviewed patch for bug 1026919 and the current patch
> seems quite big (and too big to be approved so late in the 31 cycle).
> I propose that we skip it for 31. We approve both of them asap in 32 and we
> discuss about a potential approval in ESR 31.1.0 or 31.2.0.
> Sounds good?
Yes, thank you. I'll work towards this.
Comment 27•10 years ago
|
||
Wait, when did this land on m-c?
Assignee | ||
Comment 28•10 years ago
|
||
(In reply to Ryan VanderMeulen [:RyanVM UTC-4] from comment #27)
> Wait, when did this land on m-c?
This has not landed on m-c. If it could be checked in when the ARM builds on m-c are stable it would be appreciated.
Comment 29•10 years ago
|
||
Is there any reason to land it on Aurora prior to that?
Updated•10 years ago
|
Assignee | ||
Comment 30•10 years ago
|
||
(In reply to Ryan VanderMeulen [:RyanVM UTC-4] from comment #29)
> Is there any reason to land it on Aurora prior to that?
No, it does not seem that urgent. I defer to your judgement. It will need testing on Aurora soon, and it is unlikely that testing on m-c will show any problems about the other noise there, but it would be prudent to land on m-c first.
I brought forward the Aurora and Beta approval requests because we are playing catchup and these requests may have needed some discussion.
Comment 31•10 years ago
|
||
(In reply to Douglas Crosher [:dougc] from comment #28)
> This has not landed on m-c. If it could be checked in when the ARM builds on
> m-c are stable it would be appreciated.
I'm not sure exactly what you're referring to here. Please just put checkin-needed on the bug if you feel it's ready to land on m-c. The Try run looks green enough IMO.
Assignee | ||
Updated•10 years ago
|
Keywords: checkin-needed
Comment 32•10 years ago
|
||
Keywords: checkin-needed
Comment 33•10 years ago
|
||
Status: NEW → RESOLVED
Closed: 10 years ago
Resolution: --- → FIXED
Target Milestone: --- → mozilla33
Comment 34•10 years ago
|
||
https://hg.mozilla.org/releases/mozilla-aurora/rev/261407ec0ea7
Leaving status-firefox31 set to affected because there aren't esr31 flags to set yet and we're still tracking this bug for that.
status-b2g-v2.0:
--- → fixed
status-b2g-v2.1:
--- → fixed
You need to log in
before you can comment on or make changes to this bug.
Description
•