Enable strings in the nursery
Categories: Core :: JavaScript: GC, defect, P1
People: Reporter: sfink, Assigned: sfink
References: Depends on 1 open bug, Blocks 6 open bugs
Attachments: 8 files, 4 obsolete files
Comment 35•6 years ago
I managed to reproduce the crash; the stack is https://pastebin.com/wwwSAUqu
In frame 4, or https://searchfox.org/mozilla-central/source/js/src/gc/Marking.cpp#1774,
v.toString() is 0xfffe2f2f2f2f2f2f. I guess it's JS_FRESH_NURSERY_PATTERN; still checking this.
Comment 37•6 years ago
I finally managed to get another rr recording of the crash too. In my case, it's a missing post-barrier in JIT code. It was omitted because the Zone's allocNurseryStrings is false. It was turned off because there were too many tenured strings in that zone.
So... the only way I can see this making sense is if we're allocating a string in the nursery, then disabling nursery strings, then passing that nursery string into code that is compiled without nursery handling. Which makes no sense, since nursery strings should only be disabled at the end of a minor GC, and at the end of a minor GC there won't be any strings left in the nursery. (I'm trying to reverse-continue to when the nursery strings were disabled for that zone, but it's taking a very long time. And unfortunately this recording is large enough that it takes an hour to run to the point where it crashes.)
Perhaps this means that the incoming nursery string was not updated to its tenured location during that (or an earlier) minor GC? I'll see if I can find where that nursery string came from, though it's happening in JITted code so my success depends on how well rr behaves with watchpoints and things.
Comment 38•6 years ago
Tracked it down. The problem was that the JitRealm was not calculating whether nursery strings were enabled properly. It was set to true if nursery strings were enabled, ignoring the flag that turned them off on the Zone. Though I'm not sure if that came in when rebasing on top of realms? I should look at the version before that.
It seemed like Yoshi's case, though, might not be in JIT code, in which case it would be something else?
Comment 39•6 years ago
Stupid implicit constructor mistake in that push. Much better:
The SM(r) red is bogus. It's from timeouts that are due to either some expensive checks that I have in my patch stack, or from some MOZ_NEVER_INLINEs I injected for better debugging; I'm not sure which. It doesn't really matter.

> It seemed like Yoshi's case, though, might not be in JIT code, in which case it would be something else?

https://treeherder.mozilla.org/#/jobs?repo=try&selectedJob=221914620&revision=2e0257b04bafb969ec9cbdcfc8d235bac905418e
I tried your patch and the try looks green now (with the explicit keyword on the JitRealm ctor to fix the build error).