The method for allocating a wasm::TryNote in MacroAssembler would
mark that an OOM had occurred, but still return a bogus index
into the try notes. This commit propagates the OOM to the caller
so that it knows that there is no valid try note index to use.
Differential Revision: https://phabricator.services.mozilla.com/D136755
This patch modifies stencil test cases to add the ability to turn the cache on
and to fill-up this cache prior running the code. The intent being that the
cached code should be used and behave without any differences.
Differential Revision: https://phabricator.services.mozilla.com/D136334
This patch adds a function which checks the cache and returns any cached result
from the StencilCache. This function is meant to short-cut the delazification by
looking up functions from the cache.
Differential Revision: https://phabricator.services.mozilla.com/D136333
This patch add a strucutre which encapsulate a HashMap used to map a single
function to its CompilationStencil. This HashMap is wrapped using an
ExclusiveData Mutex, to ensure that uses are consistent.
To prevent costly uses of Mutexes, when the cache is not meant to be used, a
boolean flag is added as well as a few changes to the ExclusiveData::Guard. It
is extended to allow having a no-op Guard which evaluates to false if the lock
is not taken. In addition, this allow to have an outside scope which wrap all
StencilCache calls, to avoid having a call to clearAndDisable() in the middle.
Differential Revision: https://phabricator.services.mozilla.com/D136332
With off-thread delazification, the parser created and destroyed its
CompilationInput. Thus we have to carry the compilation information to the
cloned ExtensibleCompilationStencil.
This patch adds a new constructor to ExtensibleCompilationStencil which can be
constructed with CompileOptions and a ScriptSource pointer.
Differential Revision: https://phabricator.services.mozilla.com/D136331
As we want to delazify functions, in addition of being able to instantiate the
top-level parsed content. We need an extra ExtensibleCompilationStencil for the
CompilationStencilMerger.
This patch adds cloneFrom functions to ExtensibleCompilationStencil, to clone
from either a CompilationStencil or from an ExtensibleCompilationStencil.
Differential Revision: https://phabricator.services.mozilla.com/D136330
When stealing content from a borrowed stencil, we copy everything over the the
new stencil. This is true except for SharedDataContainer, which is moved. When
moving the SharedDataContainer we empty the content from the borrowed stencil.
This can be problematic if the borrowed stencil content is used to instantiate
scripts.
This patch adds a new function named SharedDataContainer::cloneFrom, used to do
a deep copy of the inner content of SharedDataContainer, and incrementing the
counters of all SharedImmutableScriptData which are contained in it.
Differential Revision: https://phabricator.services.mozilla.com/D136329
This patchs extracts FunctionKey out of CompilationStencil and moves it to be
defined as part of the SourceExtent, as this is a condensed version of the
SourceExtent which can be used to uniquely identy a function qualified by a
SourceExtent.
Differential Revision: https://phabricator.services.mozilla.com/D136631
PathUtils is the only binding requires for this patch, but eventually we'll
have to migrate NativeManifests.jsm to IOUtils and then we will have to provide
it anyway.
Differential Revision: https://phabricator.services.mozilla.com/D136433
This adds a mechanism to permanently disable the JIT backend for the process. This
lets us improve the sandbox for the socket process.
Depends on D136723
Differential Revision: https://phabricator.services.mozilla.com/D136724
The next patch changes the shell to parse the shell flags before calling JS_Init.
This means we have to use the system malloc instead of JS malloc.
Differential Revision: https://phabricator.services.mozilla.com/D136722
This limits the growth rate based on the length of collection time, such that
size is proportionally reduced when the time is longer than 4ms.
The existing 'timeFraction' got renamed to 'dutyFactor' to disambiguate.
This doesn't happen during pageload so as not to blow up all our page load
benchmarks.
This is pretty much a wash on octane although it improves splay latency by 3.8%
for me.
This should drastically reduce the number of long minor GCs we see. I expect
we'll see a change in the telemetry.
Depends on D136636
Differential Revision: https://phabricator.services.mozilla.com/D136637
PathUtils.getTempDir() was failing in xpcshell tests for two reasons:
1. It was requesting NS_APP_CONTENT_PROCESS_TEMP_DIR, which resolves to
`ContentTmpD`, which the directory provider did not have an entry for.
2. By default, XPC shell tests do not have a profile set up, so when we request
the temporary directory and eagerly fetch the profile directory, we would fail.
We now only fetch the entry for the single directory that is requested to work
around these edge cases in tests. xpcshell has been modified so that requests
for the `ContentTmpD` are forwarded to requests for the regular OS temporary
directory.
Differential Revision: https://phabricator.services.mozilla.com/D134877
Looking at this code, I'm not sure why I did it like this. We hope that there
will be a single optimum nursery size that we can estimate, but the code tries
to estimate a growth rate instead. I think this leads to us over-growing the
nursery at the start of intensive workloads.
The patch changes this the code to estimate an optimum nursery size (in
smoothedTargetSize) based on the existing heuristics. This ended up with a
slower ramp up of nursery size so I changed it to weight clamped growth factors
more when calculating the smoothed value.
I tired hard to make this neutral on benchmark results, but I'll guess we'll
see.
Differential Revision: https://phabricator.services.mozilla.com/D136636
Goal of this patch is to allow disabling all JIT codegen in certain Firefox processes
to let us enable more security mitigations. The JS VM uses the atomic operation stubs
we compile at runtime so this patch converts those to inline assembly instead.
This adds a Python script to generate a header file that has all the inline assembly code.
The inline assembly instructions are based on the JIT-compiled trampoline code.
The generated header is used for all x86/x64/arm32/arm64 builds, so this now includes
no-JIT builds as well.
Differential Revision: https://phabricator.services.mozilla.com/D135984
We currently rely on this happening when compiling the atomic operation stubs,
but that will change with the next patch.
Depends on D135982
Differential Revision: https://phabricator.services.mozilla.com/D135983
Goal of this patch is to allow disabling all JIT codegen in certain Firefox processes
to let us enable more security mitigations. The JS VM uses the atomic operation stubs
we compile at runtime so this patch converts those to inline assembly instead.
This adds a Python script to generate a header file that has all the inline assembly code.
The inline assembly instructions are based on the JIT-compiled trampoline code.
The generated header is used for all x86/x64/arm32/arm64 builds, so this now includes
no-JIT builds as well.
Differential Revision: https://phabricator.services.mozilla.com/D135984
We currently rely on this happening when compiling the atomic operation stubs,
but that will change with the next patch.
Depends on D135982
Differential Revision: https://phabricator.services.mozilla.com/D135983
PathUtils.getTempDir() was failing in xpcshell tests for two reasons:
1. It was requesting NS_APP_CONTENT_PROCESS_TEMP_DIR, which resolves to
`ContentTmpD`, which the directory provider did not have an entry for.
2. By default, XPC shell tests do not have a profile set up, so when we request
the temporary directory and eagerly fetch the profile directory, we would fail.
We now only fetch the entry for the single directory that is requested to work
around these edge cases in tests. xpcshell has been modified so that requests
for the `ContentTmpD` are forwarded to requests for the regular OS temporary
directory.
Differential Revision: https://phabricator.services.mozilla.com/D134877
We minimize phi nodes when finishing a loop block. There is some
logic for ensuring all redundant phi node uses are updated correctly,
but it's missing logic for control flow patches added by throw/call
statements inside of try blocks
This commit extends the setLoopBackedge() code to fixup redundant
phi nodes that escape via landing pad patches to enclosing try
blocks.
Differential Revision: https://phabricator.services.mozilla.com/D135815
For large applications with multiple threads and large tables of
indirect functions and tiered compilation, the shared (per-module)
indirect stubs set can easily reach one million entries. However the
insert-one-at-a-time strategy for this set uses linear time, so
merging a new set of stubs into the set will tend to take quadratic
time. Furthermore, a lock is held by each thread during this slow
process, serializing all the threads. The result can be very slow
application startup.
As a stopgap (because we may remove the indirect stubs and don't need
to commit to a complex solution right now), we break the indirect
stubs set it into per-tls sets to avoid the very long insertion times
resulting from having one shared set per module. Set merging remains
quadratic but the since the sets are much smaller it matters much
less.
A followup bug will be filed for a better, permanent solution, should
we need it.
Differential Revision: https://phabricator.services.mozilla.com/D136470
- AC_HAVE_FUNCS is an alias to AC_CHECK_FUNCS, so it is covered.
- Nothing uses HAVE___CXA_DEMANGLE, so we don't explictly set it,
although we do need the result of whether __cxa_demangle is supported.
- No moz.build uses MOZ_DEMANGLE_SYMBOLS, so we only `set_define` it.
- We leave dladdr in old-configure because it needs to move along other
dl* things.
- The hotfix for AC_CHECK_FUNC is however not needed for dladdr, so we
remove it.
- We replace the forced HAVE_LOCALECONV on Windows with a check shared
with all platforms.
Differential Revision: https://phabricator.services.mozilla.com/D134858
Switch the internal representation of the time budget to use a TimeDuration
instead of an integer number of milliseconds. I experimented with changing the
timeBudget() getter but this introduced a bunch of churn without adding much.
Differential Revision: https://phabricator.services.mozilla.com/D136357
This test can be thrown off by zeal modes which result in a different current
heap size when the test starts. This patch makes us do shriking GCs which puts
into more a a known state before performing tests.
Differential Revision: https://phabricator.services.mozilla.com/D136249
The shell allocation metadata builder creates a bunch of objects for every
allocation, including a dummy representation of the stack at which the allocation
happened. This puts the stack frames into a JS array object. This would usually
use dense elements to store the indexed properties but the code uses property
attribute flags of zero which creates non-enumerable properties. This leads to
the object going in to dictionary mode instead which is much slower.
This causes a problem with the test
jit-test/tests/errors/overrecursed-double-fault-1.js which enables allocation
metadabta and then enters an infinite loop. The test can recurse ~40000 times
before throwing an overrecursion error. The error also contains a
representation of the stack, including a SavedFrame JS object for every frame.
The allocation metadata builder then tries to create metadata for each one of
these objects, and so this is quadratic in the number of frames. All of this
means that this test can easily time out.
The simplest solution for all this is to use the default attributes when
creating these properties which results in the faster dense element storage
being used.
Differential Revision: https://phabricator.services.mozilla.com/D136248
Adds GCStructPtr to hold pointers from GC things to malloc-allocated structures
containing GC things, adding a write barrier when the pointer is overwritten.
The set() method also takes a Zone pointer so that we can check whether
barriers are currently required.
The patch replaces use of such pointers with the abstraction.
Differential Revision: https://phabricator.services.mozilla.com/D136250
- AC_HAVE_FUNCS is an alias to AC_CHECK_FUNCS, so it is covered.
- Nothing uses HAVE___CXA_DEMANGLE, so we don't explictly set it,
although we do need the result of whether __cxa_demangle is supported.
- No moz.build uses MOZ_DEMANGLE_SYMBOLS, so we only `set_define` it.
- We leave dladdr in old-configure because it needs to move along other
dl* things.
- The hotfix for AC_CHECK_FUNC is however not needed for dladdr, so we
remove it.
- We replace the forced HAVE_LOCALECONV on Windows with a check shared
with all platforms.
Differential Revision: https://phabricator.services.mozilla.com/D134858
Split `cx->zone()->isAtomsZone()` branch into 2 functions, for atom case and
non-atom case.
Also removed reduncent steps (static string lookup, length validation,
deflation) from atom case, based on the atomization progress.
Differential Revision: https://phabricator.services.mozilla.com/D135101
To avoid duplicate steps through the atomization process:
* If the function assumes the input doesn't match static strings
(static strings case is already handled), append `NoStatic`
* If the function assumes the length is valid, append `ValidLength`
Differential Revision: https://phabricator.services.mozilla.com/D135100
Drive-by change to remove some code we no longer need after Stencil removed the
off-thread parse/XDR global.
Note that we still assert/check isUsedAsPrototype under getInitialOrPropMapShape.
Depends on D136146
Differential Revision: https://phabricator.services.mozilla.com/D136147
In bug 1738020 we moved the shape teleporting code into NativeObject::addProperty,
which we call from TryAssignPlain, so this should just work now.
Exception is the shape-reuse fast path, but the previous patch ensures we no longer
use that if the object is a prototype object, so we can just add an assertion there.
Differential Revision: https://phabricator.services.mozilla.com/D136146
We were checking the old and new shapes have the same object flags, but this was
(almost) never the case after we added the HasEnumerable flag in bug 1733075,
disabling the optimization in practice.
With this patch we hit the fast path again on Reddit.
Differential Revision: https://phabricator.services.mozilla.com/D136145
Split `cx->zone()->isAtomsZone()` branch into 2 functions, for atom case and
non-atom case.
Also removed reduncent steps (static string lookup, length validation,
deflation) from atom case, based on the atomization progress.
Differential Revision: https://phabricator.services.mozilla.com/D135101
To avoid duplicate steps through the atomization process:
* If the function assumes the input doesn't match static strings
(static strings case is already handled), append `NoStatic`
* If the function assumes the length is valid, append `ValidLength`
Differential Revision: https://phabricator.services.mozilla.com/D135100
This is a simple fix for a too-small field for the virtual register number on arm64,
where the field gets only 18 bits. This change expands the field to 21 bits. This
is enough to solve compilation problems on web.autocad.com.
Differential Revision: https://phabricator.services.mozilla.com/D136106
Previously the 'gray mark bits are valid state' was initially false, and set to
true after the first full GC. But there's no reason that the gray state is
invalid initially. The state is only marked as invalid when we abort gray
unmarking due to OOM, which does lead to an actually incorrect state where some
things are marked gray when they should be black. The initial state of cells
being marked white is not invalid, although cycles through white cells cannot
be collected at this time.
This patch has no impact on AWSY.
Differential Revision: https://phabricator.services.mozilla.com/D136026
Bug 1748700 shows a regression introduced by bug 1716580, which incorrectly
optimised some wasm compare-select cases. The underlying problem was
inadequate testing in the latter bug.
This bug adds comprehensive testing of compare-select for the following
cases:
```
compare in i32 i64
select in i32 i64
compare-op in eq ne lt_s lt_u gt_s gt_u le_s le_u ge_s ge_u
```
It is verified as able to detect the regression introduced by bug 1716580.
Differential Revision: https://phabricator.services.mozilla.com/D135919
The testcase triggers a bailout loop in the bigint case. It's not possible to write an equivalent testcase for string concatenation, because we don't attach a stub unless the concatenation succeeds.
I've also verified that this prints a message for the fuzzer in all the differential testcases I could find.
Differential Revision: https://phabricator.services.mozilla.com/D135619
DefineProperty on an arguments object doesn't have the same magic as SetProperty for updating the ArgumentsData array, so we have to make sure that no elements have been overridden in OptimizeArgumentsSpreadCall before calling ArrayFromArgumentsObject.
This is a regression from anba's patches in bug 1740737 to optimize `...arguments`. It's the rare bug that only fails in the interpreter. (In higher tiers, we already always guarded on the HasOverriddenElement flag.)
Differential Revision: https://phabricator.services.mozilla.com/D135770
Allows AVX SIMD instructions on x86/x64. Mostly as experiment for benchmarking --
if success, it will be on if available.
Differential Revision: https://phabricator.services.mozilla.com/D135561
In 1746231 the JS Exception stuff was moved from the
callback call site into the callback itself.
However, when it was moved, an exception could be
added even if we were going to permit the script
execution. This is wrong.
Move the exception stuff back to the callback site
and use the result of the callback to determine if
we add anything to the stack or not
Differential Revision: https://phabricator.services.mozilla.com/D135250
Prior to bug 1716580, Ion could in some cases merge a 32-bit wasm compare and
a 32-bit wasm select into just two machine instructions. Bug 1716580 expanded
that to include 64-bit operands on some targets. Unfortunately the resulting
code was incorrect for the case where the comparison is of unsigned-64-bit
values, and this was not adequately covered by testing.
This patch:
* fixes the problem, which is a missing test in JSOpToCondition().
* enhances existing test cases for the transformation so as to check for
correct handling of signedness in the comparisons.
Differential Revision: https://phabricator.services.mozilla.com/D135605
Centrally this introduces a static_assert that the stack map's
frame-offset-from-top field can hold the values it needs to hold.
This static_assert turns out to fail on x86-32 with SIMD enabled, and
we can also provoke a release assert that guards against overflow with
the enclosed test case, which is valid code.
To fix this, the field must be expanded by one bit, and it might as
well be expanded on all platforms.
Differential Revision: https://phabricator.services.mozilla.com/D135032
This records parallel task time as part of the current GC slice and reports it
in the JS_GC_PROFILE output, plus some misc tidyup.
Differential Revision: https://phabricator.services.mozilla.com/D135524
Ryan Hunt
Nicolas B. Pierron
Zhao Jiazhong
Yury Delendik
Mike Hommey
Cristian Tuns
Barret Rennie
Jan de Mooij
Jon Coppeard
criss
Caroline Cullen
Iulian Moraru
Butkovits Atila
Sandor Molnar
Steve Fink
Micah Tigley
Tom Schuster
Lars T Hansen
Noemi Erli
Marian-Vasile Laza
Tooru Fujisawa
Matthew Gaudet
Philip Chimento
Kagami Sascha Rosylight
Julian Seward
Andre Natal
Iain Ireland
Yulia Startsev
Tom Ritter
Sebastian Hengst
Andi-Bogdan Postelnicu
Rolf Martin Glomsrud
Csoregi Natalia