Bug 154822 - [ARM] REGRESSION(197226): Removing the on demand executable allocator made 14 tests crash with OOM
Status: RESOLVED DUPLICATE of bug 154910
Alias: None
Product: WebKit
Classification: Unclassified
Component: JavaScriptCore
Version: Other
Hardware: Unspecified Unspecified
: P2 Normal
Assignee: Nobody
Blocks: 108645 154749
Reported: 2016-02-29 09:50 PST by Csaba Osztrogonác
Modified: 2016-03-01 22:54 PST

Description Csaba Osztrogonác 2016-02-29 09:50:42 PST
http://trac.webkit.org/changeset/197226 removed the on demand executable allocator
which was used by 32 bit ARM Linux platforms. Since r197226, only the fixed allocator
is available, which means only 16Mb RAM is available on 32 bit ARM devices.

Failing tests:
mozilla-tests.yaml/js1_5/Regress/regress-159334.js.mozilla-baseline
jsc-layout-tests.yaml/js/script-tests/regress-141098.js.layout-no-llint
jsc-layout-tests.yaml/js/script-tests/dfg-float32array.js.layout-no-llint
jsc-layout-tests.yaml/js/script-tests/dfg-float64array.js.layout-no-llint
jsc-layout-tests.yaml/js/script-tests/dfg-int16array.js.layout-no-llint
jsc-layout-tests.yaml/js/script-tests/dfg-int32array-overflow-values.js.layout-no-llint
jsc-layout-tests.yaml/js/script-tests/dfg-int32array.js.layout-no-llint
jsc-layout-tests.yaml/js/script-tests/dfg-int8array.js.layout-no-llint
jsc-layout-tests.yaml/js/script-tests/dfg-osr-entry-hoisted-clobbered-structure-check.js.layout-no-llint
jsc-layout-tests.yaml/js/script-tests/dfg-uint16array.js.layout-no-llint
jsc-layout-tests.yaml/js/script-tests/dfg-uint32array-overflow-values.js.layout-no-llint
jsc-layout-tests.yaml/js/script-tests/dfg-uint32array.js.layout-no-llint
jsc-layout-tests.yaml/js/script-tests/dfg-uint8array.js.layout-no-llint
jsc-layout-tests.yaml/js/script-tests/dfg-uint8clampedarray.js.layout-no-llint
Comment 1 Csaba Osztrogonác 2016-02-29 09:56:32 PST
Apple already skipped these tests in http://trac.webkit.org/changeset/196625
and I unskipped them on Linux in http://trac.webkit.org/changeset/196762 .

But after http://trac.webkit.org/changeset/197226 these tests started to fail.

Is there a reason to remove the on demand executable allocator?
There wasn't any explanation in the original bug report.
Comment 2 Csaba Osztrogonác 2016-02-29 10:29:44 PST
I tried to increase the memory size to 32Mb
(JSC_jitMemoryReservationSize=33554432), which
fixed these tests, but made 150 other tests fail.
Comment 3 Csaba Osztrogonác 2016-03-01 04:30:46 PST
Increasing jitMemoryReservationSize to 32Mb fixes the OOM issue with 
the ARMAssembler (ARM instruction set) and we don't get new crashes.

But with ARMv7Assembler (Thumb2 instruction set) we get ~150 crashes if
we increase the JIT memory above 16Mb (maximum jump with 24 bit address!)

Zoltán fixed a similar bug in ARMv7Assembler 3 years ago:
http://trac.webkit.org/changeset/146396
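
The branch-range arithmetic behind comment 3, as an added example that is not part of the bug report or of WebKit's code. It assumes jumps are linked with single direct branch instructions (Thumb-2 `B.W` encoding T4, ARM `B` encoding A1) and checks only the forward case, from the first slot of a JIT pool to its last; the function names are hypothetical.

```c
#include <stdbool.h>
#include <stdint.h>
#include <stdio.h>

/* Direct PC-relative branch encodings from the ARM architecture manual. */
typedef enum { ISA_ARM_B_A1, ISA_THUMB2_B_T4 } isa_t;

/* Signed byte-offset range and PC bias of each encoding. */
static void branch_limits(isa_t isa, int64_t *min, int64_t *max, int64_t *bias)
{
    if (isa == ISA_THUMB2_B_T4) {
        /* S:I1:I2:imm10:imm11 is 24 bits, shifted left by 1: 25-bit signed. */
        *min = -(INT64_C(1) << 24);
        *max = (INT64_C(1) << 24) - 2;
        *bias = 4;  /* PC reads as instruction address + 4 in Thumb state */
    } else {
        /* imm24 shifted left by 2: 26-bit signed. */
        *min = -(INT64_C(1) << 25);
        *max = (INT64_C(1) << 25) - 4;
        *bias = 8;  /* PC reads as instruction address + 8 in ARM state */
    }
}

/* True if a branch placed at `from` can reach `to` in one instruction. */
bool branch_reaches(isa_t isa, uint32_t from, uint32_t to)
{
    int64_t min, max, bias;
    branch_limits(isa, &min, &max, &bias);
    int64_t off = (int64_t)to - ((int64_t)from + bias);
    return off >= min && off <= max;
}

/* Forward case only: can a branch in the first slot reach the last slot? */
bool pool_forward_reachable(isa_t isa, uint32_t pool_size)
{
    uint32_t insn = (isa == ISA_THUMB2_B_T4) ? 2 : 4; /* smallest instruction */
    return branch_reaches(isa, 0, pool_size - insn);
}

int main(void)
{
    const uint32_t sizes[] = { 16777216u, 33554432u }; /* 16 MB, 32 MB pools */
    for (int i = 0; i < 2; i++)
        printf("pool %u bytes: thumb2=%d arm=%d\n", (unsigned)sizes[i],
               pool_forward_reachable(ISA_THUMB2_B_T4, sizes[i]),
               pool_forward_reachable(ISA_ARM_B_A1, sizes[i]));
    return 0;
}
```
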
Comment 4 Oliver Hunt 2016-03-01 09:25:55 PST
Are these just timing out?

(In reply to comment #0)
> http://trac.webkit.org/changeset/197226 removed the on demand executable allocator
> which was used by 32 bit ARM Linux platforms. Since r197226, only fixed allocator
> is available, which means only 16Mb RAM is available on 32 bit ARM devices.
> 
> Failing tests:
> mozilla-tests.yaml/js1_5/Regress/regress-159334.js.mozilla-baseline
> jsc-layout-tests.yaml/js/script-tests/regress-141098.js.layout-no-llint
> jsc-layout-tests.yaml/js/script-tests/dfg-float32array.js.layout-no-llint
> jsc-layout-tests.yaml/js/script-tests/dfg-float64array.js.layout-no-llint
> jsc-layout-tests.yaml/js/script-tests/dfg-int16array.js.layout-no-llint
> jsc-layout-tests.yaml/js/script-tests/dfg-int32array-overflow-values.js.layout-no-llint
> jsc-layout-tests.yaml/js/script-tests/dfg-int32array.js.layout-no-llint
> jsc-layout-tests.yaml/js/script-tests/dfg-int8array.js.layout-no-llint
> jsc-layout-tests.yaml/js/script-tests/dfg-osr-entry-hoisted-clobbered-structure-check.js.layout-no-llint
> jsc-layout-tests.yaml/js/script-tests/dfg-uint16array.js.layout-no-llint
> jsc-layout-tests.yaml/js/script-tests/dfg-uint32array-overflow-values.js.layout-no-llint
> jsc-layout-tests.yaml/js/script-tests/dfg-uint32array.js.layout-no-llint
> jsc-layout-tests.yaml/js/script-tests/dfg-uint8array.js.layout-no-llint
> jsc-layout-tests.yaml/js/script-tests/dfg-uint8clampedarray.js.layout-no-llint
Comment 5 Csaba Osztrogonác 2016-03-01 09:32:25 PST
(In reply to comment #4)
> Are these just timing out?

No, out of memory because of fixed 16Mb sized VM pool.

I already added my detailed investigation:

(In reply to comment #3)
> Increasing jitMemoryReservationSize to 32Mb fixes the OOM issue with 
> the ARMAssembler (ARM instruction set) and we don't get new crashes.
> 
> But with ARMv7Assembler (Thumb2 instruction set) we get ~150 crashes if
> we increase the JIT memory above 16Mb (maximum jump with 24 bit address!)
> 
> Zoltán fixed a similar bug in ARMv7Assembler 3 years ago:
> http://trac.webkit.org/changeset/146396

It's easy to fix this bug with ARMAssembler by increasing
jitMemoryReservationSize. But it would cause more problems
with ARMv7Assembler.
Comment 6 Oliver Hunt 2016-03-01 09:36:09 PST
Why is the ARM backend not falling back to the interpreter when it's out of executable memory?
Comment 7 Csaba Osztrogonác 2016-03-01 09:43:09 PST
(In reply to comment #6)
> Why is the ARM backend not falling back to the interpreter when it's out of
> executable memory?

These tests explicitly disable LLINT, I don't think
it is possible to fall back in this case.
Comment 8 Alexey Proskuryakov 2016-03-01 22:54:26 PST
Fixing by rollout.

*** This bug has been marked as a duplicate of bug 154910 ***