186878 – JSImmutableButterfly can't be allocated from a subspace with HeapCell::Kind::Auxiliary

RESOLVED FIXED 186878

JSImmutableButterfly can't be allocated from a subspace with HeapCell::Kind::Auxiliary

https://bugs.webkit.org/show_bug.cgi?id=186878

Summary JSImmutableButterfly can't be allocated from a subspace with HeapCell::Kind::...

Saam Barati

Reported 2018-06-20 23:39:43 PDT

This breaks our conservative marking of the object. Check out this code: HeapUtil::findGCObjectPointersForMarking( m_heap, markingVersion, newlyAllocatedVersion, filter, p, [&] (void* p, HeapCell::Kind cellKind) { if (cellKind == HeapCell::JSCell) markHook.markKnownJSCell(static_cast<JSCell*>(p)); if (m_size == m_capacity) grow(); m_roots[m_size++] = bitwise_cast<HeapCell*>(p); }); I think I'll also need to extend findGCObjectPointersForMarking a bit. It does some stuff conditionally on Auxiliary for butterflies, but here, we'll have a kind of Cell for JSImmutableButterfly. I wonder if we should change up how we use JSImmutableButterfly to act more like other butterflies, and obviate this having to be different than other butterflies.

Attachments
WIP (4.03 KB, patch) 2018-06-21 12:35 PDT, Saam Barati	ews-watchlist: commit-queue-	Details Formatted Diff Diff
Archive of layout-test-results from ews100 for mac-sierra (2.41 MB, application/zip) 2018-06-21 13:39 PDT, EWS Watchlist	no flags	Details
Archive of layout-test-results from ews106 for mac-sierra-wk2 (2.98 MB, application/zip) 2018-06-21 13:42 PDT, EWS Watchlist	no flags	Details
Archive of layout-test-results from ews117 for mac-sierra (3.06 MB, application/zip) 2018-06-21 14:24 PDT, EWS Watchlist	no flags	Details
Archive of layout-test-results from ews126 for ios-simulator-wk2 (8.39 MB, application/zip) 2018-06-21 14:30 PDT, EWS Watchlist	no flags	Details
Archive of layout-test-results from ews205 for win-future (12.78 MB, application/zip) 2018-06-21 14:42 PDT, EWS Watchlist	no flags	Details
patch (7.42 KB, patch) 2018-06-22 14:30 PDT, Saam Barati	mark.lam: review+ ews-watchlist: commit-queue-	Details Formatted Diff Diff
Archive of layout-test-results from ews104 for mac-sierra-wk2 (2.81 MB, application/zip) 2018-06-22 16:03 PDT, EWS Watchlist	no flags	Details
Archive of layout-test-results from ews102 for mac-sierra (2.29 MB, application/zip) 2018-06-22 16:04 PDT, EWS Watchlist	no flags	Details
Archive of layout-test-results from ews117 for mac-sierra (3.04 MB, application/zip) 2018-06-22 16:07 PDT, EWS Watchlist	no flags	Details
Archive of layout-test-results from ews123 for ios-simulator-wk2 (2.34 MB, application/zip) 2018-06-22 16:22 PDT, EWS Watchlist	no flags	Details
Archive of layout-test-results from ews200 for win-future (12.95 MB, application/zip) 2018-06-22 18:43 PDT, EWS Watchlist	no flags	Details
patch for landing if EWS passes (9.28 KB, patch) 2018-06-23 16:07 PDT, Saam Barati	ews-watchlist: commit-queue-	Details Formatted Diff Diff
Archive of layout-test-results from ews114 for mac-sierra (3.02 MB, application/zip) 2018-06-23 18:45 PDT, EWS Watchlist	no flags	Details
Archive of layout-test-results from ews205 for win-future (12.84 MB, application/zip) 2018-06-23 19:54 PDT, EWS Watchlist	no flags	Details
patch for landing if EWS passes #2 (14.53 KB, patch) 2018-06-24 20:01 PDT, Saam Barati	ews-watchlist: commit-queue-	Details Formatted Diff Diff
Archive of layout-test-results from ews205 for win-future (12.78 MB, application/zip) 2018-06-24 21:55 PDT, EWS Watchlist	no flags	Details
Archive of layout-test-results from ews106 for mac-sierra-wk2 (2.77 MB, application/zip) 2018-06-25 00:06 PDT, EWS Watchlist	no flags	Details
patch for landing attempt #3 (15.54 KB, patch) 2018-06-25 12:09 PDT, Saam Barati	no flags	Details Formatted Diff Diff
patch for landing (17.50 KB, patch) 2018-06-25 15:06 PDT, Saam Barati	no flags	Details Formatted Diff Diff
patch for landing (17.90 KB, patch) 2018-06-25 16:16 PDT, Saam Barati	no flags	Details Formatted Diff Diff
WIP (26.88 KB, patch) 2018-06-26 15:10 PDT, Saam Barati	no flags	Details Formatted Diff Diff
patch (30.96 KB, patch) 2018-06-26 16:01 PDT, Saam Barati	no flags	Details Formatted Diff Diff
Show Obsolete (22) View All Add attachment proposed patch, testcase, etc.

Saam Barati

Comment 1 2018-06-20 23:40:54 PDT

<rdar://problem/40568659>

Saam Barati

Comment 2 2018-06-21 12:35:27 PDT

Created attachment 343258 [details] WIP Going to run some memory tests before landing this.

EWS Watchlist

Comment 3 2018-06-21 12:48:35 PDT

Attachment 343258 [details] did not pass style-queue: ERROR: Source/WebCore/page/FrameView.cpp:4134: Should have a space between // and comment [whitespace/comments] [4] Total errors found: 1 in 4 files If any of these errors are false positives, please file a bug against check-webkit-style.

EWS Watchlist

Comment 4 2018-06-21 13:39:47 PDT

Comment on attachment 343258 [details] WIP Attachment 343258 [details] did not pass mac-ews (mac): Output: https://webkit-queues.webkit.org/results/8280282 New failing tests: editing/selection/navigation-clears-editor-state.html performance-api/performance-observer-no-document-leak.html fast/misc/test-observegc.html

EWS Watchlist

Comment 5 2018-06-21 13:39:49 PDT

Created attachment 343266 [details] Archive of layout-test-results from ews100 for mac-sierra The attached test failures were seen while running run-webkit-tests on the mac-ews. Bot: ews100 Port: mac-sierra Platform: Mac OS X 10.12.6

EWS Watchlist

Comment 6 2018-06-21 13:42:17 PDT

Comment on attachment 343258 [details] WIP Attachment 343258 [details] did not pass mac-wk2-ews (mac-wk2): Output: https://webkit-queues.webkit.org/results/8280261 New failing tests: editing/selection/navigation-clears-editor-state.html performance-api/performance-observer-no-document-leak.html

EWS Watchlist

Comment 7 2018-06-21 13:42:19 PDT

Created attachment 343267 [details] Archive of layout-test-results from ews106 for mac-sierra-wk2 The attached test failures were seen while running run-webkit-tests on the mac-wk2-ews. Bot: ews106 Port: mac-sierra-wk2 Platform: Mac OS X 10.12.6

EWS Watchlist

Comment 8 2018-06-21 14:24:58 PDT

Comment on attachment 343258 [details] WIP Attachment 343258 [details] did not pass mac-debug-ews (mac): Output: https://webkit-queues.webkit.org/results/8280606 New failing tests: editing/selection/navigation-clears-editor-state.html performance-api/performance-observer-no-document-leak.html plugins/refcount-leaks.html fast/misc/test-observegc.html

EWS Watchlist

Comment 9 2018-06-21 14:24:59 PDT

Created attachment 343274 [details] Archive of layout-test-results from ews117 for mac-sierra The attached test failures were seen while running run-webkit-tests on the mac-debug-ews. Bot: ews117 Port: mac-sierra Platform: Mac OS X 10.12.6

EWS Watchlist

Comment 10 2018-06-21 14:30:18 PDT

Comment on attachment 343258 [details] WIP Attachment 343258 [details] did not pass ios-sim-ews (ios-simulator-wk2): Output: https://webkit-queues.webkit.org/results/8280520 New failing tests: editing/selection/navigation-clears-editor-state.html performance-api/performance-observer-no-document-leak.html fast/misc/test-observegc.html

EWS Watchlist

Comment 11 2018-06-21 14:30:20 PDT

Created attachment 343275 [details] Archive of layout-test-results from ews126 for ios-simulator-wk2 The attached test failures were seen while running run-webkit-tests on the ios-sim-ews. Bot: ews126 Port: ios-simulator-wk2 Platform: Mac OS X 10.13.4

EWS Watchlist

Comment 12 2018-06-21 14:41:57 PDT

Comment on attachment 343258 [details] WIP Attachment 343258 [details] did not pass win-ews (win): Output: https://webkit-queues.webkit.org/results/8281106 New failing tests: fast/dom/reference-cycle-leaks.html performance-api/performance-observer-no-document-leak.html fast/misc/test-observegc.html

EWS Watchlist

Comment 13 2018-06-21 14:42:09 PDT

Created attachment 343277 [details] Archive of layout-test-results from ews205 for win-future The attached test failures were seen while running run-webkit-tests on the win-ews. Bot: ews205 Port: win-future Platform: CYGWIN_NT-6.1-2.9.0-0.318-5-3-x86_64-64bit

Saam Barati

Comment 14 2018-06-21 14:56:42 PDT

Seems like this is causing tests to fail that measure how many objects are left around. So it's probably an indication that the more conservative scan is keeping more around. I'm not sure how much we care about these layout test results. I'm going to look more at these tests. They seem like they are already prone to being flaky since some assert things about GC collecting objects.

Saam Barati

Comment 15 2018-06-22 14:30:08 PDT

Created attachment 343368 [details] patch

Mark Lam

Comment 16 2018-06-22 15:16:43 PDT

Comment on attachment 343368 [details] patch View in context: https://bugs.webkit.org/attachment.cgi?id=343368&action=review r=me > Source/JavaScriptCore/ChangeLog:14 > + are Auxiliary. This means that if the stack were the only thing pointing to a /the stack were/the stack is/. "was" also works. > Source/JavaScriptCore/heap/HeapUtil.h:107 > + func(pointer, candidate->handle().cellKind()); Why re-compute the cellKind() every time here? The candidate doesn't change. Hence, the cellKind() shouldn't change either, no? Oh, I see, cellKind() is only used in here. I noticed that candidate->handle() is computed and used multiple times. Can you pre-compute and cache it above instead?

Mark Lam

Comment 17 2018-06-22 15:18:56 PDT

Comment on attachment 343368 [details] patch View in context: https://bugs.webkit.org/attachment.cgi?id=343368&action=review >> Source/JavaScriptCore/heap/HeapUtil.h:107 >> + func(pointer, candidate->handle().cellKind()); > > Why re-compute the cellKind() every time here? The candidate doesn't change. Hence, the cellKind() shouldn't change either, no? > > Oh, I see, cellKind() is only used in here. I noticed that candidate->handle() is computed and used multiple times. Can you pre-compute and cache it above instead? nit: Oh wait, we still use this lambda in more than one place. I think we can still precache the cellKind.

EWS Watchlist

Comment 18 2018-06-22 16:03:52 PDT

Comment on attachment 343368 [details] patch Attachment 343368 [details] did not pass mac-wk2-ews (mac-wk2): Output: https://webkit-queues.webkit.org/results/8296440 New failing tests: editing/selection/navigation-clears-editor-state.html

EWS Watchlist

Comment 19 2018-06-22 16:03:54 PDT

Created attachment 343385 [details] Archive of layout-test-results from ews104 for mac-sierra-wk2 The attached test failures were seen while running run-webkit-tests on the mac-wk2-ews. Bot: ews104 Port: mac-sierra-wk2 Platform: Mac OS X 10.12.6

EWS Watchlist

Comment 20 2018-06-22 16:04:01 PDT

Comment on attachment 343368 [details] patch Attachment 343368 [details] did not pass mac-ews (mac): Output: https://webkit-queues.webkit.org/results/8296513 New failing tests: editing/selection/navigation-clears-editor-state.html

EWS Watchlist

Comment 21 2018-06-22 16:04:03 PDT

Created attachment 343386 [details] Archive of layout-test-results from ews102 for mac-sierra The attached test failures were seen while running run-webkit-tests on the mac-ews. Bot: ews102 Port: mac-sierra Platform: Mac OS X 10.12.6

EWS Watchlist

Comment 22 2018-06-22 16:07:34 PDT

Comment on attachment 343368 [details] patch Attachment 343368 [details] did not pass mac-debug-ews (mac): Output: https://webkit-queues.webkit.org/results/8296256 New failing tests: editing/selection/navigation-clears-editor-state.html plugins/refcount-leaks.html

EWS Watchlist

Comment 23 2018-06-22 16:07:36 PDT

Created attachment 343388 [details] Archive of layout-test-results from ews117 for mac-sierra The attached test failures were seen while running run-webkit-tests on the mac-debug-ews. Bot: ews117 Port: mac-sierra Platform: Mac OS X 10.12.6

Saam Barati

Comment 24 2018-06-22 16:13:09 PDT

(In reply to Build Bot from comment #20) > Comment on attachment 343368 [details] > patch > > Attachment 343368 [details] did not pass mac-ews (mac): > Output: https://webkit-queues.webkit.org/results/8296513 > > New failing tests: > editing/selection/navigation-clears-editor-state.html These tests are vulnerable to conservative roots skewing them

EWS Watchlist

Comment 25 2018-06-22 16:22:42 PDT

Comment on attachment 343368 [details] patch Attachment 343368 [details] did not pass ios-sim-ews (ios-simulator-wk2): Output: https://webkit-queues.webkit.org/results/8296375 New failing tests: editing/selection/navigation-clears-editor-state.html

EWS Watchlist

Comment 26 2018-06-22 16:22:44 PDT

Created attachment 343391 [details] Archive of layout-test-results from ews123 for ios-simulator-wk2 The attached test failures were seen while running run-webkit-tests on the ios-sim-ews. Bot: ews123 Port: ios-simulator-wk2 Platform: Mac OS X 10.13.4

EWS Watchlist

Comment 27 2018-06-22 18:43:06 PDT

Comment on attachment 343368 [details] patch Attachment 343368 [details] did not pass win-ews (win): Output: https://webkit-queues.webkit.org/results/8299011 New failing tests: fast/dom/reference-cycle-leaks.html

EWS Watchlist

Comment 28 2018-06-22 18:43:17 PDT

Created attachment 343412 [details] Archive of layout-test-results from ews200 for win-future The attached test failures were seen while running run-webkit-tests on the win-ews. Bot: ews200 Port: win-future Platform: CYGWIN_NT-6.1-2.9.0-0.318-5-3-x86_64-64bit

Saam Barati

Comment 29 2018-06-23 16:07:36 PDT

Created attachment 343457 [details] patch for landing if EWS passes

EWS Watchlist

Comment 30 2018-06-23 18:45:46 PDT

Comment on attachment 343457 [details] patch for landing if EWS passes Attachment 343457 [details] did not pass mac-debug-ews (mac): Output: https://webkit-queues.webkit.org/results/8308669 New failing tests: plugins/refcount-leaks.html

EWS Watchlist

Comment 31 2018-06-23 18:45:48 PDT

Created attachment 343461 [details] Archive of layout-test-results from ews114 for mac-sierra The attached test failures were seen while running run-webkit-tests on the mac-debug-ews. Bot: ews114 Port: mac-sierra Platform: Mac OS X 10.12.6

EWS Watchlist

Comment 32 2018-06-23 19:54:47 PDT

Comment on attachment 343457 [details] patch for landing if EWS passes Attachment 343457 [details] did not pass win-ews (win): Output: https://webkit-queues.webkit.org/results/8309118 New failing tests: http/tests/security/contentSecurityPolicy/userAgentShadowDOM/allow-audio.html

EWS Watchlist

Comment 33 2018-06-23 19:54:59 PDT

Created attachment 343464 [details] Archive of layout-test-results from ews205 for win-future The attached test failures were seen while running run-webkit-tests on the win-ews. Bot: ews205 Port: win-future Platform: CYGWIN_NT-6.1-2.9.0-0.318-5-3-x86_64-64bit

Saam Barati

Comment 34 2018-06-24 20:01:03 PDT

Created attachment 343477 [details] patch for landing if EWS passes #2

EWS Watchlist

Comment 35 2018-06-24 21:55:37 PDT

Comment on attachment 343477 [details] patch for landing if EWS passes #2 Attachment 343477 [details] did not pass win-ews (win): Output: https://webkit-queues.webkit.org/results/8320540 New failing tests: http/tests/security/video-poster-cross-origin-crash2.html

EWS Watchlist

Comment 36 2018-06-24 21:55:49 PDT

Created attachment 343484 [details] Archive of layout-test-results from ews205 for win-future The attached test failures were seen while running run-webkit-tests on the win-ews. Bot: ews205 Port: win-future Platform: CYGWIN_NT-6.1-2.9.0-0.318-5-3-x86_64-64bit

EWS Watchlist

Comment 37 2018-06-25 00:06:47 PDT

Comment on attachment 343477 [details] patch for landing if EWS passes #2 Attachment 343477 [details] did not pass mac-wk2-ews (mac-wk2): Output: https://webkit-queues.webkit.org/results/8325913 New failing tests: plugins/refcount-leaks.html

EWS Watchlist

Comment 38 2018-06-25 00:06:49 PDT

Created attachment 343489 [details] Archive of layout-test-results from ews106 for mac-sierra-wk2 The attached test failures were seen while running run-webkit-tests on the mac-wk2-ews. Bot: ews106 Port: mac-sierra-wk2 Platform: Mac OS X 10.12.6

Saam Barati

Comment 39 2018-06-25 12:09:06 PDT

Created attachment 343523 [details] patch for landing attempt #3

Saam Barati

Comment 40 2018-06-25 15:06:18 PDT

Created attachment 343546 [details] patch for landing

Ryosuke Niwa

Comment 41 2018-06-25 15:18:06 PDT

Comment on attachment 343546 [details] patch for landing View in context: https://bugs.webkit.org/attachment.cgi?id=343546&action=review > LayoutTests/editing/selection/navigation-clears-editor-state.html:62 > + if (delta > 60) Maybe we should do count * 0.3 instead?

Ryosuke Niwa

Comment 42 2018-06-25 15:27:29 PDT

(In reply to Ryosuke Niwa from comment #41) > Comment on attachment 343546 [details] > patch for landing > > View in context: > https://bugs.webkit.org/attachment.cgi?id=343546&action=review > > > LayoutTests/editing/selection/navigation-clears-editor-state.html:62 > > + if (delta > 60) > > Maybe we should do count * 0.3 instead? Otherwise the change to this test looks good.

Saam Barati

Comment 43 2018-06-25 16:13:41 PDT

(In reply to Ryosuke Niwa from comment #42) > (In reply to Ryosuke Niwa from comment #41) > > Comment on attachment 343546 [details] > > patch for landing > > > > View in context: > > https://bugs.webkit.org/attachment.cgi?id=343546&action=review > > > > > LayoutTests/editing/selection/navigation-clears-editor-state.html:62 > > > + if (delta > 60) > > > > Maybe we should do count * 0.3 instead? > > Otherwise the change to this test looks good. Sounds good. I'll make this change. I'm also going to bump the timeout up a bit.

Saam Barati

Comment 44 2018-06-25 16:16:32 PDT

Created attachment 343552 [details] patch for landing

WebKit Commit Bot

Comment 45 2018-06-25 16:56:41 PDT

Comment on attachment 343552 [details] patch for landing Clearing flags on attachment: 343552 Committed r233184: <https://trac.webkit.org/changeset/233184>

WebKit Commit Bot

Comment 46 2018-06-25 16:56:44 PDT

All reviewed patches have been landed. Closing bug.

WebKit Commit Bot

Comment 47 2018-06-26 12:01:54 PDT

Re-opened since this is blocked by bug 187059

Saam Barati

Comment 48 2018-06-26 12:30:18 PDT

Seems like I need to use our other approach of introducing a new HeapCell::Kind called something like JSCellWithInteriorPointers

Saam Barati

Comment 49 2018-06-26 15:10:36 PDT

Created attachment 343645 [details] WIP want to test it on EWS

Saam Barati

Comment 50 2018-06-26 16:01:55 PDT

Created attachment 343653 [details] patch

WebKit Commit Bot

Comment 51 2018-06-26 18:08:32 PDT

Comment on attachment 343653 [details] patch Clearing flags on attachment: 343653 Committed r233236: <https://trac.webkit.org/changeset/233236>

WebKit Commit Bot

Comment 52 2018-06-26 18:08:34 PDT

All reviewed patches have been landed. Closing bug.

Note You need to log in before you can comment on or make changes to this bug.

Status RESOLVED

Resolution FIXED

Priority P2

Severity Normal

Classification Unclassified

Version WebKit Nightly Build

Hardware Unspecified

OS Unspecified

Product WebKit

Component JavaScriptCore

Assignee

Saam Barati

Reported

2018-06-20 23:39 PDT

Modified

2018-06-26 18:08 PDT History

CC List

17 users Show

URL

Keywords InRadar

Depends on

187059

Blocks

Dependencies

tree graph