REOPENED Bug 233379
Structures should be allocated out of an aligned pool of memory so StructureID->Structure* is fast. 
https://bugs.webkit.org/show_bug.cgi?id=233379
Summary Structures should be allocated out of an aligned pool of memory so StructureI...
Keith Miller
Reported 2021-11-19 12:56:25 PST
Structures should be allocated out of an aligned pool of memory so StructureID->Structure* is fast.
Attachments
Patch (206.25 KB, patch)
2021-11-19 14:03 PST, Keith Miller 		no flags
DetailsFormatted DiffDiff
Patch (206.25 KB, patch)
2021-11-19 15:13 PST, Keith Miller 		no flags
DetailsFormatted DiffDiff
Patch (207.55 KB, patch)
2021-11-22 06:36 PST, Keith Miller 		no flags
DetailsFormatted DiffDiff
Patch (206.90 KB, patch)
2021-11-22 14:47 PST, Keith Miller 		no flags
DetailsFormatted DiffDiff
Patch for landing (206.98 KB, patch)
2021-11-25 10:22 PST, Keith Miller 		no flags
DetailsFormatted DiffDiff
Patch for landing (204.53 KB, patch)
2021-11-25 10:24 PST, Keith Miller 		ews-feeder: commit-queue-
DetailsFormatted DiffDiff
Patch (204.53 KB, patch)
2021-11-25 10:36 PST, Keith Miller 		ews-feeder: commit-queue-
DetailsFormatted DiffDiff
Patch (204.54 KB, patch)
2021-11-25 10:46 PST, Keith Miller 		no flags
DetailsFormatted DiffDiff
Patch (205.21 KB, patch)
2021-11-25 10:58 PST, Keith Miller 		ews-feeder: commit-queue-
DetailsFormatted DiffDiff
Patch (205.24 KB, patch)
2021-11-25 11:50 PST, Keith Miller 		no flags
DetailsFormatted DiffDiff
Patch (205.12 KB, patch)
2021-11-26 09:32 PST, Keith Miller 		no flags
DetailsFormatted DiffDiff
Patch (208.95 KB, patch)
2021-11-30 10:05 PST, Keith Miller 		no flags
DetailsFormatted DiffDiff
Patch (209.29 KB, patch)
2021-11-30 10:27 PST, Keith Miller 		no flags
DetailsFormatted DiffDiff
layout-test-results (WinCairo WK1 Debug) (70.54 KB, application/x-zip-compressed)
2021-11-30 13:46 PST, Fujii Hironori 		no flags
Details
Patch for landing (209.38 KB, patch)
2021-11-30 16:31 PST, Keith Miller 		no flags
DetailsFormatted DiffDiff
Patch for landing (209.38 KB, patch)
2021-11-30 16:36 PST, Keith Miller 		no flags
DetailsFormatted DiffDiff
Patch for landing (209.41 KB, patch)
2021-11-30 17:23 PST, Keith Miller 		no flags
DetailsFormatted DiffDiff
Full backtrace (2.91 MB, text/plain)
2021-12-01 09:14 PST, Michael Catanzaro 		no flags
Details
Show Obsolete (15) View All Add attachment proposed patch, testcase, etc.
Keith Miller
Comment 1 2021-11-19 14:03:58 PST
Created attachment 444852 [details] Patch
Keith Miller
Comment 2 2021-11-19 15:13:37 PST
Created attachment 444863 [details] Patch
Yusuke Suzuki
Comment 3 2021-11-19 23:19:21 PST
Comment on attachment 444863 [details] Patch View in context: https://bugs.webkit.org/attachment.cgi?id=444863&action=review > Source/JavaScriptCore/runtime/JSCConfig.h:43 > +constexpr uintptr_t structureHeapAddressSize = 256 * MB; In old days, our # of StructureIDs are https://trac.webkit.org/changeset/281319/webkit => 1 << 24. And since each Structure has 112 bytes, maximum size was 1879048192, 1792MB. And it was too small and we extended it to 1 << 26, which is 7168MB. So, 256MB is too small. Maybe, 2 or 4GB is better?
Keith Miller
Comment 4 2021-11-22 06:36:11 PST
Created attachment 444962 [details] Patch
Keith Miller
Comment 5 2021-11-22 14:47:25 PST
Created attachment 444986 [details] Patch
Yusuke Suzuki
Comment 6 2021-11-22 22:03:27 PST
Comment on attachment 444986 [details] Patch View in context: https://bugs.webkit.org/attachment.cgi?id=444986&action=review r=me with 32bit and WIndows fixes. And please monitor performance / schedule A-B test of (Speedometer2, JetStream2) / memory change after landing to ensure that this does not cause the regression. > Source/JavaScriptCore/heap/StructureAllignedMemoryAllocator.h:1 > +/* This file is duplicate to Struc tureAlignedMemoryAllocator.h This is mis-typed "Alligned".
Keith Miller
Comment 7 2021-11-25 10:22:52 PST
Created attachment 445142 [details] Patch for landing
Keith Miller
Comment 8 2021-11-25 10:24:07 PST
Created attachment 445143 [details] Patch for landing
Keith Miller
Comment 9 2021-11-25 10:36:17 PST
Created attachment 445145 [details] Patch
Keith Miller
Comment 10 2021-11-25 10:46:35 PST
Created attachment 445146 [details] Patch
Keith Miller
Comment 11 2021-11-25 10:58:04 PST
Created attachment 445147 [details] Patch
Keith Miller
Comment 12 2021-11-25 11:50:07 PST
Created attachment 445150 [details] Patch
Keith Miller
Comment 13 2021-11-26 09:32:29 PST
Created attachment 445204 [details] Patch
Radar WebKit Bug Importer
Comment 14 2021-11-26 12:57:23 PST
<rdar://problem/85771775>
Fujii Hironori
Comment 15 2021-11-30 00:12:29 PST
WTF.dll!abort() Line 77 C++ WTF.dll!WTF::OSAllocator::releaseDecommitted(void * address, unsigned __int64 bytes) Line 91 C++ JavaScriptCore.dll!JSC::StructureAlignedMemoryAllocator::initializeStructureAddressSpace() Line 140 C++ [Inline Frame] JavaScriptCore.dll!JSC::initialize::__l2::<lambda_1>::operator()() Line 69 C++ [Inline Frame] JavaScriptCore.dll!std::invoke(JSC::initialize::__l2::<lambda_1> &&) Line 1585 C++ [Inline Frame] JavaScriptCore.dll!std::call_once(std::once_flag &) Line 568 C++ JavaScriptCore.dll!JSC::initialize() Line 58 C++ WebKit.dll!WebKitClassFactory::WebKitClassFactory(_GUID targetClass) Line 68 C++ WebKit.dll!DllGetClassObject(const _GUID & rclsid, const _GUID & riid, void * * ppv) Line 122 C++ [Inline Frame] WebKit.dll!classFactory(const _GUID &) Line 61 C++ WebKit.dll!WebKitCreateInstance(const _GUID & rclsid, IUnknown * pUnkOuter, const _GUID & riid, void * * ppvObject) Line 72 C++ MiniBrowserLib.dll!WebKitLegacyBrowserWindow::init() Line 79 C++ MiniBrowserLib.dll!MainWindow::init(std::function<WTF::Ref<BrowserWindow,WTF::RawPtrTraits<BrowserWindow>> __cdecl(BrowserWindowClient &,HWND__ *,bool)> factory, HINSTANCE__ * hInstance, bool usesLayeredWebView) Line 226 C++ MiniBrowserLib.dll!wWinMain(HINSTANCE__ * hInstance, HINSTANCE__ * hPrevInstance, wchar_t * lpstrCmdLine, int nCmdShow) Line 93 C++ MiniBrowser.exe!wWinMain(HINSTANCE__ * hInstance, HINSTANCE__ * hPrevInstance, wchar_t * lpstrCmdLine, int nCmdShow) Line 225 C++ [Inline Frame] MiniBrowser.exe!invoke_main() Line 118 C++ MiniBrowser.exe!__scrt_common_main_seh() Line 288 C++ kernel32.dll!00007ffd87f67034() Unknown ntdll.dll!00007ffd89442651() Unknown
Keith Miller
Comment 16 2021-11-30 10:05:53 PST
Created attachment 445431 [details] Patch
Keith Miller
Comment 17 2021-11-30 10:27:42 PST
Created attachment 445436 [details] Patch
Fujii Hironori
Comment 18 2021-11-30 13:19:12 PST
This patch can't compile for Windows Debug builds. AppleWin and WinCairo don't have Debug build EWS bots. > Source\WTF\wtf\win\OSAllocatorWin.cpp(52): error C3861: 'pageSize': identifier not found
Fujii Hironori
Comment 19 2021-11-30 13:46:23 PST
Created attachment 445466 [details] layout-test-results (WinCairo WK1 Debug) python3.exe ./Tools/Scripts/run-webkit-tests --wincairo --debug --no-new-test-results --no-retry-failures -1 --test-list=test.txt ASSERTION FAILED: reinterpret_cast<void*>(roundUpToMultipleOf(bytes, reinterpret_cast<uintptr_t>(result))) == result C:\home\webkit\gc\Source\WTF\wtf\win\OSAllocatorWin.cpp(54) : WTF::OSAllocator::reserveUncommittedAligned 1 00007FFD470A217B WTFCrash 2 00007FFD470A52ED WTFCrashWithInfo 3 00007FFD4721C91E WTF::OSAllocator::reserveUncommittedAligned 4 00007FFD2A0FBAD6 JSC::StructureAlignedMemoryAllocator::initializeStructureAddressSpace 5 00007FFD2A785AFE `JSC::initialize'::`2'::<lambda_1>::operator() 6 00007FFD2A79BAC4 std::invoke<`JSC::initialize'::`2'::<lambda_1> > 7 00007FFD2A798ED0 std::call_once<`JSC::initialize'::`2'::<lambda_1> > 8 00007FFD2A785A98 JSC::initialize 9 00007FFCF906425F WebKitClassFactory::WebKitClassFactory 10 00007FFCF90651D4 DllGetClassObject 11 00007FFCF9061513 classFactory 12 00007FFCF9061311 WebKitCreateInstance 13 00007FFD3917B355 initialize 14 00007FFD39182096 main 15 00007FFD3918274C dllLauncherEntryPoint 16 00007FF648161A0C main 17 00007FF648165494 __scrt_common_main_seh 18 00007FFD87F67034 BaseThreadInitThunk 19 00007FFD89442651 RtlUserThreadStart
Keith Miller
Comment 20 2021-11-30 16:31:43 PST
Created attachment 445487 [details] Patch for landing
EWS
Comment 21 2021-11-30 16:32:46 PST
ChangeLog entry in Source/WTF/ChangeLog contains OOPS!.
Keith Miller
Comment 22 2021-11-30 16:36:33 PST
Created attachment 445488 [details] Patch for landing
Fujii Hironori
Comment 23 2021-11-30 17:18:12 PST
This patch can't compile. C:\home\webkit\gc\Source\WTF\wtf\win\OSAllocatorWin.cpp(52): error C3861: 'pageSize': identifier not found C:\home\webkit\gc\Source\WTF\wtf\win\OSAllocatorWin.cpp(56): error C2065: 'mapped': undeclared identifier
Keith Miller
Comment 24 2021-11-30 17:23:40 PST
Created attachment 445493 [details] Patch for landing
Fujii Hironori
Comment 25 2021-11-30 18:15:13 PST
Comment on attachment 445493 [details] Patch for landing View in context: https://bugs.webkit.org/attachment.cgi?id=445493&action=review > Source/WTF/wtf/win/OSAllocatorWin.cpp:54 > + // FIXME: Is there a way to do this where we can either release the excess reservation or not reserve it at all? Filed: Bug 233674 – [Win] OSAllocator::reserveUncommittedAligned should use aligned allocation
EWS
Comment 26 2021-11-30 18:32:53 PST
Committed r286345 (244704@main): <https://commits.webkit.org/244704@main> All reviewed patches have been landed. Closing bug and clearing flags on attachment 445493 [details].
Saam Barati
Comment 27 2021-12-01 08:52:51 PST
Comment on attachment 445493 [details] Patch for landing View in context: https://bugs.webkit.org/attachment.cgi?id=445493&action=review > Source/JavaScriptCore/heap/StructureAlignedMemoryAllocator.cpp:91 > + MarkedBlock* block = reinterpret_cast<MarkedBlock*>(g_jscConfig.startOfStructureHeap) + freeIndex * MarkedBlock::blockSize; Why “* markedBlockSize”? Doesn’t pointer arithmetic already take that into account? Or maybe do arithmetic on char*?
Michael Catanzaro
Comment 28 2021-12-01 09:09:33 PST
This patch broke cloop on Linux, there are lots of crashes in JSC::LLInt::CLoop::execute: #0 0x00007f42933f159f in JSC::LLInt::CLoop::execute(JSC::OpcodeID, void*, JSC::VM*, JSC::ProtoCallFrame*, bool) () from /home/mcatanzaro/Projects/WebKit/WebKitBuild/Release/lib/libJavaScriptCore.so.1 #1 0x00007f429369b78a in vmEntryToJavaScript () from /home/mcatanzaro/Projects/WebKit/WebKitBuild/Release/lib/libJavaScriptCore.so.1 #2 0x00007f429366cf9f in JSC::Interpreter::executeCall(JSC::JSGlobalObject*, JSC::JSObject*, JSC::CallData const&, JSC::JSValue, JSC::ArgList const&) () from /home/mcatanzaro/Projects/WebKit/WebKitBuild/Release/lib/libJavaScriptCore.so.1 #3 0x00007f42939c4956 in JSC::Walker::callReviver(JSC::JSObject*, JSC::JSValue, JSC::JSValue) () from /home/mcatanzaro/Projects/WebKit/WebKitBuild/Release/lib/libJavaScriptCore.so.1 #4 0x00007f42939bdac3 in JSC::Walker::walk(JSC::JSValue) () from /home/mcatanzaro/Projects/WebKit/WebKitBuild/Release/lib/libJavaScriptCore.so.1 #5 0x00007f42939be3cd in JSC::jsonProtoFuncParse(JSC::JSGlobalObject*, JSC::CallFrame*) () from /home/mcatanzaro/Projects/WebKit/WebKitBuild/Release/lib/libJavaScriptCore.so.1 #6 0x00007f42933ea0c8 in JSC::LLInt::CLoop::execute(JSC::OpcodeID, void*, JSC::VM*, JSC::ProtoCallFrame*, bool) () from /home/mcatanzaro/Projects/WebKit/WebKitBuild/Release/lib/libJavaScriptCore.so.1 #7 0x00007f429369b78a in vmEntryToJavaScript () from /home/mcatanzaro/Projects/WebKit/WebKitBuild/Release/lib/libJavaScriptCore.so.1 #8 0x00007f429366a080 in JSC::Interpreter::executeProgram(JSC::SourceCode const&, JSC::JSGlobalObject*, JSC::JSObject*) () from /home/mcatanzaro/Projects/WebKit/WebKitBuild/Release/lib/libJavaScriptCore.so.1 #9 0x00007f4293848dc1 in JSC::evaluate(JSC::JSGlobalObject*, JSC::SourceCode const&, JSC::JSValue, WTF::NakedPtr<JSC::Exception>&) () from /home/mcatanzaro/Projects/WebKit/WebKitBuild/Release/lib/libJavaScriptCore.so.1 #10 0x00000000004168ac in jscmain(int, char**) () #11 0x000000000040a1ab in main () I'm going to see if I can get a better backtrace.
Michael Catanzaro
Comment 29 2021-12-01 09:14:02 PST
Crash is here: Program terminated with signal SIGSEGV, Segmentation fault. #0 JSC::LLInt::CLoop::execute (entryOpcodeID=JSC::llint_vm_entry_to_javascript, executableAddress=0x7f93e5fba23d <JSC::LLInt::CLoop::execute(JSC::OpcodeID, void*, JSC::VM*, JSC::ProtoCallFrame*, bool)+44059>, vm=0x168ae30, protoCallFrame=0x7fff3b91abe0, isInitializationPass=false) at /home/mcatanzaro/Projects/WebKit/WebKitBuild/Debug/JavaScriptCore/DerivedSources/LLIntAssembly.h:8918 8918 t2 = *CAST<int64_t*>(t2.i8p() + 32); // LowLevelInterpreter64.asm:1670 I will attach a full backtrace, but it's pretty intense because each frame is huge.
Michael Catanzaro
Comment 30 2021-12-01 09:14:24 PST
Created attachment 445583 [details] Full backtrace
Michael Catanzaro
Comment 31 2021-12-01 09:26:41 PST
(In reply to Michael Catanzaro from comment #28) > This patch broke cloop on Linux, there are lots of crashes in > JSC::LLInt::CLoop::execute: I checked first with USE_SYSTEM_MALLOC=ON, but it's also broken without.
Yusuke Suzuki
Comment 32 2021-12-01 09:35:44 PST
Comment on attachment 445493 [details] Patch for landing View in context: https://bugs.webkit.org/attachment.cgi?id=445493&action=review >> Source/JavaScriptCore/heap/StructureAlignedMemoryAllocator.cpp:91 >> + MarkedBlock* block = reinterpret_cast<MarkedBlock*>(g_jscConfig.startOfStructureHeap) + freeIndex * MarkedBlock::blockSize; > > Why “* markedBlockSize”? Doesn’t pointer arithmetic already take that into account? Or maybe do arithmetic on char*? I think sizeof(MarkedBlock) == 1 since it does not have any fields actually. But I think this looks misleading. bitwise_cast<MarkedBlock*>(g_jscConfig.startOfStructureHeap + freeIndex * MarkedBlock::blockSize) is better.
Yusuke Suzuki
Comment 33 2021-12-01 11:07:33 PST
Committed r286372 (244731@main): <https://commits.webkit.org/244731@main>
Michael Catanzaro
Comment 34 2021-12-01 12:01:52 PST
(In reply to Yusuke Suzuki from comment #33) > Committed r286372 (244731@main): <https://commits.webkit.org/244731@main> Confirmed fixed, thanks Yusuke!
Michael Catanzaro
Comment 35 2021-12-01 12:08:53 PST
One more thing. Previously StructureID was just a uint32_t, but now it's a struct with a nontrivial constructor. It introduced a GCC warning: [943/1704] Building CXX object Source/JavaScriptCore/CMake...vedSources/unified-sources/UnifiedSource-f2e18ffc-36.cpp.o In file included from /home/mcatanzaro/Projects/WebKit/WebKitBuild/Debug/JavaScriptCore/DerivedSources/unified-sources/UnifiedSource-f2e18ffc-36.cpp:3: /home/mcatanzaro/Projects/WebKit/Source/JavaScriptCore/runtime/StructureChain.cpp: In static member function ‘static JSC::StructureChain* JSC::StructureChain::create(JSC::VM&, JSC::JSObject*)’: /home/mcatanzaro/Projects/WebKit/Source/JavaScriptCore/runtime/StructureChain.cpp:52:11: warning: ‘void* memset(void*, int, size_t)’ clearing an object of non-trivial type ‘class JSC::StructureID’; use assignment or value-initialization instead [-Wclass-memaccess] 52 | memset(vector, 0, bytes); | ~~~~~~^~~~~~~~~~~~~~~~~~ In file included from /home/mcatanzaro/Projects/WebKit/Source/JavaScriptCore/heap/Heap.h:46, from /home/mcatanzaro/Projects/WebKit/Source/JavaScriptCore/runtime/JSCell.h:29, from /home/mcatanzaro/Projects/WebKit/Source/JavaScriptCore/runtime/JSCast.h:28, from /home/mcatanzaro/Projects/WebKit/Source/JavaScriptCore/runtime/ClassInfo.h:26, from /home/mcatanzaro/Projects/WebKit/Source/JavaScriptCore/runtime/Structure.h:28, from /home/mcatanzaro/Projects/WebKit/Source/JavaScriptCore/runtime/Structure.cpp:28, from /home/mcatanzaro/Projects/WebKit/WebKitBuild/Debug/JavaScriptCore/DerivedSources/unified-sources/UnifiedSource-f2e18ffc-36.cpp:1: /home/mcatanzaro/Projects/WebKit/Source/JavaScriptCore/runtime/StructureID.h:37:7: note: ‘class JSC::StructureID’ declared here 37 | class StructureID { | ^~~~~~~~~~~ This is one of the rare cases where GCC is better at warning than Clang. Anyway, if I'm reading the code correctly, I think this memset() can be safely deleted, yes? It was previously required to initialize the vector of StructureIDs, but now that StructureID is a struct, that's handled by its constructor.
Keith Miller
Comment 36 2021-12-01 12:11:44 PST
(In reply to Michael Catanzaro from comment #35) > One more thing. Previously StructureID was just a uint32_t, but now it's a > struct with a nontrivial constructor. It introduced a GCC warning: > > [943/1704] Building CXX object > Source/JavaScriptCore/CMake...vedSources/unified-sources/UnifiedSource- > f2e18ffc-36.cpp.o > In file included from > /home/mcatanzaro/Projects/WebKit/WebKitBuild/Debug/JavaScriptCore/ > DerivedSources/unified-sources/UnifiedSource-f2e18ffc-36.cpp:3: > /home/mcatanzaro/Projects/WebKit/Source/JavaScriptCore/runtime/ > StructureChain.cpp: In static member function ‘static JSC::StructureChain* > JSC::StructureChain::create(JSC::VM&, JSC::JSObject*)’: > /home/mcatanzaro/Projects/WebKit/Source/JavaScriptCore/runtime/ > StructureChain.cpp:52:11: warning: ‘void* memset(void*, int, size_t)’ > clearing an object of non-trivial type ‘class JSC::StructureID’; use > assignment or value-initialization instead [-Wclass-memaccess] > 52 | memset(vector, 0, bytes); > | ~~~~~~^~~~~~~~~~~~~~~~~~ > In file included from > /home/mcatanzaro/Projects/WebKit/Source/JavaScriptCore/heap/Heap.h:46, > from > /home/mcatanzaro/Projects/WebKit/Source/JavaScriptCore/runtime/JSCell.h:29, > from > /home/mcatanzaro/Projects/WebKit/Source/JavaScriptCore/runtime/JSCast.h:28, > from > /home/mcatanzaro/Projects/WebKit/Source/JavaScriptCore/runtime/ClassInfo.h: > 26, > from > /home/mcatanzaro/Projects/WebKit/Source/JavaScriptCore/runtime/Structure.h: > 28, > from > /home/mcatanzaro/Projects/WebKit/Source/JavaScriptCore/runtime/Structure.cpp: > 28, > from > /home/mcatanzaro/Projects/WebKit/WebKitBuild/Debug/JavaScriptCore/ > DerivedSources/unified-sources/UnifiedSource-f2e18ffc-36.cpp:1: > /home/mcatanzaro/Projects/WebKit/Source/JavaScriptCore/runtime/StructureID.h: > 37:7: note: ‘class JSC::StructureID’ declared here > 37 | class StructureID { > | ^~~~~~~~~~~ > > This is one of the rare cases where GCC is better at warning than Clang. > Anyway, if I'm reading the code correctly, I think this memset() can be > safely deleted, yes? It was previously required to initialize the vector of > StructureIDs, but now that StructureID is a struct, that's handled by its > constructor. No the memset is needed since we don't initialize the memory of that buffer without it.
Michael Catanzaro
Comment 37 2021-12-01 13:03:23 PST
(In reply to Keith Miller from comment #36) > No the memset is needed since we don't initialize the memory of that buffer > without it. Ah, right... I think in this case we can just suppress the warning wicth static_cast<void*>(vector), but that's fragile because if the StructureID constructor starts doing something else in the future, it will be broken and we won't get another warning. So it would be better to rewrite this IMO.
Yusuke Suzuki
Comment 38 2021-12-01 13:12:02 PST
I think void* is the best fix. It is extremely unlikely that StructureID constructor does something meaningful.
Yusuke Suzuki
Comment 39 2021-12-01 13:25:29 PST
Committed r286382 (244741@main): <https://commits.webkit.org/244741@main>
Saam Barati
Comment 40 2021-12-13 15:50:20 PST
Will roll out in https://bugs.webkit.org/show_bug.cgi?id=234268
Note You need to log in before you can comment on or make changes to this bug.