: New feature! MozillaWiki is now mobile-friendly. Visit from a mobile device to see new mobile theme + try editing. Release details.

Javascript:Hazard Builds

From MozillaWiki
Jump to: navigation, search

Goal

The goal of this project is to know the exact locations of all GC Cell pointers stored on the stack. This will enable further development of compacting and generational GC modes.

Dynamic Rooting Analysis

Since a failure to root a stack variable properly will become a use-after-free error after we have moving GC's, it is vitally important that we catch and fix all rooting violations now, rather than later. To this end, we have enabled a dynamic correctness checker that runs on every push to mozilla-inbound. It verifies that no stack pointers are left unrooted. It is displayed on Treeherder under the name SM(r).

Static Rooting Analysis

Treeherder can run three static analysis builds: the full browser (linux64-br-haz), B2G (linux64-b2g-haz), and just the JS shell (linux64-sh-haz). They show up on treeherder as H (or SM(H)).

These builds are performed as follows:

  • run the mozharness script http://hg.mozilla.org/build/mozharness/scripts/spidermonkey_build.py, which sets up a mozilla_mock environment and runs the analysis within it, then uploads the resulting files
    • compile an optimized JS shell to later run the analysis
    • compile the browser with gcc, using a slightly modified version of the sixgill (http://svn.sixgill.org) gcc plugin, producing a set of .xdb files describing everything encountered during the compilation
    • analyze the .xdb files with scripts in js/src/devtools/rootAnalysis

Running the analysis

To run the browser analysis, you must be on linux64 and do:

 python testing/mozharness/scripts/spidermonkey_build.py -c developer_config.py -c hazards/common.py -c hazards/build_browser.py --source $SRCDIR

Or if your hazards are all contained within js/src, you could use hazards/build_shell.py in place of hazards/build_browser.py.

The easiest way to run an analysis is to push to try with the trychooser line |try: -b do -p linux64-br-haz| (or, if the hazards of interest are contained entirely within js/src, use |try: -b do -p linux64-sh-haz| for a much faster result). The expected turnaround time for linux64-br-haz is just under 2 hours. For b2g hazards, you can use -p linux64-b2g-haz.

The output will be uploaded and a link named "results" will be placed into the "job details" info pane on treeherder. If the analysis fails, you will see the number of failures. Navigate to the hazards.txt.gz file.

Analysis output

The main output file of interest is hazards.txt. Example snippet:

Function 'jsopcode.cpp:uint8 DecompileExpressionFromStack(JSContext*, int32, int32, class JS::Handle<JS::Value>, int8**)' has unrooted 'ed' of type 'ExpressionDecompiler' live across GC call 'uint8 ExpressionDecompiler::decompilePC(uint8*)' at js/src/jsopcode.cpp:1866
    js/src/jsopcode.cpp:1866: Assume(74,75, !__temp_23*, true)
    js/src/jsopcode.cpp:1867: Assign(75,76, return := 0)
    js/src/jsopcode.cpp:1867: Call(76,77, ed.~ExpressionDecompiler())
GC Function: uint8 ExpressionDecompiler::decompilePC(uint8*)
    JSString* js::ValueToSource(JSContext*, class JS::Handle<JS::Value>)
    uint8 js::Invoke(JSContext*, JS::Value*, JS::Value*, uint32, JS::Value*, class JS::MutableHandle<JS::Value>)
    uint8 js::Invoke(JSContext*, JS::CallArgs, uint32)
    JSScript* JSFunction::getOrCreateScript(JSContext*)
    uint8 JSFunction::createScriptForLazilyInterpretedFunction(JSContext*, class JS::Handle<JSFunction*>)
    uint8 JSRuntime::cloneSelfHostedFunctionScript(JSContext*, class JS::Handle<js::PropertyName*>, class JS::Handle<JSFunction*>)
    JSScript* js::CloneScript(JSContext*, class JS::Handle<JSObject*>, class JS::Handle<JSFunction*>, const class JS::Handle<JSScript*>, uint32)
    JSObject* js::CloneStaticBlockObject(JSContext*, class JS::Handle<JSObject*>, class JS::Handle<js::StaticBlockObject*>)
    js::StaticBlockObject* js::StaticBlockObject::create(js::ExclusiveContext*)
    js::Shape* js::EmptyShape::getInitialShape(js::ExclusiveContext*, js::Class*, js::TaggedProto, JSObject*, JSObject*, uint32, uint32)
    js::Shape* js::EmptyShape::getInitialShape(js::ExclusiveContext*, js::Class*, js::TaggedProto, JSObject*, JSObject*, uint64, uint32)
    js::UnownedBaseShape* js::BaseShape::getUnowned(js::ExclusiveContext*, js::StackBaseShape*)
    js::BaseShape* js_NewGCBaseShape(js::ThreadSafeContext*) [with js::AllowGC allowGC = (js::AllowGC)1u]
    js::BaseShape* js::gc::NewGCThing(js::ThreadSafeContext*, uint32, uint64, uint32) [with T = js::BaseShape; js::AllowGC allowGC = (js::AllowGC)1u; size_t = long unsigned int]
    void js::gc::RunDebugGC(JSContext*)
    void js::MinorGC(JSRuntime*, uint32)
    GC

This means that a rooting hazard was discovered at js/src/jsopcode.cpp line 1866, in the function DecompileExpressionFromStack (it is prefixed with the filename because it's a static function.) The problem is that they're an unrooted variable 'ed' that holds an ExpressionDecompiler live across a call to decompilePC. "Live" means that the variable is used after the call to decompilePC returns. decompilePC may trigger a GC according to the static call stack given starting from the line beginning with "GC Function:". The hazard itself has some barely comprehensible Assume(...) and Call(...) gibberish that describes the exact path of the variable into the function call. That stuff is rarely useful -- usually, you'll only need to look at it if it's complaining about a temporary and you want to know where the temporary came from. The type 'ExpressionDecompiler' is believed to hold pointers to GC-controlled objects of some sort. The analysis currently does not describe the exact field it is worried about.

To unpack this a little, the analysis is saying the following can happen:

  • ExpressionDecompiler contains some pointer to a GC thing. For example, it might have a field 'obj' of type 'JSObject*'.
  • DecompileExpressionFromStack is called.
  • A pointer is stored in that field of the 'ed' variable.
  • decompilePC is invoked, which calls ValueToSource, which calls Invoke, which eventually calls js::MinorGC
  • during the resulting garbage collection, the object pointed to by ed.obj is moved to a different location. All pointers stored in the JS heap are updated automatically, as are all rooted pointers. ed.obj is not, because the GC doesn't know about it.
  • after decompilePC returns, something accesses ed.obj. This is now a stale pointer, and may refer to just about anything -- the wrong object, an invalid object, or whatever. Badness 10000, as TeX would say.

So you broke the analysis by adding a hazard. Now what?

Backout, fix the hazard, or (final resort) update the expected number of hazards in js/src/devtools/rootAnalysis/expect.browser.json.

The most common way to fix a hazard is to change the variable to be a Rooted type, as described in http://dxr.mozilla.org/mozilla-central/source/js/public/RootingAPI.h#l21

For more complicated cases, ask on #jsapi. If you don't get a response, ping sfink, terrence, or jonco.