Bug 154822

Summary:	[ARM] REGRESSION(197226): Removing the on demand executable allocator made 14 tests crash with OOM
Product:	WebKit	Reporter:	Csaba Osztrogonác <ossy>
Component:	JavaScriptCore	Assignee:	Nobody <webkit-unassigned>
Status:	RESOLVED DUPLICATE
Severity:	Normal	CC:	cgarcia, clopez, ggaren, gyuyoung.kim, jh718.park, oliver, ossy
Priority:	P2
Version:	Other
Hardware:	Unspecified
OS:	Unspecified
Bug Depends on:
Bug Blocks:	108645, 154749

Csaba Osztrogonác

Reported 2016-02-29 09:50:42 PST

http://trac.webkit.org/changeset/197226 removed the on demand executable allocator which was used by 32 bit ARM Linux platforms. Since r197226, only fixed allocator is available, which means only 16Mb RAM is available on 32 bit ARM devices. Failing tests: mozilla-tests.yaml/js1_5/Regress/regress-159334.js.mozilla-baseline jsc-layout-tests.yaml/js/script-tests/regress-141098.js.layout-no-llint jsc-layout-tests.yaml/js/script-tests/dfg-float32array.js.layout-no-llint jsc-layout-tests.yaml/js/script-tests/dfg-float64array.js.layout-no-llint jsc-layout-tests.yaml/js/script-tests/dfg-int16array.js.layout-no-llint jsc-layout-tests.yaml/js/script-tests/dfg-int32array-overflow-values.js.layout-no-llint jsc-layout-tests.yaml/js/script-tests/dfg-int32array.js.layout-no-llint jsc-layout-tests.yaml/js/script-tests/dfg-int8array.js.layout-no-llint jsc-layout-tests.yaml/js/script-tests/dfg-osr-entry-hoisted-clobbered-structure-check.js.layout-no-llint jsc-layout-tests.yaml/js/script-tests/dfg-uint16array.js.layout-no-llint jsc-layout-tests.yaml/js/script-tests/dfg-uint32array-overflow-values.js.layout-no-llint jsc-layout-tests.yaml/js/script-tests/dfg-uint32array.js.layout-no-llint jsc-layout-tests.yaml/js/script-tests/dfg-uint8array.js.layout-no-llint jsc-layout-tests.yaml/js/script-tests/dfg-uint8clampedarray.js.layout-no-llint

Attachments
Add attachment proposed patch, testcase, etc.

Csaba Osztrogonác

Comment 1 2016-02-29 09:56:32 PST

Apple already skipped these tests in http://trac.webkit.org/changeset/196625 and I unskipped them on Linux in http://trac.webkit.org/changeset/196762 . But after http://trac.webkit.org/changeset/197226 these tests started to fail. Is there a reason to remove the on demand executable allocator? There weren't any explanation in the original bug report.

Csaba Osztrogonác

Comment 2 2016-02-29 10:29:44 PST

I tried to increase the memory size to 32Mb (JSC_jitMemoryReservationSize=33554432), which fixed these tests, but made 150 other tests fail.

Csaba Osztrogonác

Comment 3 2016-03-01 04:30:46 PST

Increasing jitMemoryReservationSize to 32Mb fixes the OOM issue with the ARMAssembler (ARM instruction set) and we don't get new crashes. But with ARMv7Assembler (Thumb2 instruction set) we get ~150 crashes if we increase the JIT memory above 16Mb (maximum jump with 24 bit address!) Zoltán fixed a similar bug in ARMv7Assembler 3 years ago: http://trac.webkit.org/changeset/146396

Oliver Hunt

Comment 4 2016-03-01 09:25:55 PST

Are these just timing out? (In reply to comment #0) > http://trac.webkit.org/changeset/197226 removed the on demand executable > allocator > which was used by 32 bit ARM Linux platforms. Since r197226, only fixed > allocator > is available, which means only 16Mb RAM is available on 32 bit ARM devices. > > Failing tests: > mozilla-tests.yaml/js1_5/Regress/regress-159334.js.mozilla-baseline > jsc-layout-tests.yaml/js/script-tests/regress-141098.js.layout-no-llint > jsc-layout-tests.yaml/js/script-tests/dfg-float32array.js.layout-no-llint > jsc-layout-tests.yaml/js/script-tests/dfg-float64array.js.layout-no-llint > jsc-layout-tests.yaml/js/script-tests/dfg-int16array.js.layout-no-llint > jsc-layout-tests.yaml/js/script-tests/dfg-int32array-overflow-values.js. > layout-no-llint > jsc-layout-tests.yaml/js/script-tests/dfg-int32array.js.layout-no-llint > jsc-layout-tests.yaml/js/script-tests/dfg-int8array.js.layout-no-llint > jsc-layout-tests.yaml/js/script-tests/dfg-osr-entry-hoisted-clobbered- > structure-check.js.layout-no-llint > jsc-layout-tests.yaml/js/script-tests/dfg-uint16array.js.layout-no-llint > jsc-layout-tests.yaml/js/script-tests/dfg-uint32array-overflow-values.js. > layout-no-llint > jsc-layout-tests.yaml/js/script-tests/dfg-uint32array.js.layout-no-llint > jsc-layout-tests.yaml/js/script-tests/dfg-uint8array.js.layout-no-llint > jsc-layout-tests.yaml/js/script-tests/dfg-uint8clampedarray.js.layout-no- > llint

Csaba Osztrogonác

Comment 5 2016-03-01 09:32:25 PST

(In reply to comment #4) > Are these just timing out? No, out of memory because of fixed 16Mb sized VM pool. I already added my detailed investigation: (In reply to comment #3) > Increasing jitMemoryReservationSize to 32Mb fixes the OOM issue with > the ARMAssembler (ARM instruction set) and we don't get new crashes. > > But with ARMv7Assembler (Thumb2 instruction set) we get ~150 crashes if > we increase the JIT memory above 16Mb (maximum jump with 24 bit address!) > > Zoltán fixed a similar bug in ARMv7Assembler 3 years ago: > http://trac.webkit.org/changeset/146396 It's easy to fix this bug with ARMAssembler with increasing jitMemoryReservationSize. But it would cause more problems with ARMv7Assembler.

Oliver Hunt

Comment 6 2016-03-01 09:36:09 PST

Why is the ARM backend not falling back to the interpreter when it's out of executable memory?

Csaba Osztrogonác

Comment 7 2016-03-01 09:43:09 PST

(In reply to comment #6) > Why is the ARM backend not falling back to the interpreter when it's out of > executable memory? These tests explicitly disable LLINT, I don't think if it is possible to fallback in this case.

Alexey Proskuryakov

Comment 8 2016-03-01 22:54:26 PST

Fixing by rollout. *** This bug has been marked as a duplicate of bug 154910 ***

Note You need to log in before you can comment on or make changes to this bug.