RESOLVED DUPLICATE of bug 154910 154822
[ARM] REGRESSION(197226): Removing the on demand executable allocator made 14 tests crash with OOM
https://bugs.webkit.org/show_bug.cgi?id=154822
Csaba Osztrogonác
Reported 2016-02-29 09:50:42 PST
http://trac.webkit.org/changeset/197226 removed the on demand executable allocator which was used by 32 bit ARM Linux platforms. Since r197226, only the fixed allocator is available, which means only 16Mb RAM is available on 32 bit ARM devices.

Failing tests:
mozilla-tests.yaml/js1_5/Regress/regress-159334.js.mozilla-baseline
jsc-layout-tests.yaml/js/script-tests/regress-141098.js.layout-no-llint
jsc-layout-tests.yaml/js/script-tests/dfg-float32array.js.layout-no-llint
jsc-layout-tests.yaml/js/script-tests/dfg-float64array.js.layout-no-llint
jsc-layout-tests.yaml/js/script-tests/dfg-int16array.js.layout-no-llint
jsc-layout-tests.yaml/js/script-tests/dfg-int32array-overflow-values.js.layout-no-llint
jsc-layout-tests.yaml/js/script-tests/dfg-int32array.js.layout-no-llint
jsc-layout-tests.yaml/js/script-tests/dfg-int8array.js.layout-no-llint
jsc-layout-tests.yaml/js/script-tests/dfg-osr-entry-hoisted-clobbered-structure-check.js.layout-no-llint
jsc-layout-tests.yaml/js/script-tests/dfg-uint16array.js.layout-no-llint
jsc-layout-tests.yaml/js/script-tests/dfg-uint32array-overflow-values.js.layout-no-llint
jsc-layout-tests.yaml/js/script-tests/dfg-uint32array.js.layout-no-llint
jsc-layout-tests.yaml/js/script-tests/dfg-uint8array.js.layout-no-llint
jsc-layout-tests.yaml/js/script-tests/dfg-uint8clampedarray.js.layout-no-llint
Csaba Osztrogonác
Comment 1 2016-02-29 09:56:32 PST
Apple already skipped these tests in http://trac.webkit.org/changeset/196625 and I unskipped them on Linux in http://trac.webkit.org/changeset/196762 . But after http://trac.webkit.org/changeset/197226 these tests started to fail.

Is there a reason to remove the on demand executable allocator? There wasn't any explanation in the original bug report.
Csaba Osztrogonác
Comment 2 2016-02-29 10:29:44 PST
I tried to increase the memory size to 32Mb (JSC_jitMemoryReservationSize=33554432), which fixed these tests, but made 150 other tests fail.
Csaba Osztrogonác
Comment 3 2016-03-01 04:30:46 PST
Increasing jitMemoryReservationSize to 32Mb fixes the OOM issue with the ARMAssembler (ARM instruction set) and we don't get new crashes.

But with ARMv7Assembler (Thumb2 instruction set) we get ~150 crashes if we increase the JIT memory above 16Mb (maximum jump with 24 bit address!)

Zoltán fixed a similar bug in ARMv7Assembler 3 years ago: http://trac.webkit.org/changeset/146396
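The branch-range limit mentioned in comment 3, as an added example that is not part of the bug thread and is not WebKit code: a range check an assembler can run before encoding an unconditional branch, using the architectural ranges of ARM `B` (±32 MB) and Thumb-2 `B.W` (±16 MB). The function names and the sample displacements are assumptions made for the illustration.

```c
#include <stdbool.h>
#include <stdint.h>
#include <stdio.h>

/* Displacements are PC-relative byte offsets (target minus the PC value the
 * instruction sees). All names here are hypothetical, not JavaScriptCore's. */

/* ARM B: imm24 << 2, i.e. a 26-bit signed, word-aligned offset (+/-32 MB). */
bool fits_arm_b(int64_t disp)
{
    return disp % 4 == 0 && disp >= -(INT64_C(1) << 25)
                         && disp <= (INT64_C(1) << 25) - 4;
}

/* Thumb-2 B.W (encoding T4): S:I1:I2:imm10:imm11:'0', i.e. a 25-bit signed,
 * halfword-aligned offset (+/-16 MB, a 2^24-byte reach each way). */
bool fits_thumb2_bw(int64_t disp)
{
    return disp % 2 == 0 && disp >= -(INT64_C(1) << 24)
                         && disp <= (INT64_C(1) << 24) - 2;
}

/* The offset a decoder would see if an encoder kept only the low `bits` bits
 * without a range check: the value wraps and the branch lands elsewhere. */
int64_t wrap_signed(int64_t disp, unsigned bits)
{
    uint64_t low = (uint64_t)disp & ((UINT64_C(1) << bits) - 1);
    if (low & (UINT64_C(1) << (bits - 1)))
        return (int64_t)low - (int64_t)(UINT64_C(1) << bits);
    return (int64_t)low;
}

int main(void)
{
    /* Constructed sample displacements: 8 MB, 16 MB - 2, 20 MB. */
    const int64_t samples[] = { 8388608, 16777214, 20971520 };
    for (size_t i = 0; i < sizeof samples / sizeof samples[0]; i++) {
        int64_t d = samples[i];
        printf("disp=%lld  ARM B:%s  Thumb-2 B.W:%s  unchecked 25-bit wrap=%lld\n",
               (long long)d,
               fits_arm_b(d) ? "ok" : "out of range",
               fits_thumb2_bw(d) ? "ok" : "out of range",
               (long long)wrap_signed(d, 25));
    }
    return 0;
}
```

A 20 MB displacement, which can occur once the pool is larger than 16 MB, is encodable as ARM `B` but not as Thumb-2 `B.W`; without the check it would wrap to -12 MB.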
Oliver Hunt
Comment 4 2016-03-01 09:25:55 PST
Are these just timing out?

(In reply to comment #0)
> http://trac.webkit.org/changeset/197226 removed the on demand executable
> allocator
> which was used by 32 bit ARM Linux platforms. Since r197226, only fixed
> allocator
> is available, which means only 16Mb RAM is available on 32 bit ARM devices.
>
> Failing tests:
> mozilla-tests.yaml/js1_5/Regress/regress-159334.js.mozilla-baseline
> jsc-layout-tests.yaml/js/script-tests/regress-141098.js.layout-no-llint
> jsc-layout-tests.yaml/js/script-tests/dfg-float32array.js.layout-no-llint
> jsc-layout-tests.yaml/js/script-tests/dfg-float64array.js.layout-no-llint
> jsc-layout-tests.yaml/js/script-tests/dfg-int16array.js.layout-no-llint
> jsc-layout-tests.yaml/js/script-tests/dfg-int32array-overflow-values.js.layout-no-llint
> jsc-layout-tests.yaml/js/script-tests/dfg-int32array.js.layout-no-llint
> jsc-layout-tests.yaml/js/script-tests/dfg-int8array.js.layout-no-llint
> jsc-layout-tests.yaml/js/script-tests/dfg-osr-entry-hoisted-clobbered-structure-check.js.layout-no-llint
> jsc-layout-tests.yaml/js/script-tests/dfg-uint16array.js.layout-no-llint
> jsc-layout-tests.yaml/js/script-tests/dfg-uint32array-overflow-values.js.layout-no-llint
> jsc-layout-tests.yaml/js/script-tests/dfg-uint32array.js.layout-no-llint
> jsc-layout-tests.yaml/js/script-tests/dfg-uint8array.js.layout-no-llint
> jsc-layout-tests.yaml/js/script-tests/dfg-uint8clampedarray.js.layout-no-llint
Csaba Osztrogonác
Comment 5 2016-03-01 09:32:25 PST
(In reply to comment #4)
> Are these just timing out?

No, out of memory because of fixed 16Mb sized VM pool. I already added my detailed investigation:

(In reply to comment #3)
> Increasing jitMemoryReservationSize to 32Mb fixes the OOM issue with
> the ARMAssembler (ARM instruction set) and we don't get new crashes.
>
> But with ARMv7Assembler (Thumb2 instruction set) we get ~150 crashes if
> we increase the JIT memory above 16Mb (maximum jump with 24 bit address!)
>
> Zoltán fixed a similar bug in ARMv7Assembler 3 years ago:
> http://trac.webkit.org/changeset/146396

It's easy to fix this bug with ARMAssembler with increasing jitMemoryReservationSize. But it would cause more problems with ARMv7Assembler.
Oliver Hunt
Comment 6 2016-03-01 09:36:09 PST
Why is the ARM backend not falling back to the interpreter when it's out of executable memory?
Csaba Osztrogonác
Comment 7 2016-03-01 09:43:09 PST
(In reply to comment #6)
> Why is the ARM backend not falling back to the interpreter when it's out of
> executable memory?

These tests explicitly disable LLINT, I don't think it is possible to fall back in this case.
Alexey Proskuryakov
Comment 8 2016-03-01 22:54:26 PST
Fixing by rollout.

*** This bug has been marked as a duplicate of bug 154910 ***