performance tab crashes in f12 on pages with asm.js #1

MikeHolman · 2016-01-05T20:05:42Z

Looks like some state is not changed correctly on debugger detach, so when reattaching debugger after the profiling completes, the asm.js->js frame conversion still happens.

Merge pull request #305 from pleath:released/1602 #1: Fix bugs with non-canonical NaNs in asm.js In asm.js, we don't canonicalize NaNs. We don't have vars in asm.js, so this is ok. But we DO need to make sure to check for NaN if we are creating a JavascriptNumber from it. However, we were not doing this, which was an issue for argouts in asm.js->js calls as well as return values from asm.js. It was also an issue in one helper call on x64, where we were converting to var before making the call. This was being done because there was no support for x64 calling convention. But with asm.js, I implemented that support, so I updated the helper call to use the standard API. Other places were also hacking around this limitation, so I updated them as well. #2: add check against length for memset #3: Issue: There was a code path where we protect pages with PAGE_EXECUTE without the PAGE_TARGETS_NO_UPDATE flag, which will control all the CFG bits in the page. Fix: Fixed and ensured that we don't use PAGE_EXECUTE directly in the virtual protect API. Instead #defines are used. Cleaned up some complex code path in CustomHeap Protect Allocation mechanism. Removed isReadWrite flag from PageAllocation class, as it is not required. Earlier, we were also letting RW pages to be added to the bucket list of pages in custom heap, which lead the hacker to add his own RW page to the list. Now it is made sure that only RX pages go into the bucket list. Tests: Unit tests passed. Exprgen, Web crawler - Reran the tests and they look fine..

…g ops. - Added Int32x4 min/max, shiftRight/LeftByScalar - For Int16x8, Uint32x4, Uint16x8, Uint8x16: * Enabled constructor/check calls, argument passing, returns, globals import, passing values to modules, return value from module. * Added opcodes, layouts, IRBuilders, Bytecode dumps. Implemented interpreter handlers. - Fixes in lowerer and adding new IRTypes to RegAlloc, Bailout records ... - Relaxed shuffle constraint to accept arbitrary in-range lane indices - Added lowerer support for the following ops of Uint32x4, Uint16x8, Uint8x16, and Int16x8: Constructors, replace/extractLane - Added shuffle/swizzle, load/store operations for all types except Int8x16 - Uint32x4/16x8/8x16 and Int16x8 conversion ops in lowerer - Asmjs support for SIMD bool types - Disabling CSE for new opcodes to accomodate the present opcode space for global opt. - Enabled anyTrue/allTrue coercion check, comparison and select ops for all types. - Several bug fixes in arguments passing/return values, and register allocation for bool types. - Fixed Comparison/select tests for Int32x4 and Float32x4. - Removed Float64x2 support from Asm.js front-end. Fixed tests accordingly. - Added comparison unit-tests for new types: Int16x8, and all unsigned ints. Enable AsmJs Lower support - Changed SIMD object, constructors, and their properties to be Configurable and Writeable. - AsmJs linker does a run timecheck for used SIMD ops - Cleaned up obsolete ops: scale, zero, bool, withFlag* and others, modified UTs. - Changed line endings on JavascriptSIMD*.cpp files to CRLF Added Unit-tests, and fixes to ASMJS link. Added Min/MaxNum. Minor fixes to UTs New SIMD Bool opearions. 1. Adding Constructor, splat, Extract/Replace lane for all SIMD bools. 2. Cleaning up D2 opcodes to make space for the new opcodes. 3. Adding tests. Fix code analysis failure in release build CR Fixes #1 Adding Neg operation for Uint32x4, Uint16x8, Uint8x16. Neg operation for unsigned types in Library, Interpreter and JIT. CR Fixes #2: - Avoid pinning opnds to byte-addressable reg. Copy to new TyInt8 sym instead. - Removed ununsed IRBuilder/BytecodeDumper functions. - SccLiveness will process dst of SHUFPS/D as a src - Minor nit fixes in LowererMDSharedSimd128 Fix copyright headers

This change does the following : - Eliminates stack probe for leaf functions with small stack footprint - Eliminates arg saves on stack for a leaf function with no arg usage - Eliminate redundant null store on stack ----------------------------------------------------------------------------- Empty function before : ----------------------------------------------------------------------------- Function empty ( (chakra-core#1.1), chakra-core#2) Instr Count:38 FunctionEntry (rax).i64 = MOV 0xXXXXXXXX (&StackLimit).u64 (rax).i64 = MOV [(rax).i64].i64 (rax).i64 = ADD (rax).i64, 0x000000001BD0.u64 JO $L4 CMP (rsp).i64, (rax).i64 JLE $L4 NOP 4 (0x4).i8 NOP 2 (0x2).i8 arg5(s8)<32>.i64 = MOV (r9).i64 arg4(s7)<24>.i64 = MOV (r8).i64 arg3(s6)<16>.i64 = MOV (rdx).i64 arg2(s5)<8>.i64 = MOV (rcx).i64 PrologStart PUSH (rbp).i64 (rbp).i64 = MOV (rsp).i64 (rsp).i64 = SUB (rsp).i64, 64 (0x40).i32 PrologEnd (rax).u32 = XOR (rax).u32, (rax).u32 s4<-8>.i64 = MOV (rax).i64 s3(rax).u64 = MOV 0xXXXXXXXX (&CallCount).u64 CMP [s3(rax).u64].u8, 255 (0xFF).u8 JEQ $L3 [s3(rax).u64].u8 = INC [s3(rax).u64].u8 $L3: s0(rax)[Undefined].var = MOV 0xXXXXXXXX (undefined)[Undefined].var Line 7: } Col 1: ^ StatementBoundary #0 StatementBoundary #-1 (rsp).i64 = MOV (rbp).i64 (rbp).i64 = POP RET 0 (0x0).i32, (rax).i64 FunctionExit $L4: [helper] (rdx).i64 = MOV 0xXXXXXXXX (ScriptContext).u64 (rcx).i64 = MOV 0x000000001BD0.u64 (rax).i64 = MOV ProbeCurrentStack.u64 JMP (rax).i64 StatementBoundary #- ----------------------------------------------------------------------------- ----------------------------------------------------------------------------- Empty function after : ----------------------------------------------------------------------------- Function empty ( (chakra-core#1.1), chakra-core#2) Instr Count:18 FunctionEntry PrologStart PUSH (rbp).i64 (rbp).i64 = MOV (rsp).i64 (rsp).i64 = SUB (rsp).i64, 32 (0x20).i32 PrologEnd s3(rax).u64 = MOV 0xXXXXXXXX (&CallCount).u64 CMP [s3(rax).u64].u8, 255 (0xFF).u8 JEQ $L3 [s3(rax).u64].u8 = INC [s3(rax).u64].u8 $L3: s0(rax)[Undefined].var = MOV 0xXXXXXXXX (undefined)[Undefined].var Line 7: } Col 1: ^ StatementBoundary #0 StatementBoundary #-1 (rsp).i64 = MOV (rbp).i64 (rbp).i64 = POP RET 0 (0x0).i32, (rax).i64 FunctionExit -----------------------------------------------------------------------------

… chakra heap for tracing and finalizing Create macros that allow for CBase and other types of objects to use the templated ThreadAlloc's for allocation. Use the macro for WebGLActiveInfo. Convert AddRef/Release to RootAddRef/RootRelease calls Virtual all non-public ref counting methods on CBase and abandon if they are called neuter JSBind_* methods related to refcounting Implement a Trace that simply traces the Var (which we actually know will already be marked due to how this object is reachable) Add a basic leak detector to the new type (interim, more as a sanity check) Modify callers creating this type of object to just new into a raw pointer on the stack. Call Passivate (if exists) in Dispose Ensure pointer is 16-byte aligned so that it is marked from CEO Var Patch up the IRecyclerVisitedObject interface to not take Recycler, but instead encapsulate that inside FinalizableObject Remove assert that prevented interior marking when in parallel/concurrent and recycler state not set (recycler state currently only used by MemGC) Modify assert in CBase::Passivate that expects Var to be nullptr by opting out GC traced objects

…getting the wrong value We were using the wrong bytecode register when emitting LdHomeObjProto in the case of a lambda capturing super via a dot reference. Consider this Javascript: ```javascript class A { } class B extends A { foo() { const _s = () => super.constructor; console.log(_s().name); } } ``` The member function foo correctly stashes this and super but the lambda needs to load them from the environment and it was loading them into the same register. Here's the incorrect bytecode: ``` Function _s ( (chakra-core#1.5), chakra-core#6) (In0) (size: 8 [8]) 5 locals (2 temps from R3), 1 inline cache Constant Table: ======== ===== R1 LdRoot Line 13: super.constructor Col 26: ^ 0000 ProfiledLdEnvSlot R3 = [1][2] <0> 0006 ProfiledLdEnvSlot R3 = [1][3] <1> 000c LdHomeObjProto R4 R3 0011 ProfiledLdSuperFld R0 = R4(this=R3). #0 <0> 0019 Br x:001e ( 2) 001c LdUndef R0 ``` With the fix in this PR, here's the bytecode we get for _s: ``` Function _s ( (chakra-core#1.5), chakra-core#6) (In0) (size: 8 [8]) 6 locals (3 temps from R3), 1 inline cache Constant Table: ======== ===== R1 LdRoot Line 56: super.constructor Col 26: ^ 0000 ProfiledLdEnvSlot R3 = [1][2] <0> 0006 ProfiledLdEnvSlot R4 = [1][3] <1> 000c LdHomeObjProto R5 R3 0011 ProfiledLdSuperFld R0 = R5(this=R4). #0 <0> 0019 Br x:001e ( 2) 001c LdUndef R0 ```

…uper.constructor) end up getting the wrong value Merge pull request #5914 from boingoing:super_capture_ts Class members which capture super via dot (super.constructor) end up getting the wrong value We were using the wrong bytecode register when emitting LdHomeObjProto in the case of a lambda capturing super via a dot reference. Consider this Javascript: ```javascript class A { } class B extends A { foo() { const _s = () => super.constructor; console.log(_s().name); } } ``` The member function foo correctly stashes this and super but the lambda needs to load them from the environment and it was loading them into the same register. Here's the incorrect bytecode: ``` Function _s ( (#1.5), #6) (In0) (size: 8 [8]) 5 locals (2 temps from R3), 1 inline cache Constant Table: ======== ===== R1 LdRoot Line 13: super.constructor Col 26: ^ 0000 ProfiledLdEnvSlot R3 = [1][2] <0> 0006 ProfiledLdEnvSlot R3 = [1][3] <1> 000c LdHomeObjProto R4 R3 0011 ProfiledLdSuperFld R0 = R4(this=R3). #0 <0> 0019 Br x:001e ( 2) 001c LdUndef R0 ``` With the fix in this PR, here's the bytecode we get for _s: ``` Function _s ( (#1.5), #6) (In0) (size: 8 [8]) 6 locals (3 temps from R3), 1 inline cache Constant Table: ======== ===== R1 LdRoot Line 56: super.constructor Col 26: ^ 0000 ProfiledLdEnvSlot R3 = [1][2] <0> 0006 ProfiledLdEnvSlot R4 = [1][3] <1> 000c LdHomeObjProto R5 R3 0011 ProfiledLdSuperFld R0 = R5(this=R4). #0 <0> 0019 Br x:001e ( 2) 001c LdUndef R0 ```

Since bailing in happens in the jit'd code, we have to generate code to output the trace. If tracing is enabled, we will fill the array of bail-in symbols in the generator instance (`bailInSymbolsTraceArray`) with their ids and values and finally output them with a call to a runtime helper. `-trace:bailin` together with `-trace:bailout -verbose` can help us easily debug jit'd generators by comparing the values when bailing out for `yield` and bailing in: ``` BailOut: function: func68 ( (chakra-core#1.1), chakra-core#2) offset: #003f Opcode: Yield Kind: BailOutForGeneratorYield BailOut: Register # 0: Not live BailOut: Register # 1: Constant table BailOut: Register # 2: Register r15 16, value: 0x0000023CE132EEA0 (Yield Return Value) BailOut: Register # 3: Register r12 13, value: 0x0001000000000004 BailOut: Return Value: 0x0000023CE132EEA0 BailIn: function: func68 ( (chakra-core#1.1), chakra-core#2) offset: chakra-core#42 BailIn: Register # 3, value: 0x0001000000000004 ``` ``` BailOut: function: func68 ( (chakra-core#1.1), chakra-core#2) offset: #006b Opcode: Yield Kind: BailOutForGeneratorYield BailOut: Register # 0: Not live BailOut: Register # 1: Constant table BailOut: Register # 3: Register r15 16, value: 0x0000023CE133E060 (Yield Return Value) BailOut: Return Value: 0x0000023CE133E060 BailIn: function: func68 ( (chakra-core#1.1), chakra-core#2) offset: #006e BailIn: No symbols reloaded ```

…l-in Merge pull request #6183 from nhat-nguyen:trace Since bailing in happens in the jit'd code, we have to generate code to output the trace. If tracing is enabled, we will fill the array of bail-in symbols in the generator instance (`bailInSymbolsTraceArray`) with their ids and values and finally output them with a call to a runtime helper. `-trace:bailin` together with `-trace:bailout -verbose` can help us easily debug jit'd generators by comparing the values when bailing out for `yield` and bailing in: ``` BailOut: function: func68 ( (#1.1), #2) offset: #003f Opcode: Yield Kind: BailOutForGeneratorYield BailOut: Register # 0: Not live BailOut: Register # 1: Constant table BailOut: Register # 2: Register r15 16, value: 0x0000023CE132EEA0 (Yield Return Value) BailOut: Register # 3: Register r12 13, value: 0x0001000000000004 BailOut: Return Value: 0x0000023CE132EEA0 BailIn: function: func68 ( (#1.1), #2) offset: #42 BailIn: Register # 3, value: 0x0001000000000004 ``` ``` BailOut: function: func68 ( (#1.1), #2) offset: #006b Opcode: Yield Kind: BailOutForGeneratorYield BailOut: Register # 0: Not live BailOut: Register # 1: Constant table BailOut: Register # 3: Register r15 16, value: 0x0000023CE133E060 (Yield Return Value) BailOut: Return Value: 0x0000023CE133E060 BailIn: function: func68 ( (#1.1), #2) offset: #006e BailIn: No symbols reloaded ```

MikeHolman added the bug label Jan 5, 2016

MikeHolman self-assigned this Jan 5, 2016

ianwjhalliday removed the bug label Jan 6, 2016

MikeHolman added the Bug label Jan 6, 2016

MikeHolman mentioned this issue Jan 6, 2016

fix bug in reattaching debugger for asm.js #15

Merged

chakrabot closed this as completed in #15 Jan 9, 2016

MikeHolman added the Fixed label Jan 9, 2016

pleath mentioned this issue Feb 12, 2016

Updates for 16-02 #305

Merged

nmostafa referenced this issue in nmostafa/ChakraCore Mar 1, 2016

CR Fixes #1

a811709

WebReflection mentioned this issue Jul 28, 2016

ArchLinux undeclared identifier min / max #1352

Closed

djn3m0 mentioned this issue Mar 16, 2017

Chakra compiled with ASAN not working (in non-static builds) #2694

Closed

KarenHuang2016 mentioned this issue Mar 31, 2017

Test "NumberFormatOptionsImplSpecific-Win10.js" failed on Windows Server 2012 R2 #2769

Closed

LouisLaf mentioned this issue Jun 12, 2017

Profile data should get propagated from inliner to inlinees #3140

Closed

litian2025 mentioned this issue Jun 29, 2017

ChakraCore hello scenario generates segmentation fault on Linux Skylake server #3262

Closed

rajatd mentioned this issue Jul 26, 2017

Heap overflow in CreateTTDDirectoryAsNeeded #3434

Closed

This was referenced Feb 13, 2018

memory leak unexplained #4674

Closed

segfault when linking to unwind library #4675

Closed

zhunki mentioned this issue Jul 26, 2018

null pointer dereference in EmitBooleanExpression #5532

Closed

crdumoul mentioned this issue Aug 7, 2018

Seg fault when accessing Context from multiple threads #5577

Closed

ghost mentioned this issue Mar 21, 2019

chakracore throws an abort trap (or oom crash on edge) with an invalid length to String.prototype.repeat ... maybe just display an error massage? #6042

Closed

bird8693 mentioned this issue Mar 17, 2021

Segmentation fault #6643

Open

wangyue6761 mentioned this issue Feb 20, 2022

Segmentation fault #6789

Closed

bhmohanr-techie mentioned this issue Aug 26, 2024

Fixing CVE-2021-42279: Chakra Scripting Engine Memory Corruption Vulnerability #6996

Closed

Provide feedback

Saved searches

Use saved searches to filter your results more quickly

performance tab crashes in f12 on pages with asm.js #1

performance tab crashes in f12 on pages with asm.js #1

MikeHolman commented Jan 5, 2016

performance tab crashes in f12 on pages with asm.js #1

performance tab crashes in f12 on pages with asm.js #1

Comments

MikeHolman commented Jan 5, 2016