Bug 1651037 part 2 - Add list of nursery objects to IonScript. r=iain,jonco

At this point the list is always empty. Depends on D82667 Differential Revision: https://phabricator.services.mozilla.com/D82668
2025-02-28 21:28:55 +00:00 · 2020-07-08 14:38:11 +00:00 · 2020-07-08 14:38:11 +00:00 · 3ba7af27c1
commit 3ba7af27c1
parent 4a7d563ddd
3 changed files with 53 additions and 11 deletions
--- a/js/src/jit/CodeGenerator.cpp
+++ b/js/src/jit/CodeGenerator.cpp
@ -11070,12 +11070,14 @@ bool CodeGenerator::link(JSContext* cx, CompilerConstraintList* constraints) {
    return false;
  }

+  size_t numNurseryObjects = 0;
+
  IonScript* ionScript = IonScript::New(
      cx, compilationId, graph.totalSlotCount(), argumentSlots, scriptFrameSize,
      snapshots_.listSize(), snapshots_.RVATableSize(), recovers_.size(),
-      bailouts_.length(), graph.numConstants(), safepointIndices_.length(),
-      osiIndices_.length(), icList_.length(), runtimeData_.length(),
-      safepoints_.size(), optimizationLevel);
+      bailouts_.length(), graph.numConstants(), numNurseryObjects,
+      safepointIndices_.length(), osiIndices_.length(), icList_.length(),
+      runtimeData_.length(), safepoints_.size(), optimizationLevel);
  if (!ionScript) {
    return false;
  }
--- a/js/src/jit/Ion.cpp
+++ b/js/src/jit/Ion.cpp
@ -608,9 +608,9 @@ IonScript* IonScript::New(JSContext* cx, IonCompilationId compilationId,
                          uint32_t frameSize, size_t snapshotsListSize,
                          size_t snapshotsRVATableSize, size_t recoversSize,
                          size_t bailoutEntries, size_t constants,
-                          size_t safepointIndices, size_t osiIndices,
-                          size_t icEntries, size_t runtimeSize,
-                          size_t safepointsSize,
+                          size_t nurseryObjects, size_t safepointIndices,
+                          size_t osiIndices, size_t icEntries,
+                          size_t runtimeSize, size_t safepointsSize,
                          OptimizationLevel optimizationLevel) {
  if (snapshotsListSize >= MAX_BUFFER_SIZE ||
      (bailoutEntries >= MAX_BUFFER_SIZE / sizeof(uint32_t))) {
@ -629,6 +629,7 @@ IonScript* IonScript::New(JSContext* cx, IonCompilationId compilationId,
  CheckedInt<Offset> allocSize = sizeof(IonScript);
  allocSize += CheckedInt<Offset>(constants) * sizeof(Value);
  allocSize += CheckedInt<Offset>(runtimeSize);
+  allocSize += CheckedInt<Offset>(nurseryObjects) * sizeof(HeapPtrObject);
  allocSize += CheckedInt<Offset>(osiIndices) * sizeof(OsiIndex);
  allocSize += CheckedInt<Offset>(safepointIndices) * sizeof(SafepointIndex);
  allocSize += CheckedInt<Offset>(bailoutEntries) * sizeof(SnapshotOffset);
@ -661,6 +662,11 @@ IonScript* IonScript::New(JSContext* cx, IonCompilationId compilationId,
  script->runtimeDataOffset_ = offsetCursor;
  offsetCursor += runtimeSize;

+  MOZ_ASSERT(offsetCursor % alignof(HeapPtrObject) == 0);
+  script->initElements<HeapPtrObject>(offsetCursor, nurseryObjects);
+  script->nurseryObjectsOffset_ = offsetCursor;
+  offsetCursor += nurseryObjects * sizeof(HeapPtrObject);
+
  MOZ_ASSERT(offsetCursor % alignof(OsiIndex) == 0);
  script->osiIndexOffset_ = offsetCursor;
  offsetCursor += osiIndices * sizeof(OsiIndex);
@ -693,6 +699,7 @@ IonScript* IonScript::New(JSContext* cx, IonCompilationId compilationId,

  MOZ_ASSERT(script->numConstants() == constants);
  MOZ_ASSERT(script->runtimeSize() == runtimeSize);
+  MOZ_ASSERT(script->numNurseryObjects() == nurseryObjects);
  MOZ_ASSERT(script->numOsiIndices() == osiIndices);
  MOZ_ASSERT(script->numSafepointIndices() == safepointIndices);
  MOZ_ASSERT(script->numBailoutEntries() == bailoutEntries);
@ -715,6 +722,10 @@ void IonScript::trace(JSTracer* trc) {
    TraceEdge(trc, &getConstant(i), "constant");
  }

+  for (size_t i = 0; i < numNurseryObjects(); i++) {
+    TraceEdge(trc, &nurseryObjects()[i], "nursery-object");
+  }
+
  // Trace caches so that the JSScript pointer can be updated if moved.
  for (size_t i = 0; i < numICs(); i++) {
    getICFromIndex(i).trace(trc, this);
@ -857,6 +868,22 @@ const OsiIndex* IonScript::getOsiIndex(uint8_t* retAddr) const {
 }

 void IonScript::Destroy(JSFreeOp* fop, IonScript* script) {
+  // Make sure there are no pointers into the IonScript's nursery objects list
+  // in the store buffer. Because this can be called during sweeping when
+  // discarding JIT code, we have to lock the store buffer when we find an
+  // object that's (still) in the nursery.
+  mozilla::Maybe<gc::AutoLockStoreBuffer> lock;
+  for (size_t i = 0, len = script->numNurseryObjects(); i < len; i++) {
+    JSObject* obj = script->nurseryObjects()[i];
+    if (!IsInsideNursery(obj)) {
+      continue;
+    }
+    if (lock.isNothing()) {
+      lock.emplace(&fop->runtime()->gc.storeBuffer());
+    }
+    script->nurseryObjects()[i] = HeapPtrObject();
+  }
+
  // This allocation is tracked by JSScript::setIonScriptImpl.
  fop->deleteUntracked(script);
 }
--- a/js/src/jit/IonScript.h
+++ b/js/src/jit/IonScript.h
@ -60,8 +60,9 @@ class alignas(8) IonScript final : public TrailingArray {
  // Offset (in bytes) from `this` to the start of each trailing array. Each
  // array ends where following one begins. There is no implicit padding (except
  // possible at very end).
-  Offset constantTableOffset_ = 0;  // JS::Value aligned
-  Offset runtimeDataOffset_ = 0;    // uint64_t aligned
+  Offset constantTableOffset_ = 0;   // JS::Value aligned
+  Offset runtimeDataOffset_ = 0;     // uint64_t aligned
+  Offset nurseryObjectsOffset_ = 0;  // pointer aligned
  Offset osiIndexOffset_ = 0;
  Offset safepointIndexOffset_ = 0;
  Offset bailoutTableOffset_ = 0;
@ -135,6 +136,7 @@ class alignas(8) IonScript final : public TrailingArray {
  // Layout helpers
  Offset constantTableOffset() const { return constantTableOffset_; }
  Offset runtimeDataOffset() const { return runtimeDataOffset_; }
+  Offset nurseryObjectsOffset() const { return nurseryObjectsOffset_; }
  Offset osiIndexOffset() const { return osiIndexOffset_; }
  Offset safepointIndexOffset() const { return safepointIndexOffset_; }
  Offset bailoutTableOffset() const { return bailoutTableOffset_; }
@ -171,7 +173,18 @@ class alignas(8) IonScript final : public TrailingArray {
    return offsetToPointer<uint8_t>(runtimeDataOffset());
  }
  size_t runtimeSize() const {
-    return numElements<uint8_t>(runtimeDataOffset(), osiIndexOffset());
+    return numElements<uint8_t>(runtimeDataOffset(), nurseryObjectsOffset());
+  }
+
+  //
+  // List of (originally) nursery-allocated objects referenced from JIT code.
+  // (JSObject* alignment)
+  //
+  HeapPtrObject* nurseryObjects() {
+    return offsetToPointer<HeapPtrObject>(nurseryObjectsOffset());
+  }
+  size_t numNurseryObjects() const {
+    return numElements<HeapPtrObject>(nurseryObjectsOffset(), osiIndexOffset());
  }

  //
@ -263,8 +276,8 @@ class alignas(8) IonScript final : public TrailingArray {
                        uint32_t frameSize, size_t snapshotsListSize,
                        size_t snapshotsRVATableSize, size_t recoversSize,
                        size_t bailoutEntries, size_t constants,
-                        size_t safepointIndices, size_t osiIndices,
-                        size_t icEntries, size_t runtimeSize,
+                        size_t nurseryObjects, size_t safepointIndices,
+                        size_t osiIndices, size_t icEntries, size_t runtimeSize,
                        size_t safepointsSize,
                        OptimizationLevel optimizationLevel);