[amd64] fix tailcall insn size #5483
Merged
Conversation
This file contains hidden or bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
Contributor
Author
|
@akoeplinger can I trigger the acceptance tests for a PR? |
Contributor
Author
|
I should clarify that 9a634c1 does not introduce a regression, but makes another bug surface |
vargaz
reviewed
Aug 31, 2017
mono/mini/cpu-amd64.md
Outdated
Contributor
There was a problem hiding this comment.
Does this really need to be increased by a 100 bytes ?
Contributor
Author
There was a problem hiding this comment.
I determined it by printing the size diff between beginning of
Line 4484 in 078463f
Member
|
@monojenkins build acceptance tests |
9a858cf to
3da9d3a
Compare
Contributor
Author
|
if I revert the change and remove the I've updated the commit and removed it, because it doesn't make sense imho. @vargaz what do you think? |
Contributor
|
I think the problem is that OP_TAILCALL has an unlimited size due to the need to copy arguments. |
commit mono@9a634c1 introduces a regression for https://github.com/mono/coreclr/blob/mono/tests/src/JIT/Methodical/Invoke/25params/25param1c.il ``` Testing method of 25 parameters, all of int data type, tail.call mono-sgen(46435,0x7fff9d34b3c0) malloc: *** error for object 0x101045400: incorrect checksum for freed object - object was probably modified after being freed. *** set a breakpoint in malloc_error_break to debug Process 46435 stopped * thread #1, name = 'tid_307', queue = 'com.apple.main-thread', stop reason = breakpoint 1.1 frame #0: 0x00007fff945c915f libsystem_malloc.dylib`malloc_error_break libsystem_malloc.dylib`malloc_error_break: -> 0x7fff945c915f <+0>: pushq %rbp 0x7fff945c9160 <+1>: movq %rsp, %rbp 0x7fff945c9163 <+4>: nop 0x7fff945c9164 <+5>: nopl (%rax) (lldb) mbt * thread #1 * frame #0: 0x00007fff945c915f libsystem_malloc.dylib`malloc_error_break frame #1: 0x00007fff945c5e81 libsystem_malloc.dylib`szone_error + 406 frame #2: 0x00007fff945c7925 libsystem_malloc.dylib`small_free_list_remove_ptr_no_clear + 766 frame mono#3: 0x00007fff945c7cb2 libsystem_malloc.dylib`free_small + 881 frame mono#4: 0x00000001004d2110 mono-sgen`monoeg_g_free(ptr=0x0000000101083c00) at gmem.c:66 frame mono#5: 0x0000000100007b64 mono-sgen`mono_codegen(cfg=0x000000010108c800) at mini.c:2300 frame mono#6: 0x000000010000aedf mono-sgen`mini_method_compile(method=0x0000000100910310, opts=370239999, domain=0x000000010090ebd0, flags=JIT_FLAG_RUN_CCTORS, parts=0, aot_method_index=-1) at mini.c:3829 frame mono#7: 0x000000010000edd0 mono-sgen`mono_jit_compile_method_inner(method=0x0000000100910310, target_domain=0x000000010090ebd0, opt=370239999, error=0x00007fff5fbfe048) at mini.c:4156 frame mono#8: 0x000000010001459e mono-sgen`mono_jit_compile_method_with_opt(method=0x0000000100910310, opt=370239999, jit_only=0, error=0x00007fff5fbfe048) at mini-runtime.c:2127 frame mono#9: 0x0000000100013e6d mono-sgen`mono_jit_compile_method(method=0x0000000100910310, error=0x00007fff5fbfe048) at mini-runtime.c:2173 frame mono#10: 0x0000000100131eea mono-sgen`common_call_trampoline(regs=0x00007fff5fbfe128, code="H\x8bй\x01", m=0x0000000100910310, vt=0x0000000000000000, vtable_slot=0x0000000000000000, error=0x00007fff5fbfe048) at mini-trampolines.c:704 frame mono#11: 0x00000001001313b7 mono-sgen`mono_magic_trampoline(regs=0x00007fff5fbfe128, code="H\x8bй\x01", arg=0x0000000100910310, tramp="����\b\x10\x03\x91") at mini-trampolines.c:835 ``` turns out we smashed our code buffer. Also, transform this comparison: ``` if (G_UNLIKELY (offset > (cfg->code_size - max_len - EXTRA_CODE_SPACE))) { if (G_UNLIKELY ((offset + max_len + EXTRA_CODE_SPACE) > cfg->code_size)) { ``` we deal with unsigned values here, and if `max_len` is bigger then `cfg->code_size`, we won't resize the buffer.
3da9d3a to
b3bf5e9
Compare
Contributor
Author
|
@vargaz I see, so I guess we should potentially resize the buffer inside of the tailcall op. I've updated the commit, what do you think now? |
Contributor
Author
|
@monojenkins build acceptance tests |
vargaz
approved these changes
Sep 4, 2017
Contributor
Author
|
@monojenkins rebase |
Contributor
|
cannot rebase:
|
6 similar comments
Contributor
|
cannot rebase:
|
Contributor
|
cannot rebase:
|
Contributor
|
cannot rebase:
|
Contributor
|
cannot rebase:
|
Contributor
|
cannot rebase:
|
Contributor
|
cannot rebase:
|
alexanderkyte
pushed a commit
to alexanderkyte/mono
that referenced
this pull request
Oct 26, 2017
commit mono@9a634c1 introduces a regression for https://github.com/mono/coreclr/blob/mono/tests/src/JIT/Methodical/Invoke/25params/25param1c.il ``` Testing method of 25 parameters, all of int data type, tail.call mono-sgen(46435,0x7fff9d34b3c0) malloc: *** error for object 0x101045400: incorrect checksum for freed object - object was probably modified after being freed. *** set a breakpoint in malloc_error_break to debug Process 46435 stopped * thread mono#1, name = 'tid_307', queue = 'com.apple.main-thread', stop reason = breakpoint 1.1 frame #0: 0x00007fff945c915f libsystem_malloc.dylib`malloc_error_break libsystem_malloc.dylib`malloc_error_break: -> 0x7fff945c915f <+0>: pushq %rbp 0x7fff945c9160 <+1>: movq %rsp, %rbp 0x7fff945c9163 <+4>: nop 0x7fff945c9164 <+5>: nopl (%rax) (lldb) mbt * thread mono#1 * frame #0: 0x00007fff945c915f libsystem_malloc.dylib`malloc_error_break frame mono#1: 0x00007fff945c5e81 libsystem_malloc.dylib`szone_error + 406 frame mono#2: 0x00007fff945c7925 libsystem_malloc.dylib`small_free_list_remove_ptr_no_clear + 766 frame mono#3: 0x00007fff945c7cb2 libsystem_malloc.dylib`free_small + 881 frame mono#4: 0x00000001004d2110 mono-sgen`monoeg_g_free(ptr=0x0000000101083c00) at gmem.c:66 frame mono#5: 0x0000000100007b64 mono-sgen`mono_codegen(cfg=0x000000010108c800) at mini.c:2300 frame mono#6: 0x000000010000aedf mono-sgen`mini_method_compile(method=0x0000000100910310, opts=370239999, domain=0x000000010090ebd0, flags=JIT_FLAG_RUN_CCTORS, parts=0, aot_method_index=-1) at mini.c:3829 frame mono#7: 0x000000010000edd0 mono-sgen`mono_jit_compile_method_inner(method=0x0000000100910310, target_domain=0x000000010090ebd0, opt=370239999, error=0x00007fff5fbfe048) at mini.c:4156 frame mono#8: 0x000000010001459e mono-sgen`mono_jit_compile_method_with_opt(method=0x0000000100910310, opt=370239999, jit_only=0, error=0x00007fff5fbfe048) at mini-runtime.c:2127 frame mono#9: 0x0000000100013e6d mono-sgen`mono_jit_compile_method(method=0x0000000100910310, error=0x00007fff5fbfe048) at mini-runtime.c:2173 frame mono#10: 0x0000000100131eea mono-sgen`common_call_trampoline(regs=0x00007fff5fbfe128, code="H\x8bй\x01", m=0x0000000100910310, vt=0x0000000000000000, vtable_slot=0x0000000000000000, error=0x00007fff5fbfe048) at mini-trampolines.c:704 frame mono#11: 0x00000001001313b7 mono-sgen`mono_magic_trampoline(regs=0x00007fff5fbfe128, code="H\x8bй\x01", arg=0x0000000100910310, tramp="����\b\x10\x03\x91") at mini-trampolines.c:835 ``` turns out we smashed our code buffer. Also, transform this comparison: ``` if (G_UNLIKELY (offset > (cfg->code_size - max_len - EXTRA_CODE_SPACE))) { if (G_UNLIKELY ((offset + max_len + EXTRA_CODE_SPACE) > cfg->code_size)) { ``` we deal with unsigned values here, and if `max_len` is bigger then `cfg->code_size`, we won't resize the buffer.
picenka21
pushed a commit
to picenka21/runtime
that referenced
this pull request
Feb 18, 2022
commit https://github.com/mono/mono/commit/mono/mono@9a634c1810aad46d30a674f3a97ab263dcd4272e introduces a regression for https://github.com/mono/coreclr/blob/mono/tests/src/JIT/Methodical/Invoke/25params/25param1c.il ``` Testing method of 25 parameters, all of int data type, tail.call mono-sgen(46435,0x7fff9d34b3c0) malloc: *** error for object 0x101045400: incorrect checksum for freed object - object was probably modified after being freed. *** set a breakpoint in malloc_error_break to debug Process 46435 stopped * thread mono/mono#1, name = 'tid_307', queue = 'com.apple.main-thread', stop reason = breakpoint 1.1 frame mono/mono#0: 0x00007fff945c915f libsystem_malloc.dylib`malloc_error_break libsystem_malloc.dylib`malloc_error_break: -> 0x7fff945c915f <+0>: pushq %rbp 0x7fff945c9160 <+1>: movq %rsp, %rbp 0x7fff945c9163 <+4>: nop 0x7fff945c9164 <+5>: nopl (%rax) (lldb) mbt * thread mono/mono#1 * frame mono/mono#0: 0x00007fff945c915f libsystem_malloc.dylib`malloc_error_break frame mono/mono#1: 0x00007fff945c5e81 libsystem_malloc.dylib`szone_error + 406 frame mono/mono#2: 0x00007fff945c7925 libsystem_malloc.dylib`small_free_list_remove_ptr_no_clear + 766 frame mono/mono#3: 0x00007fff945c7cb2 libsystem_malloc.dylib`free_small + 881 frame mono/mono#4: 0x00000001004d2110 mono-sgen`monoeg_g_free(ptr=0x0000000101083c00) at gmem.c:66 frame mono/mono#5: 0x0000000100007b64 mono-sgen`mono_codegen(cfg=0x000000010108c800) at mini.c:2300 frame mono/mono#6: 0x000000010000aedf mono-sgen`mini_method_compile(method=0x0000000100910310, opts=370239999, domain=0x000000010090ebd0, flags=JIT_FLAG_RUN_CCTORS, parts=0, aot_method_index=-1) at mini.c:3829 frame mono/mono#7: 0x000000010000edd0 mono-sgen`mono_jit_compile_method_inner(method=0x0000000100910310, target_domain=0x000000010090ebd0, opt=370239999, error=0x00007fff5fbfe048) at mini.c:4156 frame mono/mono#8: 0x000000010001459e mono-sgen`mono_jit_compile_method_with_opt(method=0x0000000100910310, opt=370239999, jit_only=0, error=0x00007fff5fbfe048) at mini-runtime.c:2127 frame mono/mono#9: 0x0000000100013e6d mono-sgen`mono_jit_compile_method(method=0x0000000100910310, error=0x00007fff5fbfe048) at mini-runtime.c:2173 frame mono/mono#10: 0x0000000100131eea mono-sgen`common_call_trampoline(regs=0x00007fff5fbfe128, code="H\x8bй\x01", m=0x0000000100910310, vt=0x0000000000000000, vtable_slot=0x0000000000000000, error=0x00007fff5fbfe048) at mini-trampolines.c:704 frame mono/mono#11: 0x00000001001313b7 mono-sgen`mono_magic_trampoline(regs=0x00007fff5fbfe128, code="H\x8bй\x01", arg=0x0000000100910310, tramp="����\b\x10\x03\x91") at mini-trampolines.c:835 ``` turns out we smashed our code buffer. Also, transform this comparison: ``` if (G_UNLIKELY (offset > (cfg->code_size - max_len - EXTRA_CODE_SPACE))) { if (G_UNLIKELY ((offset + max_len + EXTRA_CODE_SPACE) > cfg->code_size)) { ``` we deal with unsigned values here, and if `max_len` is bigger then `cfg->code_size`, we won't resize the buffer. Commit migrated from mono/mono@79e94c4
Sign up for free
to join this conversation on GitHub.
Already have an account?
Sign in to comment
5 participants
Add this suggestion to a batch that can be applied as a single commit.
This suggestion is invalid because no changes were made to the code.
Suggestions cannot be applied while the pull request is closed.
Suggestions cannot be applied while viewing a subset of changes.
Only one suggestion per line can be applied in a batch.
Add this suggestion to a batch that can be applied as a single commit.
Applying suggestions on deleted lines is not supported.
You must change the existing code in this line in order to create a valid suggestion.
Outdated suggestions cannot be applied.
This suggestion has been applied or marked resolved.
Suggestions cannot be applied from pending reviews.
Suggestions cannot be applied on multi-line comments.
Suggestions cannot be applied while the pull request is queued to merge.
Suggestion cannot be applied right now. Please check back later.
commit 9a634c1
introduces a regression for https://github.com/mono/coreclr/blob/mono/tests/src/JIT/Methodical/Invoke/25params/25param1c.il
turns out we smashed our code buffer