1
Fork 0
mirror of https://github.com/RGBCube/serenity synced 2025-10-24 10:42:34 +00:00
Commit graph

172 commits

Author SHA1 Message Date
Andreas Kling
ee3d09f225 LibJS: Show class in SerenityOS mmap name for type-specific allocators 2023-12-31 15:35:56 +01:00
Andreas Kling
b6d4eea7ac LibJS: Never give back virtual memory once it belongs to a cell type
Instead of returning HeapBlock memory to the kernel (or a non-type
specific shared cache), we now keep a BlockAllocator per CellAllocator
and implement "deallocation" by basically informing the kernel that we
don't need the physical memory right now.

This is done with MADV_FREE or MADV_DONTNEED if available, but for other
platforms (including SerenityOS) we munmap and then re-mmap the memory
to achieve the same effect. It's definitely clunky, so I've added a
FIXME about implementing the madvise options on SerenityOS too.

The important outcome of this change is that GC types that use a
type-specific allocator become immune to use-after-free type confusion
attacks, since their virtual addresses will only ever be re-used for
the same exact type again and again.

Fixes #22274
2023-12-31 15:35:56 +01:00
Andreas Kling
6c1fcc5f7e LibJS: Actually invoke the type-isolating cell allocators
Due to a `requires` mistake, we were always using the fallback
size-based cell allocators.

Also, now that we start using them, make them NeverDestroyed so
we don't try to deallocate them on program exit.
2023-12-23 23:02:10 +01:00
Andreas Kling
11c968fa1f LibJS: Make Heap aware of all CellAllocators
Also add a link from HeapBlock to their owning CellAllocator.
This fixes an issue where the Heap would skip over non-size-based
cell allocators.
2023-12-23 23:02:10 +01:00
Ali Mohammad Pur
5e1499d104 Everywhere: Rename {Deprecated => Byte}String
This commit un-deprecates DeprecatedString, and repurposes it as a byte
string.
As the null state has already been removed, there are no other
particularly hairy blockers in repurposing this type as a byte string
(what it _really_ is).

This commit is auto-generated:
  $ xs=$(ack -l \bDeprecatedString\b\|deprecated_string AK Userland \
    Meta Ports Ladybird Tests Kernel)
  $ perl -pie 's/\bDeprecatedString\b/ByteString/g;
    s/deprecated_string/byte_string/g' $xs
  $ clang-format --style=file -i \
    $(git diff --name-only | grep \.cpp\|\.h)
  $ gn format $(git ls-files '*.gn' '*.gni')
2023-12-17 18:25:10 +03:30
Aliaksandr Kalenik
b108d51c5b LibJS: Only consider VM-accessible execution contexts as strong roots
Partially reverts 3dc5f467a8 to fix
GC memory leak that happens because we treated all execution contexts
as strong roots.
2023-12-13 11:19:13 +01:00
Aliaksandr Kalenik
57e5abae92 LibJS+LibWebView+WebContent+Ladybird: Output GC-graph into a file
Instead of displaying a massive JSON in stdout, it's more practical
to save the GC-graph to a file.
2023-12-12 15:35:35 +01:00
Dan Klishch
96d44b1572 Userland: Make bit-fields compatible with MSVC C++ ABI 2023-12-07 10:28:19 -07:00
Andreas Kling
3dc5f467a8 LibJS: Always allocate ExecutionContext objects on the malloc heap
Instead of allocating these in a mixture of ways, we now always put
them on the malloc heap, and keep an intrusive linked list of them
that we can iterate for GC marking purposes.
2023-11-29 09:48:18 +01:00
Andreas Kling
3c74dc9f4d LibJS: Segregate GC-allocated objects by type
This patch adds two macros to declare per-type allocators:

- JS_DECLARE_ALLOCATOR(TypeName)
- JS_DEFINE_ALLOCATOR(TypeName)

When used, they add a type-specific CellAllocator that the Heap will
delegate allocation requests to.

The result of this is that GC objects of the same type always end up
within the same HeapBlock, drastically reducing the ability to perform
type confusion attacks.

It also improves HeapBlock utilization, since each block now has cells
sized exactly to the type used within that block. (Previously we only
had a handful of block sizes available, and most GC allocations ended
up with a large amount of slack in their tails.)

There is a small performance hit from this, but I'm sure we can make
up for it elsewhere.

Note that the old size-based allocators still exist, and we fall back
to them for any type that doesn't have its own CellAllocator.
2023-11-19 12:10:31 +01:00
Andreas Kling
84a8ee01e1 LibJS: Lower HeapBlock size to 4 KiB
This is to prepare for making per-type allocators, since we'll have a
*lot* more HeapBlocks in that world.
2023-11-19 12:10:31 +01:00
Tim Schumacher
a2f60911fe AK: Rename GenericTraits to DefaultTraits
This feels like a more fitting name for something that provides the
default values for Traits.
2023-11-09 10:05:51 -05:00
Andreas Kling
8a727abd23 LibJS: Move Heap intrusive list manipulation inline
The functions for registering and unregistering MarkedVector, Handle,
etc. were quite prominent in benchmark profiles.

4% speed-up on the entire Kraken benchmark :^)
(including: 7% speed-up on Kraken/imaging-gaussian-blur.js, the current
slowest subtest)
2023-10-07 11:36:28 +02:00
Andreas Kling
a54e283901 LibJS: Fix two bugs in the GC fast rejection of possible pointers
- Convert to FlatPtr instead of doing pointer arithmetic on a too-large
  pointer type in find_min_and_max_block_addresses(). This makes the
  range more accurate.

- Untag possible cell pointers in add_possible_value() before doing the
  rejection. Otherwise we end up rejecting most pointers since the tags
  sit in the highest bits!

This fixes a crash when running the Speedometer benchmark.
2023-09-30 09:50:55 +02:00
Aliaksandr Kalenik
e79d4f3462 LibJS: Early reject pointers outside of allocated blocks range in GC
This change adds a check to discard pointers that are lower than the
minimum address of all allocated blocks or higher than the maximum
address of all blocks. By doing this we avoid executing plenty of set()
operations on the HashMap in the add_possible_value().

With this change gather_conservative_roots() run 10x times faster in
Speedometer React-Redux-TodoMVC test.
2023-09-30 08:07:12 +02:00
Aliaksandr Kalenik
c46ce53ce3 LibJS: Declare HeapFunction::function() with [[nodiscard]] 2023-09-26 19:42:59 +02:00
Hendiadyoin1
12c6692611 LibJS: Defer GC during cell construction
This stops us from trying to collect not fully constructed Cells,
which's vtables are not fully initialized, which would cause issues
during GC.
2023-09-25 13:19:25 +02:00
Hendiadyoin1
87e063db65 LibJS: Make GC deferral friendship based 2023-09-25 13:19:25 +02:00
Aliaksandr Kalenik
719a00df3a LibJS: Add source location for Handle nodes in GC graph dumper output
With this change JS::Handle root nodes will contain source location
where they were constructed like:
```
    "94675029575744": {
        "root": "Handle activate_event_handler \
           serenity/Userland/Libraries/LibWeb/DOM/EventTarget.cpp:564",
        "class_name": "HTMLButtonElement",
        "edges": [
            "94675025955904",
            "94675026899520",
            "94675030831168",
```
2023-09-24 14:55:32 +02:00
Andreas Kling
9220c68408 LibJS: Avoid pointless HashTable copying during GC mark phase
for_each_cell_among_possible_pointers() was taking HashTable by value
instead of by const reference for no reason.

The copying was soaking up ~4% of CPU time while loading https://x.com/
2023-09-15 12:12:54 +02:00
Andrew Kaster
96600e77c2 LibJS: Enable storing Value and Handle<Value> in HashMaps
We have the right conversions to make this work, so let's make it
possible to have a `HashMap<JS::Handle<T>, V>` and look for a specific
T inside it without having to create a temporary handle.

This involves adding some operator== implementations, and some
specializations of AK::Traits.
2023-08-22 13:08:08 +02:00
Aliaksandr Kalenik
469aea5a5b AK+LibJS: Introduce JS::HeapFunction
This change introduces HeapFunction, which is intended to be used as a
replacement for SafeFunction. The new type behaves like a regular
GC-allocated object, which means it needs to be visited from
visit_edges, and unlike SafeFunction, it does not create new roots for
captured parameters.

Co-Authored-By: Andreas Kling <kling@serenityos.org>
2023-08-19 05:03:17 +02:00
Aliaksandr Kalenik
0ff29349e6 LibJS: Add GC graph dumper
This change introduces a very basic GC graph dumper. The `dump_graph()`
function outputs JSON data that contains information about all nodes in
the graph, including their class types and edges.

Root nodes will have a property indicating their root type or source
location if the root is captured by a SafeFunction. It would be useful
to add source location for other types of roots in the future.

Output JSON dump have following format:
```json
    "4908721208": {
        "class_name": "Accessor",
        "edges": [
            "4909298232",
            "4909297976"
        ]
    },
    "4907520440": {
        "root": "SafeFunction Optional Optional.h:137",
        "class_name": "Realm",
        "edges": [
            "4908269624",
            "4924821560",
            "4908409240",
            "4908483960",
            "4924527672"
        ]
    },
    "4908251320": {
        "class_name": "CSSStyleRule",
        "edges": [
            "4908302648",
            "4925101656",
            "4908251192"
        ]
    },
```
2023-08-17 18:27:02 +02:00
Daniel Bertalan
65232b6681 LibJS: Mark classes and virtual functions final where possible
These cases were found with GCC's `-Wsuggest-final-{types,methods}`
warnings, which catch calls that could have been devirtualized had we
declared the functions `final` in the source.

To reproduce, Link Time Optimization needs to be enabled. The easiest
way to achieve this is to set the `CMAKE_INTERPROCEDURAL_OPTIMIZATION`
cache variable to `ON`. The `.incbin` directive in LibCompress' Brotli
decompressor might needs to be changed to an absolute path for this to
work.

This commit also removes a pair of unused virtual functions.
2023-08-13 18:05:09 +02:00
Andreas Kling
72c9f56c66 LibJS: Make Heap::allocate<T>() infallible
Stop worrying about tiny OOMs. Work towards #20449.

While going through these, I also changed the function signature in many
places where returning ThrowCompletionOr<T> is no longer necessary.
2023-08-13 15:38:42 +02:00
Aliaksandr Kalenik
d978c762bc LibJS: Remove usage of bytecode_interpreter_if_exists()
There is no need to check if bytecode interpreter exists after we
switched away from AST interpreter.
2023-08-12 08:46:35 +02:00
flofriday
a2abc5b824 LibJS: Improve garbage collection trigger condition
This patch triggers the collector when allocated memory doubles instead
of every 100k allocations. Which can almost half (reduce by ~48%) the
time spent on collection when loading google-maps.

This dynamic approach is inspired by some other GCs like Golang's and
Lua's and improves performance in memory heavy applications because
marking must visit old objects which will dominate the marking phase if
the GC is invoked too often.

This commit also improves the Octane Splay benchmark and almost
doubles it :^)
2023-08-09 18:32:19 +02:00
Andreas Kling
2eaa528a0e LibJS: Rip out the AST interpreter :^)
This has been superseded by the bytecode VM, which is both faster
and more capable.
2023-08-08 13:07:13 +02:00
Andreas Kling
18c54d8d40 LibJS: Make Cell::initialize() return void
Stop worrying about tiny OOMs.

Work towards #20405
2023-08-08 07:39:11 +02:00
Daniel Bertalan
66645cdc94 LibJS+LibWeb: Mark NonnullGCPtr::ptr() as returns_nonnull
This invariant is enforced by the fact that `NonnullGCPtr` can only be
constructed from references.

This commit fixes an instance where we compared a pointer to null after
we have already dereferenced it.
2023-08-07 22:20:03 -04:00
Daniel Bertalan
9feb1ce39f LibJS+LibWeb: Apply the Rule of Zero to {Nonnull,}GCPtr<T>
The compiler-generated copy constructor and copy assignment operator
already do the right thing (which is to simply copy the underlying
pointer).

The [Itanium C++ ABI][1] treats any class with non-trivial copy/move
constructors and destructors as non-trivial for the purposes of calls --
even if they are functionally identical to the compiler-generated ones.
If a class is non-trivial, it cannot be passed or returned in registers,
only via an invisible reference, which is worse for codegen. This commit
makes `{Nonnull,}GCPtr` trivial.

As the compiler can be sure that capturing a `GCPtr` by value has no
side effects, a few `-Wunused-lambda-capture` warnings had to be
addressed in LibWeb.

GCC seems to have a bug that prevents `ExceptionOr<Variant<GCPtr<T>>>`
from being implicitly constructed from `GCPtr<T>` after this change. A
non-invasive workaround is to explicitly construct the inner Variant
type.

[1]: https://itanium-cxx-abi.github.io/cxx-abi/abi.html#non-trivial
2023-08-07 22:20:03 -04:00
Andreas Kling
1768d70823 Revert "LibJS: Remove "uprooting" mechanism from garbage collector"
This reverts commit 6232ad3a0d.

Unfortunately this introduced some flakiness on CI, so it wasn't
quite this simple.
2023-07-22 06:53:26 +02:00
Andreas Kling
6232ad3a0d LibJS: Remove "uprooting" mechanism from garbage collector
The Heap::uproot_cell() API was used to implement markAsGarbage() which
was used in 3 tests to forcibly destroy a value, even if it had
references on the stack or elsewhere.

This patch rewrites the 3 tests that used this mechanism to be
structured in a way that allows garbage collection to collect the values
as intended without hacks. And now that the uprooting mechanism is no
longer needed, it's uprooted as well.

This fixes 3 test-js tests in bytecode mode. :^)
2023-07-21 14:14:00 +02:00
Ali Mohammad Pur
06c6c40df9 LibWeb+LibJS: Move some code around to make CSS/Parser parse faster
This makes it possible to include fewer full definitions of things,
which makes the file about 30% faster to compile.
2023-07-11 09:38:37 +03:30
Ali Mohammad Pur
392b5c3b19 LibJS: Resolve a circular include problem between HeapBlock and Cell
Cell::heap() and Cell::vm() needed to access member functions from
HeapBlock, and wanted to be inline, so they were moved to VM.h.
That approach will no longer work with VM.h not being included in every
file (starting from the next commit), so this commit fixes that circular
import issue by introducing secondary base classes to host the
references to Heap and VM, respectively.
2023-07-11 09:38:37 +03:30
Timothy Flynn
c911781c21 Everywhere: Remove needless trailing semi-colons after functions
This is a new option in clang-format-16.
2023-07-08 10:32:56 +01:00
Andreas Kling
fb979dcf34 LibJS/Bytecode: Make Bytecode::Interpreter participate in GC marking
Since the relationship between VM and Bytecode::Interpreter is now
clear, we can have VM ask the Interpreter for roots in the GC marking
pass. This avoids having to register and unregister handles and
MarkedVectors over and over.

Since GeneratorObject can also own a RegisterWindow, we share the code
in a RegisterWindow::visit_edges() helper.

~4% speed-up on Kraken/stanford-crypto-ccm.js :^)
2023-07-02 14:50:02 +02:00
Andrew Kaster
31440687a3 LibJS: Check the ASAN fake stack for heap pointers when ASAN is enabled
This is a similar strategy to what v8 does. Use the ASAN API function
__asan_addr_is_in_fake_stack to check any fake stack frames associated
with each stack address we scan. This fully allows running test-js -g
with the option detect_stack_use_after_return turned on.
2023-07-01 07:03:11 +02:00
MacDue
130ec7e5b4 LibJS: Align HeapBlock cell storage to __BIGGEST_ALIGNMENT__
alignas(Cell) is just the alignment requirement for the base class
(which resolves to 8-bytes). This does not necessarily hold for all
subclasses.
2023-06-19 21:59:35 +02:00
kleines Filmröllchen
213025f210 AK: Rename Time to Duration
That's what this class really is; in fact that's what the first line of
the comment says it is.

This commit does not rename the main files, since those will contain
other time-related classes in a little bit.
2023-05-24 23:18:07 +02:00
Matthew Olsson
a9d192e882 LibJS+LibWeb: Explicitly mark ignored members in visit_edges methods 2023-04-30 06:04:33 +02:00
Matthew Olsson
7c0c1c8f49 LibJS+LibWeb: Wrap raw JS::Cell*/& fields in GCPtr/NonnullGCPtr 2023-03-15 08:48:49 +01:00
Matthew Olsson
1df3652e27 LibJS: Allow constructing a Handle<T> from a {Nonnull,}GCPtr<T> 2023-03-15 08:48:49 +01:00
Matthew Olsson
5094dcf615 LibJS: Allow constructing a GCPtr from another GCPtr of convertible type 2023-03-15 08:48:49 +01:00
Matthew Olsson
93a5a54927 LibJS: Allow GCPtr and NonnullGCPtr to be hashed 2023-03-15 08:48:49 +01:00
Andreas Kling
d21d1d99bd LibJS: Don't skip CPU registers when gathering conservative roots
We were accidentally skipping over most of the CPU registers by
incrementing the register index by sizeof(FlatPtr) instead of 1.

This fixes a long-standing issue where live objects could still get
garbage-collected if they were only pointed to by an unlucky register.
2023-03-13 20:50:38 +01:00
Matthew Olsson
176beeb08e LibJS: Enforce proper const-propogation with {Nonnull,}GCPtr 2023-03-06 13:05:43 +00:00
Matthew Olsson
70a2ca7fc0 LibJS: Handle both const and non-const Ts in Handle<T>::create()
Again, the const-ness only really involves Heap-internal metadata, so
the callers shouldn't care about mutations here.
2023-03-06 13:05:43 +00:00
Matthew Olsson
5f0ccfb499 LibJS: Accept const GCPtrs in Cell::Visitor
The const_cast in these methods should be fine since the object really
only needs to be mutable so it's Heap-internal metadata can be altered.
2023-03-06 13:05:43 +00:00
Matthew Olsson
17a528c49e LibJS: Temporarily disambiguate const-ness of GCPtr constructors
Without this change, using {Nonnull,}GCPtr<T const> would complain that
there are multiple constructors which resolve to the same type (T& and
T const&). This removes that disambiguation and allows us to slowly fix
all of the constness issues surrounding GCPtrs. This change will not be
necessary in the future as we will be able to remove all of the const
qualifiers from the Ptr classes (they'll be in the template type
instead).
2023-03-06 13:05:43 +00:00