| MasterDuke | i reset to 68031489deb3ba456990f4f88233664d2e079a61, since the next one touched that section of frame.c | 00:06 | |
| now instead of a segv i get `Cannot invoke this object (REPR: P6opaque; NQPMu)` | 00:07 | ||
| `at gen/moar/stage2/QRegex.nqp:2324 (/home/dan/Source/perl6/install/share/nqp/lib/QRegex.moarvm:parse)` | |||
| #1 0x00007ffff77d5748 in MVM_6model_invoke_default (tc=<optimized out>, invokee=<optimized out>, callsite=<optimized out>, args=<optimized out>) at src/6model/6model.c:451 | |||
| #2 0x00007ffff7773ca5 in MVM_interp_run (tc=tc@entry=0x555555758950, initial_invoke=0x0, invoke_data=0x7ffff786b64d) at src/core/interp.c:950 | 00:08 | ||
| which is actually the same line of invoke_o as causes the segv at HEAD | 00:09 | ||
|
00:35
http_GK1wmSU joined
00:36
http_GK1wmSU left
00:58
yoleaux joined
01:52
ilbot3 joined
|
|||
| harrisi | jnthn: that is interesting. I hadn't actually thought about that, but that could make things slightly easier. it really then just goes back to translating the semantics, which is awfully annoying. | 02:53 | |
| jnthn: but also the most interesting part, I think. :) | |||
|
03:28
camelia joined
|
|||
| Geth | MoarVM: MasterDuke17++ created pull request #623: JIT pow_I |
03:44 | |
|
05:59
brrt joined
06:09
camelia joined
|
|||
| brrt | ohai #moarvm | 06:17 | |
| yoleaux | 2 Aug 2017 19:45Z <nwc10> brrt: ASAN finds even-moar-jit very exciting: paste.scsys.co.uk/564761 | ||
| 2 Aug 2017 20:28Z <nwc10> brrt: first bad commit is 2dbb62f9cade2, "Add sp_decont op" - as the only non comment change in that is to add a template, I guess it reveals a latent bug | |||
| brrt | nwc10, i guess so too | ||
| fortunately, i'm sure jit-bisect will tell me | |||
| Geth | MoarVM/even-moar-jit: 30 commits pushed by (Timo Paulssen)++, (Samantha McVey)++, (Jonathan Worthington)++, (Bart Wiegmans)++ review: github.com/MoarVM/MoarVM/compare/1...b72a544f98 |
06:26 | |
| brrt | if you keep on updating NQP_VERSION in this rate, then i'm going to have to merge every other day | 06:27 | |
| also, ASAN is decidely not as informative on os x, which is really frustrating | 06:29 | ||
| anyway, let's see what jit-bisect says | 06:30 | ||
|
06:36
brrt joined
|
|||
| brrt | openbsd-archive.7691.n7.nabble.com/...12186.html | 06:41 | |
| or, "I'm wrong, but I'm famous, so who cares" | 06:42 | ||
| fuuuuuuuu | |||
| anyway. what if we try setting it to PROT_NONE before setting it to PROT_EXEC | 06:46 | ||
| luajit does the exact same thing we do... | 06:48 | ||
| nwc10 | I did wonder if the kernel keeps any state on the region. hence whether one can side step all this "you can't get there from here" by simply going via a boring state | 06:50 | |
| brrt | well, apparently you can sidestep the issue by writing to a file, then mmapping that file as executable | 06:51 | |
| so the kernel isn't that clever | |||
|
07:13
brrt joined
|
|||
| brrt | CORE.setting with ASAN under bisect is on the slowest bisect i'v seen | 07:34 | |
|
07:52
zakharyas joined
|
|||
| nwc10 | brrt: what does jit-bisect do? | 08:02 | |
| brrt | are you coming to my talk at TPC, i'll explain all about it :-P | 08:19 | |
| jit-bisect runs a command and bisects on frame number and subsequently on basic block number to pinpoint the broken piece of code | 08:20 | ||
| so the two envionment variables MVM_JIT_EXPR_LAST_FRAME and MVM_JIT_EXPR_LAST_BB act as 'brakes' on the expr JIT so that it doesn't do anything beyond those | 08:21 | ||
| with MVM_SPESH_BLOCKING I ensure that - in a single threaded application - the order of spesh and JIT compilation is deterministic | 08:22 | ||
| it occured to me that we could do the same thing with spesh | |||
| jnthn | moarning o/ | 09:02 | |
| brrt | moarning | ||
| jnthn, a spesh-bisector, that seems like a decent idea, wouldn't it? | |||
| jnthn | grr, hot weather = crappy sleep | ||
| brrt: Yeah, it'd save some hand work | |||
| brrt | (the null-case for the bisect being to not optimize) | ||
| jnthn | Though the one I hunted down last night woulda been tricky, the application just started spitting out wrong results at some point rather than crashing | 09:04 | |
|
09:04
zostay joined
|
|||
| jnthn | Uff, some lag on this connection :S | 09:07 | |
| brrt | you can do it with any reproducible test case, just have a script that exits nonzero on the wrong ouptput | 09:14 | |
| but yeah, crashes are definitively easier | |||
| jnthn | Aww | 09:15 | |
| A stress test of my current invoke branch blows up just after CORE.setting build | |||
| oh, in loading CORE.setting even | |||
| "Unknown string encoding 'utf8'" | 09:16 | ||
| huh | |||
| Sadly, wasn't the one I fixed last night | 09:17 | ||
| aww, also it seems it's a mis-compile of something | 09:18 | ||
| brrt | ouch | ||
| metacircular systems do have their disadvantages... | |||
| jnthn | Yeah... | 09:19 | |
| Well, otoh it means we test our stuff against at least one significant size application :P | |||
| brrt | that is very true | 09:20 | |
| jnthn | My hope is that I can provoke the crash in tsets | ||
| make test doesn't; time for make spectest | |||
| ah, good, seems like some spectests will | 09:21 | ||
| oh wow, SEGV | 09:24 | ||
| Curious, it's a crash inside of eliminate_dead in graph building | 09:30 | ||
| But it's when we're making a graph from an existing spesh candidate for the purpose of inlining | |||
| It's a bit surprising such a graph would have dead BBs | |||
| Huh, and yeah, we get a spesh fixup error | 09:35 | ||
| nwc10 | brrt: yes, was planning to go to your talk at the TPC formarlly known as YAPC::Europe | 09:44 | |
| jnthn | ah, oops | 09:49 | |
| Turns out that we do an inline | |||
| But we do it inside of a basic block that dies | |||
| (Due to other optimizations) | 09:50 | ||
|
09:52
robertle joined
|
|||
| jnthn | This isn't new, but we have gotten much better at inlining | 09:52 | |
| Or much more capable of inlining | |||
| So I guess it stayed well hidden | |||
| Geth | MoarVM/spesh-invoke: 5 commits pushed by (Jonathan Worthington)++ | 09:55 | |
| jnthn | That was just a rebase on master fwiw | 09:56 | |
| Geth | MoarVM/spesh-invoke: 079dc9e962 | (Jonathan Worthington)++ | 2 files Avoid walking of end of BBs linked list. Could happen when the last block was unreachable. |
||
| brrt | nwc10: awesome :-) | 10:06 | |
| dogbert17 | jnthn: if you're bored I have a gist which might be of interest: gist.github.com/dogbert17/04de6ec9...04a0339c03 | 11:06 | |
| jnthn | I'm quite un-bored (though a bit frustrated I'm bug-hunting in spesh rather than putting more opts in...) | 11:08 | |
| dogbert17 | more opts ++, was merely wondering if this is something 'new' | 11:11 | |
| jnthn | I don't think so | ||
| It looks like a data race | |||
| On SC lookup | 11:12 | ||
| dogbert17 | I had to run the script many times before the problem showed up in ASAN | ||
| perhaps I should do some callgrinding instead | 11:13 | ||
| a week ago I made a gist containing callgrind results for a small program showing results for the then current camelia and the merged spesh-worker branch | 11:28 | ||
| I have now added a new run to the gist, this it's the current spesh-invoke branch. gist.github.com/dogbert17/6bb3eeb5...c7ab6f31a7 | 11:29 | ||
| *this time it's | |||
| jnthn | huh, dunno what's going on with that | 11:33 | |
| It should be resolving the multi candidates again now | |||
| lunch & | |||
|
11:45
markmont joined
|
|||
| markmont | brrt: "what if we try setting it to PROT_NONE before setting it to PROT_EXEC" -- I don't think so. It looks like the Linux kernel won't allow PROT_EXEC unless the mapping is backed by a file, see github.com/torvalds/linux/blob/mas...ks.c#L3610 | 11:53 | |
| brrt: "you can sidestep the issue by writing to a file, then mmapping that file as executable" -- yes, but this isn't sidestepping, it is the recommended practice. | 11:54 | ||
| brrt | i disagree, that's still very much sidestepping | 11:55 | |
| if that's what selinux does, then selinux is doing it wrong | |||
| markmont | brrt: The reasoning is that if you have the same file mapped twice, once as writable and once as executable, then code executing in the region won't be able to find the writable address. | ||
| brrt | .. come again? | 11:56 | |
| i don't parse | |||
| ā¦ okay | |||
| so | |||
| no | |||
| markmont | brrt: I don't like this "solution" either; I'm just reporting what I found. Many people in the Mozilla bug agree with us. But, currently, SELinux with deny_execmem and NetBSD 8.0_BETA won't allow anything else. | ||
| brrt | okay, suppose i have a mmap'ed file, and once i've mmapped it writeable, and once i've mmapped it execable | 11:57 | |
| then i have a bit of writeable-executable memory, do i not? | |||
| markmont | brrt: A bunch of projects, including Chrome V8, are just sticking with mmap()/mprotect() and saying that you have to have deny_execmem off or mark the NetBSD executable as wx-okay. | 11:58 | |
| brrt | and just saying 'well ASLR will make sure that an exploit will not be able to use that fact', then that's just nuts | ||
| what about luajit? i heard theo de raadt thought luajit was doing it right, and luajit is doing just what we do | 11:59 | ||
| markmont | Like I said, that's what people in the Mozilla bug said, and I think they are right. But Firefox's nanojit went ahead with the temporary file mapping. | ||
| I haven't looked at luajit yet, but I have looked at OpenBSD 6.1 and it allows mmap()/mprotect(). | 12:00 | ||
| brrt | i see | ||
| o.O | |||
| okay, at this point it seems legit just to push back to selinux | |||
| and/or netbsd | |||
| wrong things are just wrong | |||
| markmont | That's what Chrome V8 is doing, as well as, I think, Java. | 12:01 | |
| brrt | okay | ||
| can't say i understand the full implications of that linux bit of code | 12:02 | ||
| anywayā¦ i f you *do* want to implement a temporary-file-mmapping-solution, i'd be okay with that, but it'd be very nice if we could make it conditionally-compileable | 12:03 | ||
| so that people that aren't on 'secured' systems don't have their.. .security compromised | |||
| along with a configure flag that says āwith-jit-security-theater | 12:04 | ||
| markmont | Well, if the file is opened with O_TMPFILE, it never is linked into the filesystem tree and hence "shouldn't" be able to be compromised. | ||
| brrt | hmmm | ||
| i'm not even going to ask why we have a distinction between MAP_ANON and O_TMPLFILE | 12:05 | ||
| :-) | |||
| markmont | But that assumes that the underlying filesystem supports O_TMPFILE, which many do not. The Mozilla nanojit code (and the libfficode based upon it) try O_TMPFILE first but then fall back to a regular open() followed by unlink() | ||
| brrt | okay, that makes me chuckle | 12:06 | |
| markmont | On the Linux side, I don't see this as a big deal. RedHat and Fedora currently ship with deny_execmem turned off by default and people who want to turn it on can either not run programs which do JIT or they can write a local policy to allow it just for the program(s) they want to whitelist. | 12:09 | |
| jnthn back | |||
| markmont | On the NetBSD side, mprotect() will fail unless the moar binary gets installed with a special flag that permits it. People on NetBSD systems should know this command and running it should be no big deal. | 12:10 | |
| lizmat | jnthn: will it continue to make sense to bind attributes to lexicals for hot loops (like a push-all) ? | ||
| jnthn | lizmat: Yes | 12:11 | |
| timotimo | if you have an information disclosure vulnerability, which seems somewhat common as far as exploits go i suppose, then you can find the writable chunk that goes with an executable chunk very easily | ||
| lizmat | jnthn: check | ||
| jnthn | *sigh* We've really piled up the workarounds in spesh in the past, for lack of time to do things righter | ||
| What started out as an inline bug turned out to be in part 'cus we didn't really delete basic blocks from an inline that we then decided was unreachable anyway (workaround 1). Fixing that revealed that we weren't so aggressive in deleting basic blocks (workaround 2). Fixing that reveals that we don't delete blocks that have exception handler annotations in them (workaround 3) | 12:14 | ||
| lizmat | the very definition of technical debt, I guess :-( | 12:16 | |
| jnthn | Yeah | ||
| It's good to clear these things up and we'll get better/smaller code as a result | 12:17 | ||
| Just means I'll end up spending a good chunk of the day on this instead of the invocation opts I expected | 12:18 | ||
| lizmat | sometimes you have to take a step back before can take 3 steps forward :-) | 12:19 | |
| jnthn | True | ||
| And the problems are tricky | |||
| [Coke] | jnthn++ | 12:51 | |
| Geth | MoarVM/spesh-invoke: 34b6e590be | (Jonathan Worthington)++ | src/spesh/codegen.c Validate range of branch target in spesh code-gen. |
13:22 | |
| MoarVM/spesh-invoke: 4c919f0905 | (Jonathan Worthington)++ | 3 files Anchor inlinee handlers to inliner entry. So that they will be considered reachable and not eliminated once we start to apply more aggressive dead basic block removal. |
|||
| jnthn | Those are two in theory independent parts of a larger local set of patches, fwiw. | 13:23 | |
| Phew, think I'm about there | 13:35 | ||
|
13:41
AlexDaniel joined
|
|||
| Geth | MoarVM/spesh-invoke: 309da4c8dd | (Jonathan Worthington)++ | 6 files Fix and expand dead basic block removal. The specialization graph builder does dead basic block removal before it computes the dominance tree, to avoid problems in the calculation. In some cases, however, it was finding and removing basic blocks in spesh graphs formed from previously optimized code. This was because the basic block removal was deliberately incomplete, to work around a ... (8 more lines) |
13:44 | |
MoarVM/master: 9 commits pushed by (Jonathan Worthington)++
|
13:51 | ||
| jnthn | There we go, merged. | ||
| The main thing we're missing now is the whole rw container checking/guarding that multi-dispatch also wants, which is why I think we miss out on some of them still | 13:52 | ||
| Also there's a few other fixes needed to the frame simulation done wiht logs | |||
| lizmat | time to bump NQP and Rakudo ? | 13:59 | |
| jnthn | Mebbe, though I've got more improvements coming | 14:00 | |
| Those were in a branch because for a while they made things worse rather than better. :) | |||
| lizmat | but sooner the better wrt to testing, no | 14:02 | |
| or would that create too much noise atm ? | |||
| Geth | MoarVM: 67f92011c0 | (Jonathan Worthington)++ | src/core/args.c Toss duplicate use of named arg checking. There's no way to hit this from either NQP or Perl 6, it's totally harmless if it happens anyway, but having to support it gets in the way of a simpler, cheaper, handling of named arg flags in the event of a deopt, which will let us remove something that frustrates inlining. |
14:03 | |
| jnthn | lizmat: Can bump a bit later on today :) | 14:04 | |
| Well, can now if you want, just may as well get evening/overnight testing of all my changes :) | |||
| lizmat | I'll wait | 14:05 | |
| it's not like I don't have other things on my mind atm :-( | |||
| jnthn | Impending TPC? | 14:06 | |
| lizmat | yeah :-( | 14:07 | |
|
14:51
brrt joined
15:06
brrt joined
|
|||
| brrt | jnthn; is sp_decont actually invokish, as far as you know? | 15:16 | |
| jnthn | brrt: Yeah, it's just decont without logging | 15:18 | |
| So they'd JIT exactly the same | |||
| Currently working on argument spesh fwiw | 15:22 | ||
| Trying to elimiante the need to track what args are used at all in a specialized frame | |||
| Which has taken me to specializing named slurpy args into the code to build the hash | 15:23 | ||
| brrt | okay (a noninvokish variant would be cool, but probably too much to ask :-)) | ||
| jnthn | "It depends" :) | ||
| Ideally we can spesh noninvokish deconts we know enough about into something better than decont :) | 15:24 | ||
| brrt | aye | 15:26 | |
| ideally, we can specialize them in the JIT further, for those were it isn't practical to do in the interpreter :-) | |||
| timotimo | i had started a tiny bit on devirtualizing decont for the guard tree | 15:32 | |
| but it turns out we have to follow two pointers in a row for rakudo scalars | 15:33 | ||
| wasn't sure if it'd make sense making all tree nodes bigger to support that, and also wasn't sure how to store this in a sufficiently generic way into the container spec or repr or what | |||
|
15:37
AlexDaniel joined
|
|||
| jnthn | yay, got the slurpy named hash thing working | 15:46 | |
| On the callee side it now just turns into ops to build the hash | 15:47 | ||
|
16:29
robertle_ joined
|
|||
| timotimo | cool, so a nqp::create and a few bindkeys with static strings for keys | 16:29 | |
| Geth | MoarVM: baaf8b6dfe | (Jonathan Worthington)++ | 16 files More sophisticated named arg handling in spesh. Previously, we would keep track of them using the bit field used by unspecialized named argument handling. Since in an inline the use of that could conflict, the op to do the tracking was `:noinline`. Thus an attempt was made to not include them if we had no slurpy args and no deopt points. However, recent spesh changes have introduced more ... (10 more lines) |
16:33 | |
| lizmat | further lowering++ :-) | 16:35 | |
| jnthn | No regressions from that, or so my stressing of builds and spectest tell me | 16:37 | |
| Geth | MoarVM: 0df98ee0e7 | (Jonathan Worthington)++ | 8 files Remove unused sp_namedarg_used op. |
||
| jnthn | And yes, it does nail the inline that I mentioned in the commit message now :) | 16:40 | |
| Alright, enough for now I think | 16:45 | ||
| timotimo | fantastic | 17:13 | |
|
17:31
zakharyas joined
20:10
vendethiel joined
20:17
AlexDaniel joined
21:05
brrt joined
21:07
AlexDaniel joined
21:08
AlexDaniel joined
21:19
AlexDani` joined
|
|||
| Geth | MoarVM: af52fca88b | MasterDuke17++ | src/jit/graph.c JIT pow_I It's slightly faster to call this from the JIT. |
22:35 | |
| MoarVM: f1bfca0317 | (Jonathan Worthington)++ (committed using GitHub Web editor) | src/jit/graph.c Merge pull request #623 from MasterDuke17/jit_pow_I JIT pow_I |
|||
| MasterDuke | jnthn: did you see my comments last night about trying to track down the --profile stuff? irclog.perlgeek.de/moarvm/2017-08-02#i_14960192 and a little after | 22:37 | |
| i'm not sure that i found anything helpful though | 22:38 | ||
| jnthn | Yeah, I fear the problem is happening "further back" though and that's just the upshot of it | 22:39 | |
| MasterDuke | that's kind of what i suspected, but lost the energy last night to keep going farther back | 22:40 | |
|
23:01
markmont joined
|
|||
| Geth | MoarVM: c8eb5c9ce7 | (Jonathan Worthington)++ | src/io/asyncsocket.c Make it possible to cancel an async socket reader. |
23:02 | |