Closed Bug 711165 Opened 13 years ago Closed 13 years ago

GC: DenseArrays are missing some barrier calls

Categories

(Core :: JavaScript Engine, defect)

Product:
Core
Component:
JavaScript Engine
Type:
defect
Priority:
Not set
Severity:
normal

Tracking

()

Status:
RESOLVED FIXED
Milestone:
mozilla11

People

(Reporter: terrence, Assigned: terrence)

References

Details

Attachments

(1 file)

v1: Replacing all uses of memcpy
1.56 KB, patch
billm
: review+
Details | Diff | Splinter Review 
When we do memcpy and memset on the elements array, we miss calling some important barriers.  The one I know about specifically is JSObject::initDenseArrayElements.  If we init array elements of an object in the long-lived heap with a GCThing in the nursery and miss this barrier, then we miss an important cross-generation pointer.
This has no measurable effect on v8 performance.

I only updated places where we used memcpy on elements.  If you know of others, I can add them to this patch, or we can wait for the verifier to catch more later.
Assignee: general → terrence
Status: NEW → ASSIGNED
Attachment #582118 - Flags: review?(wmccloskey)
Comment on attachment 582118 [details] [diff] [review]
v1: Replacing all uses of memcpy

Cool, thanks.
Attachment #582118 - Flags: review?(wmccloskey) → review+
https://hg.mozilla.org/mozilla-central/rev/fd9444ecf9a1
Status: ASSIGNED → RESOLVED
Closed: 13 years ago
Resolution: --- → FIXED
Target Milestone: --- → mozilla11
You need to log in before you can comment on or make changes to this bug.

Attachment

General

Creator:
Created:
Updated:
Size: