Closed
Bug 780653
Opened 12 years ago
Closed 12 years ago
CellIter on shapes/types is empty during incremental sweeping
Categories
(Core :: JavaScript Engine, defect)
Tracking
()
RESOLVED
FIXED
mozilla17
People
(Reporter: bhackett1024, Assigned: billm)
References
Details
Attachments
(1 file)
|
6.16 KB,
patch
|
jonco
:
review+
|
Details | Diff | Splinter Review |
This seems to be causing a crash with the patch in bug 778724. If I iterate over all type objects in a compartment outside of a GC, sometimes the iteration turns up empty (there are several hundred types in the compartment). If I break in gdb at a point where the iteration is empty, I see in cx->compartment->arenas that the freeLists and arenaLists for FINALIZE_TYPE_OBJECT are both empty, but that arenaListsToSweep[FINALIZE_TYPE_OBJECT] is non-NULL but ignored by CellIter. cx->runtime->gcIncrementalState is SWEEP. I'm guessing this is due to bug 729760.
|
Assignee | |
Comment 1•12 years ago
|
||
I think this should fix the problem. I need to work on a testcase, though.
|
||
Comment 2•12 years ago
|
||
Comment on attachment 649407 [details] [diff] [review] patch Review of attachment 649407 [details] [diff] [review]: ----------------------------------------------------------------- Ah yes, I didn't think of that. Cheers for fixing this. The patch looks fine, the only problem might be that we are handing out references to objects that are about to be finalized so hopefully CellIter is not used in a way that will cause any of these to become live again.
Attachment #649407 -
Flags: review?(jcoppeard) → review+
|
|
Assignee | |
Comment 3•12 years ago
|
||
https://hg.mozilla.org/integration/mozilla-inbound/rev/61037dd2fc68
|
||
Comment 4•12 years ago
|
||
https://hg.mozilla.org/mozilla-central/rev/61037dd2fc68
Status: ASSIGNED → RESOLVED
Closed: 12 years ago
Resolution: --- → FIXED
Target Milestone: --- → mozilla17
You need to log in
before you can comment on or make changes to this bug.
Description
•