1552118 - Crash calling IsAboutToBeFinalized from a finalizer on a cell in the same sweep group

Status: RESOLVED FIXED

(Core :: JavaScript: GC, defect, P1)

Description

[Jon Coppeard (:jonco)]

During foreground finalization we currently release all empty arenas when we've finished sweeping the zone. However finalizers for cells in other zones in the same sweep group may not have been run yet. Trying to call IsAboutToBeFinalized from a finalizer on a cell in another zone in the same sweep group can fail if the cell is in an arena that we already released.

Bug 1546727 has a use case for doing this, to maintain a count of Debugger.Frame instances related to a JSScript by updating the script's count in the frame object's finalizer. These cells are in different zones in the same sweep group (debugger and debuggee respectively). This seems like a reasonable thing to want to do so we should support it.

Comment 1

[Jon Coppeard (:jonco)]

Ugh, I uploaded the patch to bug 1551907 by mistake, where it has been reviewed. I'll try and move it to here.

Comment 2

[Jon Coppeard (:jonco)]

Attachment: Bug 1552118 - Don't release foreground finalized arenas until the end of sweeping the zone group r=sfink

This releases all foreground finalized arenas at the end of sweeping the sweep group rather than at the end of sweeping the zone (for objects) or immediately (for everything else) as happens currently. This simplifies the code in a couple of places and I don't think it will have any noticeable effects.

Comment 3

[Pulsebot]

Pushed by jcoppeard@mozilla.com:
https://hg.mozilla.org/integration/mozilla-inbound/rev/87221d5fcb98
Don't release foreground finalized arenas until the end of sweeping the zone group r=sfink

Comment 4

[Razvan Maries]

https://hg.mozilla.org/mozilla-central/rev/87221d5fcb98