Closed Bug 1570161 Opened 2 years ago Closed 2 years ago

OOM can result in strings being pushed on the delayed gray marking list

Categories: Core :: JavaScript: GC, defect, P3
Tracking: RESOLVED FIXED, mozilla70
Tracking Status: firefox70 --- fixed
People: Reporter: sfink, Assigned: sfink
Attachments: 1 file

If you are gray marking an object and find a string field, and when pushing that string onto the mark stack you hit OOM and it fails, then the string's arena will be placed on the delayed marking list for gray, which makes no sense, since strings are not gray markable, and this will result in an assertion.

I found this when calling clearAndFree() between GCs, though in a buggy way that resulted in more OOMs than it should have. But the bug seems like it could happen independent of that.

I think the correct behavior in this case is to mark the string (or any non-gray-markable thing) black. We don't know whether the owning object is truly live or not, but we have to treat it as if it were.

Oh interesting, yes we would want to mark the string black in this case.

Pushed by sfink@mozilla.com:
https://hg.mozilla.org/integration/autoland/rev/da0209399b71
do not attempt to mark things gray if they cannot be marked gray r=jonco
Status: NEW → RESOLVED
Closed: 2 years ago
Resolution: --- → FIXED
Target Milestone: --- → mozilla70
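
A simplified model of the failure described in the report, added here as an illustration and not taken from SpiderMonkey or the landed patch: it gray-marks an object whose string field does not fit on a one-entry mark stack, with and without the behaviour proposed in the comments. All type and function names are hypothetical, and individual cells stand in for arenas on the delayed lists.

```cpp
#include <cstddef>
#include <vector>

// Toy model with hypothetical names; not SpiderMonkey code.
enum class Kind { Object, String };          // strings are not gray markable
enum class Color { White, Gray, Black };

struct Cell {
    Kind kind;
    Color color = Color::White;
    std::vector<Cell*> fields;
    explicit Cell(Kind k) : kind(k) {}
};

struct Marker {
    std::size_t stackLimit;                  // tiny limit simulates OOM on push
    bool fixed;                              // true: behaviour proposed in the bug
    std::vector<Cell*> stack, delayedGray, delayedBlack;

    void markAndPush(Cell* c, Color want) {
        if (c->color != Color::White) return;            // already marked
        // Proposed behaviour: a thing that cannot be gray is marked black.
        if (fixed && want == Color::Gray && c->kind == Kind::String)
            want = Color::Black;
        c->color = want;
        if (stack.size() < stackLimit) { stack.push_back(c); return; }
        // Push failed: defer the cell on the delayed list for its color.
        (want == Color::Gray ? delayedGray : delayedBlack).push_back(c);
    }

    void markFrom(Cell* root, Color color) {
        markAndPush(root, color);
        while (!stack.empty()) {
            Cell* c = stack.back(); stack.pop_back();
            for (Cell* f : c->fields) markAndPush(f, c->color);
        }
    }
};

struct Outcome { std::size_t grayDelayed, blackDelayed; Color stringColor; };

// Gray-mark an object whose second field is a string, with room for one push.
Outcome grayMarkUnderOOM(bool fixed) {
    Cell str(Kind::String), child(Kind::Object), root(Kind::Object);
    root.fields = {&child, &str};
    Marker m{1, fixed, {}, {}, {}};
    m.markFrom(&root, Color::Gray);
    return {m.delayedGray.size(), m.delayedBlack.size(), str.color};
}

int main() { return grayMarkUnderOOM(true).grayDelayed == 0 ? 0 : 1; }
```

In the unfixed run the string lands on the gray delayed list, the state the report says triggers the assertion; in the fixed run it is marked black and deferred on the black list instead.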