Closed Bug 1607186 Opened 6 years ago Closed 5 years ago

Cell memory tracking for BigInt digits can be off by four bytes on 32-bit

Categories: Core :: JavaScript: GC, defect, P3
Status: RESOLVED WONTFIX
Tracking Status: firefox73 --- affected
People: Reporter: anba, Unassigned

Details

BigInt::Digit is pointer-sized, so four bytes on 32-bit platforms, but when allocating the digits through AllocateBigIntDigits, the storage size needs to be Value-sized (*) for Nursery::allocateBuffer. So for example when requesting 20 bytes for digits storage, AllocateBigIntDigits will round it up to 24 bytes, but AddCellMemory will only track 20 bytes.

To fix this bug, we could either pass two size_t parameters to Nursery::allocateBuffer (for nursery and non-nursery allocation), or alternatively move the alignment code into Nursery::allocateBuffer.

(*) Actually `CellAlignBytes`-sized, but the code uses `sizeof(Value)` and relies on it being the same as `CellAlignBytes`.
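A small model of the accounting mismatch described above, added here as an example and not SpiderMonkey's code: `roundUpToCellAlign`, `MemoryTracker` and the two `allocateDigits*` functions are constructed stand-ins for `Nursery::allocateBuffer`, `AddCellMemory` and `AllocateBigIntDigits`, with `kCellAlignBytes` assumed to be 8. The "fixed" variant tracks the rounded size, as the second proposed fix (aligning inside the allocator) would.

```cpp
#include <cstddef>

// Constructed model (not SpiderMonkey code): nursery buffers are rounded up to
// the cell alignment, which the page notes equals sizeof(Value); assumed 8 here.
constexpr size_t kCellAlignBytes = 8;

// Round a byte count up to the nursery's allocation granularity.
constexpr size_t roundUpToCellAlign(size_t bytes) {
    return (bytes + kCellAlignBytes - 1) & ~(kCellAlignBytes - 1);
}

// Raw storage the digits need: sizeof(BigInt::Digit) per digit (4 on 32-bit, 8 on 64-bit).
constexpr size_t digitStorageBytes(size_t ndigits, size_t digitSize) {
    return ndigits * digitSize;
}

// Stand-in for the per-cell memory accounting fed by AddCellMemory.
struct MemoryTracker { size_t tracked = 0; };

// Buggy path: the allocator hands out the rounded size, but the tracker is told
// the unrounded request. Returns the bytes actually allocated.
size_t allocateDigitsBuggy(MemoryTracker& t, size_t ndigits, size_t digitSize) {
    size_t requested = digitStorageBytes(ndigits, digitSize);
    size_t allocated = roundUpToCellAlign(requested);
    t.tracked += requested;   // AddCellMemory(cell, requested) -- too small on 32-bit
    return allocated;
}

// Fixed path: the rounded size is what gets both allocated and tracked.
size_t allocateDigitsFixed(MemoryTracker& t, size_t ndigits, size_t digitSize) {
    size_t allocated = roundUpToCellAlign(digitStorageBytes(ndigits, digitSize));
    t.tracked += allocated;   // AddCellMemory(cell, allocated)
    return allocated;
}

// Bytes the nursery handed out that the GC accounting never sees.
size_t untrackedBytes(size_t ndigits, size_t digitSize, bool fixed) {
    MemoryTracker t;
    size_t allocated = fixed ? allocateDigitsFixed(t, ndigits, digitSize)
                             : allocateDigitsBuggy(t, ndigits, digitSize);
    return allocated - t.tracked;
}
```

With 4-byte digits, five digits (20 bytes) leave 4 bytes untracked on the buggy path and 0 on the fixed one; with 8-byte digits every request is already aligned, so the discrepancy only appears on 32-bit.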

Priority: -- → P3
Severity: normal → S4

This is correct; however, the exact size tracked doesn't need to be exact. It must balance, and should be close to give us the best chance of triggering GC at appropriate times.

Status: NEW → RESOLVED
Closed: 5 years ago
Resolution: --- → WONTFIX