Closed
Bug 464676
Opened 16 years ago
Closed 15 years ago
Cycle collector sometimes unlinks live cycles
Categories
(Core :: XPConnect, defect, P2)
Core
XPConnect
Tracking
()
RESOLVED
FIXED
mozilla1.9.1
People
(Reporter: peterv, Assigned: peterv)
Details
(Keywords: fixed1.9.1)
Attachments
(2 files, 3 obsolete files)
4.55 KB,
patch
|
bent.mozilla
:
review+
jst
:
superreview+
|
Details | Diff | Splinter Review |
4.91 KB,
patch
|
bent.mozilla
:
review+
jst
:
superreview+
|
Details | Diff | Splinter Review |
We currently only add the JS objects of XPCWrappedNatives to the cycle collector if they are marked as main-thread-only. We really should be adding all the JS objects of XPCWrappedNatives, but not traverse to the XPCWrappedNatives themselves. With the current code we do not detect if a cycle is held by a JS object of a non-main-thread-only wrapper and so we try to unlink that cycle, even though it's still 'live'. Anything held by the XPCWrappedNative will be marked black if we don't traverse to it (because it'll have a missing refcount).
Flags: blocking1.9.1?
Sounds like this can cause random crashers in multi-threaded JS code then? Like the new places code?
Assignee | ||
Comment 2•16 years ago
|
||
I don't think it'll cause crashes, unless the unlinking makes us access nulled out members (but that could then happen without this bug too). We'll still mark all the live JS objects once cycle collection is done, because we never set the "unlink" bit on the non-main-thread-only XPCWrappedNatives and they're the ones holding everything else alive.
Comment 3•16 years ago
|
||
Sounds like this should be fixed for 1.9.1.
Flags: blocking1.9.1? → blocking1.9.1+
Priority: -- → P2
Assignee | ||
Comment 4•16 years ago
|
||
Assignee | ||
Updated•16 years ago
|
Attachment #355816 -
Flags: superreview?(jst)
Attachment #355816 -
Flags: review?(bent.mozilla)
Comment on attachment 355816 [details] [diff] [review] v1 Waiting on a new patch. >+ if(IS_PROTO_CLASS(clazz)) We chatted on IRC and this should probably become: if(IS_WRAPPER_CLASS(clazz) || IS_TEAROFF_CLASS(clazz)) >+ else { nit: separate line for that '{' (I <3 xpconnect).
Attachment #355816 -
Attachment is obsolete: true
Attachment #355816 -
Flags: superreview?(jst)
Attachment #355816 -
Flags: review?(bent.mozilla)
Assignee | ||
Comment 6•16 years ago
|
||
This ended up slightly different, since we were already dealing with tearoffs separately in nsXPConnect::Traverse. Also decided to not call GetWrappedNativeOfJSObject since we don't need most of that function.
Assignee | ||
Comment 7•16 years ago
|
||
Comment on attachment 357075 [details] [diff] [review] v2 Verified in the debugger that it works ok. No leaks on mochitest.
Attachment #357075 -
Flags: superreview?(jst)
Attachment #357075 -
Flags: review?(bent.mozilla)
Updated•16 years ago
|
Attachment #357075 -
Flags: review?(bent.mozilla) → review+
Comment on attachment 357075 [details] [diff] [review] v2 This looks good!
Assignee | ||
Comment 9•16 years ago
|
||
This is the right thing to do, but thinking this over I think it doesn't completely solve the problem. We need to add the JS objects of non-main thread only wrappers that have external references to the cycle collector as marked, since if we don't traverse to those wrappers the wrappers themselves can't mark the JS objects as black.
Assignee | ||
Comment 10•16 years ago
|
||
Ben: sorry for the third review request in a row, I don't think I'll come up with more issues ;-).
Attachment #357075 -
Attachment is obsolete: true
Attachment #357383 -
Flags: superreview?(jst)
Attachment #357383 -
Flags: review?(bent.mozilla)
Attachment #357075 -
Flags: superreview?(jst)
Assignee | ||
Updated•16 years ago
|
Attachment #357383 -
Attachment is obsolete: true
Attachment #357383 -
Flags: superreview?(jst)
Attachment #357383 -
Flags: review?(bent.mozilla)
Assignee | ||
Comment 11•16 years ago
|
||
Comment on attachment 357383 [details] [diff] [review] v3 Ugh, this isn't right either.
Assignee | ||
Comment 12•16 years ago
|
||
Attachment #357422 -
Flags: superreview?(jst)
Attachment #357422 -
Flags: review?(bent.mozilla)
Comment on attachment 357422 [details] [diff] [review] v3.1 Cool, that makes sense. r=me.
Attachment #357422 -
Flags: review?(bent.mozilla) → review+
Updated•16 years ago
|
Attachment #357422 -
Flags: superreview?(jst) → superreview+
Assignee | ||
Updated•16 years ago
|
Status: ASSIGNED → RESOLVED
Closed: 16 years ago
Resolution: --- → FIXED
Assignee | ||
Comment 14•16 years ago
|
||
Had to back out, chrome and browser tests are leaking, which is worrying since it means we might be relying on unlinking live cycles to mask leaks.
Status: RESOLVED → REOPENED
Resolution: FIXED → ---
Assignee | ||
Comment 15•16 years ago
|
||
We have a number of objects that participate in cycle collection but that don't have classinfo. These objects should only be used on the main thread, but we can't detect that from the wrapper. We can detect it by checking if they participate in cycle collection, so I added code to WrapperIsNotMainThreadOnly that does just that. It's a bit expensive (QI), but on the other hand it might make us traverse less XPCWrappedNatives than we do currently. This seems to fix all the leaks, I'll double-check that before checking in.
Attachment #358467 -
Flags: superreview?(jst)
Attachment #358467 -
Flags: review?(bent.mozilla)
Updated•16 years ago
|
Attachment #358467 -
Flags: review?(bent.mozilla) → review+
Comment on attachment 358467 [details] [diff] [review] v3.2 This looks good, though if we need to (want to?) optimize this I think we should do this QI up front when creating the wrappers and set a bit somewhere.
Updated•16 years ago
|
Attachment #358467 -
Flags: superreview?(jst) → superreview+
Assignee | ||
Comment 17•15 years ago
|
||
Checked in again and backed out again, no leaks on the unit boxes but the leak boxes turned red with: *** Potential deadlock between XPCJSRuntime::mMapLockMonitor@22698b0 and nsComponentManagerImplMonitor@c3bb30 They did have one green cycle after my checkin and I can't reproduce locally (and the stacks in the logs are useless). I'm not sure this patch was to blame, so I might try landing again tomorrow.
I've seen that assertion lots of times before without this patch... Maybe this increases the frequency or something but the problem is elsewhere.
Assignee | ||
Comment 19•15 years ago
|
||
Relanded on trunk, seems to stick.
Status: REOPENED → RESOLVED
Closed: 16 years ago → 15 years ago
Resolution: --- → FIXED
Assignee | ||
Comment 20•15 years ago
|
||
http://hg.mozilla.org/mozilla-central/rev/0b0850b7f90b http://hg.mozilla.org/releases/mozilla-1.9.1/rev/4e308e5150bb
Keywords: fixed1.9.1
You need to log in
before you can comment on or make changes to this bug.
Description
•