Closed
Bug 490044
Opened 15 years ago
Closed 15 years ago
TM: Add deep-bailing write barrier to global shape change code
Categories
(Core :: JavaScript Engine, defect)
Core
JavaScript Engine
Tracking
()
RESOLVED
FIXED
People
(Reporter: graydon, Assigned: graydon)
Details
(Keywords: fixed1.9.1, Whiteboard: fixed-in-tracemonkey)
Attachments
(1 file)
9.78 KB,
patch
|
brendan
:
review+
|
Details | Diff | Splinter Review |
This is the "more complete" version of the fix presented in bug 488363, split off for independent tracking.
Flags: blocking1.9.1?
Assignee | ||
Comment 1•15 years ago
|
||
This variant includes the proposed formatting and naming fixes in your last review, as well as the two additional shape-change cases I missed.
Attachment #374518 -
Flags: review?(brendan)
Comment 2•15 years ago
|
||
Comment on attachment 374518 [details] [diff] [review] Refreshed copy of wip from other bug Had to diff the patches, looks good. /be
Attachment #374518 -
Flags: review?(brendan) → review+
Assignee | ||
Comment 3•15 years ago
|
||
First landing was http://hg.mozilla.org/tracemonkey/rev/d8c2060b0f9b . This caused cross-the-board red tinderboxes: crashes during object-tracing. I guess I was a little too optimistic that it was a conservative little patch, and was on a laptop so didn't do a full browser test run. So never saw cycle collection run. The culprit was the line added in js_TraceObject. I backed that line out; I wasn't entirely confident in it in the first place, since I don't really know the invariants of the tracing phase of CC. Anyway, current tip is http://hg.mozilla.org/tracemonkey/rev/07bdf85b247a , which appears to be settling down to green, though there's the one funny winnt orange again, and 2 taloses that don't seem to want to cycle (the taloses that *did* cycle are fine). It's nearly 2am now -- I was hoping this would wind down sooner -- so I'm off to bed now. If it's not resolved back to green by tomorrow morning I'll back out fully. Assuming it sticks, porting to other branches should take both changes.
Comment 4•15 years ago
|
||
Sorry, I should have caught that -- we have other ways of leaving trace if GC is activated. What was the crash stack? /be
Assignee | ||
Comment 5•15 years ago
|
||
(In reply to comment #4) > Sorry, I should have caught that -- we have other ways of leaving trace if GC > is activated. What was the crash stack? A representative would be, say, http://tinderbox.mozilla.org/showlog.cgi?log=TraceMonkey/1240637337.1240638111.3015.gz They all look like this. Summary of stack: Crash reason: EXC_BAD_ACCESS / KERN_PROTECTION_FAILURE Crash address: 0x251467 Thread 0 (crashed) 0 js_TraceObject 1 JS_CallTracer 2 fun_trace 3 js_TraceObject 4 JS_CallTracer 5 js_TraceScopeProperty 6 js_TraceObject 7 JS_CallTracer 8 xpc_TraceForValidWrapper() 9 js_TraceObject 10 JS_CallTracer 11 js_TraceObject 12 JS_CallTracer 13 js_CallValueTracerIfGCThing 14 gc_root_traversal 15 JS_DHashTableEnumerate 16 js_TraceRuntime 17 js_GC 18 JS_GC 19 nsXREDirProvider::DoShutdown() 20 ScopedXPCOMStartup::RegisterProfileService() 21 XRE_main 22 main Pretty straightforward. I think the owning object was probably dead? *shrug* as you say, I think the odds of us being on trace during GC are zero anyway. It's caught elsewhere.
Comment 6•15 years ago
|
||
The "trace" (formerly "mark") phase of the GC is scanning live things, so the owning object had better not be dead. Any bad address info? With the inlining of js_LeaveTraceIfGlobalObject perhaps the crash was in that function. We should rename the GC "trace" phase, if we can (recent-ish API). /be
Assignee | ||
Comment 7•15 years ago
|
||
Asked build to kick it again since nothing happened overnight; all green now, looks like it was just a lot of transient noise. I've filed [orange] bugs for all of them.
Assignee | ||
Updated•15 years ago
|
Whiteboard: fixed-in-tracemonkey
Assignee | ||
Comment 9•15 years ago
|
||
(In reply to comment #8) > Created an attachment (id=374819) [details] > 490044 Um, what's this attachment? It's a PE binary claiming to be firefox.exe, but it sure doesn't look like that on the inside. It's got a few bits that look firefoxy (strings and imports and whatnot) but it's only 80kb. I'm not terribly interested in running it.
Comment 10•15 years ago
|
||
I removed user ticoi20@yahoo.com. /be
Updated•15 years ago
|
Flags: blocking1.9.1? → blocking1.9.1+
Comment 11•15 years ago
|
||
http://hg.mozilla.org/mozilla-central/rev/d8c2060b0f9b (this bug is still fixed, right?)
Status: NEW → RESOLVED
Closed: 15 years ago
Resolution: --- → FIXED
Assignee | ||
Comment 12•15 years ago
|
||
(In reply to comment #11) > http://hg.mozilla.org/mozilla-central/rev/d8c2060b0f9b > > (this bug is still fixed, right?) Yes, so long as you got the followup commit: http://hg.mozilla.org/tracemonkey/rev/07bdf85b247a It appears you did, http://hg.mozilla.org/mozilla-central/rev/07bdf85b247a (There was some wobbling with random oranges after *that* landed too, but nothing evidently related to this bug. And then some fellow appears to have decided to attach what looks like malware to the bug; I have no idea why. But otherwise I believe it's ok.)
Comment 13•15 years ago
|
||
http://hg.mozilla.org/releases/mozilla-1.9.1/rev/a4b589a68a8e
Keywords: fixed1.9.1
You need to log in
before you can comment on or make changes to this bug.
Description
•