Closed
Bug 588364
Opened 14 years ago
Closed 14 years ago
Incorrect code and comments around Array/Vector shift/unshift
Categories
(Tamarin Graveyard :: Virtual Machine, defect)
Tamarin Graveyard
Virtual Machine
Tracking
(Not tracked)
RESOLVED
FIXED
People
(Reporter: lhansen, Assigned: stejohns)
References
Details
Attachments
(1 file)
5.59 KB,
patch
|
stejohns
:
review+
treilly
:
review+
|
Details | Diff | Splinter Review |
I discovered some comments in the shift/unshift code that explained that some array-clearing code was there "for RC purposes". That was arguably not the best explanation - any kind of GC would benefit from stale pointers being cleared, though RC could go seriously wrong, I suppose. (Anyway, upon removing RC this code should not be removed.) Following up it turns out that there's a right way (nullAtomRange) and a wrong way (memset) to clear the contents, and the wrong way was used in a couple of places. So this patch (a) changes the comments and (b) factors the "right way" by placing a utility method in AvmCore and (c) uses the utility method uniformly.
Attachment #466988 -
Flags: review?(treilly)
Attachment #466988 -
Flags: review?(stejohns)
Reporter | ||
Comment 1•14 years ago
|
||
It's probably the case that the Array and Vector code should be vetted for this problem generally.
Assignee | ||
Updated•14 years ago
|
Attachment #466988 -
Flags: review?(stejohns) → review+
Reporter | ||
Comment 2•14 years ago
|
||
(In reply to comment #1)
> It's probably the case that the Array and Vector code should be vetted for
> this problem generally.
There is only one case left, namely AtomArray::checkCapacity. This one seems a little strange: it allocates a new GCObject, calls setAtoms() to do the necessary write barrier song and dance, and then copies atoms from an old array into a new one:
// use a memcpy to skip ref counting
VMPI_memcpy(m_atoms, oldAtoms, m_length*sizeof(Atom));
VMPI_memset(oldAtoms, 0, m_length*sizeof(Atom));
gc->Free(oldAtoms);
This code appears to be correct, but the VMPI_memset is redundant unless the object can't be freed. The only reason it wouldn't be freed is if we're in a callback handler from within the GC, or if the object is on the mark stack.
I will add a comments to that effect in the code when I land the patch, although I guess the correct thing to do would be to not use memset but to use nullAtomRange here too - to benefit exact tracing.
Opinions?
Assignee | ||
Comment 3•14 years ago
|
||
Yow, yeah, wacky. I had forgotten about the "free might not free immediately in obscure situations". (Perhaps, in such situations, Free() should at least zero/null out its contents, to avoid having to do it pre-emptively at the call site?)
Reporter | ||
Comment 4•14 years ago
|
||
(In reply to comment #3)
> Perhaps, in such situations, Free() should at least
> zero/null out its contents, to avoid having to do it pre-emptively at the call
> site?
Written up as bug #589102, I will insert a comment in checkCapacity to that effect.
Comment 5•14 years ago
|
||
Comment on attachment 466988 [details] [diff] [review]
Patch
- A little inconsistent that we start out zero'd but then later zero'd memory is actually nullAtom'd, not a show-stopper though.
- Also nullAtomRange needs a comment that it doesn't do anything smart wrt DRC and its only for nullAtom'ing undefined memory.
Attachment #466988 -
Flags: review?(treilly) → review+
Reporter | ||
Comment 6•14 years ago
|
||
On IM Tommy also pointed out that nullAtomRange is being used to clear vector storage before it's freed, like the Array storage in comment #2.
Altogether I think I'll be looking for a consistent story here before I try to land anything. It may be that nullAtomRange should just zero out its memory (with memset) if the Box code is not active, but I don't know if that's appropriate for typed vectors (I'm guessing not).
Whiteboard: has-patch
Reporter | ||
Updated•14 years ago
|
Updated•14 years ago
|
Flags: flashplayer-qrb+
Reporter | ||
Comment 8•14 years ago
|
||
No, we cannot land this, see my last comment - we need a consistent story.
Comment 9•14 years ago
|
||
I'm not working on this, resetting assignee to default
Assignee: treilly → nobody
Assignee | ||
Comment 10•14 years ago
|
||
poaching, as work on Bug 570608 should neatly resolve this
Assignee: nobody → stejohns
Assignee | ||
Comment 11•14 years ago
|
||
Bug 605324 would likely make this bug moot
Assignee | ||
Comment 12•14 years ago
|
||
fixed by way of bug 605324 in 5420:821faaf8d7ff
Status: NEW → RESOLVED
Closed: 14 years ago
Resolution: --- → FIXED
You need to log in
before you can comment on or make changes to this bug.
Description
•