initialize mark bits in Chunk::init

RESOLVED FIXED in Firefox 7

Status

Core
JavaScript Engine
RESOLVED FIXED
6 years ago
6 years ago

People

(Reporter: mccr8, Assigned: espindola)

Tracking

Trunk
mozilla7
Points:
---

Firefox Tracking Flags

(firefox7 fixed, firefox8 fixed, firefox9 fixed)

Details

(Whiteboard: [qa-])

Attachments

(1 attachment)

(Reporter)

Description

6 years ago
Created attachment 558637
initialize mark bits in Chunk::init

In Bug 673017, Rafael found that uninitialized mark bits were being read by xpc_UnmarkGrayObject.  He has a patch for it.  This bug is mostly just so I can nominate that patch for Aurora and Beta.

The general problem is that xpc_UnmarkGrayObject and the cycle collector proper rely on mark bits being valid, but the bits are uninitialized from when a chunk is allocated until garbage collection is run.  One specific case of this, chunks allocated from startup being examined by the CC before the GC has a chance to run, is explicitly handled by checking if the GC has run when the CC starts up, and running the GC if not.  This does not handle everything.

Aside from the case Rafael found, one troubling possibility is that a chunk can be allocated at some point after the first GC, then have objects allocated in it, then the CC runs and examines those objects, all before the GC runs. It will be reading random uninitialized mark bits, which I think has the potential to cause things to be freed when they shouldn't be.

Bill found that this didn't have any noticeable performance impact.

I've attached Rafael's patch as committed to m-c: http://hg.mozilla.org/mozilla-central/rev/f092ce58bc20
Attachment #558637 - Flags: review+
Attachment #558637 - Flags: approval-mozilla-beta?
Attachment #558637 - Flags: approval-mozilla-aurora?
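The failure mode described above, as an added toy model that is not SpiderMonkey's code: a chunk carved out of recycled memory still carries stale bytes where its mark bitmap lives, so a cycle-collector-style reader that consults mark bits before the first GC sees whatever was there. The names Chunk, chunk_init, is_marked and marked_cells_after_init are constructed for this example.

```c
#include <stdint.h>
#include <stdlib.h>
#include <string.h>

/* Constructed toy model: one chunk holds CELLS allocation cells,
 * each with a single mark bit in a packed bitmap. */
#define CELLS 64

typedef struct {
    uint8_t markbits[CELLS / 8];
    int gc_has_run;
} Chunk;

/* Mirrors the pre-fix behaviour: the bitmap is left untouched at init. */
static void chunk_init_without_clearing(Chunk *c) { c->gc_has_run = 0; }

/* Fixed behaviour: clear the mark bits so any reader that runs before
 * the first GC sees a defined (all unmarked) state. */
static void chunk_init(Chunk *c) {
    memset(c->markbits, 0, sizeof c->markbits);
    c->gc_has_run = 0;
}

/* What a cycle-collector-style reader asks of a cell. */
static int is_marked(const Chunk *c, unsigned cell) {
    return (c->markbits[cell / 8] >> (cell % 8)) & 1;
}

/* Simulate an allocator handing back memory that a previous user left
 * full of stale bytes (0xFF is a constructed stand-in for "garbage"). */
static Chunk *alloc_chunk_from_recycled_memory(void) {
    Chunk *c = malloc(sizeof *c);
    if (c) memset(c, 0xFF, sizeof *c);
    return c;
}

/* Returns how many cells a pre-GC reader would treat as marked.
 * With clear_bits == 0 the stale bytes leak through as mark state. */
int marked_cells_after_init(int clear_bits) {
    Chunk *c = alloc_chunk_from_recycled_memory();
    if (!c) return -1;
    if (clear_bits) chunk_init(c); else chunk_init_without_clearing(c);
    int n = 0;
    for (unsigned i = 0; i < CELLS; i++) n += is_marked(c, i);
    free(c);
    return n;
}
```

Real allocators do not reliably return 0xFF-filled memory; the point is that without the clearing step the result depends on whatever the previous occupant left behind.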

Comment 1

6 years ago
Comment on attachment 558637
initialize mark bits in Chunk::init

Approved for mozilla-beta and mozilla-aurora. If there are any issues we'll back it out. Please land by early tomorrow.
Attachment #558637 - Flags: approval-mozilla-beta?
Attachment #558637 - Flags: approval-mozilla-beta+
Attachment #558637 - Flags: approval-mozilla-aurora?
Attachment #558637 - Flags: approval-mozilla-aurora+
(Reporter)

Comment 2

6 years ago
I'll land this on beta tonight.
Assignee: general → respindola
(Reporter)

Comment 3

6 years ago
http://hg.mozilla.org/releases/mozilla-beta/rev/7b67433ffa2f
status-firefox7: --- → fixed
status-firefox9: --- → fixed
(Reporter)

Comment 4

6 years ago
http://hg.mozilla.org/releases/mozilla-aurora/rev/abcf25487703
status-firefox8: --- → fixed
(Reporter)

Updated

6 years ago
Status: NEW → RESOLVED
Last Resolved: 6 years ago
Resolution: --- → FIXED
(Reporter)

Updated

6 years ago
Target Milestone: --- → mozilla7
Whiteboard: [qa-]