Closed
Bug 685007
Opened 13 years ago
Closed 13 years ago
initialize mark bits in Chunk::init
Categories
(Core :: JavaScript Engine, defect)
Core
JavaScript Engine
Tracking
()
RESOLVED
FIXED
mozilla7
People
(Reporter: mccr8, Assigned: espindola)
References
Details
(Whiteboard: [qa-])
Attachments
(1 file)
699 bytes,
patch
|
mccr8
:
review+
christian
:
approval-mozilla-aurora+
christian
:
approval-mozilla-beta+
|
Details | Diff | Splinter Review |
In Bug 673017, Rafael found that uninitialized mark bits were being read by xpc_UnmarkGrayObject. He has a patch for it. This bug is mostly just so I can nominate that patch for Aurora and Beta.
The general problem is that xpc_UnmarkGrayObject and the cycle collector proper rely on mark bits being valid, but the bits are uninitialized from when a chunk is allocated until garbage collection is run. One specific case of this, chunks allocated from startup being examined by the CC before the GC has a chance to run, is explicitly handled by checking if the GC has run when the CC starts up, and running the GC if not. This does not handle everything.
Aside from the case Rafael found, one troubling possibility is that a chunk can be allocated at some point after the first GC, then have objects allocated in it, then the CC runs and examines those objects, all before the GC runs. It will be reading random uninitialized mark bits, which I think this has the potential for causing things to be freed when they shouldn't be.
Bill found that this didn't have any noticeable performance impact.
I've attached Rafael's patch as committed to m-c: http://hg.mozilla.org/mozilla-central/rev/f092ce58bc20
Attachment #558637 -
Flags: review+
Attachment #558637 -
Flags: approval-mozilla-beta?
Attachment #558637 -
Flags: approval-mozilla-aurora?
Comment on attachment 558637 [details] [diff] [review]
initialize mark bits in Chunk::init
Approved for mozilla-beta and mozilla-aurora. If there are any issues we'll back it out. Please land by early tomorrow.
Attachment #558637 -
Flags: approval-mozilla-beta?
Attachment #558637 -
Flags: approval-mozilla-beta+
Attachment #558637 -
Flags: approval-mozilla-aurora?
Attachment #558637 -
Flags: approval-mozilla-aurora+
Reporter | ||
Comment 3•13 years ago
|
||
status-firefox7:
--- → fixed
status-firefox9:
--- → fixed
Reporter | ||
Comment 4•13 years ago
|
||
status-firefox8:
--- → fixed
Reporter | ||
Updated•13 years ago
|
Status: NEW → RESOLVED
Closed: 13 years ago
Resolution: --- → FIXED
Reporter | ||
Updated•13 years ago
|
Target Milestone: --- → mozilla7
You need to log in
before you can comment on or make changes to this bug.
Description
•