Created attachment 558637 [details] [diff] [review] initialize mark bits in Chunk::init In Bug 673017, Rafael found that uninitialized mark bits were being read by xpc_UnmarkGrayObject. He has a patch for it. This bug is mostly just so I can nominate that patch for Aurora and Beta. The general problem is that xpc_UnmarkGrayObject and the cycle collector proper rely on mark bits being valid, but the bits are uninitialized from when a chunk is allocated until garbage collection is run. One specific case of this, chunks allocated from startup being examined by the CC before the GC has a chance to run, is explicitly handled by checking if the GC has run when the CC starts up, and running the GC if not. This does not handle everything. Aside from the case Rafael found, one troubling possibility is that a chunk can be allocated at some point after the first GC, then have objects allocated in it, then the CC runs and examines those objects, all before the GC runs. It will be reading random uninitialized mark bits, which I think this has the potential for causing things to be freed when they shouldn't be. Bill found that this didn't have any noticeable performance impact. I've attached Rafael's patch as committed to m-c: http://hg.mozilla.org/mozilla-central/rev/f092ce58bc20
Comment on attachment 558637 [details] [diff] [review] initialize mark bits in Chunk::init Approved for mozilla-beta and mozilla-aurora. If there are any issues we'll back it out. Please land by early tomorrow.
I'll land this on beta tonight.