As a security precaution, we have turned on the setting "Require API key authentication for API requests" for everyone. If this has broken something, please contact
Last Comment Bug 711626 - GC: More barriers on object internals
: GC: More barriers on object internals
Product: Core
Classification: Components
Component: JavaScript Engine (show other bugs)
: Trunk
: All All
: -- normal (vote)
: mozilla12
Assigned To: Terrence Cole [:terrence]
: Jason Orendorff [:jorendorff]
Depends on:
Blocks: 673454
  Show dependency treegraph
Reported: 2011-12-16 14:48 PST by Terrence Cole [:terrence]
Modified: 2011-12-29 03:34 PST (History)
2 users (show)
See Also:
Crash Signature:
QA Whiteboard:
Iteration: ---
Points: ---
Has Regression Range: ---
Has STR: ---

v1: barriers on slots and elements. (6.28 KB, patch)
2011-12-16 14:48 PST, Terrence Cole [:terrence]
no flags Details | Diff | Splinter Review
v2: Uses loops everywhere. (10.16 KB, patch)
2011-12-19 17:20 PST, Terrence Cole [:terrence]
wmccloskey: review+
Details | Diff | Splinter Review
v3: With review feedback. (11.41 KB, patch)
2011-12-28 14:10 PST, Terrence Cole [:terrence]
terrence.d.cole: review+
Details | Diff | Splinter Review

Description User image Terrence Cole [:terrence] 2011-12-16 14:48:09 PST
Created attachment 582396 [details] [diff] [review]
v1: barriers on slots and elements.

This adds an "after(.*)RangeOverwritten" to match the existing "prepare(.*)RangeForOverwrite" methods and adds calls to them where needed in the object implementation to properly trigger post-write barriers.  Ironically, this undoes the changes to copyDenseArrayElements I made yesterday: this is a more general solution, applicable in more places (and probably faster as well).

This also removes the void* parameter to HeapValue::writeBarrierPost.  Unlike with the HeapPtr, HeapValue needs to know that addr has Value* type in order to deref it safely.  Because of this, we can't use the addr parameter in HeapValue::writeBarrierPost.  I added it to this patch because this is the first place we use the function directly and not through operator=.
Comment 1 User image Terrence Cole [:terrence] 2011-12-19 17:20:39 PST
Created attachment 583027 [details] [diff] [review]
v2: Uses loops everywhere.

This is quite a bit clearer.
Comment 2 User image Bill McCloskey (:billm) 2011-12-27 16:31:12 PST
Comment on attachment 583027 [details] [diff] [review]
v2: Uses loops everywhere.

Review of attachment 583027 [details] [diff] [review]:

::: js/src/jsobj.cpp
@@ +4509,5 @@
>                                           ps, fs, static_ps, static_fs, ctorp, ctorKind);
>  }
>  void
> +JSObject::initSlotRange(size_t start, const Value *vector, size_t length)

How about adding a getSlotRange method? It would use the current branching logic to generate four things:
  fixedStart, fixedEnd, slotsStart, slotsEnd
These would be returned as HeapValue** parameters.

Then the code for initSlotRange would be:
  getSlotRange(&fixedStart, &fixedEnd, &slotsStart, &slotsEnd);
  for (HeapValue *vp = fixedStart; vp != fixedEnd; vp++)
    vp->init(comp, *vector++);
  for (HeapValue *vp = slotsStart; vp != slotsEnd; vp++)
    vp->init(comp, *vector++);

And the code for copySlotRange would be similar, except that it would use set instead of init.

::: js/src/jsobj.h
@@ +702,5 @@
>      inline void prepareElementRangeForOverwrite(size_t start, size_t end);
>      /*
> +     * Initialize a flat array of slots to this object at a start slot.  The
> +     * caller must ensure that are enough slots.

Let's rewrite this. How about:
"Initialize the slots in the range [start, start+length) to values from vector. The caller must ensure that there are enough slots."
Comment 3 User image Terrence Cole [:terrence] 2011-12-28 14:10:31 PST
Created attachment 584639 [details] [diff] [review]
v3: With review feedback.

For posterity, since there was a bit of reworking needed.
Comment 4 User image Terrence Cole [:terrence] 2011-12-28 14:11:24 PST
Comment 5 User image Marco Bonardo [::mak] 2011-12-29 03:34:27 PST

Note You need to log in before you can comment on or make changes to this bug.