
GC: extra barriers in ArrayBuffer::create

RESOLVED FIXED in mozilla15

JavaScript Engine
5 years ago
5 years ago


(Reporter: terrence, Assigned: terrence)


Bug Flags:
in-testsuite -

Firefox Tracking Flags

(Not tracked)



(1 attachment, 1 obsolete attachment)
Description

5 years ago
ArrayBuffers have 16 inline slots that the typed array uses to store arbitrary data.  Out of ArrayBuffer::create we end up calling JSObject::create, which calls initializeSlotRange, which calls init() on each of the 16 inline slots.  The post barrier puts a reference to each of these in the write buffer.  The typed array code goes on to write arbitrary data to these slots.  When we GC, we attempt to figure out if these values contain a GCThing and potentially dereference the "pointers" stored there.  These contain garbage: kaboom.
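The following is an added, self-contained model of the failure described in this report and of the class-based specialization the fix takes; it is not SpiderMonkey code. Value, GCThing, Class, Object, StoreBuffer, the low-bit pointer tag and the 0xFF payload are all assumptions standing in for the engine's real types (JS::Value is NaN-boxed, not low-bit tagged). The scan checks each apparent GC pointer against a list of live allocations instead of dereferencing it, so the model counts the slots the real collector would have followed into garbage rather than crashing.

```cpp
#include <algorithm>
#include <cassert>
#include <cstddef>
#include <cstdint>
#include <cstdio>
#include <cstring>
#include <vector>

// Simplified model of the bug (not SpiderMonkey code). All types below are
// assumptions standing in for the engine's real ones.
struct alignas(8) GCThing { bool marked = false; };

struct Value {
    uint64_t bits = 0;                                  // 0 == "undefined" in this model
    bool isGCThing() const { return (bits & 1u) != 0; } // assumed low-bit pointer tag
    GCThing* toGCThing() const { return reinterpret_cast<GCThing*>(bits & ~uint64_t(1)); }
    static Value fromGCThing(GCThing* p) {
        Value v; v.bits = reinterpret_cast<uintptr_t>(p) | 1u; return v;
    }
};

struct Class { const char* name; bool slotsHoldRawData; };
static const Class PlainClass       = { "Object",      false };
static const Class ArrayBufferClass = { "ArrayBuffer", true  };

constexpr size_t kInlineSlots = 16;

struct Object {
    const Class* clasp;
    Value slots[kInlineSlots];
};

// Generational-GC store buffer: remembers slots that may hold pointers into the nursery.
struct StoreBuffer {
    std::vector<Value*> entries;
    void putSlot(Value* slot) { entries.push_back(slot); }
};

// Before the fix: every inline slot is init()ed with a post barrier regardless of class,
// so all 16 slot addresses land in the store buffer.
void initSlotsUnconditional(Object& obj, StoreBuffer& sb) {
    for (Value& v : obj.slots) { v = Value(); sb.putSlot(&v); }
}

// Modelled fix: keep the Class in a local ("clasp") and skip the barrier for classes
// whose slots hold raw bytes that can never contain GC pointers.
void initSlotsByClass(Object& obj, StoreBuffer& sb) {
    const Class* clasp = obj.clasp;
    for (Value& v : obj.slots) {
        v = Value();
        if (!clasp->slotsHoldRawData) sb.putSlot(&v);
    }
}

// Typed-array code writes arbitrary bytes straight over the inline slots.
void fillWithRawData(Object& obj, const uint8_t* data, size_t n) {
    assert(n <= sizeof(obj.slots));
    std::memcpy(obj.slots, data, n);
}

// Minor-GC scan of the store buffer. Returns how many recorded slots look like GC
// pointers but do not name a live allocation: each is a garbage dereference avoided.
size_t scanStoreBuffer(const StoreBuffer& sb, const std::vector<GCThing*>& live) {
    size_t bogus = 0;
    for (Value* slot : sb.entries) {
        if (!slot->isGCThing()) continue;
        GCThing* p = slot->toGCThing();
        if (std::find(live.begin(), live.end(), p) != live.end()) p->marked = true;
        else ++bogus;
    }
    return bogus;
}

// Constructed payload: 128 bytes of 0xFF, exactly the 16 inline slots. Every slot then
// reads as a tagged pointer to 0xFFFF...FFFE.
static const std::vector<uint8_t> kRawPayload(kInlineSlots * sizeof(Value), 0xFF);

size_t bogusPointersWithUnconditionalBarrier() {
    StoreBuffer sb; Object ab{&ArrayBufferClass, {}};
    initSlotsUnconditional(ab, sb);
    fillWithRawData(ab, kRawPayload.data(), kRawPayload.size());
    return scanStoreBuffer(sb, {});
}

size_t bogusPointersWithClassCheck() {
    StoreBuffer sb; Object ab{&ArrayBufferClass, {}};
    initSlotsByClass(ab, sb);
    fillWithRawData(ab, kRawPayload.data(), kRawPayload.size());
    return scanStoreBuffer(sb, {});
}

// An ordinary object that stores a real GC pointer must still be barriered and marked.
bool plainObjectStillMarked() {
    GCThing thing; StoreBuffer sb; Object o{&PlainClass, {}};
    initSlotsByClass(o, sb);
    o.slots[0] = Value::fromGCThing(&thing);
    std::vector<GCThing*> live{&thing};
    return scanStoreBuffer(sb, live) == 0 && thing.marked;
}

int main() {
    std::printf("unconditional barrier: %zu garbage pointers\n", bogusPointersWithUnconditionalBarrier());
    std::printf("class-checked barrier: %zu garbage pointers\n", bogusPointersWithClassCheck());
    std::printf("plain object still marked: %s\n", plainObjectStillMarked() ? "yes" : "no");
    return 0;
}
```

The point of the third function is the caveat a reviewer of such a change wants covered: skipping the barrier must be keyed on the class, not on the slot index, or ordinary objects with 16 inline slots would silently lose their post barrier.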

Comment 1

5 years ago
Created attachment 613440 [details] [diff] [review]

Simple, but ugly.  I'm not sure if it would be worth adding a special class flag for only this one case.
Attachment #613440 - Flags: review?(wmccloskey)

Comment 2

Is there any way we can do this without loading the class from the shape? Most of the callers I see already have the class in a local variable.

Comment 3

5 years ago
This code already calls shape->getObjectClass()->getPrivate() in the branch immediately above this one.  We should just store that and re-use it.

Comment 4

5 years ago
Created attachment 624446 [details] [diff] [review]
v1: Keep the Class in a shared local.

Bill, I talked this over with Waldo and sfink this morning. Slotspan is just used differently by ArrayBuffers, so it seems that doing this specialization is the right way to go for now.
Attachment #613440 - Attachment is obsolete: true
Attachment #613440 - Flags: review?(wmccloskey)
Attachment #624446 - Flags: review?(wmccloskey)

Comment 5

Comment on attachment 624446 [details] [diff] [review]
v1: Keep the Class in a shared local.

OK, but please call it clasp.
Attachment #624446 - Flags: review?(wmccloskey) → review+

Comment 6

5 years ago
Last Resolved: 5 years ago
Flags: in-testsuite-
Resolution: --- → FIXED
Target Milestone: --- → mozilla15