Closed
Bug 776159
Opened 12 years ago
Closed 12 years ago
Thread more handles through jsarray
Categories
(Core :: JavaScript Engine, defect)
Core
JavaScript Engine
Tracking
()
RESOLVED
FIXED
mozilla17
People
(Reporter: terrence, Assigned: terrence)
Details
(Whiteboard: [js:t])
Attachments
(1 file, 1 obsolete file)
14.39 KB,
patch
|
sfink
:
review+
|
Details | Diff | Splinter Review |
Steve, do these changes make sense, or am I being too aggressive?
Attachment #644519 -
Flags: review?(sphink)
Comment 1•12 years ago
|
||
Comment on attachment 644519 [details] [diff] [review] v0 Review of attachment 644519 [details] [diff] [review]: ----------------------------------------------------------------- ::: js/src/jsarray.cpp @@ +3742,5 @@ > } > } > > Rooted<GlobalObject*> parent(cx, parent_); > + RootedObject proto(cx, protoArg); Ooh, that's a good example of a tricky case. You're double-rooting proto, but I think it's probably best this way. The inner proto that you pass to FindProto definitely has to be rooted, but the parameter doesn't need to be -- looking at the callers, you're now explicitly rooting and so you could avoid one root by passing in a bare JSObject* and rooting it at the top. But I like it the way you did it better, just for the simplicity; you don't have to think it through this way. It's a good example for a rooting document.
Attachment #644519 -
Flags: review?(sphink) → review+
Comment on attachment 644519 [details] [diff] [review] v0 Review of attachment 644519 [details] [diff] [review]: ----------------------------------------------------------------- ::: js/src/jsarray.cpp @@ +3795,5 @@ > #ifdef JS_METHODJIT > JSObject * JS_FASTCALL > mjit::stubs::NewDenseUnallocatedArray(VMFrame &f, uint32_t length) > { > + JSObject *obj = NewArray<false>(f.cx, length, HandleObject::fromMarkedLocation((JSObject **)&f.scratch)); Is this safe? f.scratch is not a marked location, as far as I can tell.
Assignee | ||
Comment 3•12 years ago
|
||
Steve, I've updated this to use RawObject, and I think it's better overall now. I do want a second opinion, however, so I'm re-requesting. (In reply to Bill McCloskey (:billm) from comment #2) > HandleObject::fromMarkedLocation((JSObject **)&f.scratch)); > > Is this safe? f.scratch is not a marked location, as far as I can tell. I assumed wrong. Do we need these to be marked through for moving GC?
Assignee: general → terrence
Attachment #644519 -
Attachment is obsolete: true
Status: NEW → ASSIGNED
Attachment #645010 -
Flags: review?(sphink)
Updated•12 years ago
|
Whiteboard: [js:t]
Comment 4•12 years ago
|
||
Comment on attachment 645010 [details] [diff] [review] v1 Review of attachment 645010 [details] [diff] [review]: ----------------------------------------------------------------- Sorry about missing the f.scratch thing earlier; I made the wrong assumption too. I see now that it is a void* slot. Unfortunately, it seems to be used to store things like argc at times, so we can't just change it to a gc::Cell* and trace it. ::: js/src/jsarray.cpp @@ +3683,5 @@ > } > > Rooted<GlobalObject*> parent(cx, parent_); > + RootedObject proto(cx, protoArg); > + PoisonPtr(reinterpret_cast<uintptr_t *>(protoArg)); Ooh, we should fix that. The reinterpret_cast kind of defeats the purpose, since this is mainly for documentation. Would it work to just declare PoisonPtr as taking a void*, or do we need to templafuscate it?
Attachment #645010 -
Flags: review?(sphink) → review+
Assignee | ||
Comment 5•12 years ago
|
||
Making PoisonPtr take a void* worked like a charm: https://hg.mozilla.org/integration/mozilla-inbound/rev/b6291bb72294
Comment 6•12 years ago
|
||
https://hg.mozilla.org/mozilla-central/rev/b6291bb72294
Status: ASSIGNED → RESOLVED
Closed: 12 years ago
Resolution: --- → FIXED
Target Milestone: --- → mozilla17
You need to log in
before you can comment on or make changes to this bug.
Description
•