Closed Bug 780653 Opened 9 years ago Closed 9 years ago

CellIter on shapes/types is empty during incremental sweeping

Categories

(Core :: JavaScript Engine, defect)

Other Branch
x86
macOS
defect
Not set
normal

RESOLVED FIXED
mozilla17

People

(Reporter: bhackett1024, Assigned: billm)

Attachments

(1 file)

This seems to be causing a crash with the patch in bug 778724.  If I iterate over all type objects in a compartment outside of a GC, sometimes the iteration turns up empty (there are several hundred types in the compartment).

If I break in gdb at a point where the iteration is empty, I see in cx->compartment->arenas that the freeLists and arenaLists for FINALIZE_TYPE_OBJECT are both empty, but that arenaListsToSweep[FINALIZE_TYPE_OBJECT] is non-NULL but ignored by CellIter.  cx->runtime->gcIncrementalState is SWEEP.

I'm guessing this is due to bug 729760.
Attached patch: patch
I think this should fix the problem. I need to work on a testcase, though.
Assignee: general → wmccloskey
Status: NEW → ASSIGNED
Attachment #649407 - Flags: review?(jcoppeard)
Comment on attachment 649407
patch

Review of attachment 649407:
-----------------------------------------------------------------

Ah yes, I didn't think of that.

Cheers for fixing this. The patch looks fine; the only problem might be that we are handing out references to objects that are about to be finalized, so hopefully CellIter is not used in a way that will cause any of these to become live again.
Attachment #649407 - Flags: review?(jcoppeard) → review+
https://hg.mozilla.org/mozilla-central/rev/61037dd2fc68
Status: ASSIGNED → RESOLVED
Closed: 9 years ago
Resolution: --- → FIXED
Target Milestone: --- → mozilla17
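
A simplified model of the failure discussed in this bug, added here as an illustration; it is not SpiderMonkey source and not the attached patch. Only the names `arenaLists`, `arenaListsToSweep` and the SWEEP state come from the report; the types, the functions, and the assumption that entering the sweep phase moves arenas onto the to-sweep list are hypothetical.

```cpp
#include <utility>
#include <vector>

// Simplified model, not SpiderMonkey source: only the names arenaLists,
// arenaListsToSweep and the SWEEP state are taken from the bug report.
enum class GCState { NoIncremental, Sweep };
struct Cell { int id; bool marked; };       // marked == survives this GC
using Arena = std::vector<Cell>;

struct Compartment {
    std::vector<Arena> arenaLists;          // arenas available to the mutator
    std::vector<Arena> arenaListsToSweep;   // arenas queued for sweeping
    GCState state = GCState::NoIncremental;
    // Assumption: entering SWEEP moves every arena onto the to-sweep list.
    void beginSweep() {
        state = GCState::Sweep;
        for (Arena &a : arenaLists) arenaListsToSweep.push_back(std::move(a));
        arenaLists.clear();
    }
    // One sweep slice: finalize unmarked cells of one arena, hand it back.
    void sweepSlice() {
        if (arenaListsToSweep.empty()) { state = GCState::NoIncremental; return; }
        Arena a = std::move(arenaListsToSweep.back());
        arenaListsToSweep.pop_back();
        Arena live;
        for (const Cell &c : a) if (c.marked) live.push_back(c);
        arenaLists.push_back(std::move(live));
        if (arenaListsToSweep.empty()) state = GCState::NoIncremental;
    }
};
// Iterator as described in the report: it never looks at arenaListsToSweep.
std::vector<Cell> iterateIgnoringToSweep(const Compartment &c) {
    std::vector<Cell> out;
    for (const Arena &a : c.arenaLists) out.insert(out.end(), a.begin(), a.end());
    return out;
}
// Iterator that also walks the to-sweep list. It returns unmarked cells that
// are about to be finalized, so callers must not store them anywhere live.
std::vector<Cell> iterateIncludingToSweep(const Compartment &c) {
    std::vector<Cell> out = iterateIgnoringToSweep(c);
    for (const Arena &a : c.arenaListsToSweep) out.insert(out.end(), a.begin(), a.end());
    return out;
}
// Constructed sample: two arenas, four cells, one of them dead (id 3).
Compartment sampleCompartment() {
    Compartment c;
    c.arenaLists = { { {1, true}, {2, true} }, { {3, false}, {4, true} } };
    return c;
}
```

Between `beginSweep()` and the first `sweepSlice()`, the first iterator sees zero cells while the second sees all four, including the unmarked one that the next slice will finalize.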