Bug 780653 - CellIter on shapes/types is empty during incremental sweeping
Status: RESOLVED FIXED
Product: Core
Classification: Components
Component: JavaScript Engine
Version: Other Branch
Platform: x86 Mac OS X
Importance: -- normal
Target Milestone: mozilla17
Assigned To: Bill McCloskey (:billm)
: Jason Orendorff [:jorendorff]
Mentors:
Depends on:
Blocks: 729760 778724
Reported: 2012-08-06 10:25 PDT by Brian Hackett (:bhackett)
Modified: 2012-08-09 19:57 PDT


Attachments
patch (6.16 KB, patch)
2012-08-06 14:01 PDT, Bill McCloskey (:billm)
jcoppeard: review+

Description Brian Hackett (:bhackett) 2012-08-06 10:25:51 PDT
This seems to be causing a crash with the patch in bug 778724.  If I iterate over all type objects in a compartment outside of a GC, sometimes the iteration turns up empty (there are several hundred types in the compartment).

If I break in gdb at a point where the iteration is empty, I see in cx->compartment->arenas that the freeLists and arenaLists for FINALIZE_TYPE_OBJECT are both empty, but that arenaListsToSweep[FINALIZE_TYPE_OBJECT] is non-NULL but ignored by CellIter.  cx->runtime->gcIncrementalState is SWEEP.

I'm guessing this is due to bug 729760.
Comment 1 Bill McCloskey (:billm) 2012-08-06 14:01:31 PDT
Created attachment 649407
patch

I think this should fix the problem. I need to work on a testcase, though.
Comment 2 Jon Coppeard (:jonco) 2012-08-07 09:28:00 PDT
Comment on attachment 649407
patch

Review of attachment 649407:
-----------------------------------------------------------------

Ah yes, I didn't think of that.

Cheers for fixing this.  The patch looks fine, the only problem might be that we are handing out references to objects that are about to be finalized so hopefully CellIter is not used in a way that will cause any of these to become live again.
Comment 4 Ryan VanderMeulen [:RyanVM] 2012-08-09 19:57:59 PDT
https://hg.mozilla.org/mozilla-central/rev/61037dd2fc68
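
A toy C++ model of the symptom in the description and of the caveat raised in comment 2, added here as an illustration; it is not SpiderMonkey code and not the attached patch. All type and function names are hypothetical, and walking the to-sweep list is an assumed remedy inferred from comment 2, not a statement of what the patch does.

```cpp
#include <cstddef>
#include <vector>

// Toy model, not SpiderMonkey code; every name here is hypothetical.
enum class GCState { Idle, Sweep };
struct Cell { bool marked; };
using Arena = std::vector<Cell>;

struct ArenaLists {
    std::vector<Arena> arenaList;         // arenas the iterator normally walks
    std::vector<Arena> arenaListToSweep;  // queued for sweeping, not yet finalized
    GCState state = GCState::Idle;
    // Entering the sweep phase moves every arena onto the to-sweep list.
    void beginSweep() {
        arenaListToSweep.swap(arenaList);
        state = GCState::Sweep;
    }
    // One incremental slice: finalize the unmarked cells of one queued arena.
    void sweepSlice() {
        if (!arenaListToSweep.empty()) {
            Arena survivors;
            for (const Cell& c : arenaListToSweep.back())
                if (c.marked) survivors.push_back(c);
            arenaListToSweep.pop_back();
            if (!survivors.empty()) arenaList.push_back(survivors);
        }
        if (arenaListToSweep.empty()) state = GCState::Idle;
    }
};
struct IterResult { std::size_t visited = 0; std::size_t dying = 0; };

// includeToSweep=false reproduces the reported empty iteration mid-sweep.
IterResult iterateCells(const ArenaLists& al, bool includeToSweep) {
    IterResult r;
    for (const Arena& a : al.arenaList) r.visited += a.size();
    if (!includeToSweep) return r;
    for (const Arena& a : al.arenaListToSweep)
        for (const Cell& c : a) {
            ++r.visited;
            if (!c.marked) ++r.dying;  // about to be finalized; must not be revived
        }
    return r;
}

// Constructed sample: two arenas holding 3 marked and 2 unmarked cells.
ArenaLists makeSample() {
    ArenaLists al;
    al.arenaList = {Arena{Cell{true}, Cell{false}, Cell{true}}, Arena{Cell{false}, Cell{true}}};
    return al;
}
```

The `dying` count is the set of cells comment 2 is concerned about: an iterator that walks unswept arenas hands them out, so callers must treat them as read-only and never store them anywhere reachable.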
