Closed Bug 793823 Opened 12 years ago Closed 12 years ago

GC: exact rooting for Bindings

Categories

(Core :: JavaScript Engine, defect)

Product:
Core
Component:
JavaScript Engine
Type:
defect
Priority:
Not set
Severity:
normal

Tracking

()

Status:
RESOLVED FIXED
Milestone:
mozilla18

People

(Reporter: terrence, Assigned: terrence)

References

Details

(Whiteboard: [rooting-example])

Attachments

(2 files, 3 obsolete files)

v1: updated method 2
10.29 KB, patch
billm
: review+
Details | Diff | Splinter Review
v0
20.20 KB, patch
billm
: review+
Details | Diff | Splinter Review 
Bindings stores a Shape pointer and is itself stored both on the stack and on the heap.  It currently stores the Shape* as a HeapPtrShape.  This leads to a rooting problem when we store the Bindings on the stack because the exact rooting does not know about the internal Shape* in the Bindings.
Attached patch v0: templatized version (obsolete) — Splinter Review 
This approach templatizes Bindings on the underlying Shape* type.
Attachment #664186 - Flags: feedback?(wmccloskey)
Attachment #664186 - Flags: feedback?(luke)
This patch cleans up the way we do root analysis and exact rooting so that we can specialize it enough to make it possible to add a Rooted for Bindings.  I think this patch is a good enough cleanup to stand on it's own, so I've split it out.
Attachment #664191 - Flags: feedback?(wmccloskey)
Attached patch v0: Rooted<Bindings> (obsolete) — Splinter Review 
This patch implements and uses Rooted<Bindings> using the new analysis functionality.  It also solves the issue uncovered by the root analysis, but less succinctly: since the internal pointer is still a HeapPtr stored on the stack, we have to be careful to ensure correct ordering between operator-> and operator= when assigning to it from a fallible method so that we do not corrupt the HeapPtr's |this| during operator=.
Attachment #664192 - Flags: feedback?(wmccloskey)
Attachment #664192 - Flags: feedback?(luke)
Comment on attachment 664186 [details] [diff] [review]
v0: templatized version

Review of attachment 664186 [details] [diff] [review]:
-----------------------------------------------------------------

::: js/src/jsscript.h
@@ +215,5 @@
>  
>      void trace(JSTracer *trc);
>  };
>  
> +typedef InternalHandle<BindingsBase<js::HeapPtrShape>*> HeapBindingsHandle;

Could you call this InternalBindingsHandle?

@@ +216,5 @@
>      void trace(JSTracer *trc);
>  };
>  
> +typedef InternalHandle<BindingsBase<js::HeapPtrShape>*> HeapBindingsHandle;
> +typedef InternalHandle<BindingsBase<RootedShape>*> StackBindingsHandle;

If I understand InternalHandle correctly, I don't think it would ever make sense to have a StackBindingsHandle.

::: js/src/vm/ScopeObject.cpp
@@ +1122,5 @@
>              JSScript *script = callobj.callee().script();
>              if (!script->ensureHasTypes(cx))
>                  return false;
>  
> +            HeapBindings &bindings = script->bindings;

Could you make this an InterbalHeapBindingsHandle instead? It seems safer.
Attachment #664186 - Flags: feedback?(wmccloskey) → feedback+
Comment on attachment 664191 [details] [diff] [review]
v0: templatize root analysis APIs

Review of attachment 664191 [details] [diff] [review]:
-----------------------------------------------------------------

I'd rather not do this. It just seems to add more indirection that we don't actually need.
Attachment #664191 - Flags: feedback?(wmccloskey) → feedback-
Comment on attachment 664192 [details] [diff] [review]
v0: Rooted<Bindings>

Review of attachment 664192 [details] [diff] [review]:
-----------------------------------------------------------------

I guess this is okay, except for the bits that overlap with the previous patch.
Attachment #664192 - Flags: feedback?(wmccloskey) → feedback+
Attachment #664186 - Flags: feedback?(luke)
Attachment #664192 - Flags: feedback?(luke)
I realized when updating the exact marking code that I forgot to update it when I added rooters to the runtime, so I folded that change in as well.
Attachment #664186 - Attachment is obsolete: true
Attachment #664191 - Attachment is obsolete: true
Attachment #664192 - Attachment is obsolete: true
Attachment #664278 - Flags: review?(wmccloskey)
Attachment #664278 - Flags: review?(wmccloskey) → review+
Attached patch v0Splinter Review 
Currently, BindingIter stores a Bindings*: this is sometimes a pointer into a JSScript, which causes the analysis to poison it.  This patch straightforwardly replaces this Bindings* with an InternalBindingsHandle.
Attachment #665177 - Flags: review?(wmccloskey)
Comment on attachment 665177 [details] [diff] [review]
v0

Review of attachment 665177 [details] [diff] [review]:
-----------------------------------------------------------------

::: js/src/jsanalyze.cpp
@@ +141,5 @@
>      bool allVarsAliased = script->compartment()->debugMode();
>      bool allArgsAliased = allVarsAliased || script->argumentsHasVarBinding();
>  
> +    RootedScript script_(cx, script);
> +    for (BindingIter bi(script_); bi; bi++) {

It looks like Nick changed this recently, and you can just use the script_ field directly without need for the rooted.

::: js/src/jsscript.cpp
@@ +267,1 @@
>      for (BindingIter bi(bindings); bi; bi++) {

It seems like you could just pass fromScript into the bi constructor.
Attachment #665177 - Flags: review?(wmccloskey) → review+
Whiteboard: [leave-open]
https://hg.mozilla.org/mozilla-central/rev/7cdce684b523
https://hg.mozilla.org/mozilla-central/rev/c2c611cc8df4
Status: ASSIGNED → RESOLVED
Closed: 12 years ago
Resolution: --- → FIXED
Target Milestone: --- → mozilla18
Whiteboard: [rooting-example]
You need to log in before you can comment on or make changes to this bug.

Attachment

General

Creator:
Created:
Updated:
Size: