Closed Bug 841054 Opened 11 years ago Closed 11 years ago

GC: Exactly root ScriptFrameIter

Categories

(Core :: JavaScript Engine, defect)

Product:
Core
Component:
JavaScript Engine
Type:
defect
Priority:
Not set
Severity:
normal

Tracking

()

Status:
RESOLVED FIXED
Milestone:
mozilla21

People

(Reporter: terrence, Assigned: terrence)

References

Details

Attachments

(1 file)

v0
1.71 KB, patch
terrence
: review+
Details | Diff | Splinter Review 
From our exact rooting notes:
* Debugger.cpp uses ScriptFrameIter all over the place
 - inherits from StackIter, contains ion::InlineFrameIter, contains a pair of SnapshotIters which have an IonScript*
 - many uses of these are in hot code that can't GC during the iter's lifetime, and I'm not sure they all have convenient access to a cx
 - StackIter also contains a CallArgs, which contains a Value array (may not be live across GC?)
Attached patch v0Splinter Review 
Nicolas r+ed this on IRC. 

If the static analysis is using a debug build, this could be the cause of the failures. Or there may be other stuff triggering it. I'll wait for a build tomorrow morning to find out.
Attachment #713757 - Flags: review+
The static analysis does use a debug build.

By my reckoning (see https://etherpad.mozilla.org/m5VbrA00YP for details) fixing StackIter will fix 33 of the remaining 97 hazards.
> By my reckoning (see https://etherpad.mozilla.org/m5VbrA00YP for details)
> fixing StackIter will fix 33 of the remaining 97 hazards.

Holy crap, I was exactly right.  We're down to 64.  What do I win?
https://hg.mozilla.org/mozilla-central/rev/9f1436e90783
Status: ASSIGNED → RESOLVED
Closed: 11 years ago
Resolution: --- → FIXED
Target Milestone: --- → mozilla21
Depends on: 842752
You need to log in before you can comment on or make changes to this bug.

Attachment

General

Creator:
Created:
Updated:
Size: