Closed Bug 886575 Opened 12 years ago Closed 12 years ago

Fix generational GC crash on octane-gbemu

Categories

(Core :: JavaScript Engine, defect)

Product:
Core
Component:
JavaScript Engine
Type:
defect
Priority:
Not set
Severity:
normal

Tracking

()

Status:
RESOLVED FIXED
Milestone:
mozilla25

People

(Reporter: terrence, Assigned: terrence)

References

Details

(Whiteboard: [qa-])

Attachments

(1 file, 1 obsolete file)

v1: fixed after jit-test crashes
7.37 KB, patch
sfink
: review+
Details | Diff | Splinter Review
Attached patch v0 (obsolete) — Splinter Review
When we store a value into TypedArray::DATA_SLOT that is into the middle of a nursery thing, we also store a write barrier to update it at the next minor GC. If, however, we do fallback marking because the buffer overflows, we skip this barrier. For this reason, and for eventual heap compaction, we need to do the same relocation as a normal part of marking.
Attachment #766931 - Flags: review?(sphink)
Attachment #766931 - Flags: review?(sphink) → review+
The prior version crashes on 2 jittests that use DataView, because DataView does not have a trace hook. This adds the trace hook.
Attachment #766931 - Attachment is obsolete: true
Attachment #766974 - Flags: review?(sphink)
Comment on attachment 766974 [details] [diff] [review] v1: fixed after jit-test crashes Review of attachment 766974 [details] [diff] [review]: ----------------------------------------------------------------- This is fine if you file a followup bug to do the IsMarked() on NEXT_VIEW_SLOT.
Attachment #766974 - Flags: review?(sphink) → review+
I added the VIEW_SLOT weak marking in this patch. https://hg.mozilla.org/integration/mozilla-inbound/rev/866dbb8830d1
https://hg.mozilla.org/mozilla-central/rev/866dbb8830d1
Status: ASSIGNED → RESOLVED
Closed: 12 years ago
Resolution: --- → FIXED
Target Milestone: --- → mozilla25
Whiteboard: [qa-]
You need to log in before you can comment on or make changes to this bug.

Attachment

General

Creator:
Created:
Updated:
Size: