Clear NewObjectCache entries with nursery-allocated slots or elements on minor GC

RESOLVED FIXED in mozilla25

Product: Core
Component: JavaScript Engine

People

(Reporter: terrence, Assigned: terrence)

Tracking

Version: Trunk
Target Milestone: mozilla25


Attachments

(1 attachment)

Description (terrence, Assignee)

Created attachment 769069 [details] [diff] [review]
v0

We evict all live slots and elements from the nursery at minor GC: if there happens to be a reference from the cache keyed on a non-nursery thing, then this will expose freed memory to anything that uses the cached object after a minor GC.
Attachment #769069 - Flags: review?(jdemooij)
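The hazard the description names, as an added model written for this page rather than code from the patch or from SpiderMonkey: a cache keyed on a non-nursery key stores a bytewise copy of a template object, raw slots pointer included; a minor GC copies every live object's slots out of the nursery and recycles the nursery, so a lookup that hits the stale entry reads recycled memory while the object itself keeps working. The fix modelled is the one the bug title states, dropping any entry whose slots point into the nursery before eviction. The bump-allocator Nursery, the Runtime/Object/CacheEntry types, the 0x4b poison pattern and the sample key 7 are all constructed for the example; the real engine also has to check the entry's key and the object's elements, which the model omits.

```cpp
// Constructed model of the hazard in this bug (not SpiderMonkey's code): a
// cache keyed on a tenured key copies a template object, raw slots pointer
// included; minor GC moves live slots out of the nursery, so the copy dangles.
#include <cstddef>
#include <cstdint>
#include <cstring>
#include <vector>

typedef uint64_t Value;
static const Value kPoison = 0x4b4b4b4b4b4b4b4bULL; // marks recycled nursery memory

// Bump allocator standing in for the nursery.
struct Nursery {
    static const size_t kSize = 256;
    Value storage[kSize];
    size_t used;
    Nursery() : used(0) {}
    Value *allocSlots(size_t n) {
        if (used + n > kSize) return nullptr;
        Value *p = storage + used;
        used += n;
        return p;
    }
    bool contains(const void *p) const {
        return p >= static_cast<const void *>(storage) && p < static_cast<const void *>(storage + kSize);
    }
    void reset() { // nursery is reused after eviction; poison it so stale reads show
        for (size_t i = 0; i < kSize; i++) storage[i] = kPoison;
        used = 0;
    }
};

struct Object { Value *slots; size_t nslots; }; // slots start out nursery-allocated

struct CacheEntry { int key; Object templateObject; bool valid; };

struct Runtime {
    static const size_t kCacheSize = 8;
    Nursery nursery;
    std::vector<Object *> roots;   // objects live across the minor GC
    std::vector<Value *> tenured;  // evicted slot arrays, owned here
    CacheEntry cache[kCacheSize];

    Runtime() { std::memset(cache, 0, sizeof(cache)); }
    ~Runtime() {
        for (size_t i = 0; i < roots.size(); i++) delete roots[i];
        for (size_t i = 0; i < tenured.size(); i++) delete[] tenured[i];
    }
    Object *newObject(size_t n) {
        Object *obj = new Object;
        obj->slots = nursery.allocSlots(n);
        obj->nslots = n;
        for (size_t i = 0; i < n; i++) obj->slots[i] = 0;
        roots.push_back(obj);
        return obj;
    }
    void cacheTemplate(int key, const Object *obj) {
        CacheEntry &e = cache[key % kCacheSize];
        e.key = key;
        e.templateObject = *obj; // copies the raw nursery slots pointer
        e.valid = true;
    }
    const Object *lookup(int key) const {
        const CacheEntry &e = cache[key % kCacheSize];
        return (e.valid && e.key == key) ? &e.templateObject : nullptr;
    }
    // The fix: drop entries whose slots (in the real engine also elements) point into the nursery.
    void clearNurseryCacheEntries() {
        for (size_t i = 0; i < kCacheSize; i++)
            if (cache[i].valid && nursery.contains(cache[i].templateObject.slots))
                cache[i].valid = false;
    }
    // Minor GC: copy live slots to tenured memory, then recycle the nursery.
    void minorGC(bool purgeCache) {
        if (purgeCache) clearNurseryCacheEntries();
        for (size_t i = 0; i < roots.size(); i++) {
            Object *obj = roots[i];
            if (!nursery.contains(obj->slots)) continue;
            Value *t = new Value[obj->nslots];
            std::memcpy(t, obj->slots, obj->nslots * sizeof(Value));
            tenured.push_back(t);
            obj->slots = t;
        }
        nursery.reset();
    }
};

struct Outcome { bool cacheHit; Value viaObject; Value viaCache; };

// Cache an object whose slot 0 holds 42, run a minor GC, then read slot 0
// through the live object and through the cached template.
static Outcome runScenario(bool purgeCache) {
    Runtime rt;
    Object *obj = rt.newObject(4);
    obj->slots[0] = 42;
    rt.cacheTemplate(7, obj);
    rt.minorGC(purgeCache);
    Outcome out = { false, obj->slots[0], 0 };
    const Object *cached = rt.lookup(7);
    if (cached) { out.cacheHit = true; out.viaCache = cached->slots[0]; }
    return out;
}

bool  cacheHitAfterGC(bool purge)    { return runScenario(purge).cacheHit; }
Value objectSlot0AfterGC(bool purge) { return runScenario(purge).viaObject; }
Value cachedSlot0AfterGC(bool purge) { return runScenario(purge).viaCache; }
```

Without the purge the cached template still hits and its slot 0 reads back the poison pattern, while the live object reads 42 from its tenured copy; with the purge the lookup misses and the caller falls back to allocating a fresh object. The purge runs before eviction because the check is a pointer-range test against the nursery, and the stale pointer is the thing being looked for.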
Comment (jdemooij)

Review of attachment 769069 [details] [diff] [review] (v0):

Makes sense.
Attachment #769069 - Flags: review?(jdemooij) → review+
https://hg.mozilla.org/mozilla-central/rev/cbbd90120ca7
Status: ASSIGNED → RESOLVED
Last Resolved: 5 years ago
Resolution: --- → FIXED
Target Milestone: --- → mozilla25