GC: StoreBuffer::CellPtrEdge::mark() assumes edge is an object pointer

RESOLVED FIXED in mozilla26

Status: RESOLVED FIXED (reported 5 years ago, last modified 3 years ago)
Product: Core
Component: JavaScript Engine
Reporter: jonco; Assigned: jonco
Version: unspecified
Target Milestone: mozilla26
Points: ---
Firefox Tracking Flags: (Not tracked)
Attachments: 1 attachment, 1 obsolete attachment

Description (Assignee, 5 years ago)
Created attachment 788177 [details] [diff] [review]
browser-ggc

I guess this doesn't get exercised in the shell, but StoreBuffer::bufferRelocCell can contain e.g. JSScript edges added from heap post barriers.
Attachment #788177 - Flags: review?(terrence)
Comment 1

Comment on attachment 788177 [details] [diff] [review]
browser-ggc

Review of attachment 788177 [details] [diff] [review]:
-----------------------------------------------------------------

As we discussed on IRC this morning, this is a bug I introduced when I moved the filtering of store buffer entries to happen at insertion time. The right solution here is to add checks similar to the ones on putCell, putValue, etc. in {put|remove}Relocatable{Cell|Value}.
Attachment #788177 - Flags: review?(terrence)
Blocks: 673454
Comment 2 (Assignee, 5 years ago)
Created attachment 789653 [details] [diff] [review]
store-buffer-check

Fix as described in comment 1.

However, we also need to ensure that when removing edges from the store buffer we don't overwrite the value first, otherwise with the new check the edge will not be removed.
Attachment #788177 - Attachment is obsolete: true
Attachment #789653 - Flags: review?(wmccloskey)
Attachment #789653 - Flags: review?(wmccloskey) → review+
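The two points raised above, as an added example that is not SpiderMonkey's code: comment 1's insertion-time filter (an edge is recorded only if its target is a nursery cell) and comment 2's ordering rule (the same check runs on removal, so the slot must be removed before it is overwritten). The toy store buffer below mirrors both. The names Cell, CellPtrEdge, StoreBuffer and the filterAtInsert switch are assumptions made for the illustration; the engine's real types and barriers differ.

```cpp
// Added example (not SpiderMonkey's code): a toy generational store buffer
// whose insertion-time check is mirrored on removal, so that the removal
// ordering from comment 2 can be observed directly.
#include <cstddef>
#include <unordered_set>

struct Cell {
    bool inNursery;   // true while the cell lives in the young generation
};

// A relocatable edge is the address of a slot holding a Cell*. The slot itself
// may move, so the buffer records the slot address rather than the cell.
using CellPtrEdge = Cell**;

struct StoreBuffer {
    // When true, entries are filtered at insertion time (the fix described in
    // comment 1); when false, every edge handed to the buffer is recorded.
    bool filterAtInsert;
    std::unordered_set<CellPtrEdge> relocCells;

    explicit StoreBuffer(bool filter) : filterAtInsert(filter) {}

    // The insertion-time check: only an edge whose current target is a
    // nursery cell needs to be in the buffer.
    static bool isNurseryEdge(CellPtrEdge edge) {
        return *edge != nullptr && (*edge)->inNursery;
    }

    void putRelocatableCell(CellPtrEdge edge) {
        if (!filterAtInsert || isNurseryEdge(edge))
            relocCells.insert(edge);
    }

    // The same check guards removal. This is why the ordering in comment 2
    // matters: if the slot was already overwritten with a tenured pointer,
    // the check fails and the stale entry stays in the buffer.
    void removeRelocatableCell(CellPtrEdge edge) {
        if (!filterAtInsert || isNurseryEdge(edge))
            relocCells.erase(edge);
    }

    std::size_t size() const { return relocCells.size(); }

    // Entries whose target is not a nursery cell. A mark() that assumes every
    // entry points at a nursery object would mishandle exactly these.
    std::size_t nonNurseryEntries() const {
        std::size_t n = 0;
        for (CellPtrEdge e : relocCells)
            if (!isNurseryEdge(e)) ++n;
        return n;
    }
};

// Scenario 1: without the insertion check, a tenured edge lands in the buffer.
std::size_t unfilteredBufferKeepsTenuredEdge() {
    Cell tenured{false};
    Cell* slot = &tenured;
    StoreBuffer sb(false);
    sb.putRelocatableCell(&slot);
    return sb.nonNurseryEntries();   // 1
}

// Scenario 2: with the insertion check, the same edge is filtered out.
std::size_t filteredBufferRejectsTenuredEdge() {
    Cell tenured{false};
    Cell* slot = &tenured;
    StoreBuffer sb(true);
    sb.putRelocatableCell(&slot);
    return sb.size();   // 0
}

// Scenario 3: overwriting the slot before removing the edge leaves a stale entry.
std::size_t overwriteBeforeRemoveLeavesStaleEntry() {
    Cell young{true}, tenured{false};
    Cell* slot = &young;
    StoreBuffer sb(true);
    sb.putRelocatableCell(&slot);      // recorded: target is in the nursery
    slot = &tenured;                   // value overwritten first...
    sb.removeRelocatableCell(&slot);   // ...so the check fails and nothing is erased
    return sb.size();   // 1
}

// Scenario 4: remove first, then overwrite, and the buffer ends up clean.
std::size_t removeBeforeOverwriteIsClean() {
    Cell young{true}, tenured{false};
    Cell* slot = &young;
    StoreBuffer sb(true);
    sb.putRelocatableCell(&slot);
    sb.removeRelocatableCell(&slot);   // check still sees the nursery target
    slot = &tenured;
    return sb.size();   // 0
}
```

Scenario 3 is the stale-entry case: the buffer still holds a slot address whose target is now tenured, which is the kind of entry a nursery-only mark() is not prepared for. Scenario 4 shows the ordering comment 2 asks for.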

Comment 4 (5 years ago)
https://hg.mozilla.org/mozilla-central/rev/e84ced5321be
Status: ASSIGNED → RESOLVED
Last Resolved: 5 years ago
Resolution: --- → FIXED
Target Milestone: --- → mozilla26