Closed Bug 935903 Opened 11 years ago Closed 11 years ago

GC: SharedScriptData is not unmarked if a collection is reset

Categories

(Core :: JavaScript Engine, defect)

Product:
Core
Component:
JavaScript Engine
Type:
defect
Priority:
Not set
Severity:
normal

Tracking

()

Status:
RESOLVED FIXED
Milestone:
mozilla28
Tracking Flags:
Tracking Status
firefox26 --- fixed
firefox27 --- fixed
firefox28 --- fixed
b2g-v1.2 --- fixed

People

(Reporter: jonco, Assigned: jonco)

References

Details

(Whiteboard: [qa-])

Attachments

(1 file)

unmark-shared-script-data
2.86 KB, patch
billm
: review+
lsblakk
: approval-mozilla-aurora+
lsblakk
: approval-mozilla-beta+
Details | Diff | Splinter Review
SharedScriptData has a 'marked' flag which is set indirectly from JSScript::markChildren() and cleared from js::SweepScriptData(). These objects are only marked in a full GC. Unfortunately SweepScriptData() is not called if the collection is reset, or if what started as a full GC becomes a non-full GC. So this could lead to SharedScriptData being retained longer than the scripts they reference. I don't know if this is responsible for bug 931251, but it should be fixed. The simplest solution is to unmark the SharedScriptData objects at the start of a full GC.
Attachment #828565 - Flags: review?(wmccloskey)
Comment on attachment 828565 [details] [diff] [review] unmark-shared-script-data Review of attachment 828565 [details] [diff] [review]: ----------------------------------------------------------------- Nice catch.
Attachment #828565 - Flags: review?(wmccloskey) → review+
Blocks: 931251
https://hg.mozilla.org/mozilla-central/rev/264184ace1e1
Status: NEW → RESOLVED
Closed: 11 years ago
Resolution: --- → FIXED
Target Milestone: --- → mozilla28
Comment on attachment 828565 [details] [diff] [review] unmark-shared-script-data [Approval Request Comment] Bug caused by (feature/regressing bug #): bug 679940 User impact if declined: unclear, this is a long-shot attempt to fix the unreproducible top-crash in bug 931251. See bug 931251, comment 10 for some details. Testing completed (on m-c, etc.): yes Risk to taking this patch (and alternatives if risky): extremely low. The patch fixes a bug and doesn't otherwise change any behavior. Applies cleanly and builds the js shell on beta and aurora. String or IDL/UUID changes made by this patch: n/a
Attachment #828565 - Flags: approval-mozilla-beta?
Attachment #828565 - Flags: approval-mozilla-aurora?
Attachment #828565 - Flags: approval-mozilla-beta?
Attachment #828565 - Flags: approval-mozilla-beta+
Attachment #828565 - Flags: approval-mozilla-aurora?
Attachment #828565 - Flags: approval-mozilla-aurora+
I don't think this needs QA verification. If anyone thinks that's a mistake please remove the [qa-] whiteboard tag and add the verifyme keyword.
Whiteboard: [qa-]
You need to log in before you can comment on or make changes to this bug.

Attachment

General

Creator:
Created:
Updated:
Size: