Closed
Bug 943827
Opened 11 years ago
Closed 11 years ago
GC: Out of memory memory handling for buffering gray roots is broken
Categories
(Core :: JavaScript Engine, defect)
RESOLVED
FIXED
mozilla28
People
(Reporter: jonco, Assigned: jonco)
Details
(Whiteboard: [qa-])
Attachments
(1 file)
9.33 KB, patch | billm: review+
If appending a gray root fails, GCMarker::appendGrayRoot() sets grayFailed to true and calls resetBufferedGrayRoots(), which sets it back to false again. This means that on OOM some gray roots will silently be lost. I found this while investigating bug 937903, although I don't think it's related to that crash.
Comment 1•11 years ago
Here's a patch that fixes this. It removes the use of the gray root buffer for non-incremental collections, so we actually exercise this code path. Doing this showed up several points where we would have returned part way through a collection even though we were supposed to have completed everything in a single slice, so these are fixed too. Also I added asserts that the gray root pointers we are passed are non-null.
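The failure mode in the description (a failure flag that is cleared by the reset routine it triggers) and the fallback described in comment 1 (marking gray roots without the buffer) can be seen in a small model. The following C++ is an added illustration, not SpiderMonkey code or the patch attached to this bug: the GrayRootBuffer type, its capacity limit standing in for OOM, and the sticky-flag fix are all assumptions made for the example.

```cpp
// Added example (not SpiderMonkey code): a minimal gray-root buffer whose
// append can fail, showing why clearing the failure flag inside reset()
// loses the OOM signal, and a variant where the flag stays set until the
// consumer falls back to unbuffered marking.
#include <cstddef>
#include <cstdio>
#include <vector>

struct Thing { int id; };

struct GrayRootBuffer {
    std::vector<Thing*> roots;
    size_t capacity;           // constructed limit that stands in for "out of memory"
    bool grayFailed = false;

    explicit GrayRootBuffer(size_t cap) : capacity(cap) {}

    // Buggy pattern (models the bug report): on failure, set grayFailed and
    // immediately reset, which clears the flag again, so the failure is forgotten.
    void appendBuggy(Thing* t) {
        if (roots.size() >= capacity) {
            grayFailed = true;
            resetBuggy();      // clears grayFailed: the OOM is now invisible
            return;
        }
        roots.push_back(t);
    }
    void resetBuggy() { roots.clear(); grayFailed = false; }

    // Assumed fix (not the project's actual patch): drop the partial buffer but
    // keep grayFailed set; only the consumer clears it after falling back.
    void appendFixed(Thing* t) {
        if (grayFailed) return;             // already failed: buffering is pointless
        if (roots.size() >= capacity) {
            grayFailed = true;
            roots.clear();                  // discard partial buffer, keep the flag
            return;
        }
        roots.push_back(t);
    }
    void resetFixed() { roots.clear(); grayFailed = false; }
};

// Consumer: mark from the buffer if buffering succeeded, otherwise walk every
// root directly (the unbuffered path). Returns the number of roots marked.
size_t markGrayRoots(GrayRootBuffer& buf, const std::vector<Thing*>& allRoots) {
    if (buf.grayFailed) {
        buf.resetFixed();
        return allRoots.size();             // fallback: nothing is lost
    }
    return buf.roots.size();
}

// Constructed sample roots, drawn from a static pool so the pointers stay valid.
std::vector<Thing*> sampleRoots(size_t n) {
    static Thing pool[16];
    std::vector<Thing*> v;
    for (size_t i = 0; i < n && i < 16; ++i) { pool[i].id = (int)i; v.push_back(&pool[i]); }
    return v;
}

size_t collectBuggy(size_t capacity, const std::vector<Thing*>& allRoots) {
    GrayRootBuffer buf(capacity);
    for (Thing* t : allRoots) buf.appendBuggy(t);
    return markGrayRoots(buf, allRoots);
}

size_t collectFixed(size_t capacity, const std::vector<Thing*>& allRoots) {
    GrayRootBuffer buf(capacity);
    for (Thing* t : allRoots) buf.appendFixed(t);
    return markGrayRoots(buf, allRoots);
}

int main() {
    // Four roots, room for two: the buggy buffer reports success with 1 root
    // marked and silently drops the rest; the fixed one falls back and marks all 4.
    std::printf("buggy: %zu of 4 marked\n", collectBuggy(2, sampleRoots(4)));
    std::printf("fixed: %zu of 4 marked\n", collectFixed(2, sampleRoots(4)));
    return 0;
}
```

With a capacity of 2 and four roots, the buggy variant ends with grayFailed == false and a single buffered root, so the consumer trusts the buffer and three roots are never marked gray; the fixed variant reports the failure and the consumer marks all four directly. That is the same reason comment 1 routes non-incremental collections through the unbuffered path: it exercises the fallback that the lost flag had been hiding.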
Attachment #8339293 -
Flags: review?(wmccloskey)
Comment on attachment 8339293 [details] [diff] [review] gray-work Review of attachment 8339293 [details] [diff] [review]: ----------------------------------------------------------------- Thanks. This code has always worried me. ::: js/src/gc/Marking.cpp @@ -150,5 @@ > JS_ASSERT_IF(rt->gcStrictCompartmentChecking, > thing->zone()->isCollecting() || rt->isAtomsZone(thing->zone())); > > JS_ASSERT_IF(IS_GC_MARKING_TRACER(trc) && AsGCMarker(trc)->getMarkColor() == GRAY, > - thing->zone()->isGCMarkingGray() || rt->isAtomsZone(thing->zone())); Why this change?
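Review bot: The `-` line in the js/src/gc/Marking.cpp hunk removes the assertion that a thing being marked gray lives in a zone satisfying `isGCMarkingGray()` (or is in the atoms zone), and the quoted context shows no replacement, so after this change nothing asserts that gray marking never touches a zone that is currently being marked black. If the intent is only to permit gray marking in zones that are not being collected, a narrower assertion that still rejects the marking-black case would keep that guard; the reason for dropping the check also belongs in a comment next to the remaining `JS_ASSERT_IF` or in the commit message.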
Attachment #8339293 -
Flags: review?(wmccloskey) → review+
Comment 3•11 years ago
(In reply to Bill McCloskey (:billm) from comment #2) That change is because it's ok to try and mark something gray in a compartment which is not being collected, and this happens when we mark things gray directly, without buffering. It's not ok to try and mark something gray in a compartment we're marking black because this means we've got our deferred gray marking scheme wrong.
Comment 4•11 years ago
https://hg.mozilla.org/integration/mozilla-inbound/rev/dd032c97a9a8
Comment 5•11 years ago
https://hg.mozilla.org/mozilla-central/rev/dd032c97a9a8
Status: NEW → RESOLVED
Closed: 11 years ago
Resolution: --- → FIXED
Target Milestone: --- → mozilla28
Updated•10 years ago
Whiteboard: [qa-]