Bug 650161 - Fix shell test failures caused by compacting GC r=terrence

2024-09-13 09:24:08 -07:00 · 2014-09-17 15:35:11 +01:00 · 2014-09-17 15:35:11 +01:00 · 7baed2498e
commit 7baed2498e
parent c60aa1033f
9 changed files with 35 additions and 12 deletions
--- a/js/src/gc/GCInternals.h
+++ b/js/src/gc/GCInternals.h
@ -138,7 +138,7 @@ CheckHashTablesAfterMovingGC(JSRuntime *rt);

 #ifdef JSGC_COMPACTING
 struct MovingTracer : JSTracer {
-    MovingTracer(JSRuntime *rt) : JSTracer(rt, Visit, TraceWeakMapValues) {}
+    MovingTracer(JSRuntime *rt) : JSTracer(rt, Visit, TraceWeakMapKeysValues) {}

    static void Visit(JSTracer *jstrc, void **thingp, JSGCTraceKind kind);
    static void Sweep(JSTracer *jstrc);
--- a/js/src/gc/Heap.h
+++ b/js/src/gc/Heap.h
@ -538,6 +538,8 @@ struct ArenaHeader : public JS::shadow::ArenaHeader
    inline ArenaHeader *getNextAllocDuringSweep() const;
    inline void setNextAllocDuringSweep(ArenaHeader *aheader);
    inline void unsetAllocDuringSweep();
+
+    void unmarkAll();
 };

 struct Arena
--- a/js/src/jsgc.cpp
+++ b/js/src/jsgc.cpp
@ -447,6 +447,13 @@ ArenaHeader::checkSynchronizedWithFreeList() const
 }
 #endif

+void
+ArenaHeader::unmarkAll()
+{
+    uintptr_t *word = chunk()->bitmap.arenaBits(this);
+    memset(word, 0, ArenaBitmapWords * sizeof(uintptr_t));
+}
+
 /* static */ void
 Arena::staticAsserts()
 {
@ -2483,6 +2490,9 @@ GCRuntime::releaseRelocatedArenas(ArenaHeader *relocatedList)
        ArenaHeader *aheader = relocatedList;
        relocatedList = relocatedList->next;

+        // Clear the mark bits
+        aheader->unmarkAll();
+
        // Mark arena as empty
        AllocKind thingKind = aheader->getAllocKind();
        size_t thingSize = aheader->getThingSize();
--- a/js/src/jsgc.h
+++ b/js/src/jsgc.h
@ -726,10 +726,8 @@ class ArenaLists
            /* The background finalization must have stopped at this point. */
            JS_ASSERT(backgroundFinalizeState[i] == BFS_DONE ||
                      backgroundFinalizeState[i] == BFS_JUST_FINISHED);
-            for (ArenaHeader *aheader = arenaLists[i].head(); aheader; aheader = aheader->next) {
-                uintptr_t *word = aheader->chunk()->bitmap.arenaBits(aheader);
-                memset(word, 0, ArenaBitmapWords * sizeof(uintptr_t));
-            }
+            for (ArenaHeader *aheader = arenaLists[i].head(); aheader; aheader = aheader->next)
+                aheader->unmarkAll();
        }
    }

--- a/js/src/jsobjinlines.h
+++ b/js/src/jsobjinlines.h
@ -662,6 +662,12 @@ JSObject::finish(js::FreeOp *fop)
            fop->free_(elements);
        }
    }
+
+    // It's possible that unreachable shapes may be marked whose listp points
+    // into this object. In case this happens, null out the shape's pointer here
+    // so that a moving GC will not try to access the dead object.
+    if (shape_->listp == &shape_)
+        shape_->listp = nullptr;
 }

 /* static */ inline bool
--- a/js/src/jsweakmap.cpp
+++ b/js/src/jsweakmap.cpp
@ -71,8 +71,12 @@ WeakMapBase::unmarkCompartment(JSCompartment *c)
 void
 WeakMapBase::markAll(JSCompartment *c, JSTracer *tracer)
 {
-    for (WeakMapBase *m = c->gcWeakMapList; m; m = m->next)
-        m->markIteratively(tracer);
+    JS_ASSERT(tracer->eagerlyTraceWeakMaps() != DoNotTraceWeakMaps);
+    for (WeakMapBase *m = c->gcWeakMapList; m; m = m->next) {
+        m->trace(tracer);
+        if (m->memberOf)
+            gc::MarkObject(tracer, &m->memberOf, "memberOf");
+    }
 }

 bool
--- a/js/src/jsweakmap.h
+++ b/js/src/jsweakmap.h
@ -91,7 +91,7 @@ class WeakMapBase {
    virtual void finish() = 0;

    // Object that this weak map is part of, if any.
-    JSObject *memberOf;
+    HeapPtrObject memberOf;

    // Compartment that this weak map is part of.
    JSCompartment *compartment;
--- a/js/src/vm/RegExpObject.cpp
+++ b/js/src/vm/RegExpObject.cpp
@ -772,10 +772,13 @@ RegExpCompartment::sweep(JSRuntime *rt)
        bool keep = shared->marked() && !IsStringAboutToBeFinalized(shared->source.unsafeGet());
        for (size_t i = 0; i < ArrayLength(shared->compilationArray); i++) {
            RegExpShared::RegExpCompilation &compilation = shared->compilationArray[i];
-            if (keep && compilation.jitCode)
-                keep = !IsJitCodeAboutToBeFinalized(compilation.jitCode.unsafeGet());
+            if (compilation.jitCode &&
+                IsJitCodeAboutToBeFinalized(compilation.jitCode.unsafeGet()))
+            {
+                keep = false;
+            }
        }
-        if (keep) {
+        if (keep || rt->isHeapCompacting()) {
            shared->clearMarked();
        } else {
            js_delete(shared);
--- a/js/src/vm/RegExpObject.h
+++ b/js/src/vm/RegExpObject.h
@ -199,7 +199,7 @@ class RegExpShared
    void trace(JSTracer *trc);

    bool marked() const { return marked_; }
-    void clearMarked() { JS_ASSERT(marked_); marked_ = false; }
+    void clearMarked() { marked_ = false; }

    size_t sizeOfIncludingThis(mozilla::MallocSizeOf mallocSizeOf);
 };