Closed
Bug 948516
Opened 11 years ago
Closed 11 years ago
Add more correctness assertions to HashTable
Categories
(Core :: JavaScript Engine, defect)
Core
JavaScript Engine
Tracking
()
RESOLVED
FIXED
mozilla29
People
(Reporter: terrence, Assigned: terrence)
References
Details
(Whiteboard: [qa-])
Attachments
(1 file)
(deleted),
patch
|
luke
:
review+
|
Details | Diff | Splinter Review |
Currently, changes to HashTable::generation can only happen after bumping HashTable::mutationCount. With generational GC enabled, however, a MinorGC can change a table's generation through rekey without changing its mutationCount. Since AddPtr only checks mutationCount, this meant that we were sometimes not catching a MinorGC across the lifetime of an AddPtr, later accessing freed memory.
We could "fix" this by making generation changes also bump mutationCount, but I was worried there might be other holes I wasn't seeing. Instead, since this is all debug code, I just added full correctness assertions to all the things. With this patch we assert the correctness of mutationCount and generation in Ptr, AddPtr, Range, and Enum, hopefully preventing any further instances of this class of errors.
Attachment #8345378 -
Flags: review?(luke)
Comment 1•11 years ago
|
||
Comment on attachment 8345378 [details] [diff] [review]
add_hashtable_assertions-v0.diff
Review of attachment 8345378 [details] [diff] [review]:
-----------------------------------------------------------------
Nice! Can you wrap all the DebugOnly member variable declarations in #ifdef DEBUG? Otherwise they'll consume real space (even if it's dead) hash tables are relatively hot enough for this to matter.
Attachment #8345378 -
Flags: review?(luke) → review+
Assignee | ||
Comment 2•11 years ago
|
||
https://hg.mozilla.org/integration/mozilla-inbound/rev/70e76314c8a7
You are right, it's probably worth it to make sure Ptr fits in a word even if it is a bit uglier.
Assignee | ||
Comment 3•11 years ago
|
||
https://hg.mozilla.org/integration/mozilla-inbound/rev/1ce15dd9df2e
And backed out because apparently layout is constructing their own Ptrs(!)?
Assignee | ||
Comment 4•11 years ago
|
||
Was not able to reproduce the build bustage locally with linux-clang. Clang on mac seems to be complaining that |table| in HashTable::Ptr(HashTable &table) masks HashTable::table. O_o Likewise for the constructors of AddPtr and Range. AFAICT, clang is off it's meds.
I've renamed the argument to |tableArg| and the nested |table| to |table_| in the vague hope that clang doesn't flip out again.
https://tbpl.mozilla.org/?tree=Try&rev=14968651197b
Assignee | ||
Comment 5•11 years ago
|
||
This time with more qreffing. https://tbpl.mozilla.org/?tree=Try&rev=5ace6ce24832
Assignee | ||
Comment 6•11 years ago
|
||
Looks green on the builds that failed before, relanding:
https://hg.mozilla.org/integration/mozilla-inbound/rev/517312577287
Comment 7•11 years ago
|
||
Status: ASSIGNED → RESOLVED
Closed: 11 years ago
Resolution: --- → FIXED
Target Milestone: --- → mozilla29
Updated•11 years ago
|
Whiteboard: [qa-]
You need to log in
before you can comment on or make changes to this bug.
Description
•