RESOLVED FIXED 131634
Objective-C API external object graphs don't handle generational collection properly 
https://bugs.webkit.org/show_bug.cgi?id=131634
Summary Objective-C API external object graphs don't handle generational collection p...
Mark Hahnenberg
Reported 2014-04-14 14:47:27 PDT
If the set of Objective-C objects transitively reachable through an object changes, we need to update the set of opaque roots accordingly. If we don't, the next EdenCollection won't rescan the external object graph, which would lead us to consider a newly allocated JSManagedValue to be dead.
Attachments
Patch (12.51 KB, patch)
2014-04-15 11:16 PDT, Mark Hahnenberg 		no flags
DetailsFormatted DiffDiff
Patch (12.76 KB, patch)
2014-04-15 11:20 PDT, Mark Hahnenberg 		no flags
DetailsFormatted DiffDiff
Patch (12.93 KB, patch)
2014-04-15 11:28 PDT, Mark Hahnenberg 		no flags
DetailsFormatted DiffDiff
Patch (13.45 KB, patch)
2014-04-15 11:37 PDT, Mark Hahnenberg 		no flags
DetailsFormatted DiffDiff
Show Obsolete (3) View All Add attachment proposed patch, testcase, etc.
Radar WebKit Bug Importer
Comment 1 2014-04-14 14:48:15 PDT
<rdar://problem/16612948>
Mark Hahnenberg
Comment 2 2014-04-14 14:55:10 PDT
The fix is to record new pointers from old owners to new owned objects and to rescan those "remembered" owners with scanExternalObject graph during EdenCollections.
Mark Hahnenberg
Comment 3 2014-04-15 11:16:32 PDT
Created attachment 229380 [details] Patch
Mark Hahnenberg
Comment 4 2014-04-15 11:20:50 PDT
Created attachment 229381 [details] Patch
Mark Hahnenberg
Comment 5 2014-04-15 11:28:59 PDT
Created attachment 229383 [details] Patch
Mark Hahnenberg
Comment 6 2014-04-15 11:37:35 PDT
Created attachment 229385 [details] Patch
Geoffrey Garen
Comment 7 2014-04-15 12:41:05 PDT
Comment on attachment 229385 [details] Patch View in context: https://bugs.webkit.org/attachment.cgi?id=229385&action=review r=me > Source/JavaScriptCore/API/JSVirtualMachine.mm:162 > + [m_externalRememberedSet setObject:[NSNumber numberWithBool:true] forKey:object]; You might be able to use NSSet here with something similar to weakIDOptions. > Source/JavaScriptCore/API/JSVirtualMachine.mm:293 > + JSVirtualMachine *virtualMachine = [JSVMWrapperCache wrapperForJSContextGroupRef:toRef(&vm)]; > + if (!virtualMachine) > + return; Is it possible that the JSVirtualMachine will go away, by virtue of a zero retain count? If so, we'll forget all the external object graph stuff. Probably worth a follow-up bug.
Mark Hahnenberg
Comment 8 2014-04-15 13:22:26 PDT
(In reply to comment #7) > (From update of attachment 229385 [details]) > View in context: https://bugs.webkit.org/attachment.cgi?id=229385&action=review > > r=me > > > Source/JavaScriptCore/API/JSVirtualMachine.mm:162 > > + [m_externalRememberedSet setObject:[NSNumber numberWithBool:true] forKey:object]; > > You might be able to use NSSet here with something similar to weakIDOptions. Looks like it's nontrivial to get NSSet to do weak references, so I guess I'll stick with NSMapTable for now. > > > Source/JavaScriptCore/API/JSVirtualMachine.mm:293 > > + JSVirtualMachine *virtualMachine = [JSVMWrapperCache wrapperForJSContextGroupRef:toRef(&vm)]; > > + if (!virtualMachine) > > + return; > > Is it possible that the JSVirtualMachine will go away, by virtue of a zero retain count? If so, we'll forget all the external object graph stuff. Probably worth a follow-up bug. I filed bug 131691 for this.
WebKit Commit Bot
Comment 9 2014-04-15 14:05:39 PDT
Comment on attachment 229385 [details] Patch Clearing flags on attachment: 229385 Committed r167326: <http://trac.webkit.org/changeset/167326>
WebKit Commit Bot
Comment 10 2014-04-15 14:05:42 PDT
All reviewed patches have been landed. Closing bug.
Note You need to log in before you can comment on or make changes to this bug.