Bug 1506798 - Fix possible data race updating scope object during compacting GC r=pbone
author: Jon Coppeard <jcoppeard@mozilla.com>
Sat, 17 Nov 2018 13:48:18 +0000
changeset: 446919 764c5b94a3950791427e782e59e3e826921cffac
parent: 446918 7211db666d5981232551d291392238de37726f23
child: 446920 8b5f41cdab35e46c086655a05a11d76220eaddfb
push id: 35057
push user: ccoroiu@mozilla.com
push date: Sat, 17 Nov 2018 21:37:33 +0000
treeherder: mozilla-central@77223bb2fac2
reviewers: pbone
bugs: 1506798
milestone: 65.0a1
js/src/gc/GC.cpp
--- a/js/src/gc/GC.cpp
+++ b/js/src/gc/GC.cpp
@@ -2981,40 +2981,39 @@ GCRuntime::updateCellPointers(Zone* zone
 //   - Updating a typed object makes use of its type descriptor object
 //
 // This means we require at least three phases for update:
 //
 //  1) shapes
 //  2) typed object type descriptor objects
 //  3) all other objects
 //
-// Also, JSScripts and LazyScripts can have pointers to each other. Each can be
-// updated safely without requiring the referent to be up-to-date, but TSAN can
-// warn about data races when calling IsForwarded() on the new location of a
-// cell that is being updated in parallel. To avoid this, we update these in
-// separate phases.
+// Also, there can be data races calling IsForwarded() on the new location of a
+// cell that is being updated in parallel on another thread. This can be avoided
+// by updating some kinds of cells in different phases. This is done for JSScripts
+// and LazyScripts, and JSScripts and Scopes.
 //
 // Since we want to minimize the number of phases, arrange kinds into three
 // arbitrary phases.
 
 static const AllocKinds UpdatePhaseOne {
     AllocKind::SCRIPT,
     AllocKind::BASE_SHAPE,
     AllocKind::SHAPE,
     AllocKind::ACCESSOR_SHAPE,
     AllocKind::OBJECT_GROUP,
     AllocKind::STRING,
-    AllocKind::JITCODE,
-    AllocKind::SCOPE
+    AllocKind::JITCODE
 };
 
 // UpdatePhaseTwo is typed object descriptor objects.
 
 static const AllocKinds UpdatePhaseThree {
     AllocKind::LAZY_SCRIPT,
+    AllocKind::SCOPE,
     AllocKind::FUNCTION,
     AllocKind::FUNCTION_EXTENDED,
     AllocKind::OBJECT0,
     AllocKind::OBJECT0_BACKGROUND,
     AllocKind::OBJECT2,
     AllocKind::OBJECT2_BACKGROUND,
     AllocKind::OBJECT4,
     AllocKind::OBJECT4_BACKGROUND,
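Review bot: The separation this fix relies on (AllocKind::SCRIPT in UpdatePhaseOne, AllocKind::SCOPE and AllocKind::LAZY_SCRIPT in UpdatePhaseThree) is recorded only in the block comment above the lists, so a later reshuffle could put SCOPE back in the same phase as SCRIPT without anything failing. Consider a one-line comment beside the `AllocKind::SCOPE` entry stating that it must not share a phase with SCRIPT, or a debug-time check that the constrained pairs never land in the same AllocKinds set. The rewritten comment also drops the earlier sentence that each cell "can be updated safely without requiring the referent to be up-to-date"; keeping it would make clear that the constraint is about concurrent updates of the paired kinds rather than about update order.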