[Webkit-unassigned] [Bug 72312] DFG code blocks that have speculation checks on objects should refer to those objects weakly

bugzilla-daemon at webkit.org bugzilla-daemon at webkit.org
Thu Nov 17 13:45:29 PST 2011


https://bugs.webkit.org/show_bug.cgi?id=72312





--- Comment #6 from Filip Pizlo <fpizlo at apple.com>  2011-11-17 13:45:29 PST ---
(In reply to comment #5)
> (From update of attachment 115538 [details])
> View in context: https://bugs.webkit.org/attachment.cgi?id=115538&action=review
> 
> > Source/JavaScriptCore/bytecode/CodeBlock.cpp:1685
> > +    // If some weak references are dead, then this fixpoint iteration was
> > +    // unsuccessful.
> > +    if (!allAreLiveSoFar)
> > +        return;
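Review bot: The early return at `if (!allAreLiveSoFar)` leaves the dead weak references in place, and the comment above it only says that the iteration was unsuccessful. Extend the comment to name what handles a code block whose weak references are still not proven live when GC finishes, so a reader does not conclude that the block goes on holding pointers to dead objects.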
> 
> If we have weak references that are dead, where are we either clearing them, or removing the usage?  My reading of this says that we'll end up maintaining references to dead objects, that may subsequently become live again (through new allocations) -- this does not currently happen as all values are forced to be live via the constant tables, but if that were not the case this seems like it would be incorrect.  What have I missed?

If we ever hit this point, then we would have also registered an unconditional finalizer.  If we finish GC without proving that the code block's weak references are live, then the unconditional finalizer will jettison the code block.

Weak references are never cleared.  If the code is executing (i.e. it's on the stack), we strongly mark its weak references.  If it's not executing, then we can jettison immediately during GC, so if any of its weak references are dead we just jettison and the code block dies immediately.

-- 
Configure bugmail: https://bugs.webkit.org/userprefs.cgi?tab=email
------- You are receiving this mail because: -------
You are the assignee for the bug.
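
The policy described in comment #6, as an added toy model (not JavaScriptCore code and not part of the original mail). Integers stand in for heap cells; all names, and the `marksOnceLive` field that gives the fixpoint something to iterate on, are assumptions made for illustration.

```cpp
#include <set>
#include <vector>

// Toy model of the policy in this thread; not JavaScriptCore code.
// Integers stand in for heap cells. All names here are hypothetical.
struct CodeBlock {
    int id;
    bool onStack;                    // currently executing
    std::vector<int> weakRefs;       // objects its speculation checks depend on
    std::vector<int> marksOnceLive;  // assumption: cells it marks once proven live
};

struct GCResult {
    std::set<int> live;        // cells that survive this collection
    std::set<int> jettisoned;  // ids of code blocks thrown away
};

GCResult collect(const std::vector<CodeBlock>& blocks, std::set<int> live) {
    std::set<int> proven;  // blocks whose weak references were all proven live
    // Executing code cannot be thrown away, so its weak references are marked strongly.
    for (const CodeBlock& b : blocks)
        if (b.onStack)
            live.insert(b.weakRefs.begin(), b.weakRefs.end());
    // Fixpoint: marking done for one block can prove another block's references live.
    for (bool changed = true; changed;) {
        changed = false;
        for (const CodeBlock& b : blocks) {
            if (proven.count(b.id))
                continue;
            bool allAreLiveSoFar = true;
            for (int cell : b.weakRefs)
                allAreLiveSoFar = allAreLiveSoFar && live.count(cell) != 0;
            if (!allAreLiveSoFar)
                continue;  // unsuccessful for this block in this pass; nothing is cleared
            proven.insert(b.id);
            live.insert(b.marksOnceLive.begin(), b.marksOnceLive.end());
            changed = true;
        }
    }
    // Unconditional finalizer: any block still unproven at the end of GC is jettisoned
    // whole, so no surviving code holds a pointer to a dead (reusable) cell.
    GCResult result{live, {}};
    for (const CodeBlock& b : blocks)
        if (!proven.count(b.id))
            result.jettisoned.insert(b.id);
    return result;
}
```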


