From 478ff0d6a202bd90251483d7f0924b2d4e6a5d0c Mon Sep 17 00:00:00 2001
From: Jon Coppeard
Date: Mon, 27 Jun 2016 10:30:15 +0100
Subject: [PATCH] Bug 1282072 - Refactor and comment free list assertion in js::CheckTracedThing r=terrence
---
 js/src/gc/Marking.cpp | 22 ++++++++++++----------
 1 file changed, 12 insertions(+), 10 deletions(-)
diff --git a/js/src/gc/Marking.cpp b/js/src/gc/Marking.cpp
index 59d7d6e7a8cc..baa6bc99c0c4 100644
--- a/js/src/gc/Marking.cpp
+++ b/js/src/gc/Marking.cpp
@@ -232,18 +232,20 @@ js::CheckTracedThing(JSTracer* trc, T* thing)
 }
 /*
- * Try to assert that the thing is allocated. This is complicated by the
- * fact that allocated things may still contain the poison pattern if that
- * part has not been overwritten. Also, background sweeping may be running
- * and concurrently modifiying the free list.
+ * Try to assert that the thing is allocated.
 *
- * Tracing is done off main thread while compacting and reading the contents
- * of the thing in IsThingPoisoned is racy so this check is skipped there.
+ * We would like to assert that the thing is not in the free list, but this
+ * check is very slow. Instead we check whether the thing has been poisoned:
+ * if it has not then we assume it is allocated, but if it has then it is
+ * either free or uninitialized in which case we check the free list.
+ *
+ * Further complications are that background sweeping may be running and
+ * concurrently modifiying the free list and that tracing is done off main
+ * thread during compacting GC and reading the contents of the thing by
+ * IsThingPoisoned would be racy in this case.
 */
- MOZ_ASSERT_IF(rt->isHeapBusy() && !zone->isGCCompacting() &&
- !rt->gc.isBackgroundSweeping() &&
- IsThingPoisoned(thing),
- !InFreeList(thing->asTenured().arena(), thing));
+ MOZ_ASSERT_IF(rt->isHeapBusy() && !zone->isGCCompacting() && !rt->gc.isBackgroundSweeping(),
+ !IsThingPoisoned(thing) || !InFreeList(thing->asTenured().arena(), thing));
 #endif
 }
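Review bot: The new comment's phrase `if it has not then we assume it is allocated` leaves the reader to work out that the assertion is one-sided: a freed thing that IsThingPoisoned no longer reports as poisoned is accepted without the free-list walk, so a pass here is not evidence that the thing is live. I would add a sentence to the comment such as `A thing that is free but no longer looks poisoned is not caught; this is a best-effort check.` The added line `concurrently modifiying the free list` also carries the typo over from the old text and should read `modifying`. The enclosing function and the preprocessor guard closed by `#endif` start outside the hunk, so which builds this assertion runs in is not visible here.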