On 2015/09/01 09:15:46, fedor.indutny wrote:
Ok, you are definitely right. Looking through the logs that I have collected I see the following scenario:
1. Marking starts
2. ArrayBuffers in NewSpace are visited and marked as live by removing them from not_yet_..._for_scavenge
3. Scavenge starts, PrepareArrayBufferDiscovery is called, not_yet_..._for_scavenge is overwritten
4. ArrayBuffers in NewSpace are visited again and removed from not_yet_..._for_scavenge
5. Scavenge ends, buffers are not freed, `not_yet_..._for_scavenge` is overwritten by `live_..._for_scavenge`
6. Mark-Compact GC resumes
7. `live_..._for_scavenge === not_yet_..._for_scavenge`
8. Buffers are freed
9. EvacuateNewSpaceAndCandidates is invoked, it finds these buffers and promotes them to Old Space
10. Crash happens when Old Space is GCed.
I think reordering `Evacuate` and `FreeDeadBuffers` fixes it at the price of losing the invariant. The other choice is to disable Scavenge during Mark-Compact GC.
Thoughts?
As far as I see this only mitigates the problem.
The problem is resetting the buffers in your step 5. As soon as you do the mark-compact GC you would delete all buffers in the not_yet_discovered set (which has been reset for scavenge).
Moving it after evacuate helps for fixing the state of promoted objects. However, objects could be allocated between a scavenge and the final GC, which would not make them eligible for promotion (objects are copied once before being promoted). As a result, these objects are live but are freed in FreeDeadArrayBuffers, as their state is not fixed during PromoteArrayBuffer.
The solution is to not only fix promoted objects, but also those that are only copied in new space during MarkCompactCollector::DiscoverAndEvacuateBlackObjectsOnPage.
I will revert this as a precaution, since I would like it to be a single CL. You can send me another CL that includes the additional fix in mark-compact.cc. The order of EvacuateNewSpaceAndCandidates and FreeDeadArrayBuffers can stay as in this CL.
https://codereview.chromium.org/1316873004/
v8-dev mailing list
[email protected]
http://groups.google.com/group/v8-dev