| blob | 982cacf8bac3fc06dca526abc88d95cf8ae28ec1 |
1 /* -*- Mode: C++; tab-width: 8; indent-tabs-mode: nil; c-basic-offset: 2 -*- */
2 /* vim: set ts=8 sts=2 et sw=2 tw=80: */
3 /* This Source Code Form is subject to the terms of the Mozilla Public
4 * License, v. 2.0. If a copy of the MPL was not distributed with this
5 * file, You can obtain one at http://mozilla.org/MPL/2.0/. */
7 //
8 // This file implements a garbage-cycle collector based on the paper
9 //
10 // Concurrent Cycle Collection in Reference Counted Systems
11 // Bacon & Rajan (2001), ECOOP 2001 / Springer LNCS vol 2072
12 //
13 // We are not using the concurrent or acyclic cases of that paper; so
14 // the green, red and orange colors are not used.
15 //
16 // The collector is based on tracking pointers of four colors:
17 //
18 // Black nodes are definitely live. If we ever determine a node is
19 // black, it's ok to forget about, drop from our records.
20 //
21 // White nodes are definitely garbage cycles. Once we finish with our
22 // scanning, we unlink all the white nodes and expect that by
23 // unlinking them they will self-destruct (since a garbage cycle is
24 // only keeping itself alive with internal links, by definition).
25 //
26 // Snow-white is an addition to the original algorithm. Snow-white object
27 // has reference count zero and is just waiting for deletion.
28 //
29 // Grey nodes are being scanned. Nodes that turn grey will turn
30 // either black if we determine that they're live, or white if we
31 // determine that they're a garbage cycle. After the main collection
32 // algorithm there should be no grey nodes.
33 //
34 // Purple nodes are *candidates* for being scanned. They are nodes we
35 // haven't begun scanning yet because they're not old enough, or we're
36 // still partway through the algorithm.
37 //
38 // XPCOM objects participating in garbage-cycle collection are obliged
39 // to inform us when they ought to turn purple; that is, when their
40 // refcount transitions from N+1 -> N, for nonzero N. Furthermore we
41 // require that *after* an XPCOM object has informed us of turning
42 // purple, they will tell us when they either transition back to being
43 // black (incremented refcount) or are ultimately deleted.
45 // Incremental cycle collection
46 //
47 // Beyond the simple state machine required to implement incremental
48 // collection, the CC needs to be able to compensate for things the browser
49 // is doing during the collection. There are two kinds of problems. For each
50 // of these, there are two cases to deal with: purple-buffered C++ objects
51 // and JS objects.
53 // The first problem is that an object in the CC's graph can become garbage.
54 // This is bad because the CC touches the objects in its graph at every
55 // stage of its operation.
56 //
57 // All cycle collected C++ objects that die during a cycle collection
58 // will end up actually getting deleted by the SnowWhiteKiller. Before
59 // the SWK deletes an object, it checks if an ICC is running, and if so,
60 // if the object is in the graph. If it is, the CC clears mPointer and
61 // mParticipant so it does not point to the raw object any more. Because
62 // objects could die any time the CC returns to the mutator, any time the CC
63 // accesses a PtrInfo it must perform a null check on mParticipant to
64 // ensure the object has not gone away.
65 //
66 // JS objects don't always run finalizers, so the CC can't remove them from
67 // the graph when they die. Fortunately, JS objects can only die during a GC,
68 // so if a GC is begun during an ICC, the browser synchronously finishes off
69 // the ICC, which clears the entire CC graph. If the GC and CC are scheduled
70 // properly, this should be rare.
71 //
72 // The second problem is that objects in the graph can be changed, say by
73 // being addrefed or released, or by having a field updated, after the object
74 // has been added to the graph. The problem is that ICC can miss a newly
75 // created reference to an object, and end up unlinking an object that is
76 // actually alive.
77 //
78 // The basic idea of the solution, from "An on-the-fly Reference Counting
79 // Garbage Collector for Java" by Levanoni and Petrank, is to notice if an
80 // object has had an additional reference to it created during the collection,
81 // and if so, don't collect it during the current collection. This avoids having
82 // to rerun the scan as in Bacon & Rajan 2001.
83 //
84 // For cycle collected C++ objects, we modify AddRef to place the object in
85 // the purple buffer, in addition to Release. Then, in the CC, we treat any
86 // objects in the purple buffer as being alive, after graph building has
87 // completed. Because they are in the purple buffer, they will be suspected
88 // in the next CC, so there's no danger of leaks. This is imprecise, because
89 // we will treat as live an object that has been Released but not AddRefed
90 // during graph building, but that's probably rare enough that the additional
91 // bookkeeping overhead is not worthwhile.
92 //
93 // For JS objects, the cycle collector is only looking at gray objects. If a
94 // gray object is touched during ICC, it will be made black by UnmarkGray.
95 // Thus, if a JS object has become black during the ICC, we treat it as live.
96 // Merged JS zones have to be handled specially: we scan all zone globals.
97 // If any are black, we treat the zone as being black.
100 // Safety
101 //
102 // An XPCOM object is either scan-safe or scan-unsafe, purple-safe or
103 // purple-unsafe.
104 //
105 // An nsISupports object is scan-safe if:
106 //
107 // - It can be QI'ed to |nsXPCOMCycleCollectionParticipant|, though
108 // this operation loses ISupports identity (like nsIClassInfo).
109 // - Additionally, the operation |traverse| on the resulting
110 // nsXPCOMCycleCollectionParticipant does not cause *any* refcount
111 // adjustment to occur (no AddRef / Release calls).
112 //
113 // A non-nsISupports ("native") object is scan-safe by explicitly
114 // providing its nsCycleCollectionParticipant.
115 //
116 // An object is purple-safe if it satisfies the following properties:
117 //
118 // - The object is scan-safe.
119 //
120 // When we receive a pointer |ptr| via
121 // |nsCycleCollector::suspect(ptr)|, we assume it is purple-safe. We
122 // can check the scan-safety, but have no way to ensure the
123 // purple-safety; objects must obey, or else the entire system falls
124 // apart. Don't involve an object in this scheme if you can't
125 // guarantee its purple-safety. The easiest way to ensure that an
126 // object is purple-safe is to use nsCycleCollectingAutoRefCnt.
127 //
128 // When we have a scannable set of purple nodes ready, we begin
129 // our walks. During the walks, the nodes we |traverse| should only
130 // feed us more scan-safe nodes, and should not adjust the refcounts
131 // of those nodes.
132 //
133 // We do not |AddRef| or |Release| any objects during scanning. We
134 // rely on the purple-safety of the roots that call |suspect| to
135 // hold, such that we will clear the pointer from the purple buffer
136 // entry to the object before it is destroyed. The pointers that are
137 // merely scan-safe we hold only for the duration of scanning, and
138 // there should be no objects released from the scan-safe set during
139 // the scan.
140 //
141 // We *do* call |Root| and |Unroot| on every white object, on
142 // either side of the calls to |Unlink|. This keeps the set of white
143 // objects alive during the unlinking.
144 //
146 #if !defined(__MINGW32__)
147 #ifdef WIN32
148 #include <crtdbg.h>
149 #include <errno.h>
150 #endif
151 #endif
159 /* This must occur *after* base/process_util.h to avoid typedefs conflicts. */
181 #include <stdint.h>
182 #include <stdio.h>
191 //#define COLLECT_TIME_DEBUG
193 // Enable assertions that are useful for diagnosing errors in graph construction.
194 //#define DEBUG_CC_GRAPH
196 #define DEFAULT_SHUTDOWN_COLLECTIONS 5
198 // One to do the freeing, then another to detect there is no more work to do.
199 #define NORMAL_SHUTDOWN_COLLECTIONS 2
201 // Cycle collector environment variables
202 //
203 // MOZ_CC_LOG_ALL: If defined, always log cycle collector heaps.
204 //
205 // MOZ_CC_LOG_SHUTDOWN: If defined, log cycle collector heaps at shutdown.
206 //
207 // MOZ_CC_LOG_THREAD: If set to "main", only automatically log main thread
208 // CCs. If set to "worker", only automatically log worker CCs. If set to "all",
209 // log either. The default value is "all". This must be used with either
210 // MOZ_CC_LOG_ALL or MOZ_CC_LOG_SHUTDOWN for it to do anything.
211 //
212 // MOZ_CC_LOG_PROCESS: If set to "main", only automatically log main process
213 // CCs. If set to "content", only automatically log tab CCs. If set to
214 // "plugins", only automatically log plugin CCs. If set to "all", log
215 // everything. The default value is "all". This must be used with either
216 // MOZ_CC_LOG_ALL or MOZ_CC_LOG_SHUTDOWN for it to do anything.
217 //
218 // MOZ_CC_ALL_TRACES: If set to "all", any cycle collector
219 // logging done will be WantAllTraces, which disables
220 // various cycle collector optimizations to give a fuller picture of
221 // the heap. If set to "shutdown", only shutdown logging will be WantAllTraces.
222 // The default is none.
223 //
224 // MOZ_CC_RUN_DURING_SHUTDOWN: In non-DEBUG or builds, if this is set,
225 // run cycle collections at shutdown.
226 //
227 // MOZ_CC_LOG_DIRECTORY: The directory in which logs are placed (such as
228 // logs from MOZ_CC_LOG_ALL and MOZ_CC_LOG_SHUTDOWN, or other uses
229 // of nsICycleCollectorListener)
231 // Various parameters of this collector can be tuned using environment
232 // variables.
234 struct nsCycleCollectorParams
235 {
247 {
255 }
256 }
274 }
275 }
284 }
285 }
286 }
289 {
291 }
294 {
296 }
297 };
299 #ifdef COLLECT_TIME_DEBUG
300 class TimeLog
301 {
304 {
305 }
307 void
309 {
314 }
316 }
319 TimeStamp mLastCheckpoint;
320 };
321 #else
322 class TimeLog
323 {
326 {
327 }
329 {
330 }
331 };
332 #endif
335 ////////////////////////////////////////////////////////////////////////
336 // Base types
337 ////////////////////////////////////////////////////////////////////////
341 class EdgePool
342 {
344 // EdgePool allocates arrays of void*, primarily to hold PtrInfo*.
345 // However, at the end of a block, the last two pointers are a null
346 // and then a void** pointing to the next block. This allows
347 // EdgePool::Iterators to be a single word but still capable of crossing
348 // block boundaries.
351 {
354 }
357 {
361 }
364 {
370 }
374 }
376 #ifdef DEBUG
378 {
381 }
382 #endif
386 union PtrInfoOrBlock
387 {
388 // Use a union to avoid reinterpret_cast and the ensuing
389 // potential aliasing bugs.
392 };
393 struct Block
394 {
399 {
402 }
404 {
406 }
408 {
410 }
412 {
414 }
415 };
417 // Store the null sentinel so that we can have valid iterators
418 // before adding any edges and without adding any blocks.
422 {
424 }
426 {
428 }
431 class Iterator
432 {
439 {
441 // Null pointer is a sentinel for link to the next block.
443 }
446 }
449 {
451 // Null pointer is a sentinel for link to the next block.
453 }
455 }
457 {
459 }
461 {
463 }
465 #ifdef DEBUG_CC_GRAPH
467 {
469 }
470 #endif
474 };
478 class Builder
479 {
485 {
486 }
489 {
491 }
494 {
501 }
503 }
505 // mBlockEnd points to space for null sentinel
509 };
512 {
518 }
520 }
521 };
523 #ifdef DEBUG_CC_GRAPH
524 #define CC_GRAPH_ASSERT(b) MOZ_ASSERT(b)
525 #else
526 #define CC_GRAPH_ASSERT(b)
527 #endif
529 #define CC_TELEMETRY(_name, _value) \
530 PR_BEGIN_MACRO \
531 if (NS_IsMainThread()) { \
532 Telemetry::Accumulate(Telemetry::CYCLE_COLLECTOR##_name, _value); \
533 } else { \
534 Telemetry::Accumulate(Telemetry::CYCLE_COLLECTOR_WORKER##_name, _value); \
535 } \
536 PR_END_MACRO
540 // This structure should be kept as small as possible; we may expect
541 // hundreds of thousands of them to be allocated and touched
542 // repeatedly during each cycle collection.
544 struct PtrInfo
545 {
565 {
568 // We initialize mRefCount to a large non-zero value so
569 // that it doesn't look like a JS object to the cycle collector
570 // in the case where the object dies before being traversed.
572 }
574 // Allow NodePool::Block's constructor to compile.
576 {
578 }
581 {
583 }
586 {
588 }
591 {
593 }
596 {
599 }
601 // this PtrInfo must be part of a NodePool
603 {
606 }
609 {
612 }
614 // this PtrInfo must be part of a NodePool
616 {
619 }
620 };
622 /**
623 * A structure designed to be used like a linked list of PtrInfo, except
624 * that allocates the PtrInfo 32K-at-a-time.
625 */
626 class NodePool
627 {
629 // The -2 allows us to use |BlockSize + 1| for |mEntries|, and fit |mNext|,
630 // all without causing slop.
633 struct Block
634 {
635 // We create and destroy Block using NS_Alloc/NS_Free rather
636 // than new and delete to avoid calling its constructor and
637 // destructor.
639 {
642 // Ensure Block is the right size (see the comment on BlockSize above).
646 "ill-sized NodePool::Block"
647 );
648 }
650 {
652 }
656 };
662 {
663 }
666 {
668 }
671 {
677 }
681 }
683 #ifdef DEBUG
685 {
687 }
688 #endif
692 class Builder
693 {
699 {
701 }
703 {
711 }
713 }
718 };
722 class Enumerator
723 {
731 {
732 }
735 {
737 }
740 {
742 }
745 {
752 }
754 }
756 // mFirstBlock is a reference to allow an Enumerator to be constructed
757 // for an empty graph.
760 // mNext is the next value we want to return, unless mNext == mBlockEnd
761 // NB: mLast is a reference to allow enumerating while building!
765 };
768 {
769 // We don't measure the things pointed to by mEntries[] because those
770 // pointers are non-owning.
776 }
778 }
783 };
786 // Declarations for mPtrToNodeMap.
789 {
790 // The key is mNode->mPointer
792 };
794 static bool
798 {
801 }
804 PL_DHashAllocTable,
805 PL_DHashFreeTable,
806 PL_DHashVoidPtrKeyStub,
807 PtrToNodeMatchEntry,
808 PL_DHashMoveEntryStub,
809 PL_DHashClearEntryStub,
810 PL_DHashFinalizeStub,
811 nullptr
812 };
815 struct WeakMapping
816 {
817 // map and key will be null if the corresponding objects are GC marked
822 };
826 struct CCGraph
827 {
828 NodePool mNodes;
829 EdgePool mEdges;
834 PLDHashTable mPtrToNodeMap;
838 {
840 }
843 {
846 }
847 }
850 {
854 }
857 {
864 }
866 #ifdef DEBUG
868 {
872 }
873 #endif
880 {
882 }
887 {
891 // We don't measure what the WeakMappings point to, because the
892 // pointers are non-owning.
894 }
895 };
897 PtrInfo*
899 {
902 PL_DHASH_LOOKUP));
905 }
907 }
909 PtrToNodeEntry*
911 {
914 PL_DHASH_ADD));
916 // Caller should track OOMs
918 }
920 }
922 void
924 {
926 }
931 {
936 }
941 static void
943 {
944 // If the participant is null, this is an nsISupports participant,
945 // so we must QI to get the real participant.
956 }
957 }
959 struct nsPurpleBufferEntry
960 {
961 union
962 {
965 };
970 };
974 struct nsPurpleBuffer
975 {
977 struct Block
978 {
980 // Try to match the size of a jemalloc bucket, to minimize slop bytes.
981 // - On 32-bit platforms sizeof(nsPurpleBufferEntry) is 12, so mEntries
982 // is 16,380 bytes, which leaves 4 bytes for mNext.
983 // - On 64-bit platforms sizeof(nsPurpleBufferEntry) is 24, so mEntries
984 // is 32,544 bytes, which leaves 8 bytes for mNext.
988 {
989 // Ensure Block is the right size (see above).
993 "ill-sized nsPurpleBuffer::Block"
994 );
995 }
999 {
1002 MOZ_ASSERT(e->mObject, "There should be no null mObject when we iterate over the purple buffer");
1005 }
1006 }
1007 }
1008 };
1009 // This class wraps a linked list of the elements in the purple
1010 // buffer.
1013 Block mFirstBlock;
1018 {
1020 }
1023 {
1025 }
1029 {
1032 }
1033 }
1036 {
1040 }
1043 {
1046 // Put all the entries in the block on the free list.
1052 }
1055 }
1058 {
1061 }
1066 }
1070 }
1072 }
1074 struct UnmarkRemainingPurpleVisitor
1075 {
1076 void
1078 {
1082 }
1085 }
1086 };
1089 {
1090 UnmarkRemainingPurpleVisitor visitor;
1092 }
1096 // RemoveSkippable removes entries from the purple buffer synchronously
1097 // (1) if aAsyncSnowWhiteFreeing is false and nsPurpleBufferEntry::mRefCnt is 0 or
1098 // (2) if the object's nsXPCOMCycleCollectionParticipant::CanSkip() returns true or
1099 // (3) if nsPurpleBufferEntry::mRefCnt->IsPurple() is false.
1100 // (4) If removeChildlessNodes is true, then any nodes in the purple buffer
1101 // that will have no children in the cycle collector graph will also be
1102 // removed. CanSkip() may be run on these children.
1106 CC_ForgetSkippableCallback aCb);
1109 {
1114 // Add the new block as the second block in the list.
1117 }
1123 }
1127 {
1135 }
1138 {
1144 }
1150 }
1153 {
1155 }
1158 {
1161 // Don't measure mFirstBlock because it's within |this|.
1166 }
1168 // mFreeList is deliberately not measured because it points into
1169 // the purple buffer, which is within mFirstBlock and thus within |this|.
1170 //
1171 // We also don't measure the things pointed to by mEntries[] because
1172 // those pointers are non-owning.
1175 }
1176 };
1178 static bool
1182 struct SelectPointersVisitor
1183 {
1186 {
1187 }
1189 void
1191 {
1198 }
1199 }
1203 };
1205 void
1207 {
1215 }
1216 }
1218 enum ccPhase
1219 {
1220 IdlePhase,
1221 GraphBuildingPhase,
1222 ScanAndCollectWhitePhase,
1223 CleanupPhase
1224 };
1226 enum ccType
1227 {
1230 ShutdownCC /* Shutdown CC, used for finding leaks. */
1231 };
1233 #ifdef MOZ_NUWA_PROCESS
1235 #endif
1237 ////////////////////////////////////////////////////////////////////////
1238 // Top level structure for the cycle collector.
1239 ////////////////////////////////////////////////////////////////////////
1246 {
1247 NS_DECL_ISUPPORTS
1248 NS_DECL_NSIMEMORYREPORTER
1252 // mScanInProgress should be false when we're collecting white objects.
1254 CycleCollectorResults mResults;
1255 TimeStamp mCollectionStart;
1259 ccPhase mIncrementalPhase;
1260 CCGraph mGraph;
1267 nsCycleCollectorParams mParams;
1271 CC_BeforeUnlinkCallback mBeforeUnlinkCB;
1272 CC_ForgetSkippableCallback mForgetSkippableCB;
1274 nsPurpleBuffer mPurpleBuf;
1291 {
1294 }
1297 {
1300 }
1308 // This method assumes its argument is already canonicalized.
1342 // returns whether anything was collected
1346 };
1350 /**
1351 * GraphWalker is templatized over a Visitor class that must provide
1352 * the following two methods:
1353 *
1354 * bool ShouldVisitNode(PtrInfo const *pi);
1355 * void VisitNode(PtrInfo *pi);
1356 */
1358 class GraphWalker
1359 {
1361 Visitor mVisitor;
1366 {
1369 }
1372 }
1373 }
1378 // copy-constructing the visitor should be cheap, and less
1379 // indirection than using a reference
1381 {
1382 }
1383 };
1386 ////////////////////////////////////////////////////////////////////////
1387 // The static collector struct
1388 ////////////////////////////////////////////////////////////////////////
1390 struct CollectorData
1391 {
1394 };
1398 ////////////////////////////////////////////////////////////////////////
1399 // Utility functions
1400 ////////////////////////////////////////////////////////////////////////
1402 MOZ_NEVER_INLINE static void
1404 {
1409 }
1412 }
1414 static void
1416 {
1418 }
1422 {
1423 // We use QI to move from an nsISupports to an
1424 // nsXPCOMCycleCollectionParticipant, which is a per-class singleton helper
1425 // object that implements traversal and unlinking logic for the nsISupports
1426 // in question.
1428 }
1431 MOZ_NEVER_INLINE void
1433 {
1434 nsDeque queue;
1437 }
1440 MOZ_NEVER_INLINE void
1442 {
1443 nsDeque queue;
1447 }
1449 }
1452 MOZ_NEVER_INLINE void
1454 {
1455 // Use a aQueue to match the breadth-first traversal used when we
1456 // built the graph, for hopefully-better locality.
1466 }
1467 }
1468 }
1469 }
1472 {
1475 {
1476 }
1478 enum Type
1479 {
1480 eRefCountedObject,
1481 eGCedObject,
1482 eGCMarkedObject,
1483 eEdge,
1484 eRoot,
1485 eGarbage,
1486 eUnknown
1487 };
1489 nsCString mAddress;
1490 nsCString mName;
1491 nsCString mCompartmentOrToAddress;
1493 Type mType;
1494 };
1497 {
1499 NS_DECL_ISUPPORTS
1504 {
1505 }
1508 {
1511 }
1514 {
1517 }
1520 {
1523 }
1526 {
1529 }
1532 {
1535 }
1538 {
1541 }
1544 {
1545 nsresult rv;
1549 }
1560 }
1563 {
1566 }
1569 }
1572 {
1575 }
1578 }
1582 {
1586 }
1590 }
1591 }
1593 struct FileInfo
1594 {
1600 };
1602 /**
1603 * Create a new file named something like aPrefix.$PID.$IDENTIFIER.log in
1604 * $MOZ_CC_LOG_DIRECTORY or in the system's temp directory. No existing
1605 * file will be overwritten; if aPrefix.$PID.$IDENTIFIER.log exists, we'll
1606 * try a file named something like aPrefix.$PID.$IDENTIFIER-1.log, and so
1607 * on.
1608 */
1610 {
1612 aPrefix,
1613 mProcessIdentifier,
1617 // Get the log directory either from $MOZ_CC_LOG_DIRECTORY or from
1618 // the fallback directories in OpenTempFile. We don't use an nsCOMPtr
1619 // here because OpenTempFile uses an in/out param and getter_AddRefs
1620 // wouldn't work.
1625 }
1627 // On Android or B2G, this function will open a file named
1628 // aFilename under a memory-reporting-specific folder
1629 // (/data/local/tmp/memory-reports). Otherwise, it will open a
1630 // file named aFilename under "NS_OS_TEMP_DIR".
1636 }
1639 }
1642 {
1643 // Initially create the log in a file starting with "incomplete-".
1644 // We'll move the file and strip off the "incomplete-" once the dump
1645 // completes. (We do this because we don't want scripts which poll
1646 // the filesystem looking for GC/CC dumps to grab a file before we're
1647 // finished writing to it.)
1648 nsAutoCString incomplete;
1655 }
1661 }
1664 }
1667 {
1675 // Strip off "incomplete-".
1680 }
1682 nsAutoString logFileFinalDestinationName;
1686 }
1690 // Save the file path.
1693 // Log to the error console.
1697 // Copy out the path.
1698 nsAutoString logPath;
1704 }
1706 }
1709 nsString mFilenameIdentifier;
1710 FileInfo mGCLog;
1711 FileInfo mCCLog;
1712 };
1718 {
1720 {
1722 }
1731 {
1732 }
1734 NS_DECL_ISUPPORTS
1737 {
1739 }
1742 {
1746 }
1749 {
1752 }
1755 {
1758 }
1761 {
1764 }
1767 {
1770 }
1773 {
1776 }
1779 {
1782 }
1785 {
1788 }
1791 }
1794 {
1795 nsresult rv;
1801 }
1806 // Dump the JS heap.
1810 }
1816 }
1819 {
1822 aObjectDescription);
1823 }
1833 }
1835 }
1839 {
1843 }
1858 }
1859 }
1861 }
1863 {
1866 }
1875 }
1877 }
1880 {
1884 }
1885 // We don't support after-processing for weak map entries.
1887 }
1889 {
1892 }
1893 // We don't support after-processing for incremental roots.
1895 }
1897 {
1900 }
1902 }
1904 {
1907 }
1914 }
1916 }
1918 {
1921 }
1927 }
1929 }
1931 {
1936 }
1938 }
1941 {
1944 }
1976 }
1978 }
1981 }
1983 }
1986 {
1990 }
1991 }
1997 nsCString mCurrentAddress;
2000 };
2004 nsresult
2008 {
2011 }
2016 }
2018 ////////////////////////////////////////////////////////////////////////
2019 // Bacon & Rajan's |MarkRoots| routine.
2020 ////////////////////////////////////////////////////////////////////////
2023 public nsCycleCollectionNoteRootCallback
2024 {
2033 nsCString mNextEdgeName;
2047 {
2049 }
2057 {
2059 }
2063 {
2065 }
2068 // nsCycleCollectionNoteRootCallback methods.
2076 // nsCycleCollectionTraversalCallback methods.
2091 {
2097 }
2098 }
2101 nsCString aEdgeName)
2102 {
2106 }
2110 }
2112 }
2115 {
2118 }
2122 }
2124 }
2125 };
2141 {
2145 }
2155 }
2156 }
2164 }
2167 {
2168 }
2170 PtrInfo*
2172 {
2177 }
2181 // New entry.
2189 }
2191 }
2193 MOZ_NEVER_INLINE void
2195 {
2202 }
2207 }
2208 }
2210 void
2212 {
2214 }
2218 {
2227 }
2231 {
2236 }
2237 }
2242 {
2244 }
2248 {
2251 }
2254 }
2259 aObjName);
2260 }
2263 }
2268 {
2275 }
2278 }
2282 {
2283 nsCString edgeName;
2287 }
2290 }
2296 }
2297 }
2302 {
2303 nsCString edgeName;
2307 }
2310 }
2314 }
2318 {
2321 }
2323 nsCString edgeName;
2327 }
2334 }
2335 }
2336 }
2340 {
2343 }
2344 }
2346 PtrInfo*
2348 {
2353 }
2357 }
2359 }
2364 {
2365 // Don't try to optimize away the entry here, as we've already attempted to
2366 // do that in TraceWeakMapping in nsXPConnect.
2376 }
2377 }
2379 static bool
2382 {
2389 }
2390 }
2393 }
2395 // MayHaveChild() will be false after a Traverse if the object does
2396 // not have any children the CC will visit.
2398 {
2401 {
2402 }
2404 // The logic of the Note*Child functions must mirror that of their
2405 // respective functions in CCGraphBuilder.
2413 {
2414 }
2418 {
2419 }
2421 {
2422 }
2424 {
2426 }
2429 };
2433 {
2436 }
2441 }
2442 }
2447 {
2450 }
2451 }
2455 {
2458 }
2459 }
2461 static bool
2463 {
2464 ChildFinder cf;
2467 }
2470 class SegmentedArrayElement
2473 {
2474 };
2477 class SegmentedArray
2478 {
2481 {
2483 }
2486 {
2491 }
2493 }
2496 {
2500 }
2501 }
2504 {
2506 }
2509 {
2511 }
2515 };
2517 // JSPurpleBuffer keeps references to GCThings which might affect the
2518 // next cycle collection. It is owned only by itself and during unlink its
2519 // self reference is broken down and the object ends up killing itself.
2520 // If GC happens before CC, references to GCthings and the self reference are
2521 // removed.
2522 class JSPurpleBuffer
2523 {
2525 {
2528 }
2533 {
2537 }
2540 {
2546 }
2553 // These are raw pointers instead of Heap<T> because we only need Heap<T> for
2554 // pointers which may point into the nursery. The purple buffer never contains
2555 // pointers to the nursery because nursery gcthings can never be gray and only
2556 // gray things can be inserted into the purple buffer.
2559 };
2565 NS_IMPL_CYCLE_COLLECTION_UNLINK_END
2569 NS_IMPL_CYCLE_COLLECTION_TRAVERSE_SCRIPT_OBJECTS
2570 NS_IMPL_CYCLE_COLLECTION_TRAVERSE_END
2572 #define NS_TRACE_SEGMENTED_ARRAY(_field, _type) \
2573 { \
2574 auto segment = tmp->_field.GetFirstSegment(); \
2575 while (segment) { \
2576 for (uint32_t i = segment->Length(); i > 0;) { \
2577 js::gc::CallTraceCallbackOnNonHeap<_type, TraceCallbacks>( \
2578 &segment->ElementAt(--i), aCallbacks, #_field, aClosure); \
2579 } \
2580 segment = segment->getNext(); \
2581 } \
2582 }
2587 NS_IMPL_CYCLE_COLLECTION_TRACE_END
2592 struct SnowWhiteObject
2593 {
2597 };
2600 {
2604 {
2609 }
2612 }
2614 }
2615 }
2618 {
2626 }
2627 }
2628 }
2630 void
2632 {
2641 }
2642 }
2643 }
2646 {
2648 }
2652 {
2659 }
2660 }
2661 }
2665 {
2666 }
2669 {
2673 }
2674 }
2678 {
2680 }
2684 {
2686 }
2690 {
2691 }
2695 {
2696 }
2700 {
2701 }
2706 };
2709 {
2714 CC_ForgetSkippableCallback aCb)
2720 {
2721 }
2724 {
2725 // Note, we must call the callback before SnowWhiteKiller calls
2726 // DeleteCycleCollectable!
2729 }
2731 // Effectively a continuation.
2733 }
2734 }
2736 void
2738 {
2746 }
2748 }
2755 }
2757 }
2763 CC_ForgetSkippableCallback mCallback;
2764 };
2766 void
2770 CC_ForgetSkippableCallback aCb)
2771 {
2775 }
2777 bool
2779 {
2784 }
2797 }
2800 }
2802 void
2805 {
2808 // If we remove things from the purple buffer during graph building, we may
2809 // lose track of an object that was mutated during graph building.
2814 }
2819 }
2821 MOZ_NEVER_INLINE void
2823 {
2827 TimeLog timeLog;
2838 }
2840 // We need to call the builder's Traverse() method on deleted nodes, to
2841 // set their firstChild() that may be read by a prior non-deleted
2842 // neighbor.
2846 }
2848 }
2853 }
2857 }
2862 }
2868 }
2871 ////////////////////////////////////////////////////////////////////////
2872 // Bacon & Rajan's |ScanRoots| routine.
2873 ////////////////////////////////////////////////////////////////////////
2876 struct ScanBlackVisitor
2877 {
2880 {
2881 }
2884 {
2886 }
2889 {
2892 }
2894 }
2897 {
2899 }
2904 };
2906 static void
2908 {
2913 }
2915 // Iterate over the WeakMaps. If we mark anything while iterating
2916 // over the WeakMaps, we must iterate over all of the WeakMaps again.
2917 void
2919 {
2927 // If any of these are null, the original object was marked black.
2941 }
2946 }
2947 }
2953 }
2954 }
2956 // Flood black from any objects in the purple buffer that are in the CC graph.
2957 class PurpleScanBlackVisitor
2958 {
2963 {
2964 }
2966 void
2968 {
2978 }
2983 }
2987 }
2990 }
2992 }
2999 };
3001 // Objects that have been stored somewhere since the start of incremental graph building must
3002 // be treated as live for this cycle collection, because we may not have accurate information
3003 // about who holds references to them.
3004 void
3006 {
3007 TimeLog timeLog;
3009 // Reference counted objects:
3010 // We cleared the purple buffer at the start of the current ICC, so if a
3011 // refcounted object is purple, it may have been AddRef'd during the current
3012 // ICC. (It may also have only been released.) If that is the case, we cannot
3013 // be sure that the set of things pointing to the object in the CC graph
3014 // is accurate. Therefore, for safety, we treat any purple objects as being
3015 // live during the current CC. We don't remove anything from the purple
3016 // buffer here, so these objects will be suspected and freed in the next CC
3017 // if they are garbage.
3035 // As an optimization, if an object has already been determined to be live,
3036 // don't consider it further. We can't do this if there is a listener,
3037 // because the listener wants to know the complete set of incremental roots.
3040 }
3042 // Garbage collected objects:
3043 // If a GCed object was added to the graph with a refcount of zero, and is
3044 // now marked black by the GC, it was probably gray before and was exposed
3045 // to active JS, so it may have been stored somewhere, so it needs to be
3046 // treated as live.
3048 // If the object is still marked gray by the GC, nothing could have gotten
3049 // hold of it, so it isn't an incremental root.
3053 }
3058 }
3061 }
3063 // Dead traversed refcounted objects:
3064 // If the object was traversed, it must have been alive at the start of
3065 // the CC, and thus had a positive refcount. It is dead now, so its
3066 // refcount must have decreased at some point during the CC. Therefore,
3067 // it would be in the purple buffer if it wasn't dead, so treat it as an
3068 // incremental root.
3069 //
3070 // This should not cause leaks because as the object died it should have
3071 // released anything it held onto, which will add them to the purple
3072 // buffer, which will cause them to be considered in the next CC.
3075 }
3077 // At this point, pi must be an incremental root.
3079 // If there's a listener, tell it about this root. We don't bother with the
3080 // optimization of skipping the Walk() if pi is black: it will just return
3081 // without doing anything and there's no need to make this case faster.
3083 // Dead objects aren't logged. See bug 1031370.
3085 }
3088 }
3095 }
3096 }
3098 // Mark nodes white and make sure their refcounts are ok.
3099 // No nodes are marked black during this pass to ensure that refcount
3100 // checking is run on all nodes not marked black by ScanIncrementalRoots.
3101 void
3103 {
3108 // Incremental roots can be in a nonsensical state, so don't
3109 // check them. This will miss checking nodes that are merely
3110 // reachable from incremental roots.
3114 }
3118 // This node was deleted before it was traversed, so there's no reason
3119 // to look at it.
3122 }
3128 }
3131 // This node will get marked black in the next pass.
3133 }
3136 }
3137 }
3139 // Any remaining grey nodes that haven't already been deleted must be alive,
3140 // so mark them and their children black. Any nodes that are black must have
3141 // already had their children marked black, so there's no need to look at them
3142 // again. This pass may turn some white nodes to black.
3143 void
3145 {
3152 }
3153 }
3158 }
3159 }
3161 void
3163 {
3172 }
3174 TimeLog timeLog;
3181 // Scanning weak maps must be done last.
3193 }
3200 }
3208 }
3209 }
3214 }
3215 }
3218 ////////////////////////////////////////////////////////////////////////
3219 // Bacon & Rajan's |CollectWhite| routine, somewhat modified.
3220 ////////////////////////////////////////////////////////////////////////
3222 bool
3224 {
3225 // Explanation of "somewhat modified": we have no way to collect the
3226 // set of whites "all at once", we have to ask each of them to drop
3227 // their outgoing links and assume this will cause the garbage cycle
3228 // to *mostly* self-destruct (except for the reference we continue
3229 // to hold).
3230 //
3231 // To do this "safely" we must make sure that the white nodes we're
3232 // operating on are stable for the duration of our operation. So we
3233 // make 3 sets of calls to language runtimes:
3234 //
3235 // - Root(whites), which should pin the whites in memory.
3236 // - Unlink(whites), which drops outgoing links on each white.
3237 // - Unroot(whites), which returns the whites to normal GC.
3239 TimeLog timeLog;
3255 }
3256 }
3257 }
3270 }
3277 #ifdef DEBUG
3280 }
3281 #endif
3282 }
3290 }
3299 }
3302 ////////////////////////
3303 // Memory reporting
3304 ////////////////////////
3308 NS_IMETHODIMP
3311 {
3313 purpleBufferSize;
3320 #define REPORT(_path, _amount, _desc) \
3321 do { \
3323 if (amount > 0) { \
3324 nsresult rv; \
3325 rv = aHandleReport->Callback(EmptyCString(), \
3326 NS_LITERAL_CSTRING(_path), \
3327 KIND_HEAP, UNITS_BYTES, _amount, \
3328 NS_LITERAL_CSTRING(_desc), \
3329 aData); \
3330 if (NS_WARN_IF(NS_FAILED(rv))) \
3331 return rv; \
3332 } \
3333 } while (0)
3339 "Memory used for the nodes of the cycle collector's graph. "
3343 "Memory used for the edges of the cycle collector's graph. "
3347 "Memory used for the representation of weak maps in the "
3348 "cycle collector's graph. "
3354 #undef REPORT
3357 };
3360 ////////////////////////////////////////////////////////////////////////
3361 // Collector implementation
3362 ////////////////////////////////////////////////////////////////////////
3377 {
3378 }
3381 {
3383 }
3385 void
3387 {
3390 }
3394 // We can't register as a reporter in nsCycleCollector() because that runs
3395 // before the memory reporter manager is initialized. So we do it here
3396 // instead.
3401 }
3402 }
3404 void
3406 {
3409 }
3412 }
3414 #ifdef DEBUG
3415 static bool
3417 {
3420 }
3425 }
3426 #endif
3428 MOZ_ALWAYS_INLINE void
3431 {
3434 // Re-entering ::Suspect during collection used to be a fault, but
3435 // we are canonicalizing nsISupports pointers using QI, so we will
3436 // see some spurious refcount traffic here.
3440 }
3448 }
3450 void
3452 {
3453 #ifdef DEBUG
3455 // XXXkhuey we can be called so late in shutdown that NS_GetCurrentThread
3456 // returns null (after the thread manager has shut down)
3458 #endif
3459 }
3461 // The cycle collector uses the mark bitmap to discover what JS objects
3462 // were reachable only from XPConnect roots that might participate in
3463 // cycles. We ask the JS runtime whether we need to force a GC before
3464 // this CC. It returns true on startup (before the mark bits have been set),
3465 // and also when UnmarkGray has run out of stack. We also force GCs on shut
3466 // down to collect cycles involving both DOM and JS.
3467 void
3469 {
3474 }
3480 // Only do a telemetry ping for non-shutdown CCs.
3484 }
3486 }
3488 TimeLog timeLog;
3492 }
3494 void
3496 {
3497 TimeLog timeLog;
3504 #ifdef COLLECT_TIME_DEBUG
3507 printf("cc: visited %u ref counted and %u GCed objects, freed %d ref counted and %d GCed objects",
3514 }
3516 #endif
3527 }
3529 }
3531 void
3533 {
3534 SliceBudget unlimitedBudget;
3539 }
3540 }
3542 }
3544 static void
3546 {
3547 #ifdef DEBUG_PHASES
3550 #endif
3551 }
3553 bool
3557 {
3560 // This can legitimately happen in a few cases. See bug 383651.
3563 }
3569 // If the CC started idle, it will call BeginCollection, which
3570 // will do FreeSnowWhite, so it doesn't need to be done here.
3572 TimeLog timeLog;
3575 }
3590 // Only continue this slice if we're running synchronously or the
3591 // next phase will probably be short, to reduce the max pause for this
3592 // collection.
3593 // (There's no need to check if we've finished graph building, because
3594 // if we haven't, we've already exceeded our budget, and will finish
3595 // this slice anyways.)
3599 // We do ScanRoots and CollectWhite in a single slice to ensure
3600 // that we won't unlink a live object if a weak reference is
3601 // promoted to a strong reference after ScanRoots has finished.
3602 // See bug 926533.
3613 }
3616 }
3619 // Clear mActivelyCollecting here to ensure that a recursive call to
3620 // Collect() does something.
3624 // We were in the middle of an incremental CC (using its own listener).
3625 // Somebody has forced a CC, so after having finished out the current CC,
3626 // run the CC again using the new listener.
3630 }
3631 }
3636 }
3638 // Any JS objects we have in the graph could die when we GC, but we
3639 // don't want to abandon the current CC, because the graph contains
3640 // information about purple roots. So we synchronously finish off
3641 // the current CC.
3642 void
3644 {
3650 }
3652 }
3655 }
3657 void
3659 {
3662 }
3664 SliceBudget unlimitedBudget;
3666 // Use SliceCC because we only want to finish the CC in progress.
3669 }
3671 // Don't merge too many times in a row, and do at least a minimum
3672 // number of unmerged CCs in a row.
3676 bool
3678 {
3681 }
3689 }
3692 mUnmergedNeeded--;
3695 }
3698 mMergedInARow++;
3703 }
3704 }
3706 void
3709 {
3710 TimeLog timeLog;
3718 }
3722 // Set up the listener for this CC.
3731 }
3733 }
3737 // On a WantAllTraces CC, force a synchronous global GC to prevent
3738 // hijinks from ForgetSkippable and compartmental GCs.
3740 }
3747 }
3749 // Set up the data structures for building the graph.
3757 mergeZones);
3762 }
3770 // We've finished adding roots, and everything in the graph is a root.
3775 }
3777 uint32_t
3779 {
3782 }
3784 void
3786 {
3789 // Always delete snow white objects.
3792 #ifndef DEBUG
3794 #endif
3795 {
3797 }
3798 }
3800 void
3802 {
3805 }
3812 }
3813 }
3815 void
3822 {
3826 aWeakMapsSize);
3830 // These fields are deliberately not measured:
3831 // - mJSRuntime: because it's non-owning and measured by JS reporters.
3832 // - mParams: because it only contains scalars.
3833 }
3835 JSPurpleBuffer*
3837 {
3839 // The Release call here confuses the GC analysis.
3841 // JSPurpleBuffer keeps itself alive, but we need to create it in such way
3842 // that it ends up in the normal purple buffer. That happens when
3843 // nsRefPtr goes out of the scope and calls Release.
3845 }
3847 }
3849 ////////////////////////////////////////////////////////////////////////
3850 // Module public API (exported in nsCycleCollector.h)
3851 // Just functions that redirect into the singleton, once it's built.
3852 ////////////////////////////////////////////////////////////////////////
3854 void
3856 {
3859 // We should have started the cycle collector by now.
3862 // But we shouldn't already have a runtime.
3867 }
3869 void
3871 {
3874 // We should have started the cycle collector by now.
3876 // And we shouldn't have already forgotten our runtime.
3879 // But it may have shutdown already.
3887 }
3888 }
3892 {
3896 }
3898 }
3904 void
3906 {
3909 // We should have started the cycle collector by now.
3912 // And we should have a runtime.
3916 }
3918 void
3920 {
3928 }
3930 void
3932 {
3935 // We should have started the cycle collector by now, and not completely
3936 // shut down.
3938 // And we should have a runtime.
3942 }
3944 void
3946 {
3947 #ifdef DEBUG
3953 #endif
3955 }
3957 #ifdef DEBUG
3958 bool
3960 {
3963 // We should have started the cycle collector by now, and not completely
3964 // shut down.
3966 // And we should have a runtime.
3970 }
3971 #endif
3973 void
3975 {
3978 // We should have started the cycle collector by now, and not completely
3979 // shut down.
3981 // And we should have a runtime.
3985 }
3987 void
3989 DeferredFinalizeFunction aFunc,
3991 {
3994 // We should have started the cycle collector by now, and not completely
3995 // shut down.
3997 // And we should have a runtime.
4001 }
4007 MOZ_NEVER_INLINE static void
4011 {
4014 // The CC is shut down, so we can't be in the middle of an ICC.
4020 }
4022 // Make sure we'll get called again.
4024 }
4025 }
4027 void
4031 {
4034 // We should have started the cycle collector by now.
4040 }
4042 }
4044 uint32_t
4046 {
4049 // We should have started the cycle collector by now.
4054 }
4057 }
4059 bool
4061 {
4066 }
4068 void
4070 {
4075 }
4082 }
4084 void
4086 {
4089 // We should have started the cycle collector by now.
4094 }
4096 void
4098 {
4101 // We should have started the cycle collector by now.
4106 }
4108 void
4111 {
4114 // We should have started the cycle collector by now.
4121 TimeLog timeLog;
4123 aAsyncSnowWhiteFreeing);
4125 }
4127 void
4129 {
4134 }
4137 }
4139 bool
4141 {
4144 // We should have started the cycle collector by now.
4150 }
4154 {
4157 }
4159 void
4161 {
4164 // We should have started the cycle collector by now.
4171 SliceBudget unlimitedBudget;
4173 }
4175 void
4177 {
4180 // We should have started the cycle collector by now.
4187 SliceBudget budget;
4190 }
4192 }
4194 void
4196 {
4199 // We should have started the cycle collector by now.
4206 SliceBudget budget;
4209 }
4211 }
4213 void
4215 {
4222 }
4225 }
4227 void
4229 {
4236 }
4239 }
4241 void
4243 {
4256 }
4257 }
4258 }