| blob | 8e06f7ed02294866f8fdfe199ebc539d96be8043 |
1 /* -*- Mode: C++; tab-width: 8; indent-tabs-mode: nil; c-basic-offset: 4 -*-
2 * vim: set ts=8 sw=4 et tw=78:
3 *
4 * ***** BEGIN LICENSE BLOCK *****
5 * Version: MPL 1.1/GPL 2.0/LGPL 2.1
6 *
7 * The contents of this file are subject to the Mozilla Public License Version
8 * 1.1 (the "License"); you may not use this file except in compliance with
9 * the License. You may obtain a copy of the License at
10 * http://www.mozilla.org/MPL/
11 *
12 * Software distributed under the License is distributed on an "AS IS" basis,
13 * WITHOUT WARRANTY OF ANY KIND, either express or implied. See the License
14 * for the specific language governing rights and limitations under the
15 * License.
16 *
17 * The Original Code is Mozilla Communicator client code, released
18 * March 31, 1998.
19 *
20 * The Initial Developer of the Original Code is
21 * Netscape Communications Corporation.
22 * Portions created by the Initial Developer are Copyright (C) 1998
23 * the Initial Developer. All Rights Reserved.
24 *
25 * Contributor(s):
26 *
27 * Alternatively, the contents of this file may be used under the terms of
28 * either of the GNU General Public License Version 2 or later (the "GPL"),
29 * or the GNU Lesser General Public License Version 2.1 or later (the "LGPL"),
30 * in which case the provisions of the GPL or the LGPL are applicable instead
31 * of those above. If you wish to allow use of your version of this file only
32 * under the terms of either the GPL or the LGPL, and not to allow others to
33 * use your version of this file under the terms of the MPL, indicate your
34 * decision by deleting the provisions above and replace them with the notice
35 * and other provisions required by the GPL or the LGPL. If you do not delete
36 * the provisions above, a recipient may use your version of this file under
37 * the terms of any one of the MPL, the GPL or the LGPL.
38 *
39 * ***** END LICENSE BLOCK ***** */
41 /*
42 * JS Mark-and-Sweep Garbage Collector.
43 *
44 * This GC allocates fixed-sized things with sizes up to GC_NBYTES_MAX (see
45 * jsgc.h). It allocates from a special GC arena pool with each arena allocated
46 * using malloc. It uses an ideally parallel array of flag bytes to hold the
47 * mark bit, finalizer type index, etc.
48 *
49 * XXX swizzle page to freelist for better locality of reference
50 */
52 #include <math.h>
84 #if JS_HAS_XML_SUPPORT
86 #endif
93 #ifdef MOZ_VALGRIND
94 # define JS_VALGRIND
95 #endif
96 #ifdef JS_VALGRIND
97 # include <valgrind/memcheck.h>
98 #endif
102 /*
103 * Check that JSTRACE_XML follows JSTRACE_OBJECT and JSTRACE_STRING.
104 */
109 /*
110 * JS_IS_VALID_TRACE_KIND assumes that JSTRACE_STRING is the last non-xml
111 * trace kind when JS_HAS_XML_SUPPORT is false.
112 */
115 /*
116 * Check consistency of external string constants from JSFinalizeGCThingKind.
117 */
121 /*
122 * GC memory is allocated in chunks. The size of each chunk is GC_CHUNK_SIZE.
123 * The chunk contains an array of GC arenas holding GC things, an array of
124 * the mark bitmaps for each arena, an array of JSGCArenaInfo arena
125 * descriptors, an array of JSGCMarkingDelay descriptors, the GCChunkInfo
126 * chunk descriptor and a bitmap indicating free arenas in the chunk. The
127 * following picture demonstrates the layout:
128 *
129 * +--------+--------------+-------+--------+------------+-----------------+
130 * | arenas | mark bitmaps | infos | delays | chunk info | free arena bits |
131 * +--------+--------------+-------+--------+------------+-----------------+
132 *
133 * To ensure fast O(1) lookup of mark bits and arena descriptors each chunk is
134 * allocated on GC_CHUNK_SIZE boundary. This way a simple mask and shift
135 * operation gives an arena index into the mark and JSGCArenaInfo arrays.
136 *
137 * All chunks that have at least one free arena are put on the doubly-linked
138 * list with the head stored in JSRuntime.gcChunkList. GCChunkInfo contains
139 * the head of the chunk's free arena list together with the link fields for
140 * gcChunkList.
141 *
142 * A GC arena contains GC_ARENA_SIZE bytes aligned on GC_ARENA_SIZE boundary
143 * and holds things of the same size and kind. The size of each thing in the
144 * arena must be divisible by GC_CELL_SIZE, the minimal allocation unit, and
145 * the size of the mark bitmap is fixed and is independent of the thing's
146 * size with one bit per each GC_CELL_SIZE bytes. For thing sizes that exceed
147 * GC_CELL_SIZE this implies that we waste space in the mark bitmap. The
148 * advantage is that we can find the mark bit for the thing using just
149 * integer shifts avoiding an expensive integer division. We trade some space
150 * for speed here.
151 *
152 * The number of arenas in the chunk is given by GC_ARENAS_PER_CHUNK. We find
153 * that number as follows. Suppose chunk contains n arenas. Together with the
154 * word-aligned free arena bitmap and GCChunkInfo they should fit into the
155 * chunk. Hence GC_ARENAS_PER_CHUNK or n_max is the maximum value of n for
156 * which the following holds:
157 *
158 * n*s + ceil(n/B) <= M (1)
159 *
160 * where "/" denotes normal real division,
161 * ceil(r) gives the least integer not smaller than the number r,
162 * s is the number of words in the GC arena, arena's mark bitmap,
163 * JSGCArenaInfo and JSGCMarkingDelay or GC_ARENA_ALL_WORDS.
164 * B is number of bits per word or B == JS_BITS_PER_WORD
165 * M is the number of words in the chunk without GCChunkInfo or
166 * M == (GC_CHUNK_SIZE - sizeof(JSGCArenaInfo)) / sizeof(jsuword).
167 *
168 * We rewrite the inequality as
169 *
170 * n*B*s/B + ceil(n/B) <= M,
171 * ceil(n*B*s/B + n/B) <= M,
172 * ceil(n*(B*s + 1)/B) <= M (2)
173 *
174 * We define a helper function e(n, s, B),
175 *
176 * e(n, s, B) := ceil(n*(B*s + 1)/B) - n*(B*s + 1)/B, 0 <= e(n, s, B) < 1.
177 *
178 * It gives:
179 *
180 * n*(B*s + 1)/B + e(n, s, B) <= M,
181 * n + e*B/(B*s + 1) <= M*B/(B*s + 1)
182 *
183 * We apply the floor function to both sides of the last equation, where
184 * floor(r) gives the biggest integer not greater than r. As a consequence we
185 * have:
186 *
187 * floor(n + e*B/(B*s + 1)) <= floor(M*B/(B*s + 1)),
188 * n + floor(e*B/(B*s + 1)) <= floor(M*B/(B*s + 1)),
189 * n <= floor(M*B/(B*s + 1)), (3)
190 *
191 * where floor(e*B/(B*s + 1)) is zero as e*B/(B*s + 1) < B/(B*s + 1) < 1.
192 * Thus any n that satisfies the original constraint (1) or its equivalent (2),
193 * must also satisfy (3). That is, we got an upper estimate for the maximum
194 * value of n. Lets show that this upper estimate,
195 *
196 * floor(M*B/(B*s + 1)), (4)
197 *
198 * also satisfies (1) and, as such, gives the required maximum value.
199 * Substituting it into (2) gives:
200 *
201 * ceil(floor(M*B/(B*s + 1))*(B*s + 1)/B) == ceil(floor(M/X)*X)
202 *
203 * where X == (B*s + 1)/B > 1. But then floor(M/X)*X <= M/X*X == M and
204 *
205 * ceil(floor(M/X)*X) <= ceil(M) == M.
206 *
207 * Thus the value of (4) gives the maximum n satisfying (1).
208 *
209 * For the final result we observe that in (4)
210 *
211 * M*B == (GC_CHUNK_SIZE - sizeof(GCChunkInfo)) / sizeof(jsuword) *
212 * JS_BITS_PER_WORD
213 * == (GC_CHUNK_SIZE - sizeof(GCChunkInfo)) * JS_BITS_PER_BYTE
214 *
215 * since GC_CHUNK_SIZE and sizeof(GCChunkInfo) are at least word-aligned.
216 */
239 #ifdef JSXML
241 #endif
243 #ifdef JS_GCMETER
244 # define METER(x) ((void) (x))
245 # define METER_IF(condition, x) ((void) ((condition) && (x)))
246 #else
247 # define METER(x) ((void) 0)
248 # define METER_IF(condition, x) ((void) 0)
249 #endif
252 /*
253 * Allocation list for the arena.
254 */
257 /*
258 * Pointer to the previous arena in a linked list. The arena can either
259 * belong to one of JSContext.gcArenaList lists or, when it does not have
260 * any allocated GC things, to the list of free arenas in the chunk with
261 * head stored in GCChunkInfo.lastFreeArena.
262 */
268 };
270 /* See comments before ThingsPerUnmarkedBit below. */
273 jsuword unmarkedChildren;
274 };
281 }
286 }
294 }
298 }
305 };
323 };
327 /* Check that all chunk arrays at least word-aligned. */
337 /* The value according (4) above. */
344 JS_BITS_PER_WORD;
349 /* Check that GC_ARENAS_PER_CHUNK indeed maximises (1). */
351 GC_FREE_ARENA_BITMAP_WORDS <=
356 JS_BITS_PER_WORD >
372 inline jsuword
378 }
382 {
385 }
387 /* static */
393 }
397 {
400 }
404 {
409 /*
410 * For simplicity we set all bits to 1 including the high bits in the
411 * last word that corresponds to nonexistent arenas. This is fine since
412 * the arena scans the bitmap words from lowest to highest bits and the
413 * allocation checks numFreeArenas before doing the search.
414 */
416 }
420 {
421 #ifdef DEBUG
426 #endif
427 }
429 /* static */
432 {
440 }
442 /* static */
445 {
449 }
451 /* static */
458 }
462 {
467 }
471 {
477 }
481 {
486 }
488 /*
489 * Helpers for GC-thing operations.
490 */
494 {
500 }
502 /*
503 * Live objects are marked black. How many other additional colors are available
504 * depends on the size of the GCThing.
505 */
508 static void
510 {
512 }
516 {
522 }
524 /*
525 * The GC always marks live objects BLACK. If color is not BLACK, we also mark
526 * the object with that additional color.
527 */
530 {
541 }
543 size_t
545 {
549 }
551 /* Can only be called if thing belongs to an arena where a->list is not null. */
554 {
562 }
564 /* Can only be applicable to arena where a->list is not null. */
567 {
570 /*
571 * We use "<=" and not "<" in the assert so index can mean the limit.
572 * For the same reason we use "+", not "|" when finding the thing address
573 * as the limit address can start at the next arena.
574 */
578 }
580 /*
581 * The private JSGCThing struct, which describes a JSRuntime.gcFreeList element.
582 */
585 };
589 {
604 }
606 inline jsuword
608 {
610 #ifdef MOZ_GCTIMER
613 #endif
617 }
621 {
624 #ifdef MOZ_GCTIMER
626 #endif
630 }
634 {
637 /*
638 * FIXME bug 524051 We cannot run a last-ditch GC on trace for now, so
639 * just pretend we are out of memory which will throw us off trace and
640 * we will re-try this code path from the interpreter.
641 */
645 }
648 #ifdef DEBUG
651 #endif
652 /*
653 * Make sure that after the GC we can append all allocated chunks to
654 * gcFreeArenaChunks.
655 *
656 * FIXME bug 583729 - use the same for the rt->gcChunkSet.
657 */
666 /*
667 * FIXME bug 583732 - chunk is newly allocated and cannot present in
668 * the table so using ordinary lookupForAdd is suboptimal here.
669 */
675 }
677 }
682 /* Scan the bitmap for the first non-zero bit. */
687 freeArenas++;
688 }
698 }
705 }
707 /*
708 * This function does not touch the arena or release its memory so code can
709 * still refer into it.
710 */
711 static void
713 {
730 #ifdef DEBUG
733 #endif
734 }
736 static void
738 {
739 #ifdef DEBUG
744 }
745 #endif
747 /* Remove unused chunks and rebuild gcFreeArenaChunks. */
758 }
760 }
764 }
765 }
769 {
775 #if JS_HAS_XML_SUPPORT
777 #endif
788 };
792 }
796 {
803 JSTRACE_XML,
804 #endif
815 };
819 }
823 {
826 }
830 {
832 }
836 {
839 }
841 static void
843 {
850 }
851 }
853 static void
855 {
859 }
867 }
869 intN
871 {
878 }
882 {
888 }
890 JSRuntime *
892 {
895 }
899 {
904 }
908 {
910 }
912 JSBool
914 {
917 /*
918 * Make room for at least 16 chunks so the table would not grow before
919 * the browser starts up.
920 */
930 #ifdef JS_THREADSAFE
933 #endif
935 /*
936 * Separate gcMaxMallocBytes from gcMaxBytes but initialize to maxbytes
937 * for default backward API compatibility.
938 */
944 /*
945 * By default the trigger factor gets maximum possible value. This
946 * means that GC will not be triggered by growth of GC memory (gcBytes).
947 */
950 /*
951 * The assigned value prevents GC from running when GC memory is too low
952 * (during JS engine start).
953 */
958 }
962 /*
963 * Returns CGCT_VALID if the w can be a live GC thing and sets thing and traceKind
964 * accordingly. Otherwise returns the reason for rejection.
965 */
966 inline ConservativeGCTest
968 {
969 /*
970 * The conservative scanner may access words that valgrind considers as
971 * undefined. To avoid false positives and not to alter valgrind view of
972 * the memory we make as memcheck-defined the argument, a copy of the
973 * original word. See bug 572678.
974 */
975 #ifdef JS_VALGRIND
977 #endif
979 /*
980 * We assume that the compiler never uses sub-word alignment to store
981 * pointers and does not tag pointers on its own. Additionally, the value
982 * representation for all values and the jsid representation for GC-things
983 * do not touch the low two bits. Thus any word with the low two bits set
984 * is not a valid GC-thing.
985 */
990 /*
991 * An object jsid has its low bits tagged. In the value representation on
992 * 64-bit, the high bits are tagged.
993 */
995 #if JS_BITS_PER_WORD == 32
997 #elif JS_BITS_PER_WORD == 64
999 #endif
1019 /*
1020 * On 64-bit we might consider using the tag bits in w to disqualify
1021 * additional false roots, however, the condition would have to look
1022 * something like:
1023 *
1024 * if ((traceKind == JSTRACE_STRING && tag > 0 && tag != JSVAL_TAG_SHIFT) ||
1025 * (traceKind == JSTRACE_OBJECT && tag > 0 && tag != JSVAL_TAG_OBJECT))
1026 * return CGCT_WRONGTAG;
1027 *
1028 * However, it seems like we should measure how often this actually avoids
1029 * false roots.
1030 */
1037 /*
1038 * If GC_ARENA_SIZE % thingSize != 0 or when thingSize is not a power
1039 * of two, thingSize-aligned pointer may point at the end of the last
1040 * thing yet be inside the arena.
1041 */
1045 }
1048 /* Make sure the thing is not on the freelist of the arena. */
1054 /* If the cursor moves past the thing, it's not in the freelist. */
1058 /* If we find it on the freelist, it's dead. */
1063 }
1066 }
1068 inline ConservativeGCTest
1070 {
1072 uint32 traceKind;
1074 }
1076 static void
1078 {
1079 /*
1080 * The conservative scanner may access words that valgrind considers as
1081 * undefined. To avoid false positives and not to alter valgrind view of
1082 * the memory we make as memcheck-defined the argument, a copy of the
1083 * original word. See bug 572678.
1084 */
1085 #ifdef JS_VALGRIND
1087 #endif
1090 uint32 traceKind;
1094 #ifdef JS_DUMP_CONSERVATIVE_GC_ROOTS
1098 }
1099 #endif
1100 }
1102 #if defined JS_DUMP_CONSERVATIVE_GC_ROOTS || defined JS_GCMETER
1105 #endif
1106 }
1108 static void
1110 {
1114 }
1116 void
1118 {
1119 /* Do conservative scanning of the stack and registers. */
1125 #if JS_STACK_GROWTH_DIRECTION > 0
1128 #else
1131 #endif
1136 }
1137 }
1138 }
1142 {
1147 /* Update the native stack pointer if it points to a bigger stack. */
1148 #if JS_STACK_GROWTH_DIRECTION > 0
1149 # define CMP >
1150 #else
1151 # define CMP <
1152 #endif
1153 jsuword dummy;
1156 #undef CMP
1158 /* Update the register snapshot with the latest values. */
1159 #if defined(_MSC_VER)
1160 # pragma warning(push)
1161 # pragma warning(disable: 4611)
1162 #endif
1164 #if defined(_MSC_VER)
1165 # pragma warning(pop)
1166 #endif
1168 }
1172 {
1174 #ifdef DEBUG
1177 #endif
1178 }
1182 #ifdef DEBUG
1183 static void
1185 #endif
1187 void
1189 {
1190 #ifdef JS_ARENAMETER
1192 #endif
1193 #ifdef JS_GCMETER
1196 #endif
1198 #ifdef JS_THREADSAFE
1200 #endif
1203 #ifdef DEBUG
1206 #endif
1209 }
1211 JSBool
1213 {
1218 }
1220 JSBool
1222 {
1227 }
1231 {
1232 /*
1233 * Due to the long-standing, but now removed, use of rt->gcLock across the
1234 * bulk of js_GC, API users have come to depend on JS_AddRoot etc. locking
1235 * properly with a racing GC, without calling JS_AddRoot from a request.
1236 * We have to preserve API compatibility here, now that we avoid holding
1237 * rt->gcLock across the mark phase (including the root hashtable mark).
1238 */
1244 }
1248 {
1249 /*
1250 * Due to the long-standing, but now removed, use of rt->gcLock across the
1251 * bulk of js_GC, API users have come to depend on JS_AddRoot etc. locking
1252 * properly with a racing GC, without calling JS_AddRoot from a request.
1253 * We have to preserve API compatibility here, now that we avoid holding
1254 * rt->gcLock across the mark phase (including the root hashtable mark).
1255 */
1261 }
1265 {
1266 /*
1267 * Due to the JS_RemoveRootRT API, we may be called outside of a request.
1268 * Same synchronization drill as above in js_AddRoot.
1269 */
1275 }
1281 #ifdef DEBUG
1283 static void
1285 {
1288 /* Warn (but don't assert) debug builds of any remaining roots. */
1291 leakedroots++;
1295 }
1310 }
1311 }
1312 }
1314 void
1318 {
1323 }
1324 }
1328 uint32
1330 {
1336 ct++;
1343 }
1346 }
1348 void
1350 {
1355 }
1357 void
1359 {
1365 }
1367 void
1369 {
1370 /*
1371 * Return the free list back to the arena so the GC finalization will not
1372 * run the finalizers over unitialized bytes from free things.
1373 */
1381 }
1382 }
1383 }
1385 void
1387 {
1391 }
1395 {
1396 #ifdef JS_GC_ZEAL
1399 #endif
1401 /*
1402 * Since the initial value of the gcLastBytes parameter is not equal to
1403 * zero (see the js_InitGC function) the return value is false when
1404 * the gcBytes value is close to zero at the JS engine start.
1405 */
1407 }
1409 static void
1411 {
1414 /* The last ditch GC preserves weak roots and all atoms. */
1417 /*
1418 * Keep rt->gcLock across the call into the GC so we don't starve and
1419 * lose to racing threads who deplete the heap just after the GC has
1420 * replenished it (or has synchronized with a racing GC that collected a
1421 * bunch of garbage). This unfair scheduling can happen on certain
1422 * operating systems. For the gory details, see bug 162779.
1423 */
1425 }
1429 {
1435 {
1450 /*
1451 * The JSGC_END callback can legitimately allocate new GC
1452 * things and populate the free list. If that happens, just
1453 * return that list head.
1454 */
1458 }
1467 }
1468 }
1476 }
1478 }
1480 /*
1481 * Do only minimal initialization of the arena inside the GC lock. We
1482 * can do the rest outside the lock because no other threads will see
1483 * the arena until the GC is run.
1484 */
1490 }
1497 }
1501 {
1502 /*
1503 * The GC things on the free lists come from one arena and the things on
1504 * the free list are linked in ascending address order.
1505 */
1510 }
1514 {
1516 #ifdef JS_THREADSAFE
1518 #endif
1520 /* Updates of metering counters here may not be thread-safe. */
1531 }
1537 }
1539 /*
1540 * See comments in RefillFinalizableFreeList about a possibility
1541 * of *freeListp == thing.
1542 */
1549 }
1551 JSBool
1553 {
1568 }
1572 }
1574 void
1576 {
1589 }
1590 }
1594 {
1597 /* If obj has no map, it must be a newborn. */
1608 }
1619 }
1621 }
1623 #if JS_HAS_XML_SUPPORT
1627 #endif
1628 }
1629 }
1633 /*
1634 * When the native stack is low, the GC does not call JS_TraceChildren to mark
1635 * the reachable "children" of the thing. Rather the thing is put aside and
1636 * JS_TraceChildren is called later with more space on the C stack.
1637 *
1638 * To implement such delayed marking of the children with minimal overhead for
1639 * the normal case of sufficient native stack, the code uses two fields per
1640 * arena stored in JSGCMarkingDelay. The first field, JSGCMarkingDelay::link,
1641 * links all arenas with delayed things into a stack list with the pointer to
1642 * stack top in JSRuntime::gcUnmarkedArenaStackTop. delayMarkingChildren adds
1643 * arenas to the stack as necessary while markDelayedChildren pops the arenas
1644 * from the stack until it empties.
1645 *
1646 * The second field, JSGCMarkingDelay::unmarkedChildren, is a bitmap that
1647 * tells for which things the GC should call JS_TraceChildren later. The
1648 * bitmap is a single word. As such it does not pinpoint the delayed things
1649 * in the arena but rather tells the intervals containing
1650 * ThingsPerUnmarkedBit(thingSize) things. Later the code in
1651 * markDelayedChildren discovers such intervals and calls JS_TraceChildren on
1652 * any marked thing in the interval. This implies that JS_TraceChildren can be
1653 * called many times for a single thing if the thing shares the same interval
1654 * with some delayed things. This should be fine as any GC graph
1655 * marking/traversing hooks must allow repeated calls during the same GC cycle.
1656 * In particular, xpcom cycle collector relies on this.
1657 *
1658 * Note that such repeated scanning may slow down the GC. In particular, it is
1659 * possible to construct an object graph where the GC calls JS_TraceChildren
1660 * ThingsPerUnmarkedBit(thingSize) for almost all things in the graph. We
1661 * tolerate this as the max value for ThingsPerUnmarkedBit(thingSize) is 4.
1662 * This is archived for JSObject on 32 bit system as it is exactly JSObject
1663 * that has the smallest size among the GC things that can be delayed. On 32
1664 * bit CPU we have less than 128 objects per 4K GC arena so each bit in
1665 * unmarkedChildren covers 4 objects.
1666 */
1669 {
1671 }
1675 {
1677 #ifdef DEBUG
1679 #endif
1680 #ifdef JS_DUMP_CONSERVATIVE_GC_ROOTS
1683 #endif
1684 }
1687 {
1688 #ifdef JS_DUMP_CONSERVATIVE_GC_ROOTS
1690 #endif
1691 #ifdef JS_GCMETER
1692 /* Update total stats. */
1694 #endif
1695 }
1697 void
1699 {
1717 /* bit already covers things with children to mark later. */
1719 }
1722 /*
1723 * The thing is the first thing with not yet marked children in the
1724 * whole arena, so push the arena on the stack of arenas with things
1725 * to be marked later unless the arena has already been pushed. We
1726 * detect that through checking prevUnmarked as the field is 0
1727 * only for not yet pushed arenas. To ensure that
1728 * prevUnmarked != 0
1729 * even when the stack contains one element, we make prevUnmarked
1730 * for the arena at the bottom to point to itself.
1731 *
1732 * See comments in markDelayedChildren.
1733 */
1737 /* Stack was empty, mark the arena as the bottom element. */
1742 }
1744 }
1746 }
1747 #ifdef DEBUG
1750 #endif
1751 }
1755 {
1762 }
1765 /*
1766 * The following assert verifies that the current arena belongs to the
1767 * unmarked stack, since delayMarkingChildren ensures that even for
1768 * the stack's bottom, prevUnmarked != 0 but rather points to
1769 * itself.
1770 */
1780 /*
1781 * We cannot use do-while loop here as a->unmarkedChildren can be zero
1782 * before the loop as a leftover from the previous iterations. See
1783 * comments after the loop.
1784 */
1788 #ifdef DEBUG
1791 #endif
1795 /*
1796 * endIndex can go beyond the last allocated thing as the real
1797 * limit can be "inside" the bit.
1798 */
1809 }
1811 /*
1812 * We finished tracing of all things in the the arena but we can only
1813 * pop it from the stack if the arena is the stack's top.
1814 *
1815 * When JS_TraceChildren from the above calls JS_CallTracer that in
1816 * turn on low C stack calls delayMarkingChildren and the latter
1817 * pushes new arenas to the unmarked stack, we have to skip popping
1818 * of this arena until it becomes the top of the stack again.
1819 */
1824 /*
1825 * prevUnmarked points to itself and we reached the bottom of
1826 * the stack.
1827 */
1829 }
1833 }
1834 }
1839 }
1841 void
1843 {
1849 }
1850 }
1852 void
1854 {
1859 #ifdef DEBUG
1864 }
1865 #endif
1873 /*
1874 * Optimize for string as their marking is not recursive.
1875 *
1876 * Iterate through all nodes and leaves in the rope if this is
1877 * part of a rope; otherwise, we only iterate once: on the string
1878 * itself.
1879 */
1892 }
1897 /*
1898 * With JS_GC_ASSUME_LOW_C_STACK defined the mark phase of GC
1899 * always uses the non-recursive code that otherwise would be
1900 * called only on a low C stack condition.
1901 */
1902 #ifdef JS_GC_ASSUME_LOW_C_STACK
1903 # define RECURSION_TOO_DEEP() true
1904 #else
1906 # define RECURSION_TOO_DEEP() (!JS_CHECK_STACK_SIZE(trc->context, stackDummy))
1907 #endif
1910 else
1912 }
1913 }
1915 #ifdef DEBUG
1918 #endif
1919 }
1921 void
1923 {
1931 }
1935 static void
1937 {
1938 #ifdef DEBUG
1945 }
1957 a;
1962 }
1963 }
1964 }
1971 }
1973 }
1974 }
1975 #endif
1979 else
1981 }
1983 static void
1985 {
1986 uint32 traceKind;
1991 }
1993 void
1995 {
2003 /* Allow for primitive this parameter due to JSFUN_THISP_* flags. */
2008 }
2012 {
2039 }
2051 }
2053 }
2065 }
2073 }
2092 }
2103 }
2104 }
2107 MarkValueRange(trc, tag, static_cast<AutoArrayRooter *>(this)->array, "js::AutoArrayRooter.array");
2108 }
2110 void
2112 {
2113 /* Stack frames and slots are traced by StackSpace::mark. */
2115 /* Mark other roots-by-definition in acx. */
2121 /* Avoid keeping GC-ed junk stored in JSContext.exception. */
2123 }
2137 #ifdef JS_TRACER
2143 }
2144 #endif
2145 }
2147 JS_REQUIRES_STACK void
2149 {
2155 /*
2156 * Verify that we do not have at this point unmarked GC things stored in
2157 * autorooters. To maximize test coverage we abort even in non-debug
2158 * builds for now, see bug 574313.
2159 */
2161 #if 1
2165 #ifdef JS_THREADSAFE
2167 #endif
2179 }
2194 }
2195 }
2203 "Conservative GC scanner has missed the root 0x%p with tag %ld"
2204 " on the stack due to %d. The root location 0x%p, distance from"
2205 " the stack base %ld, conservative gc span %ld."
2206 " Consevtaive GC status for the thread %d."
2215 }
2216 }
2217 }
2218 #endif
2236 /*
2237 * We mark extra roots at the last thing so it can use use additional
2238 * colors to implement cycle collection.
2239 */
2243 #ifdef DEBUG
2251 }
2252 }
2253 }
2254 #endif
2255 }
2257 void
2259 {
2262 #ifdef JS_THREADSAFE
2264 #endif
2269 /*
2270 * Trigger the GC when it is safe to call an operation callback on any
2271 * thread.
2272 */
2275 }
2277 void
2279 {
2288 }
2289 }
2290 }
2294 {
2298 /* Cope with stillborn objects that have no map. */
2302 /* Finalize obj first, in case it needs map and slots. */
2313 else
2315 }
2318 }
2322 {
2324 }
2326 #if JS_HAS_XML_SUPPORT
2329 {
2331 }
2332 #endif
2337 };
2339 intN
2341 JSStringFinalizeOp newop)
2342 {
2347 }
2348 }
2350 }
2354 {
2359 }
2363 {
2371 /*
2372 * flatChars for stillborn string is null, but cx->free checks
2373 * for a null pointer on its own.
2374 */
2378 }
2379 /* Nothing to be done for rope interior nodes. */
2380 }
2384 {
2392 /* A stillborn string has null chars. */
2399 }
2401 /*
2402 * This function is called from js_FinishAtomState to force the finalization
2403 * of the permanently interned strings when cx is not available.
2404 */
2405 void
2407 {
2413 /* A dependent string can not be external and must be valid. */
2421 /* A stillborn string has null chars, so is not valid. */
2432 /*
2433 * Assume that the finalizer for the permanently interned
2434 * string knows how to deal with null context.
2435 */
2437 }
2438 }
2439 }
2440 }
2444 static void
2446 {
2456 #ifdef JS_GCMETER
2458 #endif
2478 }
2493 }
2501 #ifdef DEBUG
2503 #endif
2504 }
2508 }
2510 #ifdef DEBUG
2511 /* Check that the free list is consistent. */
2522 }
2523 }
2524 #endif
2526 /*
2527 * Forget just assembled free list head for the arena and
2528 * add the arena itself to the destroy list.
2529 */
2540 }
2543 }
2548 }
2550 #ifdef JS_THREADSAFE
2556 {
2565 }
2571 }
2573 void
2575 {
2582 }
2586 }
2587 }
2589 }
2593 static void
2595 {
2602 /* Delete defaultCompartment only during runtime shutdown */
2610 /* Remove dead wrappers from the compartment map. */
2618 }
2619 }
2621 }
2623 /*
2624 * Common cache invalidation and so forth that must be done before GC. Even if
2625 * GCUntilDone calls GC several times, this work only needs to be done once.
2626 */
2627 static void
2629 {
2632 /* Clear gcIsNeeded now, when we are about to start a normal GC cycle. */
2635 /* Reset malloc counter. */
2638 #ifdef JS_DUMP_SCOPE_METERS
2639 {
2642 }
2643 #endif
2645 /*
2646 * Reset the property cache's type id generator so we can compress ids.
2647 * Same for the protoHazardShape proxy-shape standing in for all object
2648 * prototypes having readonly or setter properties.
2649 */
2651 #ifdef JS_GC_ZEAL
2653 #endif
2654 ) {
2659 }
2662 {
2666 }
2667 }
2669 /*
2670 * Perform mark-and-sweep GC.
2671 *
2672 * In a JS_THREADSAFE build, the calling thread must be rt->gcThread and each
2673 * other thread must be either outside all requests or blocked waiting for GC
2674 * to finish. Note that the caller does not hold rt->gcLock.
2675 */
2676 static void
2678 {
2682 /*
2683 * Mark phase.
2684 */
2696 /*
2697 * Mark children of things that caused too deep recursion during the above
2698 * tracing.
2699 */
2707 #ifdef JS_THREADSAFE
2711 #endif
2713 /*
2714 * Sweep phase.
2715 *
2716 * Finalize as we sweep, outside of rt->gcLock but with rt->gcRunning set
2717 * so that any attempt to allocate a GC-thing from a finalizer will fail,
2718 * rather than nest badly and leave the unmarked newborn to be swept.
2719 *
2720 * We first sweep atom state so we can use js_IsAboutToBeFinalized on
2721 * JSString held in a hashtable to check if the hashtable entry can be
2722 * freed. Note that even after the entry is freed, JSObject finalizers can
2723 * continue to access the corresponding JSString* assuming that they are
2724 * unique. This works since the atomization API must not be called during
2725 * the GC.
2726 */
2730 /* Finalize watch points associated with unreachable objects. */
2733 #ifdef DEBUG
2734 /* Save the pre-sweep count of scope-mapped properties. */
2736 #endif
2738 /*
2739 * We finalize iterators before other objects so the iterator can use the
2740 * object which properties it enumerates over to finalize the enumeration
2741 * state. We finalize objects before other GC things to ensure that
2742 * object's finalizer can access them even if they will be freed.
2743 */
2747 #if JS_HAS_XML_SUPPORT
2749 #endif
2752 /*
2753 * We sweep the deflated cache before we finalize the strings so the
2754 * cache can safely use js_IsAboutToBeFinalized..
2755 */
2764 }
2769 /*
2770 * Sweep the runtime's property tree after finalizing objects, in case any
2771 * had watchpoints referencing tree nodes.
2772 */
2775 /*
2776 * Sweep script filenames after sweeping functions in the generic loop
2777 * above. In this way when a scripted function's finalizer destroys the
2778 * script and calls rt->destroyScriptHook, the hook can still access the
2779 * script's filename. See bug 323267.
2780 */
2783 /* Slowify arrays we have accumulated. */
2786 /*
2787 * Destroy arenas after we finished the sweeping so finalizers can safely
2788 * use js_IsAboutToBeFinalized().
2789 */
2793 #ifdef JS_THREADSAFE
2797 }
2798 #endif
2802 #ifdef DEBUG_srcnotesize
2806 }
2807 #endif
2809 #ifdef JS_SCOPE_DEPTH_METER
2811 #endif
2813 #ifdef JS_DUMP_LOOP_STATS
2815 #endif
2816 }
2818 #ifdef JS_THREADSAFE
2820 /*
2821 * If the GC is running and we're called on another thread, wait for this GC
2822 * activation to finish. We can safely wait here without fear of deadlock (in
2823 * the case where we are called within a request on another thread's context)
2824 * because the GC doesn't set rt->gcRunning until after it has waited for all
2825 * active requests to end.
2826 *
2827 * We call here js_CurrentThreadId() after checking for rt->gcState to avoid
2828 * an expensive call when the GC is not running.
2829 */
2830 void
2832 {
2837 }
2838 }
2840 /*
2841 * GC is running on another thread. Temporarily suspend all requests running
2842 * on the current thread and wait until the GC is done.
2843 */
2844 static void
2846 {
2853 #ifdef JS_TRACER
2855 #endif
2857 #ifdef JS_TRACER
2859 /*
2860 * Leave trace before we decrease rt->requestCount and notify the
2861 * GC. Otherwise the GC may start immediately after we unlock while
2862 * this thread is still on trace.
2863 */
2866 }
2867 #endif
2871 }
2873 /* See comments before another call to js_ShareWaitingTitles below. */
2877 /*
2878 * Check that we did not release the GC lock above and let the GC to
2879 * finish before we wait.
2880 */
2884 /*
2885 * Wait for GC to finish on the other thread, even if requestDebit is 0
2886 * and even if GC has not started yet because the gcThread is waiting in
2887 * BeginGCSession. This ensures that js_GC never returns without a full GC
2888 * cycle happening.
2889 */
2897 }
2899 #endif
2901 /*
2902 * Start a new GC session assuming no GC is running on this or other threads.
2903 * Together with LetOtherGCFinish this function contains the rendezvous
2904 * algorithm by which we stop the world for GC.
2905 *
2906 * This thread becomes the GC thread. Wait for all other threads to quiesce.
2907 * Then set rt->gcRunning and return. The caller must call EndGCSession when
2908 * GC work is done.
2909 */
2910 static void
2912 {
2916 #ifdef JS_THREADSAFE
2917 /* No other thread is in GC, so indicate that we're now in GC. */
2921 /*
2922 * Notify operation callbacks on other threads, which will give them a
2923 * chance to yield their requests. Threads without requests perform their
2924 * callback at some later point, which then will be unnecessary, but
2925 * harmless.
2926 */
2931 }
2933 /*
2934 * Discount the request on the current thread from contributing to
2935 * rt->requestCount before we wait for all other requests to finish.
2936 * JS_NOTIFY_REQUEST_DONE, which will wake us up, is only called on
2937 * rt->requestCount transitions to 0.
2938 */
2945 /*
2946 * Share any title that is owned by the GC thread before we wait, to
2947 * avoid a deadlock with ClaimTitle. We also set the gcWaiting flag so
2948 * that ClaimTitle can claim the title ownership from the GC thread if
2949 * that function is called while the GC is waiting.
2950 */
2958 }
2962 /*
2963 * Set rt->gcRunning here within the GC lock, and after waiting for any
2964 * active requests to end. This way js_WaitForGC called outside a request
2965 * would not block on the GC that is waiting for other requests to finish
2966 * with rt->gcThread set while JS_BeginRequest would do such wait.
2967 */
2969 }
2971 /* End the current GC session and allow other threads to proceed. */
2972 static void
2974 {
2978 #ifdef JS_THREADSAFE
2982 #endif
2983 }
2985 /*
2986 * GC, repeatedly if necessary, until we think we have not created any new
2987 * garbage and no other threads are demanding more GC.
2988 */
2989 static void
2991 {
2997 /* Recursive GC or a call from another thread restarts the GC cycle. */
2998 #ifndef JS_THREADSAFE
3002 }
3009 }
3012 /*
3013 * Check if the GC on another thread have collected the garbage and
3014 * it was not a set slot request.
3015 */
3018 }
3025 /*
3026 * Do not scan the current thread on the shutdown or when the GC is called
3027 * outside a request.
3028 */
3030 #ifdef JS_THREADSAFE
3032 #endif
3044 }
3047 // GC again if:
3048 // - another thread, not in a request, called js_GC
3049 // - js_GC was called recursively
3050 // - a finalizer called js_RemoveRoot or js_UnlockGCThingRT.
3060 }
3062 /*
3063 * The gckind flag bit GC_LOCK_HELD indicates a call from js_NewGCThing with
3064 * rt->gcLock already held, so the lock should be kept on return.
3065 */
3066 void
3068 {
3071 /*
3072 * Don't collect garbage if the runtime isn't up, and cx is not the last
3073 * context in the runtime. The last context must force a GC, and nothing
3074 * should suppress that final collection or there may be shutdown leaks,
3075 * or runtime bloat until the next context is created.
3076 */
3083 /*
3084 * Let the API user decide to defer a GC if it wants to (unless this
3085 * is the last context). Invoke the callback regardless. Sample the
3086 * callback in case we are freely racing with a JS_SetGCCallback{,RT}
3087 * on another thread.
3088 */
3093 }
3095 {
3096 /* Lock out other GC allocator and collector invocations. */
3100 }
3102 /* We re-sample the callback again as the finalizers can change it. */
3107 }
3109 /*
3110 * On shutdown, iterate until the JSGC_END callback stops creating
3111 * garbage.
3112 */
3116 }
3120 bool
3122 {
3125 /*
3126 * This function cannot be called during the GC and always requires a
3127 * request.
3128 */
3129 #ifdef JS_THREADSAFE
3131 #endif
3135 /*
3136 * The set slot request cannot be called recursively and must not be
3137 * called during a normal GC. So if at this point JSRuntime::gcThread is
3138 * set it must be a GC or a set slot request from another thread.
3139 */
3140 #ifdef JS_THREADSAFE
3144 }
3145 #endif
3150 {
3159 }
3161 }
3164 }
3169 }
3171 JSCompartment *
3173 {
3179 }
3184 }
3186 {
3193 }
3194 }
3201 }
3204 }
3206 }