| blob | 588fca45708dd6c577f8fc2617271137276570af |
1 /* -*- Mode: C++; tab-width: 8; indent-tabs-mode: nil; c-basic-offset: 4 -*-
2 * vim: set ts=8 sw=4 et tw=78:
3 *
4 * ***** BEGIN LICENSE BLOCK *****
5 * Version: MPL 1.1/GPL 2.0/LGPL 2.1
6 *
7 * The contents of this file are subject to the Mozilla Public License Version
8 * 1.1 (the "License"); you may not use this file except in compliance with
9 * the License. You may obtain a copy of the License at
10 * http://www.mozilla.org/MPL/
11 *
12 * Software distributed under the License is distributed on an "AS IS" basis,
13 * WITHOUT WARRANTY OF ANY KIND, either express or implied. See the License
14 * for the specific language governing rights and limitations under the
15 * License.
16 *
17 * The Original Code is Mozilla Communicator client code, released
18 * March 31, 1998.
19 *
20 * The Initial Developer of the Original Code is
21 * Netscape Communications Corporation.
22 * Portions created by the Initial Developer are Copyright (C) 1998
23 * the Initial Developer. All Rights Reserved.
24 *
25 * Contributor(s):
26 *
27 * Alternatively, the contents of this file may be used under the terms of
28 * either of the GNU General Public License Version 2 or later (the "GPL"),
29 * or the GNU Lesser General Public License Version 2.1 or later (the "LGPL"),
30 * in which case the provisions of the GPL or the LGPL are applicable instead
31 * of those above. If you wish to allow use of your version of this file only
32 * under the terms of either the GPL or the LGPL, and not to allow others to
33 * use your version of this file under the terms of the MPL, indicate your
34 * decision by deleting the provisions above and replace them with the notice
35 * and other provisions required by the GPL or the LGPL. If you do not delete
36 * the provisions above, a recipient may use your version of this file under
37 * the terms of any one of the MPL, the GPL or the LGPL.
38 *
39 * ***** END LICENSE BLOCK ***** */
41 /*
42 * JS Mark-and-Sweep Garbage Collector.
43 *
44 * This GC allocates fixed-sized things with sizes up to GC_NBYTES_MAX (see
45 * jsgc.h). It allocates from a special GC arena pool with each arena allocated
46 * using malloc. It uses an ideally parallel array of flag bytes to hold the
47 * mark bit, finalizer type index, etc.
48 *
49 * XXX swizzle page to freelist for better locality of reference
50 */
52 #include <math.h>
85 #if JS_HAS_XML_SUPPORT
87 #endif
94 #ifdef MOZ_VALGRIND
95 # define JS_VALGRIND
96 #endif
97 #ifdef JS_VALGRIND
98 # include <valgrind/memcheck.h>
99 #endif
103 /*
104 * Check that JSTRACE_XML follows JSTRACE_OBJECT and JSTRACE_STRING.
105 */
110 /*
111 * JS_IS_VALID_TRACE_KIND assumes that JSTRACE_STRING is the last non-xml
112 * trace kind when JS_HAS_XML_SUPPORT is false.
113 */
116 /*
117 * Check consistency of external string constants from JSFinalizeGCThingKind.
118 */
122 /*
123 * GC memory is allocated in chunks. The size of each chunk is GC_CHUNK_SIZE.
124 * The chunk contains an array of GC arenas holding GC things, an array of
125 * the mark bitmaps for each arena, an array of JSGCArenaInfo arena
126 * descriptors, an array of JSGCMarkingDelay descriptors, the GCChunkInfo
127 * chunk descriptor and a bitmap indicating free arenas in the chunk. The
128 * following picture demonstrates the layout:
129 *
130 * +--------+--------------+-------+--------+------------+-----------------+
131 * | arenas | mark bitmaps | infos | delays | chunk info | free arena bits |
132 * +--------+--------------+-------+--------+------------+-----------------+
133 *
134 * To ensure fast O(1) lookup of mark bits and arena descriptors each chunk is
135 * allocated on GC_CHUNK_SIZE boundary. This way a simple mask and shift
136 * operation gives an arena index into the mark and JSGCArenaInfo arrays.
137 *
138 * All chunks that have at least one free arena are put on the doubly-linked
139 * list with the head stored in JSRuntime.gcChunkList. GCChunkInfo contains
140 * the head of the chunk's free arena list together with the link fields for
141 * gcChunkList.
142 *
143 * A GC arena contains GC_ARENA_SIZE bytes aligned on GC_ARENA_SIZE boundary
144 * and holds things of the same size and kind. The size of each thing in the
145 * arena must be divisible by GC_CELL_SIZE, the minimal allocation unit, and
146 * the size of the mark bitmap is fixed and is independent of the thing's
147 * size with one bit per each GC_CELL_SIZE bytes. For thing sizes that exceed
148 * GC_CELL_SIZE this implies that we waste space in the mark bitmap. The
149 * advantage is that we can find the mark bit for the thing using just
150 * integer shifts avoiding an expensive integer division. We trade some space
151 * for speed here.
152 *
153 * The number of arenas in the chunk is given by GC_ARENAS_PER_CHUNK. We find
154 * that number as follows. Suppose chunk contains n arenas. Together with the
155 * word-aligned free arena bitmap and GCChunkInfo they should fit into the
156 * chunk. Hence GC_ARENAS_PER_CHUNK or n_max is the maximum value of n for
157 * which the following holds:
158 *
159 * n*s + ceil(n/B) <= M (1)
160 *
161 * where "/" denotes normal real division,
162 * ceil(r) gives the least integer not smaller than the number r,
163 * s is the number of words in the GC arena, arena's mark bitmap,
164 * JSGCArenaInfo and JSGCMarkingDelay or GC_ARENA_ALL_WORDS.
165 * B is number of bits per word or B == JS_BITS_PER_WORD
166 * M is the number of words in the chunk without GCChunkInfo or
167 * M == (GC_CHUNK_SIZE - sizeof(JSGCArenaInfo)) / sizeof(jsuword).
168 *
169 * We rewrite the inequality as
170 *
171 * n*B*s/B + ceil(n/B) <= M,
172 * ceil(n*B*s/B + n/B) <= M,
173 * ceil(n*(B*s + 1)/B) <= M (2)
174 *
175 * We define a helper function e(n, s, B),
176 *
177 * e(n, s, B) := ceil(n*(B*s + 1)/B) - n*(B*s + 1)/B, 0 <= e(n, s, B) < 1.
178 *
179 * It gives:
180 *
181 * n*(B*s + 1)/B + e(n, s, B) <= M,
182 * n + e*B/(B*s + 1) <= M*B/(B*s + 1)
183 *
184 * We apply the floor function to both sides of the last equation, where
185 * floor(r) gives the biggest integer not greater than r. As a consequence we
186 * have:
187 *
188 * floor(n + e*B/(B*s + 1)) <= floor(M*B/(B*s + 1)),
189 * n + floor(e*B/(B*s + 1)) <= floor(M*B/(B*s + 1)),
190 * n <= floor(M*B/(B*s + 1)), (3)
191 *
192 * where floor(e*B/(B*s + 1)) is zero as e*B/(B*s + 1) < B/(B*s + 1) < 1.
193 * Thus any n that satisfies the original constraint (1) or its equivalent (2),
194 * must also satisfy (3). That is, we got an upper estimate for the maximum
195 * value of n. Lets show that this upper estimate,
196 *
197 * floor(M*B/(B*s + 1)), (4)
198 *
199 * also satisfies (1) and, as such, gives the required maximum value.
200 * Substituting it into (2) gives:
201 *
202 * ceil(floor(M*B/(B*s + 1))*(B*s + 1)/B) == ceil(floor(M/X)*X)
203 *
204 * where X == (B*s + 1)/B > 1. But then floor(M/X)*X <= M/X*X == M and
205 *
206 * ceil(floor(M/X)*X) <= ceil(M) == M.
207 *
208 * Thus the value of (4) gives the maximum n satisfying (1).
209 *
210 * For the final result we observe that in (4)
211 *
212 * M*B == (GC_CHUNK_SIZE - sizeof(GCChunkInfo)) / sizeof(jsuword) *
213 * JS_BITS_PER_WORD
214 * == (GC_CHUNK_SIZE - sizeof(GCChunkInfo)) * JS_BITS_PER_BYTE
215 *
216 * since GC_CHUNK_SIZE and sizeof(GCChunkInfo) are at least word-aligned.
217 */
240 #ifdef JSXML
242 #endif
244 #ifdef JS_GCMETER
245 # define METER(x) ((void) (x))
246 # define METER_IF(condition, x) ((void) ((condition) && (x)))
247 #else
248 # define METER(x) ((void) 0)
249 # define METER_IF(condition, x) ((void) 0)
250 #endif
253 /*
254 * Allocation list for the arena.
255 */
258 /*
259 * Pointer to the previous arena in a linked list. The arena can either
260 * belong to one of JSContext.gcArenaList lists or, when it does not have
261 * any allocated GC things, to the list of free arenas in the chunk with
262 * head stored in GCChunkInfo.lastFreeArena.
263 */
269 };
271 /* See comments before ThingsPerUnmarkedBit below. */
274 jsuword unmarkedChildren;
275 };
282 }
287 }
295 }
299 }
306 };
324 };
328 /* Check that all chunk arrays at least word-aligned. */
338 /* The value according (4) above. */
345 JS_BITS_PER_WORD;
350 /* Check that GC_ARENAS_PER_CHUNK indeed maximises (1). */
352 GC_FREE_ARENA_BITMAP_WORDS <=
357 JS_BITS_PER_WORD >
373 inline jsuword
379 }
383 {
386 }
388 /* static */
394 }
398 {
401 }
405 {
410 /*
411 * For simplicity we set all bits to 1 including the high bits in the
412 * last word that corresponds to nonexistent arenas. This is fine since
413 * the arena scans the bitmap words from lowest to highest bits and the
414 * allocation checks numFreeArenas before doing the search.
415 */
417 }
421 {
422 #ifdef DEBUG
427 #endif
428 }
430 /* static */
433 {
441 }
443 /* static */
446 {
450 }
452 /* static */
459 }
463 {
468 }
472 {
478 }
482 {
487 }
489 /*
490 * Helpers for GC-thing operations.
491 */
495 {
501 }
503 /*
504 * Live objects are marked black. How many other additional colors are available
505 * depends on the size of the GCThing.
506 */
509 static void
511 {
513 }
517 {
523 }
525 /*
526 * The GC always marks live objects BLACK. If color is not BLACK, we also mark
527 * the object with that additional color.
528 */
531 {
542 }
544 size_t
546 {
550 }
552 /* Can only be called if thing belongs to an arena where a->list is not null. */
555 {
563 }
565 /* Can only be applicable to arena where a->list is not null. */
568 {
571 /*
572 * We use "<=" and not "<" in the assert so index can mean the limit.
573 * For the same reason we use "+", not "|" when finding the thing address
574 * as the limit address can start at the next arena.
575 */
579 }
581 /*
582 * The private JSGCThing struct, which describes a JSRuntime.gcFreeList element.
583 */
586 };
590 {
605 }
607 inline jsuword
609 {
611 #ifdef MOZ_GCTIMER
614 #endif
618 }
622 {
625 #ifdef MOZ_GCTIMER
627 #endif
631 }
635 {
640 /*
641 * FIXME bug 524051 We cannot run a last-ditch GC on trace for now, so
642 * just pretend we are out of memory which will throw us off trace and
643 * we will re-try this code path from the interpreter.
644 */
648 }
651 #ifdef DEBUG
654 #endif
655 /*
656 * Make sure that after the GC we can append all allocated chunks to
657 * gcFreeArenaChunks.
658 *
659 * FIXME bug 583729 - use the same for the rt->gcChunkSet.
660 */
669 /*
670 * FIXME bug 583732 - chunk is newly allocated and cannot present in
671 * the table so using ordinary lookupForAdd is suboptimal here.
672 */
678 }
680 }
685 /* Scan the bitmap for the first non-zero bit. */
690 freeArenas++;
691 }
701 }
708 }
710 /*
711 * This function does not touch the arena or release its memory so code can
712 * still refer into it.
713 */
714 static void
716 {
733 #ifdef DEBUG
736 #endif
737 }
739 static void
741 {
742 #ifdef DEBUG
747 }
748 #endif
750 /* Remove unused chunks and rebuild gcFreeArenaChunks. */
761 }
763 }
767 }
768 }
772 {
778 #if JS_HAS_XML_SUPPORT
780 #endif
791 };
795 }
799 {
806 JSTRACE_XML,
807 #endif
818 };
822 }
826 {
829 }
833 {
835 }
839 {
842 }
844 static void
846 {
853 }
854 }
856 static void
858 {
862 }
870 }
872 intN
874 {
881 }
885 {
891 }
893 JSRuntime *
895 {
898 }
902 {
907 }
911 {
913 }
915 JSBool
917 {
920 /*
921 * Make room for at least 16 chunks so the table would not grow before
922 * the browser starts up.
923 */
933 #ifdef JS_THREADSAFE
936 #endif
938 /*
939 * Separate gcMaxMallocBytes from gcMaxBytes but initialize to maxbytes
940 * for default backward API compatibility.
941 */
947 /*
948 * By default the trigger factor gets maximum possible value. This
949 * means that GC will not be triggered by growth of GC memory (gcBytes).
950 */
953 /*
954 * The assigned value prevents GC from running when GC memory is too low
955 * (during JS engine start).
956 */
962 }
966 /*
967 * Returns CGCT_VALID if the w can be a live GC thing and sets thing and traceKind
968 * accordingly. Otherwise returns the reason for rejection.
969 */
970 inline ConservativeGCTest
972 {
973 /*
974 * The conservative scanner may access words that valgrind considers as
975 * undefined. To avoid false positives and not to alter valgrind view of
976 * the memory we make as memcheck-defined the argument, a copy of the
977 * original word. See bug 572678.
978 */
979 #ifdef JS_VALGRIND
981 #endif
983 /*
984 * We assume that the compiler never uses sub-word alignment to store
985 * pointers and does not tag pointers on its own. Additionally, the value
986 * representation for all values and the jsid representation for GC-things
987 * do not touch the low two bits. Thus any word with the low two bits set
988 * is not a valid GC-thing.
989 */
994 /*
995 * An object jsid has its low bits tagged. In the value representation on
996 * 64-bit, the high bits are tagged.
997 */
999 #if JS_BITS_PER_WORD == 32
1001 #elif JS_BITS_PER_WORD == 64
1003 #endif
1023 /*
1024 * On 64-bit we might consider using the tag bits in w to disqualify
1025 * additional false roots, however, the condition would have to look
1026 * something like:
1027 *
1028 * if ((traceKind == JSTRACE_STRING && tag > 0 && tag != JSVAL_TAG_SHIFT) ||
1029 * (traceKind == JSTRACE_OBJECT && tag > 0 && tag != JSVAL_TAG_OBJECT))
1030 * return CGCT_WRONGTAG;
1031 *
1032 * However, it seems like we should measure how often this actually avoids
1033 * false roots.
1034 */
1041 /*
1042 * If GC_ARENA_SIZE % thingSize != 0 or when thingSize is not a power
1043 * of two, thingSize-aligned pointer may point at the end of the last
1044 * thing yet be inside the arena.
1045 */
1049 }
1052 /* Make sure the thing is not on the freelist of the arena. */
1058 /* If the cursor moves past the thing, it's not in the freelist. */
1062 /* If we find it on the freelist, it's dead. */
1067 }
1070 }
1072 inline ConservativeGCTest
1074 {
1076 uint32 traceKind;
1078 }
1080 static void
1082 {
1083 /*
1084 * The conservative scanner may access words that valgrind considers as
1085 * undefined. To avoid false positives and not to alter valgrind view of
1086 * the memory we make as memcheck-defined the argument, a copy of the
1087 * original word. See bug 572678.
1088 */
1089 #ifdef JS_VALGRIND
1091 #endif
1094 uint32 traceKind;
1098 #ifdef JS_DUMP_CONSERVATIVE_GC_ROOTS
1102 }
1103 #endif
1104 }
1106 #if defined JS_DUMP_CONSERVATIVE_GC_ROOTS || defined JS_GCMETER
1109 #endif
1110 }
1112 static void
1114 {
1118 }
1120 static void
1122 {
1126 #if JS_STACK_GROWTH_DIRECTION > 0
1129 #else
1132 #endif
1138 }
1140 void
1142 {
1145 #ifdef JS_NUNBOX32
1146 /*
1147 * With 64-bit jsvals on 32-bit systems, we can optimize a bit by
1148 * scanning only the payloads.
1149 */
1153 #else
1155 #endif
1156 }
1158 void
1160 {
1161 #ifdef JS_THREADSAFE
1162 for (JSThread::Map::Range r = trc->context->runtime->threads.all(); !r.empty(); r.popFront()) {
1171 }
1172 }
1173 #else
1175 #endif
1176 }
1178 JS_NEVER_INLINE void
1180 {
1181 /* Update the native stack pointer if it points to a bigger stack. */
1182 jsuword dummy;
1185 /* Update the register snapshot with the latest values. */
1186 #if defined(_MSC_VER)
1187 # pragma warning(push)
1188 # pragma warning(disable: 4611)
1189 #endif
1191 #if defined(_MSC_VER)
1192 # pragma warning(pop)
1193 #endif
1195 }
1199 {
1202 #ifdef JS_THREADSAFE
1203 /* Record the stack top here only if we are called from a request. */
1207 #endif
1209 }
1213 #ifdef DEBUG
1214 static void
1216 #endif
1218 void
1220 {
1221 #ifdef JS_ARENAMETER
1223 #endif
1224 #ifdef JS_GCMETER
1227 #endif
1229 #ifdef JS_THREADSAFE
1231 #endif
1234 #ifdef DEBUG
1237 #endif
1240 }
1242 JSBool
1244 {
1249 }
1251 JSBool
1253 {
1258 }
1262 {
1263 /*
1264 * Due to the long-standing, but now removed, use of rt->gcLock across the
1265 * bulk of js_GC, API users have come to depend on JS_AddRoot etc. locking
1266 * properly with a racing GC, without calling JS_AddRoot from a request.
1267 * We have to preserve API compatibility here, now that we avoid holding
1268 * rt->gcLock across the mark phase (including the root hashtable mark).
1269 */
1275 }
1279 {
1280 /*
1281 * Due to the long-standing, but now removed, use of rt->gcLock across the
1282 * bulk of js_GC, API users have come to depend on JS_AddRoot etc. locking
1283 * properly with a racing GC, without calling JS_AddRoot from a request.
1284 * We have to preserve API compatibility here, now that we avoid holding
1285 * rt->gcLock across the mark phase (including the root hashtable mark).
1286 */
1292 }
1296 {
1297 /*
1298 * Due to the JS_RemoveRootRT API, we may be called outside of a request.
1299 * Same synchronization drill as above in js_AddRoot.
1300 */
1306 }
1312 #ifdef DEBUG
1314 static void
1316 {
1319 /* Warn (but don't assert) debug builds of any remaining roots. */
1322 leakedroots++;
1326 }
1341 }
1342 }
1343 }
1345 void
1349 {
1354 }
1355 }
1359 uint32
1361 {
1367 ct++;
1374 }
1377 }
1379 void
1381 {
1386 }
1388 void
1390 {
1396 }
1398 void
1400 {
1401 /*
1402 * Return the free list back to the arena so the GC finalization will not
1403 * run the finalizers over unitialized bytes from free things.
1404 */
1412 }
1413 }
1414 }
1416 void
1418 {
1422 }
1426 {
1427 #ifdef JS_GC_ZEAL
1430 #endif
1432 /*
1433 * Since the initial value of the gcLastBytes parameter is not equal to
1434 * zero (see the js_InitGC function) the return value is false when
1435 * the gcBytes value is close to zero at the JS engine start.
1436 */
1438 }
1440 static void
1442 {
1445 /* The last ditch GC preserves weak roots and all atoms. */
1448 /*
1449 * Keep rt->gcLock across the call into the GC so we don't starve and
1450 * lose to racing threads who deplete the heap just after the GC has
1451 * replenished it (or has synchronized with a racing GC that collected a
1452 * bunch of garbage). This unfair scheduling can happen on certain
1453 * operating systems. For the gory details, see bug 162779.
1454 */
1456 }
1460 {
1466 {
1481 /*
1482 * The JSGC_END callback can legitimately allocate new GC
1483 * things and populate the free list. If that happens, just
1484 * return that list head.
1485 */
1489 }
1498 }
1499 }
1507 }
1509 }
1511 /*
1512 * Do only minimal initialization of the arena inside the GC lock. We
1513 * can do the rest outside the lock because no other threads will see
1514 * the arena until the GC is run.
1515 */
1521 }
1528 }
1532 {
1533 /*
1534 * The GC things on the free lists come from one arena and the things on
1535 * the free list are linked in ascending address order.
1536 */
1541 }
1545 {
1547 #ifdef JS_THREADSAFE
1549 #endif
1551 /* Updates of metering counters here may not be thread-safe. */
1562 }
1568 }
1570 /*
1571 * See comments in RefillFinalizableFreeList about a possibility
1572 * of *freeListp == thing.
1573 */
1580 }
1582 JSBool
1584 {
1599 }
1603 }
1605 void
1607 {
1620 }
1621 }
1625 {
1628 /* If obj has no map, it must be a newborn. */
1639 }
1650 }
1652 }
1654 #if JS_HAS_XML_SUPPORT
1658 #endif
1659 }
1660 }
1664 /*
1665 * When the native stack is low, the GC does not call JS_TraceChildren to mark
1666 * the reachable "children" of the thing. Rather the thing is put aside and
1667 * JS_TraceChildren is called later with more space on the C stack.
1668 *
1669 * To implement such delayed marking of the children with minimal overhead for
1670 * the normal case of sufficient native stack, the code uses two fields per
1671 * arena stored in JSGCMarkingDelay. The first field, JSGCMarkingDelay::link,
1672 * links all arenas with delayed things into a stack list with the pointer to
1673 * stack top in JSRuntime::gcUnmarkedArenaStackTop. delayMarkingChildren adds
1674 * arenas to the stack as necessary while markDelayedChildren pops the arenas
1675 * from the stack until it empties.
1676 *
1677 * The second field, JSGCMarkingDelay::unmarkedChildren, is a bitmap that
1678 * tells for which things the GC should call JS_TraceChildren later. The
1679 * bitmap is a single word. As such it does not pinpoint the delayed things
1680 * in the arena but rather tells the intervals containing
1681 * ThingsPerUnmarkedBit(thingSize) things. Later the code in
1682 * markDelayedChildren discovers such intervals and calls JS_TraceChildren on
1683 * any marked thing in the interval. This implies that JS_TraceChildren can be
1684 * called many times for a single thing if the thing shares the same interval
1685 * with some delayed things. This should be fine as any GC graph
1686 * marking/traversing hooks must allow repeated calls during the same GC cycle.
1687 * In particular, xpcom cycle collector relies on this.
1688 *
1689 * Note that such repeated scanning may slow down the GC. In particular, it is
1690 * possible to construct an object graph where the GC calls JS_TraceChildren
1691 * ThingsPerUnmarkedBit(thingSize) for almost all things in the graph. We
1692 * tolerate this as the max value for ThingsPerUnmarkedBit(thingSize) is 4.
1693 * This is archived for JSObject on 32 bit system as it is exactly JSObject
1694 * that has the smallest size among the GC things that can be delayed. On 32
1695 * bit CPU we have less than 128 objects per 4K GC arena so each bit in
1696 * unmarkedChildren covers 4 objects.
1697 */
1700 {
1702 }
1706 {
1708 #ifdef DEBUG
1710 #endif
1711 #ifdef JS_DUMP_CONSERVATIVE_GC_ROOTS
1714 #endif
1715 }
1718 {
1719 #ifdef JS_DUMP_CONSERVATIVE_GC_ROOTS
1721 #endif
1722 #ifdef JS_GCMETER
1723 /* Update total stats. */
1725 #endif
1726 }
1728 void
1730 {
1748 /* bit already covers things with children to mark later. */
1750 }
1753 /*
1754 * The thing is the first thing with not yet marked children in the
1755 * whole arena, so push the arena on the stack of arenas with things
1756 * to be marked later unless the arena has already been pushed. We
1757 * detect that through checking prevUnmarked as the field is 0
1758 * only for not yet pushed arenas. To ensure that
1759 * prevUnmarked != 0
1760 * even when the stack contains one element, we make prevUnmarked
1761 * for the arena at the bottom to point to itself.
1762 *
1763 * See comments in markDelayedChildren.
1764 */
1768 /* Stack was empty, mark the arena as the bottom element. */
1773 }
1775 }
1777 }
1778 #ifdef DEBUG
1781 #endif
1782 }
1786 {
1793 }
1796 /*
1797 * The following assert verifies that the current arena belongs to the
1798 * unmarked stack, since delayMarkingChildren ensures that even for
1799 * the stack's bottom, prevUnmarked != 0 but rather points to
1800 * itself.
1801 */
1811 /*
1812 * We cannot use do-while loop here as a->unmarkedChildren can be zero
1813 * before the loop as a leftover from the previous iterations. See
1814 * comments after the loop.
1815 */
1819 #ifdef DEBUG
1822 #endif
1826 /*
1827 * endIndex can go beyond the last allocated thing as the real
1828 * limit can be "inside" the bit.
1829 */
1840 }
1842 /*
1843 * We finished tracing of all things in the the arena but we can only
1844 * pop it from the stack if the arena is the stack's top.
1845 *
1846 * When JS_TraceChildren from the above calls JS_CallTracer that in
1847 * turn on low C stack calls delayMarkingChildren and the latter
1848 * pushes new arenas to the unmarked stack, we have to skip popping
1849 * of this arena until it becomes the top of the stack again.
1850 */
1855 /*
1856 * prevUnmarked points to itself and we reached the bottom of
1857 * the stack.
1858 */
1860 }
1864 }
1865 }
1870 }
1872 void
1874 {
1880 }
1881 }
1883 void
1885 {
1890 #ifdef DEBUG
1895 }
1896 #endif
1904 /*
1905 * Optimize for string as their marking is not recursive.
1906 *
1907 * Iterate through all nodes and leaves in the rope if this is
1908 * part of a rope; otherwise, we only iterate once: on the string
1909 * itself.
1910 */
1923 }
1928 /*
1929 * With JS_GC_ASSUME_LOW_C_STACK defined the mark phase of GC
1930 * always uses the non-recursive code that otherwise would be
1931 * called only on a low C stack condition.
1932 */
1933 #ifdef JS_GC_ASSUME_LOW_C_STACK
1934 # define RECURSION_TOO_DEEP() true
1935 #else
1937 # define RECURSION_TOO_DEEP() (!JS_CHECK_STACK_SIZE(trc->context, stackDummy))
1938 #endif
1941 else
1943 }
1944 }
1946 #ifdef DEBUG
1949 #endif
1950 }
1952 void
1954 {
1962 }
1966 static void
1968 {
1969 #ifdef DEBUG
1976 }
1988 a;
1993 }
1994 }
1995 }
2002 }
2004 }
2005 }
2006 #endif
2010 else
2012 }
2014 static void
2016 {
2017 uint32 traceKind;
2022 }
2024 void
2026 {
2034 /* Allow for primitive this parameter due to JSFUN_THISP_* flags. */
2039 }
2043 {
2070 }
2082 }
2084 }
2096 }
2104 }
2123 }
2134 }
2135 }
2138 MarkValueRange(trc, tag, static_cast<AutoArrayRooter *>(this)->array, "js::AutoArrayRooter.array");
2139 }
2143 void
2145 {
2146 /* Stack frames and slots are traced by StackSpace::mark. */
2148 /* Mark other roots-by-definition in acx. */
2154 /* Avoid keeping GC-ed junk stored in JSContext.exception. */
2156 }
2170 #ifdef JS_TRACER
2176 }
2177 #endif
2178 }
2180 JS_REQUIRES_STACK void
2182 {
2188 /*
2189 * Verify that we do not have at this point unmarked GC things stored in
2190 * autorooters. To maximize test coverage we abort even in non-debug
2191 * builds for now, see bug 574313.
2192 */
2194 #if 1
2198 #ifdef JS_THREADSAFE
2200 #endif
2212 }
2227 }
2228 }
2236 "Conservative GC scanner has missed the root 0x%p with tag %ld"
2237 " on the stack due to %d. The root location 0x%p, distance from"
2238 " the stack base %ld, conservative gc span %ld."
2239 " Consevtaive GC status for the thread %d."
2248 }
2249 }
2250 }
2251 #endif
2282 /*
2283 * We mark extra roots at the last thing so it can use use additional
2284 * colors to implement cycle collection.
2285 */
2289 #ifdef DEBUG
2297 }
2298 }
2299 }
2300 #endif
2301 }
2305 void
2307 {
2310 #ifdef JS_THREADSAFE
2312 #endif
2317 /*
2318 * Trigger the GC when it is safe to call an operation callback on any
2319 * thread.
2320 */
2323 }
2325 void
2327 {
2336 }
2337 }
2338 }
2342 {
2346 /* Cope with stillborn objects that have no map. */
2350 /* Finalize obj first, in case it needs map and slots. */
2358 }
2362 {
2364 }
2366 #if JS_HAS_XML_SUPPORT
2369 {
2371 }
2372 #endif
2377 };
2379 intN
2381 JSStringFinalizeOp newop)
2382 {
2387 }
2388 }
2390 }
2394 {
2399 }
2403 {
2411 /*
2412 * flatChars for stillborn string is null, but cx->free checks
2413 * for a null pointer on its own.
2414 */
2418 }
2419 /* Nothing to be done for rope interior nodes. */
2420 }
2424 {
2432 /* A stillborn string has null chars. */
2439 }
2441 /*
2442 * This function is called from js_FinishAtomState to force the finalization
2443 * of the permanently interned strings when cx is not available.
2444 */
2445 void
2447 {
2453 /* A dependent string can not be external and must be valid. */
2461 /* A stillborn string has null chars, so is not valid. */
2472 /*
2473 * Assume that the finalizer for the permanently interned
2474 * string knows how to deal with null context.
2475 */
2477 }
2478 }
2479 }
2480 }
2484 static void
2486 {
2496 #ifdef JS_GCMETER
2498 #endif
2518 }
2533 }
2541 #ifdef DEBUG
2543 #endif
2544 }
2548 }
2550 #ifdef DEBUG
2551 /* Check that the free list is consistent. */
2562 }
2563 }
2564 #endif
2566 /*
2567 * Forget just assembled free list head for the arena and
2568 * add the arena itself to the destroy list.
2569 */
2580 }
2583 }
2588 }
2590 #ifdef JS_THREADSAFE
2596 {
2605 }
2611 }
2613 void
2615 {
2622 }
2626 }
2627 }
2629 }
2633 static void
2635 {
2642 /* Delete defaultCompartment only during runtime shutdown */
2650 /* Remove dead wrappers from the compartment map. */
2658 }
2659 }
2661 }
2663 /*
2664 * Common cache invalidation and so forth that must be done before GC. Even if
2665 * GCUntilDone calls GC several times, this work needs to be done only once.
2666 */
2667 static void
2669 {
2672 /* Clear gcIsNeeded now, when we are about to start a normal GC cycle. */
2675 /* Reset malloc counter. */
2678 #ifdef JS_DUMP_SCOPE_METERS
2679 {
2682 }
2683 #endif
2685 /*
2686 * Reset the property cache's type id generator so we can compress ids.
2687 * Same for the protoHazardShape proxy-shape standing in for all object
2688 * prototypes having readonly or setter properties.
2689 */
2691 #ifdef JS_GC_ZEAL
2693 #endif
2694 ) {
2698 }
2701 {
2705 }
2706 }
2708 /*
2709 * Perform mark-and-sweep GC.
2710 *
2711 * In a JS_THREADSAFE build, the calling thread must be rt->gcThread and each
2712 * other thread must be either outside all requests or blocked waiting for GC
2713 * to finish. Note that the caller does not hold rt->gcLock.
2714 */
2715 static void
2717 {
2721 /*
2722 * Mark phase.
2723 */
2735 /*
2736 * Mark children of things that caused too deep recursion during the above
2737 * tracing.
2738 */
2746 #ifdef JS_THREADSAFE
2750 #endif
2752 /*
2753 * Sweep phase.
2754 *
2755 * Finalize as we sweep, outside of rt->gcLock but with rt->gcRunning set
2756 * so that any attempt to allocate a GC-thing from a finalizer will fail,
2757 * rather than nest badly and leave the unmarked newborn to be swept.
2758 *
2759 * We first sweep atom state so we can use js_IsAboutToBeFinalized on
2760 * JSString held in a hashtable to check if the hashtable entry can be
2761 * freed. Note that even after the entry is freed, JSObject finalizers can
2762 * continue to access the corresponding JSString* assuming that they are
2763 * unique. This works since the atomization API must not be called during
2764 * the GC.
2765 */
2769 /* Finalize watch points associated with unreachable objects. */
2772 #ifdef DEBUG
2773 /* Save the pre-sweep count of scope-mapped properties. */
2775 #endif
2777 #ifdef JS_METHODJIT
2778 /* Fix-up call ICs guarding against unreachable objects. */
2780 #endif
2782 /*
2783 * We finalize iterators before other objects so the iterator can use the
2784 * object which properties it enumerates over to finalize the enumeration
2785 * state. We finalize objects before other GC things to ensure that
2786 * object's finalizer can access them even if they will be freed.
2787 */
2791 #if JS_HAS_XML_SUPPORT
2793 #endif
2796 /*
2797 * We sweep the deflated cache before we finalize the strings so the
2798 * cache can safely use js_IsAboutToBeFinalized..
2799 */
2808 }
2811 GC_ARENA_ALLOCATION_TRIGGER :
2818 /*
2819 * Sweep the runtime's property trees after finalizing objects, in case any
2820 * had watchpoints referencing tree nodes.
2821 */
2824 /*
2825 * Sweep script filenames after sweeping functions in the generic loop
2826 * above. In this way when a scripted function's finalizer destroys the
2827 * script and calls rt->destroyScriptHook, the hook can still access the
2828 * script's filename. See bug 323267.
2829 */
2832 /* Slowify arrays we have accumulated. */
2835 /*
2836 * Destroy arenas after we finished the sweeping so finalizers can safely
2837 * use js_IsAboutToBeFinalized().
2838 */
2842 #ifdef JS_THREADSAFE
2846 }
2847 #endif
2851 #ifdef DEBUG_srcnotesize
2855 }
2856 #endif
2858 #ifdef JS_SCOPE_DEPTH_METER
2860 #endif
2862 #ifdef JS_DUMP_LOOP_STATS
2864 #endif
2865 }
2867 #ifdef JS_THREADSAFE
2869 /*
2870 * If the GC is running and we're called on another thread, wait for this GC
2871 * activation to finish. We can safely wait here without fear of deadlock (in
2872 * the case where we are called within a request on another thread's context)
2873 * because the GC doesn't set rt->gcRunning until after it has waited for all
2874 * active requests to end.
2875 *
2876 * We call here js_CurrentThreadId() after checking for rt->gcState to avoid
2877 * an expensive call when the GC is not running.
2878 */
2879 void
2881 {
2886 }
2887 }
2889 /*
2890 * GC is running on another thread. Temporarily suspend all requests running
2891 * on the current thread and wait until the GC is done.
2892 */
2893 static void
2895 {
2902 #ifdef JS_TRACER
2904 #endif
2906 #ifdef JS_TRACER
2908 /*
2909 * Leave trace before we decrease rt->requestCount and notify the
2910 * GC. Otherwise the GC may start immediately after we unlock while
2911 * this thread is still on trace.
2912 */
2915 }
2916 #endif
2920 }
2922 /* See comments before another call to js_ShareWaitingTitles below. */
2926 /*
2927 * Check that we did not release the GC lock above and let the GC to
2928 * finish before we wait.
2929 */
2932 /*
2933 * Wait for GC to finish on the other thread, even if requestDebit is 0
2934 * and even if GC has not started yet because the gcThread is waiting in
2935 * AutoGCSession. This ensures that js_GC never returns without a full GC
2936 * cycle happening.
2937 */
2944 }
2946 #endif
2956 /* Disable copy constructor or assignments */
2959 };
2961 /*
2962 * Start a new GC session. Together with LetOtherGCFinish this function
2963 * contains the rendezvous algorithm by which we stop the world for GC.
2964 *
2965 * This thread becomes the GC thread. Wait for all other threads to quiesce.
2966 * Then set rt->gcRunning and return.
2967 */
2970 {
2973 #ifdef JS_THREADSAFE
2976 #endif
2980 #ifdef JS_THREADSAFE
2981 /* No other thread is in GC, so indicate that we're now in GC. */
2985 /*
2986 * Notify operation callbacks on other threads, which will give them a
2987 * chance to yield their requests. Threads without requests perform their
2988 * callback at some later point, which then will be unnecessary, but
2989 * harmless.
2990 */
2995 }
2997 /*
2998 * Discount the request on the current thread from contributing to
2999 * rt->requestCount before we wait for all other requests to finish.
3000 * JS_NOTIFY_REQUEST_DONE, which will wake us up, is only called on
3001 * rt->requestCount transitions to 0.
3002 */
3008 /*
3009 * Share any title that is owned by the GC thread before we wait, to
3010 * avoid a deadlock with ClaimTitle. We also set the gcWaiting flag so
3011 * that ClaimTitle can claim the title ownership from the GC thread if
3012 * that function is called while the GC is waiting.
3013 */
3021 }
3025 /*
3026 * Set rt->gcRunning here within the GC lock, and after waiting for any
3027 * active requests to end. This way js_WaitForGC called outside a request
3028 * would not block on the GC that is waiting for other requests to finish
3029 * with rt->gcThread set while JS_BeginRequest would do such wait.
3030 */
3032 }
3034 /* End the current GC session and allow other threads to proceed. */
3036 {
3039 #ifdef JS_THREADSAFE
3043 #endif
3044 }
3046 /*
3047 * GC, repeatedly if necessary, until we think we have not created any new
3048 * garbage and no other threads are demanding more GC.
3049 */
3050 static void
3052 {
3058 /* Recursive GC or a call from another thread restarts the GC cycle. */
3061 #ifdef JS_THREADSAFE
3064 /* We do not return until another GC finishes. */
3066 }
3067 #endif
3069 }
3085 }
3088 // GC again if:
3089 // - another thread, not in a request, called js_GC
3090 // - js_GC was called recursively
3091 // - a finalizer called js_RemoveRoot or js_UnlockGCThingRT.
3097 }
3099 /*
3100 * The gckind flag bit GC_LOCK_HELD indicates a call from js_NewGCThing with
3101 * rt->gcLock already held, so the lock should be kept on return.
3102 */
3103 void
3105 {
3108 /*
3109 * Don't collect garbage if the runtime isn't up, and cx is not the last
3110 * context in the runtime. The last context must force a GC, and nothing
3111 * should suppress that final collection or there may be shutdown leaks,
3112 * or runtime bloat until the next context is created.
3113 */
3122 /*
3123 * Let the API user decide to defer a GC if it wants to (unless this
3124 * is the last context). Invoke the callback regardless. Sample the
3125 * callback in case we are freely racing with a JS_SetGCCallback{,RT}
3126 * on another thread.
3127 */
3132 }
3134 {
3135 /* Lock out other GC allocator and collector invocations. */
3139 }
3141 /* We re-sample the callback again as the finalizers can change it. */
3146 }
3148 /*
3149 * On shutdown, iterate until the JSGC_END callback stops creating
3150 * garbage.
3151 */
3155 }
3159 bool
3161 {
3162 /*
3163 * This function cannot be called during the GC and always requires a
3164 * request.
3165 */
3166 #ifdef JS_THREADSAFE
3169 /*
3170 * This is only necessary if AutoGCSession below would wait for GC to
3171 * finish on another thread, but to capture the minimal stack space and
3172 * for code simplicity we do it here unconditionally.
3173 */
3175 #endif
3188 }
3190 }
3195 }
3197 void
3199 {
3202 #ifdef JS_THREADSAFE
3203 {
3214 }
3215 }
3216 #else
3218 #endif
3220 /*
3221 * Calls from inside a normal GC or a recursive calls are OK and do not
3222 * require session setup.
3223 */
3225 }
3227 JSCompartment *
3229 {
3235 }
3240 }
3242 {
3249 }
3250 }
3257 }
3260 }
3262 }