| Title | SNC walks and scans dead objects |
| Status | closed |
| Priority | optional |
| Assigned user | Gareth Rees |
| Organization | Ravenbrook |
| Description | If you do some allocation in an SNC pool, free some objects (by popping an allocation frame) and then call mps_arena_formatted_objects_walk, the visitor function gets called on dead objects as well as live objects. |
| Analysis | There are two problems: 1. SNCWalk walks all segments that are not grey, and this includes free segments. 2. SNCWalk and SNCScan consider objects up to ap->init, but this is invalid if there is a pop pending. Fixing problem (1) is straightforward (we can pad out freed segments), but problem (2) is hard. What do we do when there's a pop pending from segment A to an address in segment B? When looking at segment B there's no way to know that some of its objects are dead. |
| How found | automated_test |
| Evidence | None |
| Test procedure | walkt0 |
| Created by | Gareth Rees |
| Created on | 2014-10-12 12:38:40 |
| Last modified by | Gareth Rees |
| Last modified on | 2014-10-20 17:06:13 |
| History | 2014-10-12 GDR Created. |
| Change | Effect | Date | User | Description |
|---|---|---|---|---|
| 187224 | closed | 2014-10-12 15:20:57 | Gareth Rees | Fix scanning/walking for SNC: Record which segments are free and don't walk them (objects in these segments are dead). If a buffered segment has a pending pop, don't scan or walk objects beyond the address that's going to be popped to (these objects are also dead). Don't try to do a lightweight pop to an address that's not in the segment attached to the buffer -- the segment being popped to (and any other segments on the stack in between) are now dead, and the only way to mark them as being dead is to do a heavyweight pop. |