Hi,
I am currently debugging a nasty GC bug. (This one:
https://bugs.webkit.org/show_bug.cgi?id=60881) In short,
inspector/styles/metrics-box-sizing.html fails in the interpreter with
ASSERT_GC_OBJECT_LOOKS_VALID(cell) if all inspector/ tests are run by
run-webkit-tests (32 bit, debug mode), but it passes if you run it alone.
Actually, for tracking memory-related issues the valgrind tool has an
excellent approach: never reuse the same address. This way we can keep
track of the freed chunks. Would it be possible to implement something
similar in the GC for JavaScriptCore (disabled by default with some
directives)? We would still run the GC as usual, but instead of reusing
the cells, we would always allocate a new chunk by mmap. Naturally the
freed cells would contain some invalid pointers to cause crashes, and
perhaps a descriptor which describes where it was originally allocated.
Would it be feasible to add such a feature to JavaScriptCore?
Besides, I saw a lot of improvements in the GC. Is it still a mark-and-don't-sweep
allocator? Does it still allocate fixed-size cells? Does it move
cells? Does Weak<T> contain a GC'ed pointer?
Regards,
Zoltan