This example:

```dart
main() {
  List root = List(128);  // fixed-length list (pre-null-safety constructor)
  var last = root;
  for (int i = 0; i < 10 * 1024; ++i) {
    final nc = List(128);  // fresh allocation; a GC may run here
    last[0] = nc;          // store into an array: the write barrier gets eliminated
    last = nc;
  }
  print(root.length);
}
```
Will hit the write barrier verification code in AOT for the store into the array inside the loop. The write barrier got eliminated for this store, but our code in the GC that will restore invariants after GC explicitly does not take arrays into account:
```cpp
class RestoreWriteBarrierInvariantVisitor : public ObjectPointerVisitor {
 public:
  RestoreWriteBarrierInvariantVisitor(IsolateGroup* group,
                                      Thread* thread,
                                      Thread::RestoreWriteBarrierInvariantOp op)
      : ObjectPointerVisitor(group),
        thread_(thread),
        current_(Thread::Current()),
        op_(op) {}

  void VisitPointers(ObjectPtr* first, ObjectPtr* last) {
    ...
      // To avoid adding too much work into the remembered set, skip
      // arrays. Write barrier elimination will not remove the barrier
      // if we can trigger GC between array allocation and store.
      if (obj->GetClassId() == kArrayCid) continue;

      // Dart code won't store into VM-internal objects except Contexts and
      // UnhandledExceptions. This assumption is checked by an assertion in
      // WriteBarrierElimination::UpdateVectorForBlock.
      if (!obj->IsDartInstance() && !obj->IsContext() &&
          !obj->IsUnhandledException())
        continue;
    ...
  }
  ...
};
```
/cc @rmacnak-google @a-siva @mraleph This might be our GC-related bug!