BOOLEAN_TO_JSVALDOUBLE_TO_JSVALINT_FITS_IN_JSVALINT_TO_JSVALJS::Add*RootJS::AutoIdArrayJS::AutoSaveExceptionStateJS::AutoValueArrayJS::AutoVectorRooterJS::BooleanValueJS::CallJS::CallArgsJS::CloneFunctionObjectJS::CompileJS::CompileFunctionJS::CompileOffThreadJS::CompileOptionsJS::ConstructJS::CreateErrorJS::CurrentGlobalOrNullJS::DeflateStringToUTF8BufferJS::DoubleNaNValueJS::DoubleValueJS::EvaluateJS::FalseValueJS::Float32ValueJS::GetDeflatedUTF8StringLengthJS::GetFirstArgumentAsTypeHintJS::GetSelfHostedFunctionJS::HandleJS::HandleValueArrayJS::IdentifyStandardInstanceJS::Int32ValueJS::IsCallableJS::MutableHandleJS::NewFunctionFromSpecJS::NullHandleValueJS::NullValueJS::NumberValueJS::ObjectOrNullValueJS::ObjectValueJS::OrdinaryToPrimitiveJS::PersistentRootedJS::PropertySpecNameEqualsIdJS::PropertySpecNameIsSymbolJS::PropertySpecNameToPermanentIdJS::ProtoKeyToIdJS::Remove*RootJS::RootedJS::SetLargeAllocationFailureCallbackJS::SetOutOfMemoryCallbackJS::SourceBufferHolderJS::StringValueJS::SymbolValueJS::ToBooleanJS::ToInt32JS::ToInt64JS::ToNumberJS::ToPrimitiveJS::ToStringJS::ToUint16JS::ToUint32JS::ToUint64JS::TrueHandleValueJS::TrueValueJS::UndefinedHandleValueJS::UndefinedValueJS::ValueJSAutoByteStringJSAutoCompartmentJSBoolJSCheckAccessOpJSClassJSClass.callJSClass.flagsJSConstDoubleSpecJSConvertOpJSDeletePropertyOpJSEnumerateOpJSErrorFormatStringJSErrorReportJSExceptionStateJSExnTypeJSExtendedClassJSExtendedClass.outerObjectJSExtendedClass.wrappedObjectJSFUN_BOUND_METHODJSFUN_GLOBAL_PARENTJSFastNativeJSFinalizeOpJSFreeOpJSFunctionJSFunctionSpecJSGetObjectOpsJSHasInstanceOpJSID_EMPTYJSID_IS_EMPTYJSID_IS_GCTHINGJSID_IS_INTJSID_IS_STRINGJSID_IS_SYMBOLJSID_IS_VOIDJSID_IS_ZEROJSID_VOIDJSIdArrayJSIteratorOpJSMarkOpJSNativeJSNewEnumerateOpJSNewResolveOpJSObjectJSObjectOpJSObjectOps.defaultValueJSObjectOps.definePropertyJSObjectOps.destroyObjectMapJSObjectOps.dropPropertyJSObjectOps.enumerateJSObjectOps.getAttributesJSObjectOps.getPropertyJSObjectOps.getRequiredSlotJSObjectOps.lookupPropertyJSObjectOps.newObjectMapJSObjectOps.setProtoJSObjectPrincipalsFinderJSPRINCIPALS_HOLDJSPrincipalsJSPrincipalsTranscoderJSPropertyJSPropertyDescriptorJSPropertyOpJSPropertySpecJSProtoKeyJSReserveSlotsOpJSResolveOpJSRuntimeJSSecurityCallbacks.contentSecurityPolicyAllowsJSStringJSStringFinalizerJSTraceOpJSTypeJSVAL_IS_BOOLEANJSVAL_IS_DOUBLEJSVAL_IS_GCTHINGJSVAL_IS_INTJSVAL_IS_NULLJSVAL_IS_NUMBERJSVAL_IS_OBJECTJSVAL_IS_PRIMITIVEJSVAL_IS_STRINGJSVAL_IS_VOIDJSVAL_LOCKJSVAL_NULLJSVAL_ONEJSVAL_TO_BOOLEANJSVAL_TO_DOUBLEJSVAL_TO_GCTHINGJSVAL_TO_INTJSVAL_TO_OBJECTJSVAL_TO_STRINGJSVAL_TRUEJSVAL_UNLOCKJSVAL_VOIDJSVAL_ZEROJSVersionJSXDRObjectOpJS_ASSERT_STRING_IS_FLATJS_Add*RootJS_AddArgumentFormatterJS_AddExternalStringFinalizerJS_AddFinalizeCallbackJS_AliasElementJS_AliasPropertyJS_AlreadyHasOwnPropertyJS_BeginRequestJS_BindCallableJS_BufferIsCompilableUnitJS_CStringsAreUTF8JS_CallFunctionJS_CheckAccessJS_CheckForInterruptJS_ClearContextThreadJS_ClearDateCachesJS_ClearNewbornRootsJS_ClearNonGlobalObjectJS_ClearPendingExceptionJS_ClearRegExpStaticsJS_ClearScopeJS_CloneFunctionObjectJS_CompareStringsJS_CompileFileHandleForPrincipalsJS_CompileFileHandleForPrincipalsVersionJS_CompileFunctionJS_CompileFunctionForPrincipalsJS_CompileScriptJS_CompileScriptForPrincipalsJS_CompileUCFunctionForPrincipalsVersionJS_CompileUTF8FileJS_CompileUTF8FileHandleJS_ConcatStringsJS_ConstructObjectJS_ContextIteratorJS_ConvertArgumentsJS_ConvertArgumentsVAJS_ConvertValueJS_DecompileFunctionJS_DecompileFunctionBodyJS_DecompileScriptJS_DecompileScriptObjectJS_DeepFreezeObjectJS_DefaultValueJS_DefineConstDoublesJS_DefineElementJS_DefineFunctionJS_DefineFunctionsJS_DefineObjectJS_DefineOwnPropertyJS_DefinePropertiesJS_DefinePropertyJS_DefinePropertyWithTinyIdJS_DeleteElementJS_DeleteElement2JS_DeletePropertyJS_DeleteProperty2JS_DestroyContextJS_DestroyIdArrayJS_DestroyRuntimeJS_DestroyScriptJS_DoubleIsInt32JS_DoubleToInt32JS_DropExceptionStateJS_DumpHeapJS_DumpNamedRootsJS_EncodeCharactersJS_EncodeStringJS_EncodeStringToBufferJS_EnterCompartmentJS_EnterCrossCompartmentCallJS_EnterLocalRootScopeJS_EnumerateJS_EnumerateDiagnosticMemoryRegionsJS_EnumerateResolvedStandardClassesJS_EnumerateStandardClassesJS_ErrorFromExceptionJS_EvaluateScriptJS_EvaluateScriptForPrincipalsJS_ExecuteRegExpJS_ExecuteScriptJS_ExecuteScriptPartJS_ExecuteScriptVersionJS_FORGET_STRING_FLATNESSJS_FSJS_FileEscapedStringJS_FinishJS_FlattenStringJS_FlushCachesJS_ForgetLocalRootJS_ForwardGetPropertyToJS_FreezeObjectJS_GCJS_GET_CLASSJS_GetArrayLengthJS_GetArrayPrototypeJS_GetClassJS_GetClassObjectJS_GetClassPrototypeJS_GetCompartmentPrivateJS_GetConstructorJS_GetContextPrivateJS_GetContextThreadJS_GetDefaultFreeOpJS_GetElementJS_GetEmptyStringJS_GetEmptyStringValueJS_GetErrorPrototypeJS_GetExternalStringClosureJS_GetExternalStringFinalizerJS_GetFlatStringCharsJS_GetFunctionArityJS_GetFunctionCallbackJS_GetFunctionFlagsJS_GetFunctionIdJS_GetFunctionNameJS_GetFunctionObjectJS_GetFunctionPrototypeJS_GetFunctionScriptJS_GetGCParameterJS_GetGlobalForCompartmentOrNullJS_GetGlobalForObjectJS_GetGlobalForObject3JS_GetGlobalForScopeChainJS_GetGlobalObjectJS_GetImplementationVersionJS_GetInstancePrivateJS_GetInternedStringCharsJS_GetLatin1FlatStringCharsJS_GetLatin1InternedStringCharsJS_GetLatin1StringCharsAndLengthJS_GetLocaleCallbacksJS_GetNaNValueJS_GetObjectPrototypeJS_GetObjectRuntimeJS_GetOptionsJS_GetOwnPropertyDescriptorJS_GetParentJS_GetParentRuntimeJS_GetPendingExceptionJS_GetPositiveInfinityValueJS_GetPrivateJS_GetPropertyJS_GetPropertyAttributesJS_GetPropertyAttrsGetterAndSetterJS_GetPropertyDefaultJS_GetPropertyDescriptorJS_GetPrototypeJS_GetRegExpFlagsJS_GetRegExpSourceJS_GetReservedSlotJS_GetRuntimeJS_GetRuntimePrivateJS_GetScopeChainJS_GetSecurityCallbacksJS_GetStringBytesJS_GetStringCharAtJS_GetStringCharsJS_GetStringCharsAndLengthJS_GetStringEncodingLengthJS_GetStringLengthJS_GetTwoByteExternalStringCharsJS_GetTypeNameJS_GetVersionJS_HasArrayLengthJS_HasElementJS_HasInstanceJS_HasOwnPropertyJS_HasPropertyJS_IdArrayGetJS_IdArrayLengthJS_IdToProtoKeyJS_IdToValueJS_InitJS_InitCTypesClassJS_InitClassJS_InitStandardClassesJS_InstanceOfJS_InternJSStringJS_InternStringJS_IsArrayObjectJS_IsAssigningJS_IsBuiltinEvalFunctionJS_IsBuiltinFunctionConstructorJS_IsConstructingJS_IsConstructing_PossiblyWithGivenThisObjectJS_IsConstructorJS_IsExceptionPendingJS_IsExtensibleJS_IsExternalStringJS_IsGlobalObjectJS_IsIdentifierJS_IsNativeJS_IsNativeFunctionJS_IsRunningJS_IsStopIterationJS_IterateCompartmentsJS_LeaveCompartmentJS_LeaveCrossCompartmentCallJS_LeaveLocalRootScopeJS_LeaveLocalRootScopeWithResultJS_LinkConstructorAndPrototypeJS_LockJS_LockGCThingJS_LookupElementJS_LookupPropertyJS_LooselyEqualJS_MakeStringImmutableJS_MapGCRootsJS_MaybeGCJS_NewJS_NewArrayObjectJS_NewCompartmentAndGlobalObjectJS_NewContextJS_NewDateObjectJS_NewDateObjectMsecJS_NewDependentStringJS_NewDoubleJS_NewDoubleValueJS_NewExternalStringJS_NewFunctionJS_NewGlobalObjectJS_NewNumberValueJS_NewObjectJS_NewObjectForConstructorJS_NewPlainObjectJS_NewPropertyIteratorJS_NewRegExpObjectJS_NewRuntimeJS_NewScriptObjectJS_NewStringCopyNJS_NewStringCopyZJS_NewUCStringJS_NextPropertyJS_NowJS_NumberValueJS_ObjectIsDateJS_ObjectIsFunctionJS_ObjectIsRegExpJS_PSGSJS_ParseJSONJS_PopArgumentsJS_PreventExtensionsJS_PropertyStubJS_PushArgumentsJS_PutEscapedStringJS_Remove*RootJS_RemoveExternalStringFinalizerJS_RemoveRootRTJS_ReportErrorJS_ReportErrorNumberJS_ReportOutOfMemoryJS_ReportPendingExceptionJS_ResolveStandardClassJS_RestoreExceptionStateJS_SET_TRACING_DETAILSJS_SameValueJS_SaveExceptionStateJS_SaveFrameChainJS_ScheduleGCJS_SealObjectJS_SetAllNonReservedSlotsToUndefinedJS_SetArrayLengthJS_SetBranchCallbackJS_SetCallReturnValue2JS_SetCheckObjectAccessCallbackJS_SetCompartmentNameCallbackJS_SetContextCallbackJS_SetDefaultLocaleJS_SetDestroyCompartmentCallbackJS_SetElementJS_SetErrorReporterJS_SetExtraGCRootsJS_SetFunctionCallbackJS_SetGCCallbackJS_SetGCParametersBasedOnAvailableMemoryJS_SetGCZealJS_SetGlobalObjectJS_SetICUMemoryFunctionsJS_SetInterruptCallbackJS_SetNativeStackQuotaJS_SetObjectPrincipalsFinderJS_SetOperationCallbackJS_SetOptionsJS_SetParentJS_SetPendingExceptionJS_SetPrincipalsTranscoderJS_SetPrivateJS_SetPropertyJS_SetPropertyAttributesJS_SetPrototypeJS_SetRegExpInputJS_SetScriptStackQuotaJS_SetThreadStackLimitJS_SetVersionJS_SetVersionForCompartmentJS_ShutDownJS_StrictlyEqualJS_StringEqualsAsciiJS_StringHasBeenInternedJS_StringHasLatin1CharsJS_StringIsFlatJS_StringToVersionJS_SuspendRequestJS_THREADSAFEJS_ThrowStopIterationJS_ToggleOptionsJS_TracerInitJS_TypeOfValueJS_UnlockJS_ValueToBooleanJS_ValueToECMAInt32JS_ValueToFunctionJS_ValueToIdJS_ValueToInt32JS_ValueToNumberJS_ValueToObjectJS_ValueToSourceJS_ValueToStringJS_VersionToStringJS_YieldRequestJS_freeopJS_mallocJS_updateMallocCounterOBJECT_TO_JSVALPRIVATE_TO_JSVALProperty attributesSTRING_TO_JSVALStored valuejscharjsdoublejsidjsintSpiderMonkey has a mark-sweep garbage collection (GC) with incremental marking mode, generational collection, and compaction. Much of the GC work is performed on helper threads.
A Cell is the unit of memory that is allocated and collected by the GC, as used externally. In other words, from the point of view of the rest of the engine, the job of the GC is to allocate cells and automatically collect them.
Cell is the base class for all classes that are allocated by the GC, e.g., JSObject.
Cells are classified by allocation kind. The allocation kind determines the size of the object and the finalization behavior. Allocation kind is defined by enum AllocKind.
Arenas always hold objects of the same allocation kind. Thus, an arena holds objects all of the same size and finalization behavior.
The JS heap is partitioned into compartments. Some key properties of compartments are:
Compartments are a fundamental cross-cutting concept in SpiderMonkey (see also Compartments), though anything related to memory is now more concerned with Zones, especially GC.
A zone is a collection of compartments. Zones mainly serve as boundaries for GCs: the garbage collector collects at the level of a zone, not an individual compartment. Unlike compartments, zones have no special security properties. Some properties of zones are:
A Chunk is the largest internal unit of memory allocation.
A chunk is 1MB and contains Arenas, padding, the mark bitmap (ChunkBitmap), a bitmap of decommitted arenas, and a chunk header (ChunkInfo).
The ChunkInfo contains a list of unallocated Arenas, starting at ChunkInfo::freeArenasHead and linked through ArenaHeader::next. The ChunkInfo also contains some basic stats, such as the number of free arenas.
An Arena is an internal unit of memory allocation.
An Arena is one page (4096 bytes on almost all platforms) and contains an ArenaHeader, a few pad bytes, and then an array of aligned elements. All elements in an Arena have the same allocation kind and size.
Every Arena maintains a list of free spans, starting at ArenaHeader::firstFreeSpanOffets. The last cell in each free span (except the last one) holds a FreeSpan for the next free span.
struct FreeSpan represents a contiguous sequence of free cells [first,last] within an Arena. FreeSpan contains functions to allocate from the free span.
The mark bitmap is represented by ChunkBitmap.
The mark bitmap has two bits per GC cell, so that it can represent both regular liveness marking ("marked black") as well as reachability from cycle-collected objects ("marked gray"). Mark bits are allocated based on the minimum cell size, thus an object comprised of larger cells consumes multiple bits in the bitmap (but only uses two of them.)
Note: the information here is about the implementation of GC roots and their use within SpiderMonkey. For information on how the rooting APIs should be used by embedders, read: GC Rooting Guide.
This information has been split out into a separate article: Exact Stack Rooting.
TODO
Incremental marking means being able to do a bit of marking work, then let the mutator (JavaScript program) run a bit, then do another bit of marking work. Thus, instead of one long pause for marking, the GC does a series of short pauses. The pauses can be set to be 10ms or less.
There is always a possibility that a long pause will be required. If the allocation rate is high during incremental GC, the engine may run out of memory before finishing the incremental GC. If so, the engine must immediately restart a full, non-incremental GC in order to reclaim some memory and continue execution.
Incremental GC requires a write barrier for correctness.
TODO decent diagrams
The basic problem is as follows (see Dictionary for color terms). Say object A is black and contains a pointer field. Let object B be white. Now let the incremental slice stop, so the mutator resumes. If the mutator stores B into A, so that A contains a pointer to B, and deletes all existing pointers to B, then:
The write barrier is a piece of code that runs just before a pointer store occurs and records just enough information to make sure that live objects don't get collected.
SpiderMonkey uses a (relatively!) simple, common incremental write barrier called a snapshot-at-the-beginning allocate-black barrier.
To understand how this barrier works, first assume that we're going to do an incremental GC during which no new objects are allocated, just to keep things simple. How do we make sure the GC doesn't collect any live objects? One way would be to make sure that every object that was live at the beginning of the incremental GC gets marked. (This means if an object has all references to it dropped during this incremental GC, it will be collected on the next incremental GC.) This is called snapshot-at-the-beginning because it is conceptually equivalent to taking a snapshot of live objects at the beginning of the incremental GC and marking all those objects. No such snapshot is physically taken--doing so would require a full nonincremental mark!
The implementation of the snapshot-at-the-beginning barrier is simple. The barrier fires whenever the mutator is about to overwrite a location that holds a GC pointer. The barrier marks the pointed-to object black, and pushes any outgoing edges onto the mark stack. The key observation is that the only way an object can get 'lost' and not marked is if all pointers to the object are overwritten. Thus, if whenever we're about to overwrite a pointer to an object we mark the object black first, then no objects can get 'lost'.
Now consider allocations. A newly allocated object wasn't present at the beginning of the GC, so the snapshot-at-the-beginning barrier doesn't do it any good. But we do need to make sure the object doesn't get collected if it's live. This is easily done by simply marking new objects immediately upon allocation during an incremental GC, thus the name allocate-black.
The textbook version of incremental GC has only a write barrier. SpiderMonkey also needs a read barrier for weak references (see Dictionary). This is because weak references have a similar problem as is solved by the incremental write barrier above, but cannot use the same solution.
By definition, a weak reference should not hold a target live by itself. That means that we can't trace weak references when we encounter them during GC graph traversal. Instead, we append them to a list. After marking everything live we scan through the list to null out references to garbage.
But this also means that pre-barriers are inadequate to prevent incremental GC from missing edges due to graph mutation. Live cells will be marked either because they're reachable or because they were marked by a pre-barrier before being removed from the graph. But reachable weak references aren't traced! So you could read one out and write it behind the frontier and no pre-barriered removal will mark it (it's not being removed, just read). So we barrier the read instead; if you ever read a weak reference in the middle of an ongoing incremental GC, then the target of the weak ref will be marked.
Write barriers have a runtime cost, so SpiderMonkey tries to skip them when an incremental GC cycle is not active. Each Zone has a flag needsIncrementalBarrier() that indicates whether barriers are required.
For each type T such that fields of type T* need a write barrier, there is a functionT::writeBarrierPre(old). For example, fields of type JSObject* need a write barrier, so there is a function JSObject::writeBarrierPre(JSObject* old). If zone->needsIncrementalBarrier(), then writeBarrierPre() marks old. That's it.
The class Heap<T> is provided to make it easy to invoke write barriers. A Heap<T> encapsulates a T* and invokes the write barrier whenever assigned to. Thus, object fields of GC-pointer type should normally be defined as type Heap<T>. The class HeapValue does the same thing for Value. HeapSlot (and the related class HeapSlotArray) is the same, but for object slots. HeapId is the same, but for jsid.
Object private fields must be handled specially. The private field itself is opaque to the engine, but it may point to things that need to be marked, e.g., an array of JSObject pointers. In this example, if the private field is overwritten, the JSObject pointers could be 'lost', so a write barrier must be invoked to mark them. js::NativeObject::privateWriteBarrierPre takes care of this by invoking the JSObject's class trace hook before the private field is set.
Another detail is that write barriers can be skipped when initializing fields of newly allocated objects, because no pointer is being overwritten.
TODO
TODO
You can access the light statistics the GC keeps at runtime through the GC Statistics API.
gc/GC.{h,cpp} Defines GC internal API functions, including entry points to trigger GC.
gc/Barrier[-inl].h Implements incremental and generational write barriers.
gc/Cell.h Defines Cell and TenuredCell.
gc/Heap.h Defines Chunk, ChunkInfo, ChunkBitmap, Arena, ArenaHeader, Cell, and FreeSpan structures that define the heart of the GC heap's structures.
gc/Marking.{h,cpp} Defines all marking functions for the various garbage-collected things.
gc/Memory.{h,cpp} Contains a few functions for mapping and unmapping pages, along with platform-specific implementations. The map/unmap functions are used by GC.cpp to allocate and release chunks. There are also functions to commit or decommit memory, i.e., tell the OS that certain pages are not being used and can be thrown away instead of paged to disk.
gc/Root.h Defines classes for noting variables as GC roots.
gc/Statistics.{h,cpp} Defines struct Statistics, which stores SpiderMonkey GC performance counters.
black In common CS terminology, an object is black during the mark phase if it has been marked and its children are gray (have been queued for marking). An object is black after the mark phase if it has been marked. In SpiderMonkey, an object is black if its black mark bit is set.
gray In common CS terminology, an object is gray during the mark phase if it has been queued for marking. In SpiderMonkey, an object is queued for marking if it is on the mark stack and is not black. Thus, the gray objects from CS literature are not represented explicitly. See also: gray, below.
gray SpiderMonkey instead uses "gray" to refer to objects that are not black, but are reachable from "gray roots". Gray roots are used by the Gecko cycle collector to find cycles that pass through the JS heap.
Handle In our GC, a Handle is a pointer that has elsewhere been registered by a root. In other words, it is an updatable pointer to a GC thing (it is essentially a Cell** that the GC knows about.)
root A starting point to the GC graph traversal, a root is known to be alive for some external reason (one other than being reachable by some other part of the GC heap.)
weak pointer In common CS terminology, a weak pointer is one that doesn't keep the pointed-to value live for GC purposes. Typically, a weak pointer value has a get() method that returns a null pointer if the object has been GC'd. In Gecko/SpiderMonkey, a weak pointer is a pointer to an object that can be GC'd that is not marked through. Thus, there is no get() method and no protection against the pointed-to value getting GC'd--the programmer must ensure that the lifetime of the pointed-to object contains the lifetime of the weak pointer. TODO make sure this is correct.
white In common CS terminology, an object is white during the mark phase if it has not been seen yet. An object is white after the mark phase if it has not been marked. In SpiderMonkey, an object is white if it is not gray or black; i.e., it is not marked and it is not on the mark stack.