Fix caml_obj_truncate

[lpw25]

Since sweeping can now occur before the ref table is emptied,
overflow objects created by Obj.truncate must be marked Caml_black
to avoid them being reallocated whilst still in the ref table.
Using Caml_black means that Abstract_tag should be used instead
of 1 in case the contents of the block are not safe to scan.

[lpw25]

This patch fixes a segfault which would occasionally happen during the tests for Core. The sequence of events that leads to a segfault is as follows:

1. Modify a value in some object (an array in this case) to point to a value on the minor heap -- which adds the modified address to the ref table (i.e. the remembered set).
2. Call Obj.truncate on the modified object. This creates a new "overflow" object containing the discarded part of the old object. This new object is marked white. Note that there is still a reference to this new object in the ref table.
3. The GC decides to do some sweeping (without performing a minor collection). This adds the overflow object to the free list because it is marked white.
4. The GC decides to do a minor collection. It starts by allocating objects on the major heap for each object being promoted from the minor heap, and adding a pointer from the minor heap object to the fresh major heap object. It also makes a linked list of these new values (called the todo list) by adding a pointer from each fresh major heap object to the previous minor heap object. Unfortunately, one of the fresh allocated major heap objects was made from part of the overflow object. This means there is a reference in the ref table to an item on the todo list.
5. As part of the minor collection, the references in the ref table are forwarded from the old minor heap objects to the corresponding major heap objects. Since one entry in the ref table refers not to a real pointer but to one of the pointers used to implement the todo list, it incorrectly forwards this pointer breaking the structure of the todo list.
6. Whilst attempting to finish the minor collection by traversing the todo list, the GC veers off into uninitialised bits of memory and segfaults.

This sequence of events was not possible in the old GC as the collector would never sweep until the ref table was empty. The solution is to mark the overflow object black. This forces it to stay around for a full cycle -- which ensures that we will have performed at least one minor collection.

[damiendoligez]

Note that if you make it black, the GC will not scan it, but yes Abstract_tag looks like a good idea anyway.

[lpw25]

Note that if you make it black, the GC will not scan it, but yes Abstract_tag looks like a good idea anyway.

Won't the sweep change it from black to white before it is finally collected?

[damiendoligez]

Yes but it's already unreachable at that point.

[lpw25]

I really thought there was a way for it to get scanned if the tag was 1. Perhaps it was compaction I was worried about. If the collection which turns it from black to white decides to do a compaction straight afterwards, would that cause the block to be scanned for pointers?

[damiendoligez]

No because compaction is always preceeded by a full major GC anyway.

[lpw25]

No because compaction is always preceeded by a full major GC anyway.

Ok, I see where I was confused now. caml_compact_heap_maybe only calls caml_finish_major_cycle which finishes the current cycle, but caml_compact_heap_maybe is only called by caml_major_collection_slice after a cycle has just completed so there has indeed been a full major GC.