Changeset 164687 in webkit


Ignore:
Timestamp:
Feb 25, 2014, 6:12:57 PM (11 years ago)
Author:
mark.lam@apple.com
Message:

Web Inspector: CRASH when evaluating in console of JSContext RWI with disabled breakpoints.
<https://webkit.org/b/128766>

Reviewed by Geoffrey Garen.

Make the JSLock::grabAllLocks() work the same way as for the C loop LLINT.
The reasoning is that we don't know of any clients that need unordered
re-entry into the VM from different threads. So, we're enforcing ordered
re-entry i.e. we must re-grab locks in the reverse order of dropping locks.

The crash in this bug happened because we were allowing unordered re-entry,
and the following type of scenario occurred:

  1. Thread T1 locks the VM, and enters the VM to execute some JS code.
  2. On entry, T1 detects that VM::m_entryScope is null i.e. this is the first time it entered the VM. T1 sets VM::m_entryScope to T1's entryScope.
  3. T1 drops all locks.
  1. Thread T2 locks the VM, and enters the VM to execute some JS code. On entry, T2 sees that VM::m_entryScope is NOT null, and therefore does not set the entryScope.
  2. T2 drops all locks.
  1. T1 re-grabs locks.
  2. T1 returns all the way out of JS code. On exit from the outer most JS function, T1 clears VM::m_entryScope (because T1 was the one who set it).
  3. T1 unlocks the VM.
  1. T2 re-grabs locks.
  2. T2 proceeds to execute some code and expects VM::m_entryScope to be

NOT null, but it turns out to be null. Assertion failures and
crashes ensue.

With ordered re-entry, at step 6, T1 will loop and yield until T2 exits
the VM. Hence, the issue will no longer manifest.

  • runtime/JSLock.cpp:

(JSC::JSLock::dropAllLocks):
(JSC::JSLock::grabAllLocks):

  • runtime/JSLock.h:

(JSC::JSLock::DropAllLocks::dropDepth):

Location:
trunk/Source/JavaScriptCore
Files:
3 edited

Legend:

Unmodified
Added
Removed

  • TabularUnified trunk/Source/JavaScriptCore/ChangeLog

    r164683 r164687  
     12014-02-25  Mark Lam  <mark.lam@apple.com>
     2
     3        Web Inspector: CRASH when evaluating in console of JSContext RWI with disabled breakpoints.
     4        <https://webkit.org/b/128766>
     5
     6        Reviewed by Geoffrey Garen.
     7
     8        Make the JSLock::grabAllLocks() work the same way as for the C loop LLINT.
     9        The reasoning is that we don't know of any clients that need unordered
     10        re-entry into the VM from different threads. So, we're enforcing ordered
     11        re-entry i.e. we must re-grab locks in the reverse order of dropping locks.
     12
     13        The crash in this bug happened because we were allowing unordered re-entry,
     14        and the following type of scenario occurred:
     15
     16        1. Thread T1 locks the VM, and enters the VM to execute some JS code.
     17        2. On entry, T1 detects that VM::m_entryScope is null i.e. this is the
     18           first time it entered the VM.
     19           T1 sets VM::m_entryScope to T1's entryScope.
     20        3. T1 drops all locks.
     21
     22        4. Thread T2 locks the VM, and enters the VM to execute some JS code.
     23           On entry, T2 sees that VM::m_entryScope is NOT null, and therefore
     24           does not set the entryScope.
     25        5. T2 drops all locks.
     26
     27        6. T1 re-grabs locks.
     28        7. T1 returns all the way out of JS code. On exit from the outer most
     29           JS function, T1 clears VM::m_entryScope (because T1 was the one who
     30           set it).
     31        8. T1 unlocks the VM.
     32
     33        9. T2 re-grabs locks.
     34        10. T2 proceeds to execute some code and expects VM::m_entryScope to be
     35            NOT null, but it turns out to be null. Assertion failures and
     36            crashes ensue.
     37
     38        With ordered re-entry, at step 6, T1 will loop and yield until T2 exits
     39        the VM. Hence, the issue will no longer manifest.
     40
     41        * runtime/JSLock.cpp:
     42        (JSC::JSLock::dropAllLocks):
     43        (JSC::JSLock::grabAllLocks):
     44        * runtime/JSLock.h:
     45        (JSC::JSLock::DropAllLocks::dropDepth):
     46
    1472014-02-25  Mark Lam  <mark.lam@apple.com>
    248

  • TabularUnified trunk/Source/JavaScriptCore/runtime/JSLock.cpp

    r164683 r164687  
    2727#include "JSObject.h"
    2828#include "JSCInlines.h"
    29 #if ENABLE(LLINT_C_LOOP)
    3029#include <thread>
    31 #endif
    3230
    3331namespace JSC {
     
    193191    ++m_lockDropDepth;
    194192
    195     UNUSED_PARAM(dropper);
    196 #if ENABLE(LLINT_C_LOOP)
    197193    dropper->setDropDepth(m_lockDropDepth);
    198 #endif
    199194
    200195    WTFThreadData& threadData = wtfThreadData();
     
    219214    lock(droppedLockCount);
    220215
    221     UNUSED_PARAM(dropper);
    222 #if ENABLE(LLINT_C_LOOP)
    223216    while (dropper->dropDepth() != m_lockDropDepth) {
    224217        unlock(droppedLockCount);
     
    226219        lock(droppedLockCount);
    227220    }
    228 #endif
    229221
    230222    --m_lockDropDepth;

  • TabularUnified trunk/Source/JavaScriptCore/runtime/JSLock.h

    r164683 r164687  
    113113            JS_EXPORT_PRIVATE ~DropAllLocks();
    114114           
    115 #if ENABLE(LLINT_C_LOOP)
    116115            void setDropDepth(unsigned depth) { m_dropDepth = depth; }
    117116            unsigned dropDepth() const { return m_dropDepth; }
    118 #endif
    119117
    120118        private:
    121119            intptr_t m_droppedLockCount;
    122120            RefPtr<VM> m_vm;
    123 #if ENABLE(LLINT_C_LOOP)
    124121            unsigned m_dropDepth;
    125 #endif
    126122        };
    127123
Note: See TracChangeset for help on using the changeset viewer.