Changeset 167692 in webkit


Ignore:
Timestamp:
Apr 22, 2014 5:36:49 PM (10 years ago)
Author:
mark.lam@apple.com
Message:

DFG::Worklist should acquire the m_lock before iterating DFG plans.
<https://webkit.org/b/132032>

Reviewed by Filip Pizlo.

Currently, there's a rightToRun mechanism that ensures that no compilation
threads are running when the GC is iterating through the DFG worklists.
However, this does not prevent a Worker thread from doing a DFG compilation
and modifying the plans in the worklists thereby invalidating the plan
iterator that the GC is using. This patch fixes the issue by acquiring
the worklist m_lock before iterating the worklist plans.

This issue was uncovered by running the fast/workers layout tests with
COLLECT_ON_EVERY_ALLOCATION enabled.

  • dfg/DFGWorklist.cpp:

(JSC::DFG::Worklist::isActiveForVM):
(JSC::DFG::Worklist::visitChildren):

Location:
trunk/Source/JavaScriptCore
Files:
2 edited

Legend:

Unmodified
Added
Removed

  • trunk/Source/JavaScriptCore/ChangeLog

    r167685 r167692  
     12014-04-22  Mark Lam  <mark.lam@apple.com>
     2
     3        DFG::Worklist should acquire the m_lock before iterating DFG plans.
     4        <https://webkit.org/b/132032>
     5
     6        Reviewed by Filip Pizlo.
     7
     8        Currently, there's a rightToRun mechanism that ensures that no compilation
     9        threads are running when the GC is iterating through the DFG worklists.
     10        However, this does not prevent a Worker thread from doing a DFG compilation
     11        and modifying the plans in the worklists thereby invalidating the plan
     12        iterator that the GC is using.  This patch fixes the issue by acquiring
     13        the worklist m_lock before iterating the worklist plans.
     14
     15        This issue was uncovered by running the fast/workers layout tests with
     16        COLLECT_ON_EVERY_ALLOCATION enabled.
     17
     18        * dfg/DFGWorklist.cpp:
     19        (JSC::DFG::Worklist::isActiveForVM):
     20        (JSC::DFG::Worklist::visitChildren):
     21
    1222014-04-22  Brent Fulgham  <bfulgham@apple.com>
    223

  • trunk/Source/JavaScriptCore/dfg/DFGWorklist.cpp

    r165687 r167692  
    7777bool Worklist::isActiveForVM(VM& vm) const
    7878{
     79    MutexLocker locker(m_lock);
    7980    PlanMap::const_iterator end = m_plans.end();
    8081    for (PlanMap::const_iterator iter = m_plans.begin(); iter != end; ++iter) {
     
    223224{
    224225    VM* vm = visitor.heap()->vm();
    225     for (PlanMap::iterator iter = m_plans.begin(); iter != m_plans.end(); ++iter) {
    226         Plan* plan = iter->value.get();
    227         if (&plan->vm != vm)
    228             continue;
    229         iter->key.visitChildren(codeBlocks);
    230         iter->value->visitChildren(visitor, codeBlocks);
    231     }
    232    
     226    {
     227        MutexLocker locker(m_lock);
     228        for (PlanMap::iterator iter = m_plans.begin(); iter != m_plans.end(); ++iter) {
     229            Plan* plan = iter->value.get();
     230            if (&plan->vm != vm)
     231                continue;
     232            iter->key.visitChildren(codeBlocks);
     233            iter->value->visitChildren(visitor, codeBlocks);
     234        }
     235    }
     236   
     237    // This loop doesn't need further locking because:
     238    // (1) no new threads can be added to m_threads. Hence, it is immutable and needs no locks.
     239    // (2) ThreadData::m_safepoint is protected by that thread's m_rightToRun which we must be
     240    //     holding here because of a prior call to suspendAllThreads().
    233241    for (unsigned i = m_threads.size(); i--;) {
    234242        ThreadData* data = m_threads[i].get();
Note: See TracChangeset for help on using the changeset viewer.