Changeset 183161 in webkit

Timestamp:

Apr 22, 2015, 7:29:14 PM (10 years ago)

Author:

mark.lam@apple.com

Message:

Fix assertion failure and race condition in Options::dumpSourceAtDFGTime().
​https://bugs.webkit.org/show_bug.cgi?id=143898

Reviewed by Filip Pizlo.

CodeBlock::dumpSource() will access SourceCode strings in a way that requires
ref'ing of the underlying StringImpls. This is unsafe to do from arbitrary
compilation threads because StringImpls are not thread safe. As a result, we get
an assertion failure when we run with JSC_dumpSourceAtDFGTime=true on a debug
build.

This patch fixes the issue by only collecting the CodeBlock (and associated info)
into a DeferredSourceDump record while compiling, and stashing it away in a
deferredSourceDump list in the DeferredCompilationCallback object to be dumped
later.

When compilation is done, the callback object will be notified that
compilationDidComplete(). We will dump the SourceCode strings from there.
Since compilationDidComplete() is guaranteed to only be called on the thread
doing JS execution, it is safe to access the SourceCode strings there and ref
their underlying StringImpls as needed.

• CMakeLists.txt:
• JavaScriptCore.vcxproj/JavaScriptCore.vcxproj:
• JavaScriptCore.vcxproj/JavaScriptCore.vcxproj.filters:
• JavaScriptCore.xcodeproj/project.pbxproj:
• bytecode/DeferredCompilationCallback.cpp:

(JSC::DeferredCompilationCallback::compilationDidComplete):
(JSC::DeferredCompilationCallback::sourceDumpInfo):
(JSC::DeferredCompilationCallback::dumpCompiledSources):

• bytecode/DeferredCompilationCallback.h:
• bytecode/DeferredSourceDump.cpp: Added.

(JSC::DeferredSourceDump::DeferredSourceDump):
(JSC::DeferredSourceDump::dump):

• bytecode/DeferredSourceDump.h: Added.
• dfg/DFGByteCodeParser.cpp:

(JSC::DFG::ByteCodeParser::parseCodeBlock):

• dfg/DFGDriver.cpp:

(JSC::DFG::compileImpl):

Location:

trunk/Source/JavaScriptCore

Files:

• CMakeLists.txt (modified) (1 diff)
• ChangeLog (modified) (1 diff)
• JavaScriptCore.vcxproj/JavaScriptCore.vcxproj (modified) (2 diffs)
• JavaScriptCore.vcxproj/JavaScriptCore.vcxproj.filters (modified) (2 diffs)
• JavaScriptCore.xcodeproj/project.pbxproj (modified) (6 diffs)
• bytecode/DeferredCompilationCallback.cpp (modified) (2 diffs)
• bytecode/DeferredCompilationCallback.h (modified) (2 diffs)
• bytecode/DeferredSourceDump.cpp (added)
• bytecode/DeferredSourceDump.h (added)
• dfg/DFGByteCodeParser.cpp (modified) (2 diffs)
• dfg/DFGDriver.cpp (modified) (1 diff)

trunk/Source/JavaScriptCore/CMakeLists.txt

@@ -81 +81 @@
     bytecode/DFGExitProfile.cpp
     bytecode/DeferredCompilationCallback.cpp
+    bytecode/DeferredSourceDump.cpp
     bytecode/ExecutionCounter.cpp
     bytecode/ExitKind.cpp

trunk/Source/JavaScriptCore/ChangeLog

@@ +1 @@
+2015-04-22  Mark Lam  <mark.lam@apple.com>
+
+        Fix assertion failure and race condition in Options::dumpSourceAtDFGTime().
+        https://bugs.webkit.org/show_bug.cgi?id=143898
+
+        Reviewed by Filip Pizlo.
+
+        CodeBlock::dumpSource() will access SourceCode strings in a way that requires
+        ref'ing of the underlying StringImpls. This is unsafe to do from arbitrary
+        compilation threads because StringImpls are not thread safe. As a result, we get
+        an assertion failure when we run with JSC_dumpSourceAtDFGTime=true on a debug
+        build.
+
+        This patch fixes the issue by only collecting the CodeBlock (and associated info)
+        into a DeferredSourceDump record while compiling, and stashing it away in a
+        deferredSourceDump list in the DeferredCompilationCallback object to be dumped
+        later.
+
+        When compilation is done, the callback object will be notified that
+        compilationDidComplete().  We will dump the SourceCode strings from there. 
+        Since compilationDidComplete() is guaranteed to only be called on the thread
+        doing JS execution, it is safe to access the SourceCode strings there and ref
+        their underlying StringImpls as needed.        
+
+        * CMakeLists.txt:
+        * JavaScriptCore.vcxproj/JavaScriptCore.vcxproj:
+        * JavaScriptCore.vcxproj/JavaScriptCore.vcxproj.filters:
+        * JavaScriptCore.xcodeproj/project.pbxproj:
+        * bytecode/DeferredCompilationCallback.cpp:
+        (JSC::DeferredCompilationCallback::compilationDidComplete):
+        (JSC::DeferredCompilationCallback::sourceDumpInfo):
+        (JSC::DeferredCompilationCallback::dumpCompiledSources):
+        * bytecode/DeferredCompilationCallback.h:
+        * bytecode/DeferredSourceDump.cpp: Added.
+        (JSC::DeferredSourceDump::DeferredSourceDump):
+        (JSC::DeferredSourceDump::dump):
+        * bytecode/DeferredSourceDump.h: Added.
+        * dfg/DFGByteCodeParser.cpp:
+        (JSC::DFG::ByteCodeParser::parseCodeBlock):
+        * dfg/DFGDriver.cpp:
+        (JSC::DFG::compileImpl):
+
 2015-04-22  Benjamin Poulain  <benjamin@webkit.org>
 

trunk/Source/JavaScriptCore/JavaScriptCore.vcxproj/JavaScriptCore.vcxproj

@@ -327 +327 @@
     <ClCompile Include="..\bytecode\ConstantStructureCheck.cpp" />
     <ClCompile Include="..\bytecode\DeferredCompilationCallback.cpp" />
+    <ClCompile Include="..\bytecode\DeferredSourceDump.cpp" />
     <ClCompile Include="..\bytecode\DFGExitProfile.cpp" />
     <ClCompile Include="..\bytecode\ExecutionCounter.cpp" />
@@ -978 +979 @@
     <ClInclude Include="..\bytecode\DataFormat.h" />
     <ClInclude Include="..\bytecode\DeferredCompilationCallback.h" />
+    <ClInclude Include="..\bytecode\DeferredSourceDump.h" />
     <ClInclude Include="..\bytecode\DFGExitProfile.h" />
     <ClInclude Include="..\bytecode\EvalCodeCache.h" />

trunk/Source/JavaScriptCore/JavaScriptCore.vcxproj/JavaScriptCore.vcxproj.filters

@@ -1048 +1048 @@
       <Filter>bytecode</Filter>
     </ClCompile>
+    <ClCompile Include="..\bytecode\DeferredSourceDump.cpp">
+      <Filter>bytecode</Filter>
+    </ClCompile>
     <ClCompile Include="..\dfg\DFGCompilationKey.cpp">
       <Filter>dfg</Filter>
@@ -3317 +3320 @@
     </ClInclude>
     <ClInclude Include="..\bytecode\DeferredCompilationCallback.h">
+      <Filter>bytecode</Filter>
+    </ClInclude>
+    <ClInclude Include="..\bytecode\DeferredSourceDump.h">
       <Filter>bytecode</Filter>
     </ClInclude>

trunk/Source/JavaScriptCore/JavaScriptCore.xcodeproj/project.pbxproj

@@ -1662 +1662 @@
                 FE4BFF2C1AD476E700088F87 /* FunctionOverrides.h in Headers */ = {isa = PBXBuildFile; fileRef = FE4BFF2A1AD476E700088F87 /* FunctionOverrides.h */; };
                 FE4D55B81AE716CA0052E459 /* IterationStatus.h in Headers */ = {isa = PBXBuildFile; fileRef = FE4D55B71AE716CA0052E459 /* IterationStatus.h */; settings = {ATTRIBUTES = (Private, ); }; };
+                FE5068651AE246390009DAB7 /* DeferredSourceDump.h in Headers */ = {isa = PBXBuildFile; fileRef = FE5068641AE246390009DAB7 /* DeferredSourceDump.h */; settings = {ATTRIBUTES = (Private, ); }; };
+                FE5068671AE25E280009DAB7 /* DeferredSourceDump.cpp in Sources */ = {isa = PBXBuildFile; fileRef = FE5068661AE25E280009DAB7 /* DeferredSourceDump.cpp */; };
                 FE5932A7183C5A2600A1ECCC /* VMEntryScope.cpp in Sources */ = {isa = PBXBuildFile; fileRef = FE5932A5183C5A2600A1ECCC /* VMEntryScope.cpp */; };
                 FE5932A8183C5A2600A1ECCC /* VMEntryScope.h in Headers */ = {isa = PBXBuildFile; fileRef = FE5932A6183C5A2600A1ECCC /* VMEntryScope.h */; settings = {ATTRIBUTES = (Private, ); }; };
@@ -3183 +3185 @@
                 A7C1EAEA17987AB600299DB2 /* CallFrameInlines.h */ = {isa = PBXFileReference; fileEncoding = 4; lastKnownFileType = sourcecode.c.h; path = CallFrameInlines.h; sourceTree = "<group>"; };
                 A7C1EAEB17987AB600299DB2 /* JSStackInlines.h */ = {isa = PBXFileReference; fileEncoding = 4; lastKnownFileType = sourcecode.c.h; path = JSStackInlines.h; sourceTree = "<group>"; };
-                A7C1EAEC17987AB600299DB2 /* StackVisitor.cpp */ = {isa = PBXFileReference; fileEncoding = 4; lastKnownFileType = sourcecode.cpp.cpp; lineEnding = 0; path = StackVisitor.cpp; sourceTree = "<group>"; xcLanguageSpecificationIdentifier = xcode.lang.cpp; };
+                A7C1EAEC17987AB600299DB2 /* StackVisitor.cpp */ = {isa = PBXFileReference; fileEncoding = 4; lastKnownFileType = sourcecode.cpp.cpp; lineEnding = 0; path = StackVisitor.cpp; sourceTree = "<group>"; };
                 A7C1EAED17987AB600299DB2 /* StackVisitor.h */ = {isa = PBXFileReference; fileEncoding = 4; lastKnownFileType = sourcecode.c.h; path = StackVisitor.h; sourceTree = "<group>"; };
                 A7C225CC139981F100FF1662 /* KeywordLookupGenerator.py */ = {isa = PBXFileReference; fileEncoding = 4; lastKnownFileType = text.script.python; path = KeywordLookupGenerator.py; sourceTree = "<group>"; };
@@ -3455 +3457 @@
                 FE4BFF2A1AD476E700088F87 /* FunctionOverrides.h */ = {isa = PBXFileReference; fileEncoding = 4; lastKnownFileType = sourcecode.c.h; path = FunctionOverrides.h; sourceTree = "<group>"; };
                 FE4D55B71AE716CA0052E459 /* IterationStatus.h */ = {isa = PBXFileReference; fileEncoding = 4; lastKnownFileType = sourcecode.c.h; path = IterationStatus.h; sourceTree = "<group>"; };
+                FE5068641AE246390009DAB7 /* DeferredSourceDump.h */ = {isa = PBXFileReference; fileEncoding = 4; lastKnownFileType = sourcecode.c.h; path = DeferredSourceDump.h; sourceTree = "<group>"; };
+                FE5068661AE25E280009DAB7 /* DeferredSourceDump.cpp */ = {isa = PBXFileReference; fileEncoding = 4; lastKnownFileType = sourcecode.cpp.cpp; path = DeferredSourceDump.cpp; sourceTree = "<group>"; };
                 FE5932A5183C5A2600A1ECCC /* VMEntryScope.cpp */ = {isa = PBXFileReference; fileEncoding = 4; lastKnownFileType = sourcecode.cpp.cpp; path = VMEntryScope.cpp; sourceTree = "<group>"; };
                 FE5932A6183C5A2600A1ECCC /* VMEntryScope.h */ = {isa = PBXFileReference; fileEncoding = 4; lastKnownFileType = sourcecode.c.h; path = VMEntryScope.h; sourceTree = "<group>"; };
@@ -5307 +5311 @@
                                 1429D8830ED21C3D00B89619 /* SamplingTool.cpp */,
                                 1429D8840ED21C3D00B89619 /* SamplingTool.h */,
+                                FE5068661AE25E280009DAB7 /* DeferredSourceDump.cpp */,
+                                FE5068641AE246390009DAB7 /* DeferredSourceDump.h */,
                                 0F5541AF1613C1FB00CE3E25 /* SpecialPointer.cpp */,
                                 0F5541B01613C1FB00CE3E25 /* SpecialPointer.h */,
@@ -5593 +5599 @@
                                 52C0611F1AA51E1C00B4ADBA /* RuntimeType.h in Headers */,
                                 FE4D55B81AE716CA0052E459 /* IterationStatus.h in Headers */,
+                                FE5068651AE246390009DAB7 /* DeferredSourceDump.h in Headers */,
                                 C442CB251A6CDB8C005D3D7C /* JSInputs.json in Headers */,
                                 52678F911A04177C006A306D /* ControlFlowProfiler.h in Headers */,
@@ -7123 +7130 @@
                                 0FD82E56141DAF0800179C94 /* DFGOSREntry.cpp in Sources */,
                                 0FD8A32517D51F5700CA2C40 /* DFGOSREntrypointCreationPhase.cpp in Sources */,
+                                FE5068671AE25E280009DAB7 /* DeferredSourceDump.cpp in Sources */,
                                 0FC09791146A6F7100CF2442 /* DFGOSRExit.cpp in Sources */,
                                 0F235BEB17178E7300690C7F /* DFGOSRExitBase.cpp in Sources */,

trunk/Source/JavaScriptCore/bytecode/DeferredCompilationCallback.cpp

@@ -36 +36 @@
 void DeferredCompilationCallback::compilationDidComplete(CodeBlock* codeBlock, CompilationResult result)
 {
+    dumpCompiledSourcesIfNeeded();
+
     switch (result) {
     case CompilationFailed:
@@ -48 +50 @@
 }
 
+Vector<DeferredSourceDump>& DeferredCompilationCallback::ensureDeferredSourceDump()
+{
+    if (!m_deferredSourceDump)
+        m_deferredSourceDump = std::make_unique<Vector<DeferredSourceDump>>();
+    return *m_deferredSourceDump;
+}
+
+void DeferredCompilationCallback::dumpCompiledSourcesIfNeeded()
+{
+    if (!m_deferredSourceDump)
+        return;
+
+    ASSERT(Options::dumpSourceAtDFGTime());
+    unsigned index = 0;
+    for (auto& info : *m_deferredSourceDump) {
+        dataLog("[", ++index, "] ");
+        info.dump();
+    }
+}
+
 } // JSC
 

trunk/Source/JavaScriptCore/bytecode/DeferredCompilationCallback.h

@@ -28 +28 @@
 
 #include "CompilationResult.h"
+#include "DeferredSourceDump.h"
 #include <wtf/RefCounted.h>
+#include <wtf/Vector.h>
 
 namespace JSC {
@@ -43 +45 @@
     virtual void compilationDidBecomeReadyAsynchronously(CodeBlock*) = 0;
     virtual void compilationDidComplete(CodeBlock*, CompilationResult);
+
+    Vector<DeferredSourceDump>& ensureDeferredSourceDump();
+
+private:
+    void dumpCompiledSourcesIfNeeded();
+
+    std::unique_ptr<Vector<DeferredSourceDump>> m_deferredSourceDump;
 };
 

trunk/Source/JavaScriptCore/dfg/DFGByteCodeParser.cpp

@@ -4052 +4052 @@
     }
     
-    bool shouldDumpSource = Options::dumpSourceAtDFGTime();
-    bool shouldDumpBytecode = Options::dumpBytecodeAtDFGTime();
-    if (shouldDumpSource || shouldDumpBytecode) {
+    if (UNLIKELY(Options::dumpSourceAtDFGTime())) {
+        Vector<DeferredSourceDump>& deferredSourceDump = m_graph.m_plan.callback->ensureDeferredSourceDump();
+        if (inlineCallFrame()) {
+            DeferredSourceDump dump(codeBlock->baselineVersion(), m_codeBlock, JITCode::DFGJIT, inlineCallFrame()->caller);
+            deferredSourceDump.append(dump);
+        } else
+            deferredSourceDump.append(DeferredSourceDump(codeBlock->baselineVersion()));
+    }
+
+    if (Options::dumpBytecodeAtDFGTime()) {
         dataLog("Parsing ", *codeBlock);
         if (inlineCallFrame()) {
@@ -4064 +4071 @@
             ": needsActivation = ", codeBlock->needsActivation(),
             ", isStrictMode = ", codeBlock->ownerExecutable()->isStrictMode(), "\n");
-    }
-
-    if (shouldDumpSource) {
-        dataLog("==== begin source ====\n");
-        codeBlock->baselineVersion()->dumpSource();
-        dataLog("\n==== end source ====\n\n");
-    }
-    
-    if (shouldDumpBytecode)
         codeBlock->baselineVersion()->dumpBytecode();
+    }
     
     Vector<unsigned, 32> jumpTargets;

trunk/Source/JavaScriptCore/dfg/DFGDriver.cpp

@@ -102 +102 @@
         new Plan(codeBlock, profiledDFGCodeBlock, mode, osrEntryBytecodeIndex, mustHandleValues));
     
+    plan->callback = callback;
     if (Options::enableConcurrentJIT()) {
         Worklist* worklist = ensureGlobalWorklistFor(mode);
-        plan->callback = callback;
         if (logCompilationChanges(mode))
             dataLog("Deferring DFG compilation of ", *codeBlock, " with queue length ", worklist->queueLength(), ".\n");