Changeset 216608 in webkit


Timestamp:
May 10, 2017, 1:07:03 PM
Author:
mark.lam@apple.com
Message:

Crash in JavaScriptCore GC when using JSC on dispatch queues (thread_get_state returns NULL stack pointer).
https://bugs.webkit.org/show_bug.cgi?id=160337
<rdar://problem/27611733>

Reviewed by Filip Pizlo and Geoffrey Garen.

This is a workaround for <rdar://problem/27607384>. During thread initialization,
for some target platforms, thread state is momentarily set to 0 before being
filled in with the target thread's real register values. As a result, there's
a race condition that may result in us getting a null stackPointer during a GC scan.
This issue may manifest with workqueue threads where the OS may choose to recycle
a thread for an expired task.

The workaround is simply to indicate that there's nothing to copy and return.
This is correct because we will only ever observe a null pointer during thread
initialization. Hence, by definition, there's nothing there that we need to scan
yet, and therefore, nothing that needs to be copied.

  • heap/MachineStackMarker.cpp:
    (JSC::MachineThreads::tryCopyOtherThreadStack):
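To make the race the message describes concrete, here is an added, constructed model (not JSC's code) of a conservative scanner copying other threads' register state and stacks into a scratch buffer. `Registers`, `FakeThread`, the sample threads and the `tryCopyOtherThreadStacks` driver are all assumptions of this model; a zero `stackPointer` stands in for the momentarily zeroed thread state. The guard mirrors the one in the patch, except that it leaves `*size` untouched on the early return, because this model's driver accumulates `*size` across threads.

```cpp
#include <cstddef>
#include <cstdint>
#include <cstdio>
#include <cstring>
#include <vector>

// Constructed model of a conservative GC copying other threads' register
// state and stack into a scratch buffer. Not JSC's code: the types and the
// driver below are assumptions made for illustration.
struct Registers {
    uintptr_t stackPointer;
    uintptr_t other[4];
};

struct FakeThread {
    Registers registers;         // snapshot as a thread_get_state-style call would return it
    std::vector<uint8_t> stack;  // bytes from stackPointer up to the stack base
};

// Copies one suspended thread's registers and stack into buffer at offset
// *size, or only accounts for the bytes when they do not fit (a caller would
// retry with a larger buffer). Returns false when there was nothing to copy.
bool tryCopyOtherThreadStack(const FakeThread& thread, void* buffer, size_t capacity, size_t* size)
{
    const Registers& registers = thread.registers;

    // Guard modelled on r216608: a null stack pointer means the thread state
    // has been zeroed during initialisation and not filled in yet, so there
    // is nothing to scan. *size is left alone so earlier threads' totals survive.
    if (!registers.stackPointer)
        return false;

    size_t registersSize = sizeof(Registers);
    size_t stackSize = thread.stack.size();
    bool canCopy = *size + registersSize + stackSize <= capacity;

    if (canCopy)
        std::memcpy(static_cast<char*>(buffer) + *size, &registers, registersSize);
    *size += registersSize;

    if (canCopy)
        std::memcpy(static_cast<char*>(buffer) + *size, thread.stack.data(), stackSize);
    *size += stackSize;
    return true;
}

// Drives the per-thread copy over every other thread, accumulating *size.
// Returns how many threads actually had state to copy.
size_t tryCopyOtherThreadStacks(const std::vector<FakeThread>& threads, void* buffer, size_t capacity, size_t* size)
{
    *size = 0;
    size_t copied = 0;
    for (const FakeThread& thread : threads) {
        if (tryCopyOtherThreadStack(thread, buffer, capacity, size))
            ++copied;
    }
    return copied;
}

// Constructed scenario: three threads, the middle one caught mid-initialisation
// with a zeroed register snapshot.
std::vector<FakeThread> makeSampleThreads()
{
    FakeThread a{ { 0x7000, { 1, 2, 3, 4 } }, std::vector<uint8_t>(64, 0xAA) };
    FakeThread b{ { 0, { 0, 0, 0, 0 } }, {} };  // null SP: must be skipped, not scanned
    FakeThread c{ { 0x9000, { 5, 6, 7, 8 } }, std::vector<uint8_t>(32, 0xBB) };
    return { a, b, c };
}

int main()
{
    std::vector<FakeThread> threads = makeSampleThreads();
    std::vector<uint8_t> buffer(1024);
    size_t size = 0;
    size_t copied = tryCopyOtherThreadStacks(threads, buffer.data(), buffer.size(), &size);
    std::printf("copied %zu threads, %zu bytes\n", copied, size);
    return 0;
}
```

Without the guard, the model would dereference a null stack pointer while computing the stack extent for thread `b`; with it, the other two threads land back to back in the buffer and the running total still reports the full requirement when the buffer is too small.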

Location:
trunk/Source/JavaScriptCore
Files:
2 edited

  • trunk/Source/JavaScriptCore/ChangeLog

    r216597 r216608  
     12017-05-10  Mark Lam  <mark.lam@apple.com>
     2
     3        Crash in JavaScriptCore GC when using JSC on dispatch queues (thread_get_state returns NULL stack pointer).
     4        https://bugs.webkit.org/show_bug.cgi?id=160337
     5        <rdar://problem/27611733>
     6
     7        Reviewed by Filip Pizlo and Geoffrey Garen.
     8
     9        This is a workaround for <rdar://problem/27607384>. During thread initialization,
     10        for some target platforms, thread state is momentarily set to 0 before being
     11        filled in with the target thread's real register values. As a result, there's
     12        a race condition that may result in us getting a null stackPointer during a GC scan.
     13        This issue may manifest with workqueue threads where the OS may choose to recycle
     14        a thread for an expired task.
     15
     16        The workaround is simply to indicate that there's nothing to copy and return.
     17        This is correct because we will only ever observe a null pointer during thread
     18        initialization. Hence, by definition, there's nothing there that we need to scan
     19        yet, and therefore, nothing that needs to be copied.
     20
     21        * heap/MachineStackMarker.cpp:
     22        (JSC::MachineThreads::tryCopyOtherThreadStack):
     23
    1242017-05-10  JF Bastien  <jfbastien@apple.com>
    225
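Review bot: the entry says "for some target platforms" without naming them; since this is a documented workaround for a separate radar, recording which platforms exhibit the momentarily zeroed thread state would let a future reader decide when the guard can be retired, and would make the comment in MachineStackMarker.cpp self-explanatory to anyone reading it without the bug history.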
  • trunk/Source/JavaScriptCore/heap/MachineStackMarker.cpp

    r215671 r216608  
    312312    MachineThread::Registers registers;
    313313    size_t registersSize = thread->getRegisters(registers);
     314
     315    // This is a workaround for <rdar://problem/27607384>. During thread initialization,
     316    // for some target platforms, thread state is momentarily set to 0 before being
     317    // filled in with the target thread's real register values. As a result, there's
     318    // a race condition that may result in us getting a null stackPointer.
     319    // This issue may manifest with workqueue threads where the OS may choose to recycle
     320    // a thread for an expired task.
     321    //
     322    // The workaround is simply to indicate that there's nothing to copy and return.
     323    // This is correct because we will only ever observe a null pointer during thread
     324    // initialization. Hence, by definition, there's nothing there that we need to scan
     325    // yet, and therefore, nothing that needs to be copied.
     326    if (UNLIKELY(!registers.stackPointer())) {
     327        *size = 0;
     328        return;
     329    }
     330
    314331    std::pair<void*, size_t> stack = thread->captureStack(registers.stackPointer());
    315332
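Review bot: the early-return path at lines 326 to 329 assigns `*size = 0;` instead of leaving `*size` as it was. `size` is a pointer out-parameter and the context lines compute per-thread quantities (`registersSize`, the `captureStack` result), which suggests the caller may be accumulating `*size` across several threads in one scan; if so, zeroing it here discards the byte counts already recorded for earlier threads and the next thread would be written at offset 0 of the buffer. A bare `return;` expresses "nothing to copy for this thread" without that risk; please confirm against the caller. Separately, `thread->getRegisters(registers)` at line 313 has already run when we bail out: if the non-null path releases anything obtained there at the end of the function, the early return skips that release.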