Changeset 238421 in webkit

Timestamp:

Nov 21, 2018 9:37:54 AM (5 years ago)

Author:

mark.lam@apple.com

Message:

Remove invalid assertion in VMTraps::SignalSender's SignalAction.
​https://bugs.webkit.org/show_bug.cgi?id=191856
<rdar://problem/46089992>

Reviewed by Yusuke Suzuki.

JSTests:

• stress/regress-191856.js: Added.
• this test is skipped for now until we have a fix for webkit.org/b/191855.

Source/JavaScriptCore:

The ASSERT(vm.traps().needTrapHandling()) assertion in SignalSender's SigAction
function is invalid because we can't be sure that the trap has been handled yet
by the time the trap fires. This is because the main thread may also check traps
(in LLInt, baseline JIT and VM runtime code). There's a race to handle the trap.
Hence, the SigAction cannot assume that the trap still needs handling by the time
it is executed. This patch removed the invalid assertion.

Also renamed m_trapSet to m_condition because it is a AutomaticThreadCondition,
and all the ways it is used is as a condvar. The m_trapSet name doesn't seem
appropriate nor meaningful.

• runtime/VMTraps.cpp:

(JSC::VMTraps::tryInstallTrapBreakpoints):

• Added a !needTrapHandling() check as an optimization: there's no need to install VMTrap breakpoints if someone already beat us to handling the trap (remember, the main thread is racing against the VMTraps signalling thread to handle the trap too). We only need to install the VMTraps breakpoints if we need DFG/FTL compiled code to deopt so that they can check and handle pending traps. If the trap has already been handled, it's better to not deopt any DFG/FTL functions.

(JSC::VMTraps::willDestroyVM):
(JSC::VMTraps::fireTrap):
(JSC::VMTraps::VMTraps):

• runtime/VMTraps.h:

Location:

trunk

Files:

• JSTests/ChangeLog (modified) (1 diff)
• JSTests/stress/regress-191856.js (added)
• Source/JavaScriptCore/ChangeLog (modified) (1 diff)
• Source/JavaScriptCore/runtime/VMTraps.cpp (modified) (7 diffs)
• Source/JavaScriptCore/runtime/VMTraps.h (modified) (1 diff)

trunk/JSTests/ChangeLog

@@ +1 @@
+2018-11-20  Mark Lam  <mark.lam@apple.com>
+
+        Remove invalid assertion in VMTraps::SignalSender's SignalAction.
+        https://bugs.webkit.org/show_bug.cgi?id=191856
+        <rdar://problem/46089992>
+
+        Reviewed by Yusuke Suzuki.
+
+        * stress/regress-191856.js: Added.
+        - this test is skipped for now until we have a fix for webkit.org/b/191855.
+
 2018-11-21  Dominik Infuehr  <dinfuehr@igalia.com>
 

trunk/Source/JavaScriptCore/ChangeLog

@@ +1 @@
+2018-11-20  Mark Lam  <mark.lam@apple.com>
+
+        Remove invalid assertion in VMTraps::SignalSender's SignalAction.
+        https://bugs.webkit.org/show_bug.cgi?id=191856
+        <rdar://problem/46089992>
+
+        Reviewed by Yusuke Suzuki.
+
+        The ASSERT(vm.traps().needTrapHandling()) assertion in SignalSender's SigAction
+        function is invalid because we can't be sure that the trap has been handled yet
+        by the time the trap fires.  This is because the main thread may also check traps
+        (in LLInt, baseline JIT and VM runtime code).  There's a race to handle the trap.
+        Hence, the SigAction cannot assume that the trap still needs handling by the time
+        it is executed.  This patch removed the invalid assertion.
+
+        Also renamed m_trapSet to m_condition because it is a AutomaticThreadCondition,
+        and all the ways it is used is as a condvar.  The m_trapSet name doesn't seem
+        appropriate nor meaningful.
+
+        * runtime/VMTraps.cpp:
+        (JSC::VMTraps::tryInstallTrapBreakpoints):
+        - Added a !needTrapHandling() check as an optimization: there's no need to install
+          VMTrap breakpoints if someone already beat us to handling the trap (remember,
+          the main thread is racing against the VMTraps signalling thread to handle the
+          trap too).  We only need to install the VMTraps breakpoints if we need DFG/FTL
+          compiled code to deopt so that they can check and handle pending traps.  If the
+          trap has already been handled, it's better to not deopt any DFG/FTL functions.
+
+        (JSC::VMTraps::willDestroyVM):
+        (JSC::VMTraps::fireTrap):
+        (JSC::VMTraps::VMTraps):
+        * runtime/VMTraps.h:
+
 2018-11-21  Dominik Infuehr  <dinfuehr@igalia.com>
 

trunk/Source/JavaScriptCore/runtime/VMTraps.cpp

@@ -149 +149 @@
             return; // Let the SignalSender try again later.
 
+        if (!needTrapHandling()) {
+            // Too late. Someone else already handled the trap.
+            return;
+        }
+
         if (!foundCodeBlock->hasInstalledVMTrapBreakpoints())
             foundCodeBlock->installVMTrapBreakpoints();
@@ -191 +196 @@
     using Base = AutomaticThread;
     SignalSender(const AbstractLocker& locker, VM& vm)
-        : Base(locker, vm.traps().m_lock, vm.traps().m_trapSet.copyRef())
+        : Base(locker, vm.traps().m_lock, vm.traps().m_condition.copyRef())
         , m_vm(vm)
     {
@@ -212 +217 @@
                 ASSERT(currentCodeBlock->hasInstalledVMTrapBreakpoints());
                 VM& vm = *currentCodeBlock->vm();
-                ASSERT(vm.traps().needTrapHandling()); // We should have already jettisoned this code block when we handled the trap.
-
-                // We are in JIT code so it's safe to aquire this lock.
+
+                // We are in JIT code so it's safe to acquire this lock.
                 auto codeBlockSetLocker = holdLock(vm.heap.codeBlockSet().getLock());
                 bool sawCurrentCodeBlock = false;
@@ -280 +284 @@
             if (traps().m_isShuttingDown)
                 return WorkResult::Stop;
-            traps().m_trapSet->waitFor(*traps().m_lock, 1_ms);
+            traps().m_condition->waitFor(*traps().m_lock, 1_ms);
         }
         return WorkResult::Continue;
@@ -300 +304 @@
             auto locker = holdLock(*m_lock);
             if (!m_signalSender->tryStop(locker))
-                m_trapSet->notifyAll(locker);
+                m_condition->notifyAll(locker);
         }
         m_signalSender->join();
@@ -321 +325 @@
     if (!Options::usePollingTraps()) {
         // sendSignal() can loop until it has confirmation that the mutator thread
-        // has received the trap request. We'll call it from another trap so that
+        // has received the trap request. We'll call it from another thread so that
         // fireTrap() does not block.
         auto locker = holdLock(*m_lock);
         if (!m_signalSender)
             m_signalSender = adoptRef(new SignalSender(locker, vm()));
-        m_trapSet->notifyAll(locker);
+        m_condition->notifyAll(locker);
     }
 #endif
@@ -385 +389 @@
 VMTraps::VMTraps()
     : m_lock(Box<Lock>::create())
-    , m_trapSet(AutomaticThreadCondition::create())
+    , m_condition(AutomaticThreadCondition::create())
 {
 }

trunk/Source/JavaScriptCore/runtime/VMTraps.h

@@ -147 +147 @@
 
     Box<Lock> m_lock;
-    Ref<AutomaticThreadCondition> m_trapSet;
+    Ref<AutomaticThreadCondition> m_condition;
     union {
         BitField m_needTrapHandling { 0 };