Changeset 179753 in webkit

Timestamp:

Feb 6, 2015 12:57:45 PM (9 years ago)

Author:

mark.lam@apple.com

Message:

MachineThreads should be ref counted.
<​https://webkit.org/b/141317>

Reviewed by Filip Pizlo.

The VM's MachineThreads registry object is being referenced from other
threads as a raw pointer. In a scenario where the VM is destructed on
the main thread, there is no guarantee that another thread isn't still
holding a reference to the registry and will eventually invoke
removeThread() on it on thread exit. Hence, there's a possible use
after free scenario here.

The fix is to make MachineThreads ThreadSafeRefCounted, and have all
threads that references keep a RefPtr to it to ensure that it stays
alive until the very last thread is done with it.

• API/tests/testapi.mm:

(useVMFromOtherThread): - Renamed to be more descriptive.
(useVMFromOtherThreadAndOutliveVM):

• Added a test that has another thread which uses the VM outlive the VM to confirm that there is no crash.

However, I was not actually able to get the VM to crash without this
patch because I wasn't always able to the thread destructor to be
called. With this patch applied, I did verify with some logging that
the MachineThreads registry is only destructed after all threads
have removed themselves from it.

(threadMain): Deleted.

• heap/Heap.cpp:

(JSC::Heap::Heap):
(JSC::Heap::~Heap):
(JSC::Heap::gatherStackRoots):

• heap/Heap.h:

(JSC::Heap::machineThreads):

• heap/MachineStackMarker.cpp:

(JSC::MachineThreads::Thread::Thread):
(JSC::MachineThreads::addCurrentThread):
(JSC::MachineThreads::removeCurrentThread):

• heap/MachineStackMarker.h:

Location:

trunk/Source/JavaScriptCore

Files:

• API/tests/testapi.mm (modified) (4 diffs)
• ChangeLog (modified) (1 diff)
• heap/Heap.cpp (modified) (4 diffs)
• heap/Heap.h (modified) (2 diffs)
• heap/MachineStackMarker.cpp (modified) (7 diffs)
• heap/MachineStackMarker.h (modified) (5 diffs)

trunk/Source/JavaScriptCore/API/tests/testapi.mm

@@ -473 +473 @@
 }
 
-static void* threadMain(void* contextPtr)
+static void* useVMFromOtherThread(void* contextPtr)
 {
     JSContext *context = (__bridge JSContext*)contextPtr;
@@ -480 +480 @@
     TestObject *testObject = [TestObject testObject];
     context[@"testObject"] = testObject;
+    pthread_exit(nullptr);
+}
+
+struct ThreadArgs {
+    JSContext* context;
+    volatile bool* mainThreadIsReadyToJoin;
+    volatile bool* otherThreadIsDoneWithJSWork;
+};
+
+static void* useVMFromOtherThreadAndOutliveVM(void* data)
+{
+    ThreadArgs* args = reinterpret_cast<ThreadArgs*>(data);
+    volatile bool& mainThreadIsReadyToJoin = *args->mainThreadIsReadyToJoin;
+    volatile bool& otherThreadIsDoneWithJSWork = *args->otherThreadIsDoneWithJSWork;
+
+    @autoreleasepool {
+        JSContext *context = args->context;
+
+        // Do something to enter the VM.
+        TestObject *testObject = [TestObject testObject];
+        context[@"testObject"] = testObject;
+    }
+    otherThreadIsDoneWithJSWork = true;
+
+    while (!mainThreadIsReadyToJoin)
+        usleep(10000);
     pthread_exit(nullptr);
 }
@@ -1376 +1402 @@
         
         pthread_t threadID;
-        pthread_create(&threadID, NULL, &threadMain, (__bridge void*)context);
+        pthread_create(&threadID, NULL, &useVMFromOtherThread, (__bridge void*)context);
         pthread_join(threadID, nullptr);
         JSSynchronousGarbageCollectForDebugging([context JSGlobalContextRef]);
@@ -1382 +1408 @@
         checkResult(@"Did not crash after entering the VM from another thread", true);
     }
-    
+
+    @autoreleasepool {
+        pthread_t threadID;
+        volatile bool mainThreadIsReadyToJoin = false;
+        volatile bool otherThreadIsDoneWithJSWork = false;
+        @autoreleasepool {
+            JSContext *context = [[JSContext alloc] init];
+            ThreadArgs args = { context, &mainThreadIsReadyToJoin, &otherThreadIsDoneWithJSWork };
+
+            pthread_create(&threadID, NULL, &useVMFromOtherThreadAndOutliveVM, &args);
+            JSSynchronousGarbageCollectForDebugging([context JSGlobalContextRef]);
+
+            while (!otherThreadIsDoneWithJSWork)
+                usleep(10000);
+        }
+
+        mainThreadIsReadyToJoin = true;
+        pthread_join(threadID, nullptr);
+        checkResult(@"Did not crash if the VM is destructed before another thread using the VM ends", true);
+    }
+
     currentThisInsideBlockGetterTest();
     runDateTests();

trunk/Source/JavaScriptCore/ChangeLog

@@ +1 @@
+2015-02-06  Mark Lam  <mark.lam@apple.com>
+
+        MachineThreads should be ref counted.
+        <https://webkit.org/b/141317>
+
+        Reviewed by Filip Pizlo.
+
+        The VM's MachineThreads registry object is being referenced from other
+        threads as a raw pointer.  In a scenario where the VM is destructed on
+        the main thread, there is no guarantee that another thread isn't still
+        holding a reference to the registry and will eventually invoke
+        removeThread() on it on thread exit.  Hence, there's a possible use
+        after free scenario here.
+
+        The fix is to make MachineThreads ThreadSafeRefCounted, and have all
+        threads that references keep a RefPtr to it to ensure that it stays
+        alive until the very last thread is done with it.
+
+        * API/tests/testapi.mm:
+        (useVMFromOtherThread): - Renamed to be more descriptive.
+        (useVMFromOtherThreadAndOutliveVM):
+        - Added a test that has another thread which uses the VM outlive the
+          VM to confirm that there is no crash.
+
+          However, I was not actually able to get the VM to crash without this
+          patch because I wasn't always able to the thread destructor to be
+          called.  With this patch applied, I did verify with some logging that
+          the MachineThreads registry is only destructed after all threads
+          have removed themselves from it.
+
+        (threadMain): Deleted.
+
+        * heap/Heap.cpp:
+        (JSC::Heap::Heap):
+        (JSC::Heap::~Heap):
+        (JSC::Heap::gatherStackRoots):
+        * heap/Heap.h:
+        (JSC::Heap::machineThreads):
+        * heap/MachineStackMarker.cpp:
+        (JSC::MachineThreads::Thread::Thread):
+        (JSC::MachineThreads::addCurrentThread):
+        (JSC::MachineThreads::removeCurrentThread):
+        * heap/MachineStackMarker.h:
+
 2015-02-06  Commit Queue  <commit-queue@webkit.org>
 

trunk/Source/JavaScriptCore/heap/Heap.cpp

@@ -312 +312 @@
     , m_storageSpace(this)
     , m_extraMemoryUsage(0)
-    , m_machineThreads(this)
     , m_sharedData(vm)
     , m_slotVisitor(m_sharedData)
@@ -341 +340 @@
 #endif
 {
+    m_machineThreads = adoptRef(new MachineThreads(this));
     m_storageSpace.init();
     if (Options::verifyHeap())
@@ -348 +348 @@
 Heap::~Heap()
 {
+    // We need to remove the main thread explicitly here because the main thread
+    // may not terminate for a while though the Heap (and VM) is being shut down.
+    m_machineThreads->removeCurrentThread();
 }
 
@@ -588 +591 @@
     GCPHASE(GatherStackRoots);
     m_jitStubRoutines.clearMarks();
-    m_machineThreads.gatherConservativeRoots(roots, m_jitStubRoutines, m_codeBlocks, dummy, registers);
+    m_machineThreads->gatherConservativeRoots(roots, m_jitStubRoutines, m_codeBlocks, dummy, registers);
 }
 

trunk/Source/JavaScriptCore/heap/Heap.h

@@ -120 +120 @@
     VM* vm() const { return m_vm; }
     MarkedSpace& objectSpace() { return m_objectSpace; }
-    MachineThreads& machineThreads() { return m_machineThreads; }
+    MachineThreads& machineThreads() { return *m_machineThreads; }
 
     const SlotVisitor& slotVisitor() const { return m_slotVisitor; }
@@ -356 +356 @@
     std::unique_ptr<HashSet<MarkedArgumentBuffer*>> m_markListSet;
 
-    MachineThreads m_machineThreads;
+    RefPtr<MachineThreads> m_machineThreads;
     
     GCThreadSharedData m_sharedData;

trunk/Source/JavaScriptCore/heap/MachineStackMarker.cpp

@@ -92 +92 @@
     WTF_MAKE_FAST_ALLOCATED;
 public:
-    Thread(const PlatformThread& platThread, void* base)
+    Thread(PassRefPtr<MachineThreads> machineThreads, const PlatformThread& platThread, void* base)
         : platformThread(platThread)
         , stackBase(base)
+        , m_machineThreads(machineThreads)
     {
 #if USE(PTHREADS) && !OS(WINDOWS) && !OS(DARWIN) && defined(SA_RESTART)
@@ -114 +115 @@
     PlatformThread platformThread;
     void* stackBase;
+    RefPtr<MachineThreads> m_machineThreads;
 };
 
@@ -121 +123 @@
 #if !ASSERT_DISABLED
     , m_heap(heap)
+    , m_magicNumber(0x1234567890abcdef)
 #endif
 {
@@ -137 +140 @@
         t = next;
     }
+#if !ASSERT_DISABLED
+    m_magicNumber = 0xbaddbeefdeadbeef;
+#endif
 }
 
@@ -171 +177 @@
 
     threadSpecificSet(m_threadSpecific, this);
-    Thread* thread = new Thread(getCurrentPlatformThread(), wtfThreadData().stack().origin());
+    Thread* thread = new Thread(this, getCurrentPlatformThread(), wtfThreadData().stack().origin());
 
     MutexLocker lock(m_registeredThreadsMutex);
@@ -181 +187 @@
 void MachineThreads::removeThread(void* p)
 {
+    ASSERT(static_cast<MachineThreads*>(p)->m_magicNumber == 0x1234567890abcdef);
     static_cast<MachineThreads*>(p)->removeCurrentThread();
 }
@@ -188 +195 @@
     PlatformThread currentPlatformThread = getCurrentPlatformThread();
 
+    // This thread could be the last entity that holds a RefPtr to the
+    // MachineThreads registry. We don't want the registry to be deleted while
+    // we're deleting the the Thread entry, because:
+    //
+    // 1. ~MachineThread() will attempt to lock its m_registeredThreadsMutex
+    //    and we already hold it here. m_registeredThreadsMutex is not
+    //    re-entrant.
+    // 2. The MutexLocker will unlock m_registeredThreadsMutex at the end of
+    //    this function. We can't let it be destructed until before then.
+    //
+    // Using this RefPtr here will defer destructing the registry till after
+    // MutexLocker releases its m_registeredThreadsMutex.
+    RefPtr<MachineThreads> retainMachineThreadsRegistryUntilDoneRemovingThread = this;
+
+    ASSERT(m_magicNumber == 0x1234567890abcdef);
     MutexLocker lock(m_registeredThreadsMutex);
     if (equalThread(currentPlatformThread, m_registeredThreads->platformThread)) {

trunk/Source/JavaScriptCore/heap/MachineStackMarker.h

@@ -25 +25 @@
 #include <setjmp.h>
 #include <wtf/Noncopyable.h>
+#include <wtf/ThreadSafeRefCounted.h>
 #include <wtf/ThreadSpecific.h>
 #include <wtf/ThreadingPrimitives.h>
@@ -35 +36 @@
     class JITStubRoutineSet;
 
-    class MachineThreads {
+    class MachineThreads : public ThreadSafeRefCounted<MachineThreads> {
         WTF_MAKE_NONCOPYABLE(MachineThreads);
     public:
@@ -47 +48 @@
         JS_EXPORT_PRIVATE void addCurrentThread(); // Only needs to be called by clients that can use the same heap from multiple threads.
 
+        void removeCurrentThread();
+
     private:
         class Thread;
@@ -56 +59 @@
 
         static void removeThread(void*);
-        void removeCurrentThread();
 
         Mutex m_registeredThreadsMutex;
@@ -63 +65 @@
 #if !ASSERT_DISABLED
         Heap* m_heap;
+        uint64_t m_magicNumber; // Only used for detecting use after free.
 #endif
     };