Changeset 219114 in webkit


Ignore:
Timestamp:
Jul 3, 2017 10:18:15 PM (7 years ago)
Author:
sbarati@apple.com
Message:

LayoutTest workers/bomb.html is a Crash
https://bugs.webkit.org/show_bug.cgi?id=167757
<rdar://problem/33086462>

Reviewed by Keith Miller.

Source/JavaScriptCore:

VMTraps::SignalSender was accessing VM fields even after
the VM was destroyed. This happened when the SignalSender
thread was in the middle of its work() function while VMTraps
was notified that the VM was shutting down. The VM would proceed
to run its destructor even after the SignalSender thread finished
doing its work. This means that the SignalSender thread was accessing
VM field eve after VM was destructed (including itself, since it is
transitively owned by the VM). The VM must wait for the SignalSender
thread to shutdown before it can continue to destruct itself.

  • runtime/VMTraps.cpp:

(JSC::VMTraps::willDestroyVM):

Source/WTF:

  • wtf/AutomaticThread.cpp:

(WTF::AutomaticThreadCondition::waitFor):

  • wtf/AutomaticThread.h:

LayoutTests:

  • platform/mac-wk2/TestExpectations:
Location:
trunk
Files:
7 edited

Legend:

Unmodified
Added
Removed
  • trunk/LayoutTests/ChangeLog

    r219107 r219114  
     12017-07-03  Saam Barati  <sbarati@apple.com>
     2
     3        LayoutTest workers/bomb.html is a Crash
     4        https://bugs.webkit.org/show_bug.cgi?id=167757
     5        <rdar://problem/33086462>
     6
     7        Reviewed by Keith Miller.
     8
     9        * platform/mac-wk2/TestExpectations:
     10
    1112017-07-03  Matt Lewis  <jlewis3@apple.com>
    212
  • trunk/LayoutTests/platform/mac-wk2/TestExpectations

    r219107 r219114  
    707707webkit.org/b/173608 webrtc/video-replace-muted-track.html [ Pass Failure ]
    708708
    709 webkit.org/b/167757 workers/bomb.html [ Skip ]
    710 
     709webkit.org/b/167757 workers/bomb.html [ Pass Timeout ]
     710
  • trunk/Source/JavaScriptCore/ChangeLog

    r219111 r219114  
     12017-07-03  Saam Barati  <sbarati@apple.com>
     2
     3        LayoutTest workers/bomb.html is a Crash
     4        https://bugs.webkit.org/show_bug.cgi?id=167757
     5        <rdar://problem/33086462>
     6
     7        Reviewed by Keith Miller.
     8
     9        VMTraps::SignalSender was accessing VM fields even after
     10        the VM was destroyed. This happened when the SignalSender
     11        thread was in the middle of its work() function while VMTraps
     12        was notified that the VM was shutting down. The VM would proceed
     13        to run its destructor even after the SignalSender thread finished
     14        doing its work. This means that the SignalSender thread was accessing
     15        VM field eve after VM was destructed (including itself, since it is
     16        transitively owned by the VM). The VM must wait for the SignalSender
     17        thread to shutdown before it can continue to destruct itself.
     18
     19        * runtime/VMTraps.cpp:
     20        (JSC::VMTraps::willDestroyVM):
     21
    1222017-07-03  Saam Barati  <sbarati@apple.com>
    223
  • trunk/Source/JavaScriptCore/runtime/VMTraps.cpp

    r219105 r219114  
    255255    WorkResult work() override
    256256    {
    257 
    258         // We need a nested scope so that we'll release the lock before we sleep below.
    259257        VM& vm = m_vm;
    260258
     
    292290        }
    293291
    294         sleepMS(1);
     292        {
     293            auto locker = holdLock(*traps().m_lock);
     294            if (traps().m_isShuttingDown)
     295                return WorkResult::Stop;
     296            traps().m_trapSet->waitFor(*traps().m_lock, 1_ms);
     297        }
    295298        return WorkResult::Continue;
    296299    }
     
    306309{
    307310    m_isShuttingDown = true;
    308     WTF::storeStoreFence();
    309311#if ENABLE(SIGNAL_BASED_VM_TRAPS)
    310312    if (m_signalSender) {
     
    314316                m_trapSet->notifyAll(locker);
    315317        }
    316         if (!ASSERT_DISABLED)
    317             m_signalSender->join();
     318        m_signalSender->join();
    318319        m_signalSender = nullptr;
    319320    }
  • trunk/Source/WTF/ChangeLog

    r219105 r219114  
     12017-07-03  Saam Barati  <sbarati@apple.com>
     2
     3        LayoutTest workers/bomb.html is a Crash
     4        https://bugs.webkit.org/show_bug.cgi?id=167757
     5        <rdar://problem/33086462>
     6
     7        Reviewed by Keith Miller.
     8
     9        * wtf/AutomaticThread.cpp:
     10        (WTF::AutomaticThreadCondition::waitFor):
     11        * wtf/AutomaticThread.h:
     12
    1132017-07-03  Commit Queue  <commit-queue@webkit.org>
    214
  • trunk/Source/WTF/wtf/AutomaticThread.cpp

    r217055 r219114  
    8080{
    8181    m_condition.wait(lock);
     82}
     83
     84bool AutomaticThreadCondition::waitFor(Lock& lock, Seconds time)
     85{
     86    return m_condition.waitFor(lock, time);
    8287}
    8388
  • trunk/Source/WTF/wtf/AutomaticThread.h

    r218872 r219114  
    8383    // its partner.
    8484    WTF_EXPORT_PRIVATE void wait(Lock&);
     85    WTF_EXPORT_PRIVATE bool waitFor(Lock&, Seconds);
    8586   
    8687private:
Note: See TracChangeset for help on using the changeset viewer.