Ignore:
Timestamp:
Oct 14, 2013, 12:34:44 PM (12 years ago)
Author:
[email protected]
Message:

llint_slow_path_put_by_id can deadlock on a ConcurrentJITLock
https://bugs.webkit.org/show_bug.cgi?id=122667

Reviewed by Filip Pizlo.

The issue this patch is attempting to fix is that there are places in our codebase
where we acquire the ConcurrentJITLock for a particular CodeBlock, then we do some
operations that can initiate a garbage collection. Garbage collection then calls
some methods of CodeBlock that also take the ConcurrentJITLock (because they don't
always necessarily run during garbage collection). This causes a deadlock.

To fix this issue, this patch adds a new RAII-style object (DisallowGC) that stores
into a thread-local field that indicates that it is unsafe to perform any operation
that could trigger garbage collection on the current thread. In debug builds,
ConcurrentJITLocker contains one of these DisallowGC objects so that we can eagerly
detect deadlocks.

This patch also adds a new type of ConcurrentJITLocker, GCSafeConcurrentJITLocker,
which uses the DeferGC mechanism to prevent collections from occurring while the
lock is held.

  • CMakeLists.txt:
  • GNUmakefile.list.am:
  • JavaScriptCore.vcxproj/JavaScriptCore.vcxproj:
  • JavaScriptCore.vcxproj/JavaScriptCore.vcxproj.filters:
  • JavaScriptCore.xcodeproj/project.pbxproj:
  • heap/DeferGC.cpp: Added.
  • heap/DeferGC.h:

(JSC::DisallowGC::DisallowGC):
(JSC::DisallowGC::~DisallowGC):
(JSC::DisallowGC::isGCDisallowedOnCurrentThread):
(JSC::DisallowGC::initialize):

  • jit/JITStubs.cpp:

(JSC::tryCachePutByID):
(JSC::tryCacheGetByID):
(JSC::DEFINE_STUB_FUNCTION):

  • llint/LLIntSlowPaths.cpp:

(JSC::LLInt::LLINT_SLOW_PATH_DECL):

  • runtime/ConcurrentJITLock.h:

(JSC::ConcurrentJITLockerBase::ConcurrentJITLockerBase):
(JSC::ConcurrentJITLockerBase::~ConcurrentJITLockerBase):
(JSC::ConcurrentJITLockerBase::unlockEarly):
(JSC::GCSafeConcurrentJITLocker::GCSafeConcurrentJITLocker):
(JSC::ConcurrentJITLocker::ConcurrentJITLocker):

  • runtime/InitializeThreading.cpp:

(JSC::initializeThreadingOnce):

  • runtime/JSCellInlines.h:

(JSC::allocateCell):

  • runtime/Structure.cpp:

(JSC::Structure::materializePropertyMap):
(JSC::Structure::putSpecificValue):
(JSC::Structure::createPropertyMap):

  • runtime/Structure.h:
File:
1 edited

Legend:

Unmodified
Added
Removed

  • trunk/Source/JavaScriptCore/ChangeLog

    r157411 r157413  
     12013-10-11  Mark Hahnenberg  <[email protected]>
     2
     3        llint_slow_path_put_by_id can deadlock on a ConcurrentJITLock
     4        https://bugs.webkit.org/show_bug.cgi?id=122667
     5
     6        Reviewed by Filip Pizlo.
     7
     8        The issue this patch is attempting to fix is that there are places in our codebase
     9        where we acquire the ConcurrentJITLock for a particular CodeBlock, then we do some
     10        operations that can initiate a garbage collection. Garbage collection then calls
     11        some methods of CodeBlock that also take the ConcurrentJITLock (because they don't
     12        always necessarily run during garbage collection). This causes a deadlock.
     13
     14        To fix this issue, this patch adds a new RAII-style object (DisallowGC) that stores
     15        into a thread-local field that indicates that it is unsafe to perform any operation
     16        that could trigger garbage collection on the current thread. In debug builds,
     17        ConcurrentJITLocker contains one of these DisallowGC objects so that we can eagerly
     18        detect deadlocks.
     19
     20        This patch also adds a new type of ConcurrentJITLocker, GCSafeConcurrentJITLocker,
     21        which uses the DeferGC mechanism to prevent collections from occurring while the
     22        lock is held.
     23
     24        * CMakeLists.txt:
     25        * GNUmakefile.list.am:
     26        * JavaScriptCore.vcxproj/JavaScriptCore.vcxproj:
     27        * JavaScriptCore.vcxproj/JavaScriptCore.vcxproj.filters:
     28        * JavaScriptCore.xcodeproj/project.pbxproj:
     29        * heap/DeferGC.cpp: Added.
     30        * heap/DeferGC.h:
     31        (JSC::DisallowGC::DisallowGC):
     32        (JSC::DisallowGC::~DisallowGC):
     33        (JSC::DisallowGC::isGCDisallowedOnCurrentThread):
     34        (JSC::DisallowGC::initialize):
     35        * jit/JITStubs.cpp:
     36        (JSC::tryCachePutByID):
     37        (JSC::tryCacheGetByID):
     38        (JSC::DEFINE_STUB_FUNCTION):
     39        * llint/LLIntSlowPaths.cpp:
     40        (JSC::LLInt::LLINT_SLOW_PATH_DECL):
     41        * runtime/ConcurrentJITLock.h:
     42        (JSC::ConcurrentJITLockerBase::ConcurrentJITLockerBase):
     43        (JSC::ConcurrentJITLockerBase::~ConcurrentJITLockerBase):
     44        (JSC::ConcurrentJITLockerBase::unlockEarly):
     45        (JSC::GCSafeConcurrentJITLocker::GCSafeConcurrentJITLocker):
     46        (JSC::ConcurrentJITLocker::ConcurrentJITLocker):
     47        * runtime/InitializeThreading.cpp:
     48        (JSC::initializeThreadingOnce):
     49        * runtime/JSCellInlines.h:
     50        (JSC::allocateCell):
     51        * runtime/Structure.cpp:
     52        (JSC::Structure::materializePropertyMap):
     53        (JSC::Structure::putSpecificValue):
     54        (JSC::Structure::createPropertyMap):
     55        * runtime/Structure.h:
     56
    1572013-10-14  Filip Pizlo  <[email protected]>
    258
Note: See TracChangeset for help on using the changeset viewer.