Skip to site navigation (Press enter)

[webkit-changes] [241655] trunk

sbarati Sun, 17 Feb 2019 17:28:44 -0800

Title: [241655] trunk

Revision: 241655
Author: sbar...@apple.com
Date: 2019-02-17 17:27:22 -0800 (Sun, 17 Feb 2019)

Log Message

Deadlock when adding a Structure property transition and then doing incremental marking
https://bugs.webkit.org/show_bug.cgi?id=194767


Reviewed by Mark Lam.

JSTests:

* stress/incremental-marking-should-not-dead-lock-in-new-property-transition.js: Added.

Source/_javascript_Core:

This can happen in the following scenario:

You have a Structure S. S is on the mark stack. Then:
1. S grabs its lock
2. S adds a new property transition
3. We find out we need to do some incremental marking
4. We mark S
5. visitChildren on S will try to grab its lock
6. We are now in a deadlock

* heap/Heap.cpp:
(JSC::Heap::performIncrement):
* runtime/Structure.cpp:
(JSC::Structure::addNewPropertyTransition):

Modified Paths

trunk/JSTests/ChangeLog
trunk/Source/_javascript_Core/ChangeLog
trunk/Source/_javascript_Core/heap/Heap.cpp
trunk/Source/_javascript_Core/runtime/Structure.cpp

Added Paths

trunk/JSTests/stress/incremental-marking-should-not-dead-lock-in-new-property-transition.js

Diff

Modified: trunk/JSTests/ChangeLog (241654 => 241655)


--- trunk/JSTests/ChangeLog	2019-02-18 00:11:24 UTC (rev 241654)
+++ trunk/JSTests/ChangeLog	2019-02-18 01:27:22 UTC (rev 241655)
@@ -1,3 +1,12 @@
+2019-02-17  Saam Barati  <sbar...@apple.com>
+
+        Deadlock when adding a Structure property transition and then doing incremental marking
+        https://bugs.webkit.org/show_bug.cgi?id=194767
+
+        Reviewed by Mark Lam.
+
+        * stress/incremental-marking-should-not-dead-lock-in-new-property-transition.js: Added.
+
 2019-02-15  Michael Saboff  <msab...@apple.com>
 
         RELEASE_ASSERT at com.apple._javascript_Core: JSC::jsSubstringOfResolved

Added: trunk/JSTests/stress/incremental-marking-should-not-dead-lock-in-new-property-transition.js (0 => 241655)


--- trunk/JSTests/stress/incremental-marking-should-not-dead-lock-in-new-property-transition.js	                        (rev 0)
+++ trunk/JSTests/stress/incremental-marking-should-not-dead-lock-in-new-property-transition.js	2019-02-18 01:27:22 UTC (rev 241655)
@@ -0,0 +1,12 @@
+//@ runDefault("--gcIncrementScale=100", "--gcIncrementBytes=10", "--numberOfGCMarkers=1")
+
+let a = [];
+
+for (let i = 0; i < 1000000; ++i) {
+    let o = {};
+    let p1 = `f${ (Math.random() * 10000000000) | 0 }`
+    let p2 = `f${ (Math.random() * 10000000000) | 0 }`
+    o[p1] = 20;
+    o[p2] = 42;
+    a.push(o);
+}

Modified: trunk/Source/_javascript_Core/ChangeLog (241654 => 241655)


--- trunk/Source/_javascript_Core/ChangeLog	2019-02-18 00:11:24 UTC (rev 241654)
+++ trunk/Source/_javascript_Core/ChangeLog	2019-02-18 01:27:22 UTC (rev 241655)
@@ -1,3 +1,25 @@
+2019-02-17  Saam Barati  <sbar...@apple.com>
+
+        Deadlock when adding a Structure property transition and then doing incremental marking
+        https://bugs.webkit.org/show_bug.cgi?id=194767
+
+        Reviewed by Mark Lam.
+
+        This can happen in the following scenario:
+        
+        You have a Structure S. S is on the mark stack. Then:
+        1. S grabs its lock
+        2. S adds a new property transition
+        3. We find out we need to do some incremental marking
+        4. We mark S
+        5. visitChildren on S will try to grab its lock
+        6. We are now in a deadlock
+
+        * heap/Heap.cpp:
+        (JSC::Heap::performIncrement):
+        * runtime/Structure.cpp:
+        (JSC::Structure::addNewPropertyTransition):
+
 2019-02-17  David Kilzer  <ddkil...@apple.com>
 
         Unreviewed, rolling out r241620.

Modified: trunk/Source/_javascript_Core/heap/Heap.cpp (241654 => 241655)


--- trunk/Source/_javascript_Core/heap/Heap.cpp	2019-02-18 00:11:24 UTC (rev 241654)
+++ trunk/Source/_javascript_Core/heap/Heap.cpp	2019-02-18 01:27:22 UTC (rev 241655)
@@ -2887,6 +2887,9 @@
     if (!m_objectSpace.isMarking())
         return;
 
+    if (isDeferred())
+        return;
+
     m_incrementBalance += bytes * Options::gcIncrementScale();
 
     // Save ourselves from crazy. Since this is an optimization, it's OK to go back to any consistent

Modified: trunk/Source/_javascript_Core/runtime/Structure.cpp (241654 => 241655)


--- trunk/Source/_javascript_Core/runtime/Structure.cpp	2019-02-18 00:11:24 UTC (rev 241654)
+++ trunk/Source/_javascript_Core/runtime/Structure.cpp	2019-02-18 01:27:22 UTC (rev 241655)
@@ -510,6 +510,7 @@
     checkOffset(transition->m_offset, transition->inlineCapacity());
     {
         ConcurrentJSLocker locker(structure->m_lock);
+        DeferGC deferGC(vm.heap);
         structure->m_transitionTable.add(vm, transition);
     }
     transition->checkOffsetConsistency();

_______________________________________________
webkit-changes mailing list
webkit-changes@lists.webkit.org
https://lists.webkit.org/mailman/listinfo/webkit-changes