Attachment 362257 Details for Bug 194767 – patch

[patch] patch

b-backup.diff (text/plain), 3.53 KB, created by Saam Barati on 2019-02-17 15:08:47 PST

(hide)

Description:

Filename:

MIME Type:

Creator: Saam Barati

Created: 2019-02-17 15:08:47 PST

Size: 3.53 KB

patch

obsolete

>Index: JSTests/ChangeLog
>===================================================================
>--- JSTests/ChangeLog	(revision 241652)
>+++ JSTests/ChangeLog	(working copy)
>@@ -1,3 +1,12 @@
>+2019-02-17  Saam Barati  <sbarati@apple.com>
>+
>+        Deadlock when adding a Structure property transition and then doing incremental marking
>+        https://bugs.webkit.org/show_bug.cgi?id=194767
>+
>+        Reviewed by NOBODY (OOPS!).
>+
>+        * stress/incremental-marking-should-not-dead-lock-in-new-property-transition.js: Added.
>+
> 2019-02-15  Michael Saboff  <msaboff@apple.com>
> 
>         RELEASE_ASSERT at com.apple.JavaScriptCore: JSC::jsSubstringOfResolved
>Index: JSTests/stress/incremental-marking-should-not-dead-lock-in-new-property-transition.js
>===================================================================
>--- JSTests/stress/incremental-marking-should-not-dead-lock-in-new-property-transition.js	(nonexistent)
>+++ JSTests/stress/incremental-marking-should-not-dead-lock-in-new-property-transition.js	(working copy)
>@@ -0,0 +1,12 @@
>+//@ runDefault("--gcIncrementScale=100", "--gcIncrementBytes=10", "--numberOfGCMarkers=1")
>+
>+let a = [];
>+
>+for (let i = 0; i < 1000000; ++i) {
>+    let o = {};
>+    let p1 = `f${ (Math.random() * 10000000000) | 0 }`
>+    let p2 = `f${ (Math.random() * 10000000000) | 0 }`
>+    o[p1] = 20;
>+    o[p2] = 42;
>+    a.push(o);
>+}
>Index: Source/JavaScriptCore/ChangeLog
>===================================================================
>--- Source/JavaScriptCore/ChangeLog	(revision 241651)
>+++ Source/JavaScriptCore/ChangeLog	(working copy)
>@@ -1,3 +1,25 @@
>+2019-02-17  Saam Barati  <sbarati@apple.com>
>+
>+        Deadlock when adding a Structure property transition and then doing incremental marking
>+        https://bugs.webkit.org/show_bug.cgi?id=194767
>+
>+        Reviewed by NOBODY (OOPS!).
>+
>+        This can happen in the following scenario:
>+        
>+        You have a Structure S. S is on the mark stack. Then:
>+        1. S grabs its lock
>+        2. S adds a new property transition
>+        3. We find out we need to do some incremental marking
>+        4. We mark S
>+        5. visitChildren on S will try to grab its lock
>+        6. We are now in a deadlock
>+
>+        * heap/Heap.cpp:
>+        (JSC::Heap::performIncrement):
>+        * runtime/Structure.cpp:
>+        (JSC::Structure::addNewPropertyTransition):
>+
> 2019-02-17  Commit Queue  <commit-queue@webkit.org>
> 
>         Unreviewed, rolling out r241612.
>Index: Source/JavaScriptCore/heap/Heap.cpp
>===================================================================
>--- Source/JavaScriptCore/heap/Heap.cpp	(revision 241650)
>+++ Source/JavaScriptCore/heap/Heap.cpp	(working copy)
>@@ -2887,6 +2887,9 @@ void Heap::performIncrement(size_t bytes
>     if (!m_objectSpace.isMarking())
>         return;
> 
>+    if (isDeferred())
>+        return;
>+
>     m_incrementBalance += bytes * Options::gcIncrementScale();
> 
>     // Save ourselves from crazy. Since this is an optimization, it's OK to go back to any consistent
>Index: Source/JavaScriptCore/runtime/Structure.cpp
>===================================================================
>--- Source/JavaScriptCore/runtime/Structure.cpp	(revision 241650)
>+++ Source/JavaScriptCore/runtime/Structure.cpp	(working copy)
>@@ -510,6 +510,7 @@ Structure* Structure::addNewPropertyTran
>     checkOffset(transition->m_offset, transition->inlineCapacity());
>     {
>         ConcurrentJSLocker locker(structure->m_lock);
>+        DeferGC deferGC(vm.heap);
>         structure->m_transitionTable.add(vm, transition);
>     }
>     transition->checkOffsetConsistency();

Actions: View | Formatted Diff | Diff

Attachments on bug 194767: 362257