WebKit Bugzilla
Attachment 372242 Details for Bug 198913: Concurrent GC should check the conn before starting a new collection cycle
[patch] Patch: bug-198913-20190617140900.patch (text/plain), 2.51 KB, created by Tadeu Zagallo on 2019-06-17 05:09:01 PDT
>Subversion Revision: 246349 >diff --git a/Source/JavaScriptCore/ChangeLog b/Source/JavaScriptCore/ChangeLog >index 1c08f6039c11084d1187a15c60f0e13526899bdd..89832e0023db347f60bcf08ff59909b6362be8f5 100644 >--- a/Source/JavaScriptCore/ChangeLog >+++ b/Source/JavaScriptCore/ChangeLog >@@ -1,3 +1,26 @@ >+2019-06-17 Tadeu Zagallo <tzagallo@apple.com> >+ >+ Concurrent GC should check the conn before starting a new collection cycle >+ https://bugs.webkit.org/show_bug.cgi?id=198913 >+ <rdar://problem/49515149> >+ >+ Reviewed by NOBODY (OOPS!). >+ >+ Heap::requestCollection tries to steal the conn as an optimization to avoid waking up the collector >+ thread if it's idle. We determine if the collector is idle by ensuring that there are no pending collections >+ and that the current GC phase is NotRunning. However, that's not safe immediately after the concurrent >+ GC has finished processing the last pending request. The collector thread will runEndPhase and immediately >+ start runNotRunningPhase, without checking if it still has the conn. If the mutator has stolen the conn in >+ the mean time, this will lead to both threads collecting concurrently, and eventually we'll crash in checkConn, >+ since the collector is running but doesn't have the conn anymore. >+ >+ To solve this, we check if we still have the conn after holding the lock in runNotRunningPhase, in case the mutator >+ has stolen the conn. Ideally, we wouldn't let the mutator steal the conn in the first place, but that doesn't seem >+ trivial to determine. >+ >+ * heap/Heap.cpp: >+ (JSC::Heap::runNotRunningPhase): >+ > 2019-06-11 Alexey Shvayka <shvaikalesh@gmail.com> > > JSC should throw if proxy set returns falsish in strict mode context >diff --git a/Source/JavaScriptCore/heap/Heap.cpp b/Source/JavaScriptCore/heap/Heap.cpp >index a85207f12cf603f047881d164cc678274483ffee..d9a7ebe26312138da25677ed004f99b4883990f6 100644 >--- a/Source/JavaScriptCore/heap/Heap.cpp >+++ b/Source/JavaScriptCore/heap/Heap.cpp 
>@@ -1234,6 +1234,9 @@ NEVER_INLINE bool Heap::runNotRunningPhase(GCConductor conn) > auto locker = holdLock(*m_threadLock); > if (m_requests.isEmpty()) > return false; >+ // Check if the mutator has stolen the conn while the collector transitioned from End to NotRunning >+ if (conn == GCConductor::Collector && !!(m_worldState.load() & mutatorHasConnBit)) >+ return false; > } > > return changePhase(conn, CollectorPhase::Begin);
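Review bot: In the ChangeLog hunk, the file list names only heap/Heap.cpp and the patch touches no test, so nothing guards against a regression of the End to NotRunning race the entry describes. Please add a stress test, or say in the entry why the race cannot be reproduced reliably. The closing paragraph ("Ideally, we wouldn't let the mutator steal the conn in the first place") records a known limitation; it would be easier to find later as a FIXME next to the new check in runNotRunningPhase. Minor: "mean time" should be "meantime".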
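Review bot: In the Heap.cpp hunk, the new `return false` under `if (conn == GCConductor::Collector && ...)` is reached while m_requests is non-empty, yet it returns the same value as the `m_requests.isEmpty()` case directly above it, so the caller cannot tell "no work" from "a request is pending but the mutator holds the conn". Please extend the comment to state that the mutator that stole the conn is responsible for running the pending request, so a reader can see the request is not left unserviced. The comment should also say whether the mutator sets mutatorHasConnBit while holding m_threadLock; if it does not, this check narrows the window rather than closing it. Style: the `!!` is redundant because the expression is already an operand of `&&`, and the comment should end with a period.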