Open
Bug 1281390
Opened 9 years ago
Updated 2 years ago
Make template objects less racy
Categories
(Core :: JavaScript Engine: JIT, defect, P3)
Tracking
NEW
People
(Reporter: jandem, Unassigned)
References
(Blocks 1 open bug)
Details
The template objects we use during Ion compilation are racy. MacroAssembler::createGCObject uses the object's shape, group, unboxed layout, etc., and it's very easy to race with the main thread, especially on shape/group flag words (although it's usually on unrelated flags).
One option is to copy everything we need from the template object to some new ObjectTemplate class and then use that off-thread instead of the template object.
It requires some copying, but a compromise is for ObjectTemplate to be able to access the template object's internal slots - just dereferencing the group/shape would be forbidden.
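The ObjectTemplate idea from the description, as an added example that is not part of the bug report and is not SpiderMonkey code. `LiveObject`, `LiveShape`, the bit layout, the slot and header sizes and every function name here are hypothetical stand-ins; only the name `ObjectTemplate` and the copy-on-the-main-thread approach come from the report.

```cpp
#include <cstdint>

// Hypothetical layout: the low 8 bits hold the allocation kind, the higher
// bits hold flags that the main thread rewrites (for example marking state),
// so both live in one word.
constexpr uint32_t kAllocKindMask = 0xFF;
constexpr uint32_t kDelayedMarkBit = 1u << 8;

struct LiveShape { uint32_t flags; uint32_t numFixedSlots; };
struct LiveObject {
    uint32_t kindAndFlags;  // written non-atomically by the main thread
    LiveShape* shape;       // shape flags also change on the main thread
};

// Immutable copy of exactly what code generation needs. It keeps no pointer
// back to the live object, so helper-thread code cannot dereference the
// shape or read the shared flag word by accident.
class ObjectTemplate {
    uint32_t allocKind_;
    uint32_t numFixedSlots_;
    ObjectTemplate(uint32_t k, uint32_t n) : allocKind_(k), numFixedSlots_(n) {}
public:
    // Call on the main thread, before the compile job is handed off.
    static ObjectTemplate snapshot(const LiveObject& obj) {
        return ObjectTemplate(obj.kindAndFlags & kAllocKindMask,
                              obj.shape->numFixedSlots);
    }
    uint32_t allocKind() const { return allocKind_; }
    uint32_t numFixedSlots() const { return numFixedSlots_; }
};

// Stand-in for the helper-thread consumer: it receives only the snapshot
// and never sees LiveObject.
uint32_t allocationSizeOffThread(const ObjectTemplate& t) {
    constexpr uint32_t kHeaderBytes = 16, kSlotBytes = 8;  // assumed sizes
    return kHeaderBytes + t.numFixedSlots() * kSlotBytes;
}

// Main-thread activity that would conflict with any reader of the live words.
void mainThreadMark(LiveObject& obj) {
    obj.kindAndFlags |= kDelayedMarkBit;
    obj.shape->flags ^= 1u;
}
```

Because the helper-thread function takes the snapshot by const reference and the snapshot owns plain copies, later main-thread writes to the flag words are no longer conflicting accesses.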
Updated•8 years ago
Priority: -- → P3
Comment 2•4 years ago
Calling getAllocKind() can also conflict with delayed marking flags which are stored in the same word (if we're marking while compiling off-thread).
Comment 3•4 years ago
Removing this from the tsan blocklist since objects that may produce a race should produce an intermittent and have their own tsan-related bugs.
No longer blocks: tsan
Updated•2 years ago
Severity: normal → S3