Closed Bug 325521 Opened 20 years ago Closed 19 years ago

JS_YieldRequest() allows the garbage collector to race

Categories

(Core :: JavaScript Engine, defect)

Product:
Core
Component:
JavaScript Engine
Platform:
x86
Windows XP
Type:
defect
Priority:
Not set
Severity:
normal

Tracking

()

Status:
RESOLVED FIXED
Milestone:
mozilla1.8.1beta1

People

(Reporter: daumling, Assigned: daumling)

Details

(Keywords: fixed1.8.1)

Attachments

(1 file)

Patch as desrbied in bug.
918 bytes, patch
brendan
: review+
mtschrep
: approval1.8.1+
Details | Diff | Splinter Review
JS_YieldRequest() is IMHO a quick replacement for a JS_SuspendRequest/JS_ResumeRequest combo. If used, a garbage collector on a separate thread races. It appears that the function does not wait for any garbage collector to succeed. I do not have the latest Trucnk code installed, so please forgive me if I submit my proposed fix here. This fix appears to work well. JS_PUBLIC_API(void) JS_YieldRequest(JSContext *cx) { JSRuntime *rt; JS_ASSERT(cx->thread); CHECK_REQUEST(cx); rt = cx->runtime; JS_LOCK_GC(rt); JS_ASSERT(rt->requestCount > 0); rt->requestCount--; if (rt->requestCount == 0) JS_NOTIFY_REQUEST_DONE(rt); JS_UNLOCK_GC(rt); /* XXXbe give the GC or another request calling it a chance to run here? Assumes FIFO scheduling */ JS_LOCK_GC(rt); /* BEGIN FIX */ if (rt->gcThread != cx->thread) { while (rt->gcLevel > 0) JS_AWAIT_GC_DONE(rt); } /* END FIX */ rt->requestCount++; JS_UNLOCK_GC(rt); } Brendan, please review if this fix is correct.
shaver, what do you think? Looks like the right fix to me. /be
Yeah, it does.
Since you agree that this is the fix, I'll take the bug.
Assignee: general → daumling
Status: NEW → ASSIGNED
Attachment #210984 - Flags: review?(brendan)
Comment on attachment 210984 [details] [diff] [review] Patch as desrbied in bug. Checking in, and I took the opportunity to trim trailing spaces from unrelated lines in this file. /be
Attachment #210984 - Flags: review?(brendan) → review+
Blocks: js1.6rc1
Status: ASSIGNED → RESOLVED
Closed: 19 years ago
Resolution: --- → FIXED
Flags: testcase-
Flags: blocking1.8.1?
There's a blocking1.8.1? nomination on this bug. Should it be landed on the 1.8 branch for 1.8.1?
Attachment #210984 - Flags: approval1.8.1+
Flags: blocking1.8.1? → blocking1.8.1+
Whiteboard: [checkin needed]
Is this part of the JS 1.7 landing? If not, can we get it checked in to the 1.8.1 branch?
Target Milestone: --- → mozilla1.8.1beta1
Fixed with JS1.7 landing. /be
Whiteboard: [checkin needed]
Keywords: fixed1.8.1
not on 1.8.0, not making js16
No longer blocks: js1.6rc1
You need to log in before you can comment on or make changes to this bug.

Attachment

General

Creator:
Created:
Updated:
Size: