815258 - IonMonkey: clone type sets that might be accessed off thread by compiler

Status: RESOLVED FIXED

(Core :: JavaScript Engine, defect)

Description

[Brian Hackett [Laid off!]]

Attachment: patch (1817f6bc2681)

Almost all uses of TypeSets in Ion occur on the main thread during IonBuilder.  A few MIR nodes keep pointers to these type sets though, which are used during backend compilation.  Currently, the main thread can update type sets without first canceling related off thread compilations, so these reads and writes can race and cause crashes (though not incorrect codegen, since the compilation will be canceled later in the type set write).

One of the patches in bug 785905 would fix this by ensuring the main thread cancels compilations before modifying type sets, thus allowing the compiler backend to read type sets with no fear of racing.  That patch is a substantial amount of new code though, and would be completely gone after bug 804676.  Bug 804676 will be structured to allow off thread compilers to read from any type sets without fear of races, and will be the longer term solution here.

For now, this patch just changes the affected MIR nodes to use a type set that was cloned into the compiler's lifo allocator during IonBuilder.

Comment 1

[Brian Hackett [Laid off!]]

https://hg.mozilla.org/integration/mozilla-inbound/rev/de5da369a1c8

Comment 2

[Ed Morley [:emorley]]

https://hg.mozilla.org/mozilla-central/rev/de5da369a1c8

Comment 3

[Brian Hackett [Laid off!]]

Attachment: add missing cloneTypeSet

Earlier patch missed a point where cloneTypeSet is needed.

Comment 4

[Brian Hackett [Laid off!]]

https://hg.mozilla.org/integration/mozilla-inbound/rev/c73e30eaccdd

Comment 5

[Ed Morley [:emorley]]

https://hg.mozilla.org/mozilla-central/rev/c73e30eaccdd