Closed
Bug 815258
Opened 7 years ago
Closed 7 years ago
IonMonkey: clone type sets that might be accessed off thread by compiler
Categories
(Core :: JavaScript Engine, defect)
Not set
Tracking
()
RESOLVED
FIXED
mozilla20
People
(Reporter: bhackett, Assigned: bhackett)
References
Details
Attachments
(2 files)
|
17.90 KB,
patch
|
dvander
:
review+
|
Details | Diff | Splinter Review |
|
773 bytes,
patch
|
dvander
:
review+
|
Details | Diff | Splinter Review |
Almost all uses of TypeSets in Ion occur on the main thread during IonBuilder. A few MIR nodes keep pointers to these type sets though, which are used during backend compilation. Currently, the main thread can update type sets without first canceling related off thread compilations, so these reads and writes can race and cause crashes (though not incorrect codegen, since the compilation will be canceled later in the type set write). One of the patches in bug 785905 would fix this by ensuring the main thread cancels compilations before modifying type sets, thus allowing the compiler backend to read type sets with no fear of racing. That patch is a substantial amount of new code though, and would be completely gone after bug 804676. Bug 804676 will be structured to allow off thread compilers to read from any type sets without fear of races, and will be the longer term solution here. For now, this patch just changes the affected MIR nodes to use a type set that was cloned into the compiler's lifo allocator during IonBuilder.
Attachment #685264 -
Flags: review?(dvander)
Attachment #685264 -
Flags: review?(dvander) → review+
|
Assignee | |
Comment 1•7 years ago
|
||
https://hg.mozilla.org/integration/mozilla-inbound/rev/de5da369a1c8
|
||
Comment 2•7 years ago
|
||
https://hg.mozilla.org/mozilla-central/rev/de5da369a1c8
Status: NEW → RESOLVED
Closed: 7 years ago
Resolution: --- → FIXED
Target Milestone: --- → mozilla20
|
|
Assignee | |
Comment 3•7 years ago
|
||
Earlier patch missed a point where cloneTypeSet is needed.
Assignee: general → bhackett1024
Attachment #690362 -
Flags: review?(dvander)
|
|
Assignee | |
Updated•7 years ago
|
Status: RESOLVED → REOPENED
Resolution: FIXED → ---
Attachment #690362 -
Flags: review?(dvander) → review+
|
|
Assignee | |
Comment 4•7 years ago
|
||
https://hg.mozilla.org/integration/mozilla-inbound/rev/c73e30eaccdd
|
|
||
Comment 5•7 years ago
|
||
https://hg.mozilla.org/mozilla-central/rev/c73e30eaccdd
Status: REOPENED → RESOLVED
Closed: 7 years ago → 7 years ago
Resolution: --- → FIXED
You need to log in
before you can comment on or make changes to this bug.
Description
•