Closed Bug 815258 Opened 10 years ago Closed 10 years ago

IonMonkey: clone type sets that might be accessed off thread by compiler

Categories

(Core :: JavaScript Engine, defect)

Product:
Core
Component:
JavaScript Engine
Version:
Other Branch
Platform:
x86
macOS
Type:
defect
Priority:
Not set
Severity:
normal

Tracking

()

Status:
RESOLVED FIXED
Milestone:
mozilla20

People

(Reporter: bhackett1024, Assigned: bhackett1024)

References

Details

Attachments

(2 files)

patch (1817f6bc2681)
17.90 KB, patch
dvander
: review+
Details | Diff | Splinter Review
add missing cloneTypeSet
773 bytes, patch
dvander
: review+
Details | Diff | Splinter Review 
Almost all uses of TypeSets in Ion occur on the main thread during IonBuilder.  A few MIR nodes keep pointers to these type sets though, which are used during backend compilation.  Currently, the main thread can update type sets without first canceling related off thread compilations, so these reads and writes can race and cause crashes (though not incorrect codegen, since the compilation will be canceled later in the type set write).

One of the patches in bug 785905 would fix this by ensuring the main thread cancels compilations before modifying type sets, thus allowing the compiler backend to read type sets with no fear of racing.  That patch is a substantial amount of new code though, and would be completely gone after bug 804676.  Bug 804676 will be structured to allow off thread compilers to read from any type sets without fear of races, and will be the longer term solution here.

For now, this patch just changes the affected MIR nodes to use a type set that was cloned into the compiler's lifo allocator during IonBuilder.
Attachment #685264 - Flags: review?(dvander)
Attachment #685264 - Flags: review?(dvander) → review+
https://hg.mozilla.org/mozilla-central/rev/de5da369a1c8
Status: NEW → RESOLVED
Closed: 10 years ago
Resolution: --- → FIXED
Target Milestone: --- → mozilla20
Earlier patch missed a point where cloneTypeSet is needed.
Assignee: general → bhackett1024
Attachment #690362 - Flags: review?(dvander)
Status: RESOLVED → REOPENED
Resolution: FIXED → ---
Attachment #690362 - Flags: review?(dvander) → review+
https://hg.mozilla.org/mozilla-central/rev/c73e30eaccdd
Status: REOPENED → RESOLVED
Closed: 10 years ago10 years ago
Resolution: --- → FIXED
You need to log in before you can comment on or make changes to this bug.