Closed Bug 815258 Opened 7 years ago Closed 7 years ago

IonMonkey: clone type sets that might be accessed off thread by compiler

Categories

(Core :: JavaScript Engine, defect)

Other Branch
x86
macOS
defect
Not set

Tracking

RESOLVED FIXED
mozilla20

People

(Reporter: bhackett, Assigned: bhackett)

Attachments

(2 files)

Almost all uses of TypeSets in Ion occur on the main thread during IonBuilder.  A few MIR nodes keep pointers to these type sets though, which are used during backend compilation.  Currently, the main thread can update type sets without first canceling related off thread compilations, so these reads and writes can race and cause crashes (though not incorrect codegen, since the compilation will be canceled later in the type set write).

One of the patches in bug 785905 would fix this by ensuring the main thread cancels compilations before modifying type sets, thus allowing the compiler backend to read type sets with no fear of racing.  That patch is a substantial amount of new code though, and would be completely gone after bug 804676.  Bug 804676 will be structured to allow off thread compilers to read from any type sets without fear of races, and will be the longer term solution here.

For now, this patch just changes the affected MIR nodes to use a type set that was cloned into the compiler's lifo allocator during IonBuilder.
Attachment #685264 - Flags: review?(dvander)
Attachment #685264 - Flags: review?(dvander) → review+
https://hg.mozilla.org/mozilla-central/rev/de5da369a1c8
Status: NEW → RESOLVED
Closed: 7 years ago
Resolution: --- → FIXED
Target Milestone: --- → mozilla20
Earlier patch missed a point where cloneTypeSet is needed.
Assignee: general → bhackett1024
Attachment #690362 - Flags: review?(dvander)
Status: RESOLVED → REOPENED
Resolution: FIXED → ---
Attachment #690362 - Flags: review?(dvander) → review+
https://hg.mozilla.org/mozilla-central/rev/c73e30eaccdd
Status: REOPENED → RESOLVED
Closed: 7 years ago → 7 years ago
Resolution: --- → FIXED
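
The approach described in this bug, sketched as an added example (not code from the attached patches or from SpiderMonkey): a node that will be read by the backend keeps an immutable copy of the type set, made on the main thread in an arena owned by the compilation, instead of a pointer to the live set. `TypeSet`, `LifoArena`, `FrozenTypeSet`, `cloneIntoArena` and `MirNode` are hypothetical stand-ins, and the flat array of type ids is an assumed representation.

```cpp
#include <cstdint>
#include <cstring>
#include <memory>
#include <new>
#include <vector>

// Hypothetical stand-ins for illustration; not SpiderMonkey's real classes.
struct TypeSet {                        // live set, mutated by the main thread
    std::vector<uint32_t> types;
    void add(uint32_t t) { types.push_back(t); }  // may reallocate storage
};

class LifoArena {                       // freed as a whole with its compilation
    std::vector<std::unique_ptr<unsigned char[]>> chunks_;
public:
    void* alloc(size_t n) {
        chunks_.emplace_back(new unsigned char[n ? n : 1]);
        return chunks_.back().get();
    }
};

struct FrozenTypeSet {                  // never written after construction
    const uint32_t* types;
    size_t count;
    bool has(uint32_t t) const {
        for (size_t i = 0; i < count; i++) if (types[i] == t) return true;
        return false;
    }
};

// Called on the main thread during graph building, before the hand-off.
const FrozenTypeSet* cloneIntoArena(LifoArena& arena, const TypeSet& live) {
    size_t n = live.types.size();
    auto* data = static_cast<uint32_t*>(arena.alloc(n * sizeof(uint32_t)));
    if (n) std::memcpy(data, live.types.data(), n * sizeof(uint32_t));
    return new (arena.alloc(sizeof(FrozenTypeSet))) FrozenTypeSet{data, n};
}

// The node keeps the snapshot; a `const TypeSet*` here is the racy design.
struct MirNode { const FrozenTypeSet* typeSet; };

int main() {
    LifoArena arena;
    TypeSet live;
    live.add(1);
    MirNode node{cloneIntoArena(arena, live)};
    live.add(2);                          // later main-thread update
    return node.typeSet->has(2) ? 1 : 0;  // 0: snapshot is unaffected
}
```

The snapshot can go stale after a later write to the live set, which matches the report's point that the write cancels the compilation anyway; what the copy removes is the unsynchronized read of memory the main thread is changing.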