WebKit Bugzilla
Attachment 339088 Details for
Bug 185117
: Fixed a very unlikely race condition in WTF::WordLock
Home
|
New
|
Browse
|
Search
|
[?]
|
Reports
|
Requests
|
Help
|
New Account
|
Log In
Remember
[x]
|
Forgot Password
Login:
[x]
[patch]
Patch
bug-185117-20180428213407.patch (text/plain), 3.14 KB, created by
Geoffrey Garen
on 2018-04-28 21:34:07 PDT
(
hide
)
Description:
Patch
Filename:
MIME Type:
Creator:
Geoffrey Garen
Created:
2018-04-28 21:34:07 PDT
Size:
3.14 KB
patch
obsolete
>Index: Source/WTF/ChangeLog >=================================================================== >--- Source/WTF/ChangeLog (revision 231145) >+++ Source/WTF/ChangeLog (working copy) >@@ -1,3 +1,36 @@ >+2018-04-28 Geoffrey Garen <ggaren@apple.com> >+ >+ Fixed a very unlikely race condition in WTF::WordLock >+ https://bugs.webkit.org/show_bug.cgi?id=185117 >+ >+ Reviewed by NOBODY (OOPS!). >+ >+ The race goes like this: >+ >+ Thread L is in lockSlowCase() and thread U is in unlockSlowCase(); >+ >+ - U acquires queueHead->parkingLock. >+ - U sets queueHead->shouldPark = false >+ - U releases queueHead->parkingLock. >+ - L spuriously wakes up from queueHead->parkingLock.wait() >+ - L acquires queueHead->parkingLock. >+ - L notices that queueHead->shouldPark = false, and acquires the WordLock >+ - L finishes all its work and exits, freeing queueHead >+ - U notifies queueHead->parkingLock (after free) and crashes or deadlocks >+ >+ These conditions are currently so unlikely that I don't know how to test >+ them. I noticed this race because I changed WordLock's allocation pattern >+ to allow queueHead to be freed more often, and I crashed / deadlocked 100%. >+ >+ Shout out to <http://en.cppreference.com/w/cpp/thread/condition_variable/notify_one> >+ for explaining this. >+ >+ * benchmarks/ToyLocks.h: Fixed build. >+ >+ * wtf/WordLock.cpp: >+ (WTF::WordLock::unlockSlow): Hold the lock a little longer to avoid >+ this race. >+ > 2018-04-27 David Kilzer <ddkilzer@apple.com> > > Add logging when SpringBoard enables WebThread >Index: Source/WTF/benchmarks/ToyLocks.h >=================================================================== >--- Source/WTF/benchmarks/ToyLocks.h (revision 228023) >+++ Source/WTF/benchmarks/ToyLocks.h (working copy) >@@ -31,6 +31,7 @@ > #include <wtf/Atomics.h> > #include <wtf/Lock.h> > #include <wtf/ParkingLot.h> >+#include <wtf/Threading.h> > #include <wtf/WordLock.h> > > #if __has_include(<os/lock.h>) >Index: Source/WTF/wtf/WordLock.cpp >=================================================================== >--- Source/WTF/wtf/WordLock.cpp (revision 228023) >+++ Source/WTF/wtf/WordLock.cpp (working copy) >@@ -254,12 +254,15 @@ NEVER_INLINE void WordLock::unlockSlow() > // We do this carefully because this may run either before or during the parkingLock critical > // section in lockSlow(). > { >+ // Be sure to hold the lock across our call to notify_one() because a spurious wakeup could >+ // cause the thread at the head of the queue to exit and delete queueHead. > std::lock_guard<std::mutex> locker(queueHead->parkingLock); > queueHead->shouldPark = false; >+ >+ // Doesn't matter if we notify_all() or notify_one() here since the only thread that could be >+ // waiting is queueHead. >+ queueHead->parkingCondition.notify_one(); > } >- // Doesn't matter if we notify_all() or notify_one() here since the only thread that could be >- // waiting is queueHead. >- queueHead->parkingCondition.notify_one(); > > // The old queue head can now contend for the lock again. We're done! > }
<b>You cannot view the attachment while viewing its details because your browser does not support IFRAMEs. <a href="attachment.cgi?id=339088">View the attachment on a separate page</a>.</b>
View Attachment As Diff
View Attachment As Raw
Flags:
saam
:
review+
Actions:
View
|
Formatted Diff
|
Diff
Attachments on
bug 185117
: 339088