Bug 172738

Summary:

Implementors of memoryCost() need to be thread-safe

Product:

WebKit

Reporter:

Simon Fraser (smfr) <simon.fraser>

Component:

JavaScriptCore

Assignee:

Mark Lam <mark.lam>

Status:

RESOLVED FIXED

Severity:

Normal

CC:

ap, buildbot, cdumez, fpizlo, keith_miller, mark.lam, msaboff, sam, simon.fraser, webkit-bug-importer

Priority:

Keywords:

InRadar

Version:

WebKit Local Build

Hardware:

Unspecified

OS:

Unspecified

See Also:

https://bugs.webkit.org/show_bug.cgi?id=200504

Attachments:

Description	Flags
proposed patch.	keith_miller: review+

Simon Fraser (smfr)

Reported 2017-05-30 16:01:13 PDT

JSC calls visitChildren(JSCell* cell, SlotVisitor& visitor) on its GC threads, yet I don't expect that any implementers of visitChildren() or memoryCost() are thread-safe. For example, AudioBuffer::memoryCost() loops over channels with no lock, HTMLCollection::memoryCost() does a bunch of math on map sizes, HTMLCanvasElement::memoryCost() consults the image buffer, which races with image buffer assignment etc.

Attachments
proposed patch. (18.39 KB, patch) 2017-07-12 12:03 PDT, Mark Lam	keith_miller: review+	Details Formatted Diff Diff
View All Add attachment proposed patch, testcase, etc.

Radar WebKit Bug Importer

Comment 1 2017-05-30 16:02:16 PDT

<rdar://problem/32474881>

Mark Lam

Comment 2 2017-05-30 16:49:36 PDT

1. It is safe for the GC to scan any JS object pointers in these DOM objects because the GC controls the life-cycle of JS objects referenced by those pointers. 2. It is safe for the GC to scan wrapped objects because: a. all JS DOM object wrappers extend JSDOMWrapper, and b. JSDOMWrapper has a Ref to the wrapped object. This means that the wrapped object is guaranteed to outlive the JS wrapper. Also, there's a 1 to 1 correspondence between the wrapper and the wrapped object. We never change the wrapped object after creation of the wrapper. Based on the above, the work in visitChildren should be safe because the "visiting" is should only be done on JS objects pointers. Calling memoryCost() on wrapped objects is safe because the wrapped object is guaranteed to be alive still. The remaining question is whether the various implementations of memoryCost() does anything with sub-objects that are not tied to the liveness of JS objects. We should still do a survey of the visitChildren implementations to see if they call any other C++ member functions that may also do thread unsafe work.

Mark Lam

Comment 3 2017-07-12 12:03:49 PDT

Created attachment 315267 [details] proposed patch.

Build Bot

Comment 4 2017-07-12 12:04:52 PDT

Attachment 315267 [details] did not pass style-queue: ERROR: Source/WebCore/dom/LiveNodeList.h:94: This { should be at the end of the previous line [whitespace/braces] [4] ERROR: Source/WebCore/html/CachedHTMLCollection.h:45: This { should be at the end of the previous line [whitespace/braces] [4] Total errors found: 2 in 13 files If any of these errors are false positives, please file a bug against check-webkit-style.

Keith Miller

Comment 5 2017-07-13 11:16:49 PDT

Comment on attachment 315267 [details] proposed patch. r=me.

Mark Lam

Comment 6 2017-07-13 12:17:46 PDT

Thanks for the review. Landed in r219460: <http://trac.webkit.org/r219460>.

Note You need to log in before you can comment on or make changes to this bug.