Bug 199053

Summary: [bmalloc] IsoHeap's initialization is racy with IsoHeap::isInitialized
Product: WebKit Reporter: Yusuke Suzuki <ysuzuki>
Component: JavaScriptCoreAssignee: Yusuke Suzuki <ysuzuki>
Status: RESOLVED FIXED    
Severity: Normal CC: benjamin, cdumez, cmarcelo, dbates, ews-watchlist, fpizlo, ggaren, saam, webkit-bug-importer
Priority: P2 Keywords: InRadar
Version: WebKit Nightly Build   
Hardware: Unspecified   
OS: Unspecified   
Attachments:
Description Flags
Patch saam: review+

Yusuke Suzuki
Reported 2019-06-19 18:39:31 PDT
Allocator offset is configured before deallocator offset is configured. But isInitialized just checks Allocator offset. As a result, if there are two thread A and B, 1. A has just initialized IsoHeap's allocator offset. 2. B sees it and B think IsoHeap is initialized 3. B does `std::max(handle.allocatorOffset(), handle.deallocatorOffset())` 4. Since deallocator offset is not configured yet at (1)'s point, it returns `0 - 1` => 0xffffffff 5. (3)'s result becomes 0xffffffff
Attachments
Patch (104.88 KB, patch)
2019-06-19 19:12 PDT, Yusuke Suzuki 		saam: review+
DetailsFormatted DiffDiff
View All Add attachment proposed patch, testcase, etc.
Yusuke Suzuki
Comment 1 2019-06-19 18:40:49 PDT
<rdar://problem/51517867>
Yusuke Suzuki
Comment 2 2019-06-19 19:12:58 PDT
Created attachment 372514 [details] Patch
Saam Barati
Comment 3 2019-06-19 20:16:38 PDT
Comment on attachment 372514 [details] Patch View in context: https://bugs.webkit.org/attachment.cgi?id=372514&action=review Nice!!! r=me > Source/bmalloc/bmalloc/IsoHeapInlines.h:86 > + auto* heap = new IsoHeapImpl<Config>(); > + setAllocatorOffset(heap->allocatorOffset()); > + setDeallocatorOffset(heap->deallocatorOffset()); > + auto* atomic = reinterpret_cast<std::atomic<IsoHeapImpl<Config>*>*>(&m_impl); > + atomic->store(heap, std::memory_order_release); Can you comment on this ordering being important?
Saam Barati
Comment 4 2019-06-19 20:17:43 PDT
(In reply to Saam Barati from comment #3) > Comment on attachment 372514 [details] > Patch > > View in context: > https://bugs.webkit.org/attachment.cgi?id=372514&action=review > > Nice!!! r=me > > > Source/bmalloc/bmalloc/IsoHeapInlines.h:86 > > + auto* heap = new IsoHeapImpl<Config>(); > > + setAllocatorOffset(heap->allocatorOffset()); > > + setDeallocatorOffset(heap->deallocatorOffset()); > > + auto* atomic = reinterpret_cast<std::atomic<IsoHeapImpl<Config>*>*>(&m_impl); > > + atomic->store(heap, std::memory_order_release); > > Can you comment on this ordering being important? And by important, I mean necessary. It'd just be good to briefly describe the protocol of stores/loads we're using
Yusuke Suzuki
Comment 5 2019-06-19 21:19:46 PDT
Comment on attachment 372514 [details] Patch View in context: https://bugs.webkit.org/attachment.cgi?id=372514&action=review Thank you for your review! >>> Source/bmalloc/bmalloc/IsoHeapInlines.h:86 >>> + atomic->store(heap, std::memory_order_release); >> >> Can you comment on this ordering being important? > > And by important, I mean necessary. It'd just be good to briefly describe the protocol of stores/loads we're using Sounds really nice! I've added the comment here.
Yusuke Suzuki
Comment 6 2019-06-19 21:42:00 PDT
Committed r246630: <https://trac.webkit.org/changeset/246630>
Note You need to log in before you can comment on or make changes to this bug.