Bug 128537 - Dedicated worker crash caused by global DFG worklists + GC
Summary: Dedicated worker crash caused by global DFG worklists + GC
Status: RESOLVED FIXED
Alias: None
Product: WebKit
Classification: Unclassified
Component: JavaScriptCore
Version: 528+ (Nightly build)
Hardware: All All
Importance: P2 Normal
Assignee: Mark Hahnenberg
URL:
Keywords: InRadar
Duplicates: 128745
Depends on:
Blocks:
 
Reported: 2014-02-10 09:20 PST by Filip Pizlo
Modified: 2014-02-19 11:09 PST (History)
CC: 12 users

See Also:


Attachments
Patch (7.18 KB, patch), 2014-02-18 18:31 PST, Mark Hahnenberg, no flags

Comment 1 Filip Pizlo 2014-02-10 09:26:46 PST
This allegedly began with:

http://trac.webkit.org/log/?verbose=on&rev=163691&stop_rev=163691

But the assertion failure is:

ASSERTION FAILED: m_totalBytesCopied <= m_storageSpace.size()

This implies a long-standing GC copying bug.
Comment 2 Filip Pizlo 2014-02-10 09:32:47 PST
Skipped in r163791
Comment 3 Alexey Proskuryakov 2014-02-11 22:42:45 PST
<rdar://problem/16045493>
Comment 4 Mark Hahnenberg 2014-02-18 17:11:43 PST
(In reply to comment #1)
> This allegedly began with:
> 
> http://trac.webkit.org/log/?verbose=on&rev=163691&stop_rev=163691
> 
> But the assertion failure is:
> 
> ASSERTION FAILED: m_totalBytesCopied <= m_storageSpace.size()
> 
> This implies a long-standing GC copying bug.

After some investigation, it appears that the process-global DFG worklists are causing objects to participate in the garbage collections of VMs other than the one they were allocated in. This started manifesting in the worker tests because they're one of the few WebKit tests that do multithreaded JS.
Comment 5 Filip Pizlo 2014-02-18 17:15:04 PST
(In reply to comment #4)
> (In reply to comment #1)
> > This allegedly began with:
> > 
> > http://trac.webkit.org/log/?verbose=on&rev=163691&stop_rev=163691
> > 
> > But the assertion failure is:
> > 
> > ASSERTION FAILED: m_totalBytesCopied <= m_storageSpace.size()
> > 
> > This implies a long-standing GC copying bug.
> 
> After some investigation, it appears that the process-global DFG worklists are causing objects to participate in the garbage collections of VMs other than the one they were allocated in. This started manifesting in the worker tests because they're one of the few WebKit tests that do multithreaded JS.

Whoa!  That's pretty awesome.  So, the fix is just for the following methods:

    bool isActive() const { return !!m_plans.size(); }
    
    void visitChildren(SlotVisitor&, CodeBlockSet&); // Only called on the main thread after suspending all threads.

to filter based on VM.  That implies passing the VM& in each of them.

That also means that:

    void suspendAllThreads();
    void resumeAllThreads();

need to be smart enough to not allow "double suspension" of threads.  Or to handle it gracefully.  You could accomplish that super easily by having an internal Mutex that suspendAllThreads() locks before doing anything else, and resumeAllThreads() unlocks after.
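A small C++ model of the design sketched in comment 5, added here as an illustration and not taken from the WebKit patch: plans on a process-global worklist are tagged with the VM that owns them, isActive() and visitChildren() take a VM& and filter on it, and suspendAllThreads()/resumeAllThreads() bracket an internal mutex so a second collector blocks instead of double-suspending. VM, Plan and Worklist are hypothetical stand-ins, not JavaScriptCore's classes.

```cpp
#include <cstddef>
#include <mutex>
#include <utility>
#include <vector>

struct VM { int id; };                 // stand-in for JSC::VM

struct Plan {                          // stand-in for a DFG compilation plan
    VM* vm;                            // VM whose heap owns this plan's objects
    bool visited = false;
};

// Process-global worklist shared by every VM in the process (the bug's setup).
class Worklist {
public:
    void enqueue(VM& vm) { m_plans.push_back(Plan{&vm}); }

    // Per-VM filter: plans owned by other VMs are invisible to this VM.
    bool isActive(VM& vm) const {
        for (const Plan& p : m_plans)
            if (p.vm == &vm) return true;
        return false;
    }

    // Called by the GC after suspendAllThreads(); marks only this VM's plans
    // and returns how many it visited.
    std::size_t visitChildren(VM& vm) {
        std::size_t n = 0;
        for (Plan& p : m_plans)
            if (p.vm == &vm) { p.visited = true; ++n; }
        return n;
    }

    // The mutex is held from suspend to resume, so a collector on another
    // thread that reaches suspendAllThreads() waits here rather than
    // suspending threads that are already suspended.
    void suspendAllThreads() { m_suspensionLock.lock(); ++m_suspendDepth; }
    void resumeAllThreads() { --m_suspendDepth; m_suspensionLock.unlock(); }
    int suspendDepth() const { return m_suspendDepth; }

private:
    std::vector<Plan> m_plans;
    std::mutex m_suspensionLock;
    int m_suspendDepth = 0;
};

// One collection cycle for a single VM.
std::size_t collectFor(Worklist& w, VM& vm) {
    w.suspendAllThreads();
    std::size_t visited = w.visitChildren(vm);
    w.resumeAllThreads();
    return visited;
}

// Constructed scenario: two VMs share one worklist (two plans for a, one for b).
// Returns {plans visited when a collects, plans visited when b collects}.
std::pair<std::size_t, std::size_t> demoScenario() {
    VM a{1}, b{2};
    Worklist w;
    w.enqueue(a); w.enqueue(a); w.enqueue(b);
    return { collectFor(w, a), collectFor(w, b) };
}
```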
Comment 6 Mark Hahnenberg 2014-02-18 18:31:19 PST
Created attachment 224574 [details]
Patch
Comment 7 WebKit Commit Bot 2014-02-19 10:36:10 PST
Comment on attachment 224574 [details]
Patch

Clearing flags on attachment: 224574

Committed r164371: <http://trac.webkit.org/changeset/164371>
Comment 8 WebKit Commit Bot 2014-02-19 10:36:13 PST
All reviewed patches have been landed.  Closing bug.
Comment 9 Mark Hahnenberg 2014-02-19 11:09:53 PST
*** Bug 128745 has been marked as a duplicate of this bug. ***