Bug 154841 - regress/script-tests/double-pollution-putbyoffset.js.ftl-eager timed out because of a lock ordering deadlock involving InferredType and CodeBlock
Summary: regress/script-tests/double-pollution-putbyoffset.js.ftl-eager timed out beca...
Alias: None
Product: WebKit
Classification: Unclassified
Component: JavaScriptCore (show other bugs)
Version: WebKit Nightly Build
Hardware: All All
: P2 Normal
Assignee: Filip Pizlo
Depends on:
Reported: 2016-02-29 16:48 PST by Filip Pizlo
Modified: 2016-02-29 19:19 PST (History)
5 users (show)

See Also:

the patch (7.09 KB, patch)
2016-02-29 17:33 PST, Filip Pizlo
benjamin: review+
Details | Formatted Diff | Diff

Note You need to log in before you can comment on or make changes to this bug.
Description Filip Pizlo 2016-02-29 16:48:57 PST
Comment 1 Filip Pizlo 2016-02-29 16:56:17 PST
Here's the deadlock:

Main thread:
    1) Change an InferredType.  This acquires InferredType::m_lock.
    2) Fire watchpoint set.  This triggers CodeBlock invalidation, which acquires CodeBlock::m_lock.

DFG thread:
    1) Iterate over the information in a CodeBlock.  This acquires CodeBlock::m_lock.
    2) Ask an InferredType for its descriptor().  This acquires InferredType::m_lock.

I think that the DFG thread's ordering should be legal, because the best logic for lock hierarchies is that locks that protect the largest set of stuff should be acquired first.

This means that the main thread shouldn't be holding the InferredType::m_lock when firing watchpoint sets.  I think that we already do magic for this in other places.
Comment 2 Filip Pizlo 2016-02-29 17:33:46 PST
Created attachment 272533 [details]
the patch
Comment 3 Filip Pizlo 2016-02-29 19:19:18 PST
Landed in http://trac.webkit.org/changeset/197381