Bug 154841 - regress/script-tests/double-pollution-putbyoffset.js.ftl-eager timed out because of a lock ordering deadlock involving InferredType and CodeBlock
Summary: regress/script-tests/double-pollution-putbyoffset.js.ftl-eager timed out beca...
Status: RESOLVED FIXED
Alias: None
Product: WebKit
Classification: Unclassified
Component: JavaScriptCore (show other bugs)
Version: WebKit Nightly Build
Hardware: All All
: P2 Normal
Assignee: Filip Pizlo
URL:
Keywords:
Depends on:
Blocks:
 
Reported: 2016-02-29 16:48 PST by Filip Pizlo
Modified: 2016-02-29 19:19 PST (History)
5 users (show)

See Also:

Attachments
the patch (7.09 KB, patch)
2016-02-29 17:33 PST, Filip Pizlo 		benjamin: review+
Details | Formatted Diff | Diff
View All Add an attachment (proposed patch, testcase, etc.)

Note You need to log in before you can comment on or make changes to this bug.
Description Filip Pizlo 2016-02-29 16:48:57 PST 
Yucky!
Comment 1 Filip Pizlo 2016-02-29 16:56:17 PST 
Here's the deadlock:

Main thread:
    1) Change an InferredType.  This acquires InferredType::m_lock.
    2) Fire watchpoint set.  This triggers CodeBlock invalidation, which acquires CodeBlock::m_lock.

DFG thread:
    1) Iterate over the information in a CodeBlock.  This acquires CodeBlock::m_lock.
    2) Ask an InferredType for its descriptor().  This acquires InferredType::m_lock.

I think that the DFG thread's ordering should be legal, because the best logic for lock hierarchies is that locks that protect the largest set of stuff should be acquired first.

This means that the main thread shouldn't be holding the InferredType::m_lock when firing watchpoint sets.  I think that we already do magic for this in other places.
Comment 2 Filip Pizlo 2016-02-29 17:33:46 PST 
Created attachment 272533 [details]
the patch
Comment 3 Filip Pizlo 2016-02-29 19:19:18 PST 
Landed in http://trac.webkit.org/changeset/197381