201309 – Assertions in JSArrayBufferView::byteOffset() are only valid for the mutator thread.

Bug 201309 - Assertions in JSArrayBufferView::byteOffset() are only valid for the mutator thread.

Summary: Assertions in JSArrayBufferView::byteOffset() are only valid for the mutator ...

Status:	RESOLVED FIXED

Alias:	None

Product:	WebKit
Classification:	Unclassified
Component:	JavaScriptCore (show other bugs)
Version:	WebKit Nightly Build
Hardware:	Unspecified Unspecified

Importance:	P2 Normal
Assignee:	Mark Lam

URL:
Keywords:	InRadar

Depends on:
Blocks:

Reported:	2019-08-29 13:28 PDT by Mark Lam
Modified:	2019-09-03 23:16 PDT (History)
CC List:	7 users (show)

See Also:

Attachments
proposed patch. (5.25 KB, patch) 2019-08-29 13:34 PDT, Mark Lam	no flags	Details \| Formatted Diff \| Diff
proposed patch. (5.25 KB, patch) 2019-09-03 16:18 PDT, Mark Lam	no flags	Details \| Formatted Diff \| Diff
proposed patch. (7.25 KB, patch) 2019-09-03 16:28 PDT, Mark Lam	no flags	Details \| Formatted Diff \| Diff
proposed patch. (7.28 KB, patch) 2019-09-03 18:02 PDT, Mark Lam	no flags	Details \| Formatted Diff \| Diff
proposed patch. (7.33 KB, patch) 2019-09-03 18:42 PDT, Mark Lam	ysuzuki: review+	Details \| Formatted Diff \| Diff
Show Obsolete (4) View All Add an attachment (proposed patch, testcase, etc.)

Note You need to log in before you can comment on or make changes to this bug.

Description Mark Lam 2019-08-29 13:28:38 PDT

<rdar://problem/54832121>

Comment 1 Mark Lam 2019-08-29 13:34:15 PDT

Created attachment 377620 [details]
proposed patch.

Comment 2 Yusuke Suzuki 2019-08-29 13:47:31 PDT

Comment on attachment 377620 [details]
proposed patch.

View in context: https://bugs.webkit.org/attachment.cgi?id=377620&action=review

> Source/JavaScriptCore/runtime/JSArrayBufferView.h:177
> +    enum ResultQuality { AccurateResult, RacyResult };
> +    template<ResultQuality = AccurateResult> unsigned byteOffset();

This is OK for internal implementation. But I think usually we are using the name `xxxConcurrently()` for this type of function.
So, I think `byteOffsetConcurrently()` would be better.

> Source/JavaScriptCore/runtime/JSArrayBufferViewInlines.h:86
>      ArrayBuffer* buffer = possiblySharedBuffer();

Is it safe to be called from DFG thread? If we go to JSArrayBufferView::slowDownAndWasteMemory, we allocate Butterfly in that function, and it is not allowed in concurrent compilers.

Comment 3 Mark Lam 2019-08-29 13:52:26 PDT

Comment on attachment 377620 [details]
proposed patch.

View in context: https://bugs.webkit.org/attachment.cgi?id=377620&action=review

>> Source/JavaScriptCore/runtime/JSArrayBufferViewInlines.h:86
>>      ArrayBuffer* buffer = possiblySharedBuffer();
> 
> Is it safe to be called from DFG thread? If we go to JSArrayBufferView::slowDownAndWasteMemory, we allocate Butterfly in that function, and it is not allowed in concurrent compilers.

Thanks.  I will investigate.

Comment 4 Mark Lam 2019-08-29 13:52:49 PDT

Comment on attachment 377620 [details]
proposed patch.

Take out of review while this is being investigated.

Comment 5 Mark Lam 2019-09-03 16:15:23 PDT

Comment on attachment 377620 [details]
proposed patch.

View in context: https://bugs.webkit.org/attachment.cgi?id=377620&action=review

>>> Source/JavaScriptCore/runtime/JSArrayBufferViewInlines.h:86
>>>      ArrayBuffer* buffer = possiblySharedBuffer();
>> 
>> Is it safe to be called from DFG thread? If we go to JSArrayBufferView::slowDownAndWasteMemory, we allocate Butterfly in that function, and it is not allowed in concurrent compilers.
> 
> Thanks.  I will investigate.

Turns out, this is safe because the hasArrayBuffer() check above ensures that mode() is never FastTypedArray or OversizeTypedArray, and hence, we'll never call JSArrayBufferView::slowDownAndWasteMemory().

Comment 6 Mark Lam 2019-09-03 16:18:31 PDT

Created attachment 377929 [details]
proposed patch.

Comment 7 Mark Lam 2019-09-03 16:28:18 PDT

Created attachment 377931 [details]
proposed patch.

Comment 8 Mark Lam 2019-09-03 17:58:48 PDT

Comment on attachment 377931 [details]
proposed patch.

View in context: https://bugs.webkit.org/attachment.cgi?id=377931&action=review

> Source/JavaScriptCore/runtime/JSArrayBufferViewInlines.h:91
> +        ASSERT(isMainThread());

Looks like I can't assert this.  Worker threads will not be happy.

Comment 9 Mark Lam 2019-09-03 18:02:33 PDT

Created attachment 377945 [details]
proposed patch.

Comment 10 Yusuke Suzuki 2019-09-03 18:36:18 PDT

Comment on attachment 377931 [details]
proposed patch.

View in context: https://bugs.webkit.org/attachment.cgi?id=377931&action=review

>> Source/JavaScriptCore/runtime/JSArrayBufferViewInlines.h:91
>> +        ASSERT(isMainThread());
> 
> Looks like I can't assert this.  Worker threads will not be happy.

You can use `ASSERT(!isCompilationThread());` instead.

Comment 11 Mark Lam 2019-09-03 18:40:49 PDT

(In reply to Yusuke Suzuki from comment #10)
> Comment on attachment 377931 [details]
> proposed patch.
> 
> View in context:
> https://bugs.webkit.org/attachment.cgi?id=377931&action=review
> 
> >> Source/JavaScriptCore/runtime/JSArrayBufferViewInlines.h:91
> >> +        ASSERT(isMainThread());
> > 
> > Looks like I can't assert this.  Worker threads will not be happy.
> 
> You can use `ASSERT(!isCompilationThread());` instead.

Sounds good.  Fixing.

Comment 12 Mark Lam 2019-09-03 18:42:15 PDT

Created attachment 377947 [details]
proposed patch.

Comment 13 Yusuke Suzuki 2019-09-03 18:52:01 PDT

Comment on attachment 377947 [details]
proposed patch.

r=me

Comment 14 Saam Barati 2019-09-03 22:45:08 PDT

(In reply to Mark Lam from comment #8)
> Comment on attachment 377931 [details]
> proposed patch.
> 
> View in context:
> https://bugs.webkit.org/attachment.cgi?id=377931&action=review
> 
> > Source/JavaScriptCore/runtime/JSArrayBufferViewInlines.h:91
> > +        ASSERT(isMainThread());
> 
> Looks like I can't assert this.  Worker threads will not be happy.

I think we made this mistake in another patch recently too, right?

Comment 15 Saam Barati 2019-09-03 22:46:32 PDT

(In reply to Saam Barati from comment #14)
> (In reply to Mark Lam from comment #8)
> > Comment on attachment 377931 [details]
> > proposed patch.
> > 
> > View in context:
> > https://bugs.webkit.org/attachment.cgi?id=377931&action=review
> > 
> > > Source/JavaScriptCore/runtime/JSArrayBufferViewInlines.h:91
> > > +        ASSERT(isMainThread());
> > 
> > Looks like I can't assert this.  Worker threads will not be happy.
> 
> I think we made this mistake in another patch recently too, right?

https://bugs.webkit.org/show_bug.cgi?id=201281

Comment 16 Mark Lam 2019-09-03 23:16:23 PDT

(In reply to Saam Barati from comment #15)
> (In reply to Saam Barati from comment #14)
> > (In reply to Mark Lam from comment #8)
> > > Comment on attachment 377931 [details]
> > > proposed patch.
> > > 
> > > View in context:
> > > https://bugs.webkit.org/attachment.cgi?id=377931&action=review
> > > 
> > > > Source/JavaScriptCore/runtime/JSArrayBufferViewInlines.h:91
> > > > +        ASSERT(isMainThread());
> > > 
> > > Looks like I can't assert this.  Worker threads will not be happy.
> > 
> > I think we made this mistake in another patch recently too, right?
> 
> https://bugs.webkit.org/show_bug.cgi?id=201281

In 201281, the mistake reduces the strength of the assertion for worker threads instead of overly asserting it (which resulted in crashes) like this case.  Regardless, I'll fix it.

Comment 17 Mark Lam 2019-09-03 23:16:34 PDT

Thanks for the review.  Landed in r249458: <http://trac.webkit.org/r249458>.