WebKit Bugzilla
RESOLVED FIXED
Bug 209266
[JSC] StructureStubInfo::bufferedStructures should not ref/deref UniquedStringImpl
https://bugs.webkit.org/show_bug.cgi?id=209266
Reported by Yusuke Suzuki, 2020-03-18 19:22:15 PDT
This data structure can be destroyed in CodeBlock::finalizeUnconditionally. So it should not include Strings.

1. Can we just set AtomStringTable when executing CodeBlock::finalizeUnconditionally?

This does not work correctly. Our Web Worker implementation is releasing heapAccess() when finishing code execution and waiting for a runloop message. This means that CodeBlock::finalizeUnconditionally can potentially work concurrently with the Web Worker's main thread.
Attachments
Patch (18.75 KB, patch), 2020-03-18 19:59 PDT, Yusuke Suzuki, saam: review+
Comment 1 by Yusuke Suzuki, 2020-03-18 19:22:46 PDT
<rdar://problem/60508312>
Comment 2 by Yusuke Suzuki, 2020-03-18 19:24:14 PDT
(In reply to Yusuke Suzuki from comment #0)
> 1. Can we just set AtomStringTable when executing
> CodeBlock::finalizeUnconditionally?
>
> This does not work correctly. Our Web Worker implementation is releasing
> heapAccess() when finishing code execution and waiting for a runloop message.
> This means that CodeBlock::finalizeUnconditionally can potentially work
> concurrently with the Web Worker's main thread.

2. Can we fix this issue by giving up the resetJITData call in CodeBlock::finalizeUnconditionally?

No, since we are calling visitWeakReferences(), which removes some of the buffered structures in CodeBlock::finalizeUnconditionally anyway.
Comment 3 by Yusuke Suzuki, 2020-03-18 19:59:53 PDT
Created attachment 393939 [details]: Patch
Comment 4 by Yusuke Suzuki, 2020-03-18 20:00:53 PDT
Comment on attachment 393939 [details]: Patch
View in context: https://bugs.webkit.org/attachment.cgi?id=393939&action=review

> Source/JavaScriptCore/jit/JITOperations.cpp:-2239
> -    if (stubInfo->considerCaching(vm, codeBlock, baseValue.structureOrNull()))

This patch also fixes DeleteByVal's considerCaching. It was not getting a CacheableIdentifier.
Comment 5 by Saam Barati, 2020-03-19 11:31:29 PDT
Comment on attachment 393939 [details]: Patch
View in context: https://bugs.webkit.org/attachment.cgi?id=393939&action=review

r=me. Nice find.

> Source/JavaScriptCore/ChangeLog:25
> +        concurrent collector to run this, we introduce m_bufferedStructuresLock in StructureStubInfo to guard m_bufferedStructures.

Aren't we always holding the code block's lock in both cases?

> Source/JavaScriptCore/bytecode/StructureStubInfo.h:102
> +    ALWAYS_INLINE bool considerCaching(VM& vm, CodeBlock* codeBlock, Structure* structure, CacheableIdentifier impl = CacheableIdentifier())

I wonder if making this have a default argument was a mistake.

> Source/JavaScriptCore/bytecode/StructureStubInfo.h:291
> +        using KeyTraits = SimpleClassHashTraits<BufferedStructure>;

nit: Maybe static assert that emptyValueIsZero for documentation purposes?
Comment 6 by Yusuke Suzuki, 2020-03-19 13:48:35 PDT
Comment on attachment 393939 [details]: Patch
View in context: https://bugs.webkit.org/attachment.cgi?id=393939&action=review

>> Source/JavaScriptCore/ChangeLog:25
>> +        concurrent collector to run this, we introduce m_bufferedStructuresLock in StructureStubInfo to guard m_bufferedStructures.
>
> Aren't we always holding the code block's lock in both cases?

We are not holding a lock while executing considerCaching. I think fine-grained locking here is nice.

>> Source/JavaScriptCore/bytecode/StructureStubInfo.h:102
>> +    ALWAYS_INLINE bool considerCaching(VM& vm, CodeBlock* codeBlock, Structure* structure, CacheableIdentifier impl = CacheableIdentifier())
>
> I wonder if making this have a default argument was a mistake.

I think the following would be nice:
1. Adding `considerCachingById` and `considerCachingByVal`.
2. `considerCachingById` internally calls `considerCaching` with CacheableIdentifier().
Fixed.

>> Source/JavaScriptCore/bytecode/StructureStubInfo.h:291
>> +        using KeyTraits = SimpleClassHashTraits<BufferedStructure>;
>
> nit: Maybe static assert that emptyValueIsZero for documentation purposes?

Sounds nice. Added.
Comment 7 by Yusuke Suzuki, 2020-03-19 14:59:36 PDT
Committed r258732: <https://trac.webkit.org/changeset/258732>