Bug 237402 - AX ITM: Updating m_pendingLoadingProgress can cause deadlock on AXIsolatedTree::m_changeLogLock
Summary: AX ITM: Updating m_pendingLoadingProgress can cause deadlock on AXIsolatedTre...
Status: RESOLVED FIXED
Alias: None
Product: WebKit
Classification: Unclassified
Component: Accessibility (show other bugs)
Version: WebKit Nightly Build
Hardware: All All
: P2 Normal
Assignee: Tyler Wilcock
URL:
Keywords: InRadar
Depends on:
Blocks:
 
Reported: 2022-03-02 18:38 PST by Tyler Wilcock
Modified: 2022-03-04 08:52 PST (History)
10 users (show)

See Also:

Attachments
Patch (3.66 KB, patch)
2022-03-02 18:43 PST, Tyler Wilcock 		no flags Details | Formatted Diff | Diff
Patch (4.47 KB, patch)
2022-03-02 19:23 PST, Tyler Wilcock 		no flags Details | Formatted Diff | Diff
Patch (4.85 KB, patch)
2022-03-03 12:06 PST, Tyler Wilcock 		no flags Details | Formatted Diff | Diff
Show Obsolete (2) View All Add an attachment (proposed patch, testcase, etc.)

Note You need to log in before you can comment on or make changes to this bug.
Description Tyler Wilcock 2022-03-02 18:38:36 PST 
AXIsolatedTree::m_pendingLoadingProgress is currently guarded by AXIsolatedTree::m_changeLogLock. Because loading can happen at any time, deadlocks can happen in this sequence:

1. AXIsolatedTree::updateLoadingProgress is called on the main thread while the secondary thread holds the lock
2. The secondary thread is holding the lock to service an AX request, and said AX request does something to call into the main thread (e.g. AXLOGs an isolated object, which causes a dispatch to the main thread as part of AXIsolatedObject::outerHTML)
3. Deadlock
Comment 1 Radar WebKit Bug Importer 2022-03-02 18:38:48 PST 
<rdar://problem/89726179>
Comment 2 Tyler Wilcock 2022-03-02 18:43:37 PST 
Created attachment 453689 [details]
Patch
Comment 3 chris fleizach 2022-03-02 18:47:51 PST 
Comment on attachment 453689 [details]
Patch

View in context: https://bugs.webkit.org/attachment.cgi?id=453689&action=review

> Source/WebCore/accessibility/isolatedtree/AXIsolatedTree.cpp:534
> +

Iā€™m still worried about this logging happening inside the lock
Comment 4 Tyler Wilcock 2022-03-02 19:23:22 PST 
Created attachment 453691 [details]
Patch
Comment 5 Andres Gonzalez 2022-03-03 09:06:10 PST 
(In reply to Tyler Wilcock from comment #4)
> Created attachment 453691 [details]
> Patch

--- a/Source/WebCore/accessibility/isolatedtree/AXIsolatedTree.cpp
+++ a/Source/WebCore/accessibility/isolatedtree/AXIsolatedTree.cpp

+    ASSERT(!isMainThread());
     AXTRACE("AXIsolatedTree::focusedNode");

AXTRACE is the first line in all functions, by convention, so that when you look at the logs, the { } encompasses the scope of that function as accurate as possible.

-    double m_pendingLoadingProgress WTF_GUARDED_BY_LOCK(m_changeLogLock) { 0 };
+    std::atomic<double> m_pendingLoadingProgress { 0 };

If you are going to make the loading progress atomic, make m_loadingProgress and get rid of m_pendingLoadingProgress, no need to keep a pending variable. std::atomic<double> guaranties that access to that variable is thread safe.
Comment 6 Tyler Wilcock 2022-03-03 09:12:28 PST 
> -    double m_pendingLoadingProgress WTF_GUARDED_BY_LOCK(m_changeLogLock) {
> 0 };
> +    std::atomic<double> m_pendingLoadingProgress { 0 };
> 
> If you are going to make the loading progress atomic, make m_loadingProgress
> and get rid of m_pendingLoadingProgress, no need to keep a pending variable.
> std::atomic<double> guaranties that access to that variable is thread safe.
The thought here was that continuing to keep them separate will be more performant since any reads of m_loadingProgress will not be atomic.
Comment 7 Tyler Wilcock 2022-03-03 12:06:26 PST 
Created attachment 453773 [details]
Patch
Comment 8 EWS 2022-03-04 08:52:47 PST 
Committed r290833 (248069@main): <https://commits.webkit.org/248069@main>

All reviewed patches have been landed. Closing bug and clearing flags on attachment 453773 [details].