RESOLVED FIXED 237402
AX ITM: Updating m_pendingLoadingProgress can cause deadlock on AXIsolatedTree::m_changeLogLock 
https://bugs.webkit.org/show_bug.cgi?id=237402
Summary AX ITM: Updating m_pendingLoadingProgress can cause deadlock on AXIsolatedTre...
Tyler Wilcock
Reported 2022-03-02 18:38:36 PST
AXIsolatedTree::m_pendingLoadingProgress is currently guarded by AXIsolatedTree::m_changeLogLock. Because loading can happen at any time, deadlocks can happen in this sequence: 1. AXIsolatedTree::updateLoadingProgress is called on the main thread while the secondary thread holds the lock 2. The secondary thread is holding the lock to service an AX request, and said AX request does something to call into the main thread (e.g. AXLOGs an isolated object, which causes a dispatch to the main thread as part of AXIsolatedObject::outerHTML) 3. Deadlock
Attachments
Patch (3.66 KB, patch)
2022-03-02 18:43 PST, Tyler Wilcock 		no flags
DetailsFormatted DiffDiff
Patch (4.47 KB, patch)
2022-03-02 19:23 PST, Tyler Wilcock 		no flags
DetailsFormatted DiffDiff
Patch (4.85 KB, patch)
2022-03-03 12:06 PST, Tyler Wilcock 		no flags
DetailsFormatted DiffDiff
Show Obsolete (2) View All Add attachment proposed patch, testcase, etc.
Radar WebKit Bug Importer
Comment 1 2022-03-02 18:38:48 PST
<rdar://problem/89726179>
Tyler Wilcock
Comment 2 2022-03-02 18:43:37 PST
Created attachment 453689 [details] Patch
chris fleizach
Comment 3 2022-03-02 18:47:51 PST
Comment on attachment 453689 [details] Patch View in context: https://bugs.webkit.org/attachment.cgi?id=453689&action=review > Source/WebCore/accessibility/isolatedtree/AXIsolatedTree.cpp:534 > + I’m still worried about this logging happening inside the lock
Tyler Wilcock
Comment 4 2022-03-02 19:23:22 PST
Created attachment 453691 [details] Patch
Andres Gonzalez
Comment 5 2022-03-03 09:06:10 PST
(In reply to Tyler Wilcock from comment #4) > Created attachment 453691 [details] > Patch --- a/Source/WebCore/accessibility/isolatedtree/AXIsolatedTree.cpp +++ a/Source/WebCore/accessibility/isolatedtree/AXIsolatedTree.cpp + ASSERT(!isMainThread()); AXTRACE("AXIsolatedTree::focusedNode"); AXTRACE is the first line in all functions, by convention, so that when you look at the logs, the { } encompasses the scope of that function as accurate as possible. - double m_pendingLoadingProgress WTF_GUARDED_BY_LOCK(m_changeLogLock) { 0 }; + std::atomic<double> m_pendingLoadingProgress { 0 }; If you are going to make the loading progress atomic, make m_loadingProgress and get rid of m_pendingLoadingProgress, no need to keep a pending variable. std::atomic<double> guaranties that access to that variable is thread safe.
Tyler Wilcock
Comment 6 2022-03-03 09:12:28 PST
> - double m_pendingLoadingProgress WTF_GUARDED_BY_LOCK(m_changeLogLock) { > 0 }; > + std::atomic<double> m_pendingLoadingProgress { 0 }; > > If you are going to make the loading progress atomic, make m_loadingProgress > and get rid of m_pendingLoadingProgress, no need to keep a pending variable. > std::atomic<double> guaranties that access to that variable is thread safe. The thought here was that continuing to keep them separate will be more performant since any reads of m_loadingProgress will not be atomic.
Tyler Wilcock
Comment 7 2022-03-03 12:06:26 PST
Created attachment 453773 [details] Patch
EWS
Comment 8 2022-03-04 08:52:47 PST
Committed r290833 (248069@main): <https://commits.webkit.org/248069@main> All reviewed patches have been landed. Closing bug and clearing flags on attachment 453773 [details].
Note You need to log in before you can comment on or make changes to this bug.