Bug 31639 - Add asserts to RefCounted to make sure ref/deref happens on the right thread.
: Add asserts to RefCounted to make sure ref/deref happens on the right thread.
Status: RESOLVED FIXED
: WebKit
WebCore Misc.
: 528+ (Nightly build)
: All All
: P2 Normal
Assigned To:
:
:
: 32689 59754 59762 59984 64404 64577 65609
: 58091 58092 58093 58105 58171 58174 65827
  Show dependency treegraph
 
Reported: 2009-11-18 12:43 PST by
Modified: 2012-07-25 23:36 PST (History)


Attachments
Intermediate patch (5.33 KB, patch)
2009-11-19 20:26 PST, Dmitry Titov
no flags Review Patch | Details | Formatted Diff | Diff
Proposed patch. (8.40 KB, patch)
2009-12-02 18:49 PST, Dmitry Titov
levin: review-
dimich: commit‑queue-
Review Patch | Details | Formatted Diff | Diff
Updated per David's comments. (18.23 KB, patch)
2009-12-07 12:21 PST, Dmitry Titov
dimich: commit‑queue-
Review Patch | Details | Formatted Diff | Diff
Patch (37.68 KB, patch)
2011-04-04 14:05 PST, David Levin
no flags Review Patch | Details | Formatted Diff | Diff
Patch (24.89 KB, patch)
2011-04-07 16:21 PST, David Levin
no flags Review Patch | Details | Formatted Diff | Diff
Patch (24.91 KB, patch)
2011-04-07 17:16 PST, David Levin
no flags Review Patch | Details | Formatted Diff | Diff
Patch (27.01 KB, patch)
2011-04-08 16:43 PST, David Levin
no flags Review Patch | Details | Formatted Diff | Diff
Patch (26.56 KB, patch)
2011-04-08 18:32 PST, David Levin
no flags Review Patch | Details | Formatted Diff | Diff
Patch (24.54 KB, patch)
2011-04-25 11:10 PST, David Levin
no flags Review Patch | Details | Formatted Diff | Diff
Patch (25.32 KB, patch)
2011-04-27 16:22 PST, David Levin
no flags Review Patch | Details | Formatted Diff | Diff
Patch (25.32 KB, patch)
2011-04-27 16:33 PST, David Levin
no flags Review Patch | Details | Formatted Diff | Diff
Patch (24.72 KB, patch)
2011-07-20 18:01 PST, David Levin
no flags Review Patch | Details | Formatted Diff | Diff
Patch (23.85 KB, patch)
2011-08-01 17:52 PST, David Levin
dimich: review+
levin: commit‑queue-
Review Patch | Details | Formatted Diff | Diff


Note

You need to log in before you can comment on or make changes to this bug.


Description From 2009-11-18 12:43:04 PST
See bug 30612 and bug 31615 for history and comments.

The idea is that there should be an assert that a RefCounted is used on the right thread. For cases when RefCounted is used cross-thread in a specific way intentionally, there should be a mechanism to relax the check.
------- Comment #1 From 2009-11-19 20:26:31 PST -------
Created an attachment (id=43545) [details]
Intermediate patch

I've tried to experiment with something like this... Intermediate patch.

There is makeExemptFromThreadCheck() function that stores a per-instance flag which I was hoping to use to have some sort of 'dynamic opt-out'. To make it possible to 'temporarily exclude' an instance of RefCounted from the requirement to be refcounted on the same thread - and then use it for things like String, relaxing the check in certain portions of code and still asserting in others. But IconDatabase quickly discouraged me from this... It is very hard, looking at code, to know where to enable/disable the check. Usage on different threads can happen in way distant codepaths.
------- Comment #2 From 2009-12-02 18:49:45 PST -------
Created an attachment (id=44201) [details]
Proposed patch.

Adds ASSERT to RefCountedBase to verify the ref()/deref() and hasOneref(), refCount() happen on the same thread.

For objects that are intentionally used in cross-process scenario, there is disableThreadVerification() which excludes them from the checks. I used this to exclude Stringimpl and classes used in IconDatabase.

Also, the checks only are activated when refcount becomes >= 2 and deactivated when refcount goes below 2 (borrowed the idea from CrossThreadRefCounted). This prevents the assertions in a very typical scenario when object is created on one thread and then passed via PassRefPtr to another thread where it is used exclusively and then destroyed. It seems it's mostly ok to transfer an object with refcount 1 between threads - so the asserts are only activated when refcount is >1, meaning the object is actually 'shared'.

Perf impact on Debug build is about 2% on run-webkit-tests, and there are no asserts fired during the run.
------- Comment #3 From 2009-12-02 21:14:15 PST -------
style-queue ran check-webkit-style on attachment 44201 [details] without any errors.
------- Comment #4 From 2009-12-04 10:13:53 PST -------
(From update of attachment 44201 [details])
> diff --git a/JavaScriptCore/ChangeLog b/JavaScriptCore/ChangeLog
> +        (WTF::ThreadVerifier::activate): Activates hecks. Called when ref count becomes above 2.

typo: hecks

> diff --git a/JavaScriptCore/runtime/Structure.cpp b/JavaScriptCore/runtime/Structure.cpp
> +    // Use of addressOfCount() in this calss prevents thread verification in RefCounted

typo: calss

> +    // since it modifies refcount via other means then ref()/deref().

s/then/than/

> diff --git a/JavaScriptCore/wtf/RefCounted.h b/JavaScriptCore/wtf/RefCounted.h
> +#ifndef NDEBUG
> +class ThreadVerifier {

This seems like it should be in its own file. (As a side benefit, the whole file can be ifndef NDEBUG include the wtf/Threading.h include.)

> +#endif

#endif // NDEBUG
Since this is a long ifdef.


> +#ifndef NDEBUG
> +    void disableThreadVerification()
> +    {

Personally, I'd prefer moving the ifndef inside of the method. This would still make the call a no-op when NDEBUG is defined, but every call site wouldn't need a ifndef NDEBUG around it.

> +        m_threadVerifier.disableThreadVerification();
> +    }
> +#endif
> +
------- Comment #5 From 2009-12-07 12:21:13 PST -------
Created an attachment (id=44423) [details]
Updated per David's comments.
------- Comment #6 From 2009-12-07 12:23:35 PST -------
(In reply to comment #4)
> typo: hecks
> typo: calss
> s/then/than/

Fixed. 

> > diff --git a/JavaScriptCore/wtf/RefCounted.h b/JavaScriptCore/wtf/RefCounted.h
> > +#ifndef NDEBUG
> > +class ThreadVerifier {
> 
> This seems like it should be in its own file. (As a side benefit, the whole
> file can be ifndef NDEBUG include the wtf/Threading.h include.)

Moved to a new file, wtf/ThreadVerifier.h
This added a couple of build files and ForwardingHeaders to the patch.

> #endif // NDEBUG
> Since this is a long ifdef.

Added "// NDEBUG"

> > +#ifndef NDEBUG
> > +    void disableThreadVerification()
> > +    {
> 
> Personally, I'd prefer moving the ifndef inside of the method. This would still
> make the call a no-op when NDEBUG is defined, but every call site wouldn't need
> a ifndef NDEBUG around it.

Done.

Patch attached.
------- Comment #7 From 2009-12-07 12:24:09 PST -------
style-queue ran check-webkit-style on attachment 44423 [details] without any errors.
------- Comment #8 From 2009-12-07 13:13:02 PST -------
(From update of attachment 44423 [details])
The only thing I don't like about this is the name of disableThreadVerification. I would prefer a name that describes the threading regime being used rather than a simple "disable" call. But since the number of callers is extremely small at this time, it seems we can change this later.

I'd eventually like to see the cross-thread string use be turned on, not in the allocation of the StringImpl, but at the call sites. I know the class is used cross thread "everywhere", but I think eventually we could do that. There are tons of strings where it would be good to have the main thread assertion work.

> +        // Start thread verification as soon as the ref count gets to 2.
> +        // The class gets created with a ref count of 1 and then passed
> +        // to another thread where to ref count get increased.  This
> +        // is a heuristic but it seems to always work and has helped
> +        // find some bugs.

We use one space after a period, nottwo.

> +    ThreadVerifier()
> +        : m_isActive(false)
> +        , m_isThreadVerificationDisabled(false)
> +        , m_isOwnedByMainThread(false)
> +        , m_owningThread(0)
> +    { }

We'd normally put the braces on separate lines.

> @@ -44,7 +44,7 @@ IconRecord::IconRecord(const String& url)
>      , m_stamp(0)
>      , m_dataSet(false)
>  {
> -
> +    disableThreadVerification();
>  }

I'd like to see a comment at all the disableThreadVerification call sites about why this needs to be done.
------- Comment #9 From 2009-12-08 12:28:26 PST -------
(In reply to comment #8)
> (From update of attachment 44423 [details] [details])
> The only thing I don't like about this is the name of
> disableThreadVerification. I would prefer a name that describes the threading
> regime being used rather than a simple "disable" call. But since the number of
> callers is extremely small at this time, it seems we can change this later.

Agreed.

> I'd eventually like to see the cross-thread string use be turned on, not in the
> allocation of the StringImpl, but at the call sites. I know the class is used
> cross thread "everywhere", but I think eventually we could do that. There are
> tons of strings where it would be good to have the main thread assertion work.

Added FIXME to StringImpl, will experiment with enforcing checks since we should be able to use crossThreadString in those cases.

..
> We use one space after a period, nottwo.
..
> We'd normally put the braces on separate lines.
..
> I'd like to see a comment at all the disableThreadVerification call sites about
> why this needs to be done.

Fixed those and landed: http://trac.webkit.org/changeset/51869
------- Comment #10 From 2009-12-08 15:29:49 PST -------
Reopening since I've reverted it: http://trac.webkit.org/changeset/51875

It apparently caused stable crash of storage/change-version-handle-reuse.html on Leopard Debug bot. Also, the nmber of reported leaks increased about x10 on SnowLeopard leak-test-enabled bot.

Need to play with it a bit more.
------- Comment #11 From 2009-12-11 11:33:13 PST -------
(In reply to comment #10)
> Also, the number of reported leaks increased about x10 on SnowLeopard leak-test-enabled bot.

Wow, I wonder what that was about?

I really want this back!
------- Comment #12 From 2009-12-28 21:42:04 PST -------
(From update of attachment 44423 [details])
Clearing Darin Adler's review on this obsolete patch.
------- Comment #13 From 2011-04-04 14:05:06 PST -------
Created an attachment (id=88125) [details]
Patch
------- Comment #14 From 2011-04-04 16:07:01 PST -------
Attachment 88125 [details] did not build on win:
Build output: http://queues.webkit.org/results/8330130
------- Comment #15 From 2011-04-04 16:20:35 PST -------
(From update of attachment 88125 [details])
View in context: https://bugs.webkit.org/attachment.cgi?id=88125&action=review

review- because the Windows build is failing

> Source/JavaScriptCore/JavaScriptCore.exp:608
> +__ZN3WTF26singleThreadVerifierCreateEv
> +__ZN3WTF20noVerificationCreateEv
> +__ZN3WTF19mutexVerifierCreateERNS_5MutexE

This file is sorted with the sort tool. New entries in it should be sorted in the same way.

> Source/JavaScriptCore/jit/ExecutableAllocator.h:354
> +    setNonThreadSafeVerifier(WTF::NonThreadSafeVerifier::createNoVerficationDoNotUseThis());

Classes in WTF should make use of "using" in the WTF way and not have WTF:: at the call site.

> Source/JavaScriptCore/parser/SourceProvider.h:50
> +            setNonThreadSafeVerifier(WTF::NonThreadSafeVerifier::createNoVerficationDoNotUseThis());

While factoring-wise I think it’s OK to have the verifier be a separate object, I think that it involves tons of memory allocation in debug builds and so could slow them to a crawly, and the idiom of setting up a verifier is so wordy that it almost obscures the meaning of what’s being done.

> Source/JavaScriptCore/wtf/NonThreadSafeVerifier.cpp:52
> +    virtual void setShared(bool);
> +    virtual bool verifySafety() const;

I suggest making these private instead of public on the derived class.

> Source/JavaScriptCore/wtf/NonThreadSafeVerifier.cpp:76
> +    virtual void setShared(bool);
> +    virtual bool verifySafety() const;

Ditto.

> Source/JavaScriptCore/wtf/NonThreadSafeVerifier.cpp:183
> +PassOwnPtr<NonThreadSafeVerifier> singleThreadVerifierCreate()
> +{
> +    return 0;
> +}
> +
> +PassOwnPtr<NonThreadSafeVerifier> mutexVerifierCreate(Mutex&)
> +{
> +    return 0;
> +}
> +
> +PassOwnPtr<NonThreadSafeVerifier> noVerificationCreate()
> +{
> +    return 0;
> +}

Why define these at all in NDEBUG versions?

> Source/JavaScriptCore/wtf/NonThreadSafeVerifier.h:54
> +    static PassOwnPtr<NonThreadSafeVerifier> createNoVerficationDoNotUseThis();

Typo: Verfication

> Source/JavaScriptCore/wtf/NonThreadSafeVerifier.h:68
> +// Don't use these directly.
> +PassOwnPtr<NonThreadSafeVerifier> singleThreadVerifierCreate();
> +PassOwnPtr<NonThreadSafeVerifier> mutexVerifierCreate(Mutex&);
> +PassOwnPtr<NonThreadSafeVerifier> noVerificationCreate();

Why not? Why do we need the extra level of indirection?

If we don’t want them used directly, then we could obfuscate them a little more by putting them into a namespace or making them private static member functions. And we could not even define them if NDEBUG is set.

> Source/JavaScriptCore/wtf/RefCounted.h:45
> +        // to another thread where to ref count get increased. This

“where to ref count get increased”?

> Source/JavaScriptCore/wtf/RefCounted.h:88
> +    void setNonThreadSafeVerifier(PassOwnPtr<NonThreadSafeVerifier> nonThreadSafeVerifier)
> +    {
> +        UNUSED_PARAM(nonThreadSafeVerifier.get());
> +#ifndef NDEBUG
> +        m_nonThreadSafeVerifier = nonThreadSafeVerifier;
> +#endif
> +    }
> +
> +    void setMutexAsThreadSafeVerifier(Mutex& mutex)
> +    {
> +        UNUSED_PARAM(&mutex);
> +#ifndef NDEBUG
> +        setNonThreadSafeVerifier(NonThreadSafeVerifier::createMutexVerifier(mutex));
> +#endif
> +    }

I suggest putting the whole functions inside an #ifndef to avoid the awkward uses of UNUSED_PARAM.

I also question the need to inline the debug versions. I think you could just declare these in the class, define the NDEBUG versions below with inline, and for the debug versions have them in a cpp file.

> Source/JavaScriptCore/wtf/RefCounted.h:165
> +    OwnPtr<NonThreadSafeVerifier> m_nonThreadSafeVerifier;

I think this data member could just be named m_verifier without losing clarity.
------- Comment #16 From 2011-04-04 16:41:54 PST -------
(From update of attachment 88125 [details])
View in context: https://bugs.webkit.org/attachment.cgi?id=88125&action=review

>> Source/JavaScriptCore/wtf/NonThreadSafeVerifier.cpp:183
>> +}
> 
> Why define these at all in NDEBUG versions?

I couldn't figure out a way to have DEBUG only exports from JavaScriptCore.exp or if there was a separate file.
------- Comment #17 From 2011-04-04 16:45:06 PST -------
(In reply to comment #16)
> > Why define these at all in NDEBUG versions?
> 
> I couldn't figure out a way to have DEBUG only exports from JavaScriptCore.exp or if there was a separate file.

Good point. I’m not sure there is a good way to do that.
------- Comment #18 From 2011-04-07 16:21:18 PST -------
Created an attachment (id=88725) [details]
Patch
------- Comment #19 From 2011-04-07 16:32:30 PST -------
I fixed most things. I did a few things due to the exports issue.

Also, I left functions defined in the header even in release mode but empty so that the calling sites would not have to have ifndef NDEBUG whereever these methods were called.

But I'm willing to change any of this.

I tried to check out the speed of this build compared to without these checks and it seemed comparable for running layout tests.
------- Comment #20 From 2011-04-07 17:07:29 PST -------
Attachment 88725 [details] did not build on chromium:
Build output: http://queues.webkit.org/results/8347778
------- Comment #21 From 2011-04-07 17:13:06 PST -------
(In reply to comment #20)
> Attachment 88725 [details] [details] did not build on chromium:
> Build output: http://queues.webkit.org/results/8347778

I will put the code NonThreadSafeVerifier.h inside of "#ifndef NDEBUG"
------- Comment #22 From 2011-04-07 17:16:07 PST -------
Created an attachment (id=88739) [details]
Patch
------- Comment #23 From 2011-04-08 09:50:10 PST -------
(From update of attachment 88739 [details])
View in context: https://bugs.webkit.org/attachment.cgi?id=88739&action=review

Looks good. Not sure why it’s not applying with the EWS. I’m going to say review- because I want you to think over the naming a little more.

> Source/JavaScriptCore/jit/ExecutableAllocator.h:353
> +    reviewCarefullyTurnOffVerifier();

I applaud the notion of building the advice to review the use of a function carefully right into the function name, but I think we should do it in a way that’s more grammatically sound. One type of name along those lines is this:

turnOffVerifierNotingThatIsRarelyNeededAndRequiresCarefulReview

Of course that is comically long, but maybe you see my point? Once we figure out what we should say, we should try to state it rather than just putting words in there without grammatical glue.

> Source/JavaScriptCore/wtf/NonThreadSafeVerifier.h:46
> +class NonThreadSafeVerifier {

I think that “non-safe” is an unpleasant and not entirely clear way to describe something that is designed to be used on a single thread.

I would call this ThreadRestrictionsVerifier or SingleThreadUsageVerifier or something roughly along those lines. What I don’t like about “not safe” is that clearly you can’t build a good computer program out of pieces that are “unsafe”. The use of “safety” as the metaphor for threads programming is one of the things that makes it harder for people. Instead of placing the emphasis on clear rules, there’s the implication that this is about risk taking, things might work if you just look both ways before crossing the street, and bold adventurous programmers might chose to take risks. That’s why the safety metaphor seems the wrong one to me.

> Source/JavaScriptCore/wtf/RefCounted.h:44
> +        // Start thread verification as soon as the ref count gets to 2. This
> +        // is a heuristic but it seems to work and has helped find some bugs.

It would be better to explain where this heuristic comes from. There must be a relatively clear way to explain it. Maybe what you mean is that it’s common to create an object and then hand it over to another thread; always recording the thread where it was created would lead to too many false failures.

This is an OK policy for existing code, but it seems inelegant for new code, so we might want to consider a way that future uses of RefCount could start verifying immediately. I would like to catch an object created on one thread and destroyed on another without ever being ref'd.

Again, we can probably defend this policy, and I think it’s better to do that with a little more specifics even if not many more words.

> Source/JavaScriptCore/wtf/SizeLimits.cpp:45
> +struct FakeDebugRefCounted {

I don’t entirely understand the meaning of the word “Fake” in this structure’s name. You should choose an even clearer name or add a comment.
------- Comment #24 From 2011-04-08 09:50:25 PST -------
Thanks very much for tackling this!
------- Comment #25 From 2011-04-08 09:52:45 PST -------
(In reply to comment #24)
> Thanks very much for tackling this!

Thanks for carefully reviewing it! :)
------- Comment #26 From 2011-04-08 16:43:29 PST -------
Created an attachment (id=88896) [details]
Patch
------- Comment #27 From 2011-04-08 16:48:10 PST -------
(In reply to comment #23)
> (From update of attachment 88739 [details] [details])
> View in context: https://bugs.webkit.org/attachment.cgi?id=88739&action=review
> 
>Not sure why it’s not applying with the EWS.

I had not sync'ed in a bit. Now I have.

> 
> > Source/JavaScriptCore/jit/ExecutableAllocator.h:353
> > +    reviewCarefullyTurnOffVerifier();
> 
> I applaud the notion of building the advice to review the use of a function carefully right into the function name,


I made what the method does totally opaque now from the calling site but made it clear that no one should call it --  "neverCallThis". It is my goal to get rid of the method all together (and my current hope is to not get more instances of it in the code base).


> > Source/JavaScriptCore/wtf/NonThreadSafeVerifier.h:46
> > +class NonThreadSafeVerifier {
> I would call this ThreadRestrictionsVerifier 

Done.
> 
> > Source/JavaScriptCore/wtf/RefCounted.h:44
> > +        // Start thread verification as soon as the ref count gets to 2. This
> > +        // is a heuristic but it seems to work and has helped find some bugs.
> 
> I would like to catch an object created on one thread and destroyed on another without ever being ref'd.

Added a bug for being more strict. I think we can get there but it will take a bit of time.

> 
> Again, we can probably defend this policy, and I think it’s better to do that with a little more specifics even if not many more words.

Attempted to explain it better.

> > Source/JavaScriptCore/wtf/SizeLimits.cpp:45
> > +struct FakeDebugRefCounted {
> 
> I don’t entirely understand the meaning of the word “Fake” in this structure’s name. You should choose an even clearer name or add a comment.

Attempted to clarify the wording.
------- Comment #28 From 2011-04-08 18:32:07 PST -------
Created an attachment (id=88910) [details]
Patch
------- Comment #29 From 2011-04-12 18:09:43 PST -------
(From update of attachment 88910 [details])
From ggaren, "deprecatedXXX" is usually how we migrate off of old patterns, as opposed to "neverCallThis" so, "deprecatedTurnOffThreadingVerification", or something like that)
------- Comment #30 From 2011-04-25 11:10:42 PST -------
Created an attachment (id=90933) [details]
Patch
------- Comment #31 From 2011-04-27 16:22:02 PST -------
Created an attachment (id=91371) [details]
Patch
------- Comment #32 From 2011-04-27 16:27:08 PST -------
(From update of attachment 91371 [details])
View in context: https://bugs.webkit.org/attachment.cgi?id=91371&action=review

> Source/WebCore/ChangeLog:5
> +

Extra line?

> Source/WebCore/ForwardingHeaders/wtf/ThreadRestrictionVerifier.h:2
> +#define WebCore_FWD_ThreadRestrictionVerifier_h

Is this the standard?  I don't know.
------- Comment #33 From 2011-04-27 16:33:24 PST -------
Created an attachment (id=91374) [details]
Patch
------- Comment #34 From 2011-04-27 16:34:29 PST -------
(In reply to comment #32)
> (From update of attachment 91371 [details] [details])
> View in context: https://bugs.webkit.org/attachment.cgi?id=91371&action=review
> 
> > Source/WebCore/ChangeLog:5
> > +
> 
> Extra line?
Fixed.

> 
> > Source/WebCore/ForwardingHeaders/wtf/ThreadRestrictionVerifier.h:2
> > +#define WebCore_FWD_ThreadRestrictionVerifier_h
> 
> Is this the standard?
Yep (I checked several files at random in that dir and they all followed this pattern).
------- Comment #35 From 2011-04-28 11:44:06 PST -------
(From update of attachment 91374 [details])
I should probably land this by hand when it gets r+. Although I've tried hard to make sure there won't be issues, this is a patch that has a higher probability of causing issues.
------- Comment #36 From 2011-04-28 12:43:30 PST -------
(From update of attachment 91374 [details])
View in context: https://bugs.webkit.org/attachment.cgi?id=91374&action=review

> Source/JavaScriptCore/wtf/RefCounted.h:77
> +        UNUSED_PARAM(&mutex);
> +#ifndef NDEBUG
> +        m_verifier.setMutexMode(mutex);
> +#endif

We should only use UNUSED_PARAM when it’s actually unused. So it should be in an #else. But, better, I suggest writing it like this:

    void setMutexForVerifier(Mutex&);

    ...

    #ifdef NDEBUG
    inline void RefCountedBase::setMutexForVerifier(Mutex&)
    {
    }
    #else
    inline void RefCountedBase::setMutexForVerifier(Mutex& mutex)
    {
        m_verifier.setMutexMode(mutex);
    }
    #endif

Or like this:


    #ifdef NDEBUG
    void setMutexForVerifier(Mutex&) { }
    #else
    void setMutexForVerifier(Mutex& mutex)
    {
        m_verifier.setMutexMode(mutex);
    }
    #endif

> Source/JavaScriptCore/wtf/ThreadRestrictionVerifier.h:95
> +    // Is it ok to use the object at this moment on the current thread?

Normally "ok" is spelled "OK".

> Source/JavaScriptCore/wtf/ThreadRestrictionVerifier.h:104
> +            // isMainThread() is way faster than currentThread() on many platforms, so use it first.
> +            return (m_isOwnedByMainThread && isMainThread()) || (m_owningThread == currentThread());

If m_isOwnedByMainThread is false, then m_owningThread is not something we should look at; sure, it’s initialized to 0, but I’m not sure that’s even meaningful. So I suggest writing:

    return m_isOwnedByMainThread ? isMainThread() : (m_owningThread == currentThread());

Or factoring the code some other way, but doing that same effective check. I don’t think it’s good to look at m_owningThread at all if it wasn’t set to a thread.
------- Comment #37 From 2011-04-28 13:50:30 PST -------
Committed as http://trac.webkit.org/changeset/85233.

(In reply to comment #36)
> (From update of attachment 91374 [details] [details])
> View in context: https://bugs.webkit.org/attachment.cgi?id=91374&action=review
> 
> > Source/JavaScriptCore/wtf/RefCounted.h:77
> But, better, I suggest writing it like this:

Thanks for the detailed explanation. You said this before, and it is trivial to understand what you meant now that you wrote it out, but I just didn't get it previously.

> > Source/JavaScriptCore/wtf/ThreadRestrictionVerifier.h:104
> I don’t think it’s good to look at m_owningThread at all if it wasn’t set to a thread.

Thanks. That shouldn't have been written that way and was essentially a bug. Fixed (as you suggested).
------- Comment #38 From 2011-04-28 13:52:40 PST -------
http://trac.webkit.org/changeset/85233 might have broken Qt Linux ARMv7 Release and EFL Linux Release (Build)
------- Comment #39 From 2011-04-28 13:57:14 PST -------
Fixed build -- inverted ifdef (that I reversed during my last round of fixes) here: http://trac.webkit.org/changeset/85235

(I did another debug build but not another release build which would have caught this.)
------- Comment #40 From 2011-04-28 16:57:26 PST -------
Had to rollout due to jsc issue.
------- Comment #41 From 2011-04-28 17:10:34 PST -------
(From update of attachment 91374 [details])
This broke the jsc api/jsc command line app because they don't have a sense of what is the main thread and may never set the main thread.

I need to add some code to handle this case.
------- Comment #42 From 2011-07-20 18:01:21 PST -------
Created an attachment (id=101538) [details]
Patch
------- Comment #43 From 2011-07-20 18:04:25 PST -------
Same patch as what I checked in (which is the last patch with the suggested changes) plus the following changes:
1. This no longer relies on isMainThread since currentThread is now nearly as fast in debug.
2. I fixed the inverted ifndef that I changed here: http://trac.webkit.org/changeset/85235
------- Comment #44 From 2011-08-01 17:52:54 PST -------
Created an attachment (id=102601) [details]
Patch
------- Comment #45 From 2011-08-01 17:53:54 PST -------
Removed the exception for CString since the Chromium test code causing a failure has been fixed.
------- Comment #46 From 2011-08-01 18:51:14 PST -------
(From update of attachment 102601 [details])
View in context: https://bugs.webkit.org/attachment.cgi?id=102601&action=review

r=me, one tiny nit.
It's so cool you are doing this! The amount of things already fixed in order to land this patch is already worth the trouble :-)

> Source/JavaScriptCore/wtf/ThreadRestrictionVerifier.h:45
> +// The mode may be change by calling useMutexMode (or turnOffVerification).

"may be change" -> "may be changed"
------- Comment #47 From 2011-08-01 23:56:59 PST -------
(From update of attachment 102601 [details])
Marking cq- as it looks like this triggers asserts in Chromium. I suspect this are due to access of WebKit before calling WebKit::initialize.
------- Comment #48 From 2011-08-02 19:29:42 PST -------
Committed as http://trac.webkit.org/changeset/92254
------- Comment #49 From 2011-09-02 21:44:18 PST -------
(In reply to comment #48)
> Committed as http://trac.webkit.org/changeset/92254


If a SharedBuffer is set with MutexVerificationMode, then how can user own/lock it for further operation?

For example, while user gets a image via :

WebCore::Image *icon = WebCore::iconDatabase().synchronousIconForPageURL(kurl.string(), WebCore::IntSize(16, 16));


How to make sure calling "icon->nativeImageForCurrentFrame()" is safe?
------- Comment #50 From 2011-09-03 22:26:50 PST -------
(In reply to comment #49)
> (In reply to comment #48)
> > Committed as http://trac.webkit.org/changeset/92254
> 
> 
> If a SharedBuffer is set with MutexVerificationMode, then how can user own/lock it for further operation?
> 
> For example, while user gets a image via :
> 
> WebCore::Image *icon = WebCore::iconDatabase().synchronousIconForPageURL(kurl.string(), WebCore::IntSize(16, 16));
> 
> 
> How to make sure calling "icon->nativeImageForCurrentFrame()" is safe?

If an object is using MutexVerificationMode, it means that a mutex must be taken (locked) when the object is being used. The specific mutex depends on the object but you should be able to determine if by looking at the place where the mutex verification mode is set up.
------- Comment #51 From 2011-09-04 07:32:38 PST -------
> 
> If an object is using MutexVerificationMode, it means that a mutex must be taken (locked) when the object is being used. The specific mutex depends on the object but you should be able to determine if by looking at the place where the mutex verification mode is set up.

Yes, thanks. 
However I am calling 'ewk_history_item_icon_surface_get()' recently(in  Source/WebKit/efl/ewk/ewk_history.cpp), it always gets exception like this:

ASSERTION FAILED: m_verifier.isSafeToUse()
../Source/JavaScriptCore/wtf/RefCounted.h(53) : void WTF::RefCountedBase::ref()


Below is the code, it gets exception at "icon->nativeImageForCurrentFrame()". And have no idea how to take/lock the data before further operation?
-----------------------------------------------------------------------
However, cairo_surface_t* ewk_history_item_icon_surface_get(const Ewk_History_Item* item)
{
    EWK_HISTORY_ITEM_CORE_GET_OR_RETURN(item, core, 0);

    WebCore::Image* icon = WebCore::iconDatabase().synchronousIconForPageURL(core->url(), WebCore::IntSize(16, 16));
    if (!icon) {
        ERR("icon is NULL.");
        return 0;
    }
    return icon->nativeImageForCurrentFrame();
}
------- Comment #52 From 2011-09-04 10:08:30 PST -------
(In reply to comment #51)
> However I am calling 'ewk_history_item_icon_surface_get()' recently(in  Source/WebKit/efl/ewk/ewk_history.cpp), it always gets exception like this:
> 
> ASSERTION FAILED: m_verifier.isSafeToUse()
> ../Source/JavaScriptCore/wtf/RefCounted.h(53) : void WTF::RefCountedBase::ref()
> 
> 
> Below is the code, it gets exception at "icon->nativeImageForCurrentFrame()". And have no idea how to take/lock the data before further operation?

We’ll need the whole backtrace to understand what the issue is. I suggest opening a new bug report to track this.
------- Comment #53 From 2011-09-04 19:43:06 PST -------
(In reply to comment #52)
> 
> We’ll need the whole backtrace to understand what the issue is. I suggest opening a new bug report to track this.

New bug opened at https://bugs.webkit.org/show_bug.cgi?id=67582