[Webkit-unassigned] [Bug 26839] New: Reference counting in JSC::UString is not thread safe

bugzilla-daemon at webkit.org bugzilla-daemon at webkit.org
Tue Jun 30 06:28:37 PDT 2009


https://bugs.webkit.org/show_bug.cgi?id=26839

           Summary: Reference counting in JSC::UString is not thread safe
           Product: WebKit
           Version: 528+ (Nightly build)
          Platform: PC
        OS/Version: Linux
            Status: UNCONFIRMED
          Severity: Normal
          Priority: P2
         Component: JavaScriptCore
        AssignedTo: webkit-unassigned at lists.webkit.org
        ReportedBy: martin.zoubek at acision.com


In a multithreaded build of JavaScriptCore, helgrind reports many unprotected
concurrent accesses to the reference counters in class JSC::UString, e.g.:

==24999== Possible data race during read of size 4 at 0x6b386b8 by thread #2
==24999==    at 0x4B550E4: JSC::UString::Rep::ref() (UString.h:133)
==24999==    by 0x4B57817: WTF::RefPtr<JSC::UString::Rep>::RefPtr(WTF::RefPtr<JSC::UString::Rep> const&) (RefPtr.h:40)
==24999==    by 0x4B57836: JSC::UString::UString(JSC::UString const&) (UString.h:242)
==24999==    by 0x4B7C115: OpaqueJSString::ustring() const (OpaqueJSString.cpp:46)
==24999==    by 0x4B5E456: JSEvaluateScript (JSBase.cpp:53)
==24999==    by 0x400FE4: worker (jstest.c:61)
==24999==    by 0x4A1ECE4: mythread_wrapper (hg_intercepts.c:194)
==24999==    by 0x514AC2A: start_thread (in /lib64/tls/libpthread-0.60.so)
==24999==    by 0x4FD903F: clone (in /lib64/tls/libc-2.3.2.so)
==24999==  This conflicts with a previous write of size 4 by thread #1
==24999==    at 0x4B550EE: JSC::UString::Rep::ref() (UString.h:133)
==24999==    by 0x4B579E3: WTF::RefPtr<JSC::UString::Rep>::RefPtr(JSC::UString::Rep*) (RefPtr.h:39)
==24999==    by 0x4B57A02: JSC::UString::UString() (UString.h:493)
==24999==    by 0x4C8CEA6: JSC::RegExpConstructorPrivate::RegExpConstructorPrivate() (RegExpConstructor.cpp:95)
==24999==    by 0x4C8C8F3: JSC::RegExpConstructor::RegExpConstructor(JSC::ExecState*, WTF::PassRefPtr<JSC::Structure>, JSC::RegExpPrototype*) (RegExpConstructor.cpp:108)
==24999==    by 0x4C697A9: JSC::JSGlobalObject::reset(JSC::JSValue) (JSGlobalObject.cpp:267)
==24999==    by 0x4C6C05B: JSC::JSGlobalObject::init(JSC::JSObject*) (JSGlobalObject.cpp:149)
==24999==    by 0x4B71868: JSC::JSGlobalObject::JSGlobalObject() (JSGlobalObject.h:156)

The attached patch fixes this by using the atomic operations provided by Threading.h.
For single-threaded builds the original code is preserved, so there should be
no performance penalty.


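The pattern the report describes, shown as an added, stand-alone example rather than WebKit's code or the attached patch: a shared heap object whose reference count is a plain `int` in a single-threaded build and an atomic in a threaded build, wrapped in a RefPtr-like handle whose copy constructor calls `ref()` (the frame helgrind flagged). The `Rep`, `Counter` and `Handle` types below are constructed for illustration, `std::atomic` stands in for the Threading.h atomic operations the patch uses, and `copyStormFinalCount` runs the copy/destroy pattern from several threads so the count can be checked afterwards.

```cpp
#include <atomic>
#include <iostream>
#include <thread>
#include <vector>

// Compile-time choice of counter, mirroring the approach the report describes:
// single-threaded builds keep the plain integer, threaded builds go atomic.
template <bool ThreadSafe> struct Counter;

// The original shape: a plain int, correct only while one thread touches it.
// Two threads doing ++value concurrently is exactly the race helgrind reported.
template <> struct Counter<false> {
    int value = 1;
    int increment() { return ++value; }
    int decrement() { return --value; }
    int load() const { return value; }
};

// Thread-safe replacement (std::atomic used here as a stand-in for the
// Threading.h atomic ops). Relaxed ordering suffices for the increment, since the
// caller already holds a reference so the object cannot vanish underneath it;
// the decrement needs acquire-release so the thread that ends up freeing the
// object observes every other thread's last use of it.
template <> struct Counter<true> {
    std::atomic<int> value{1};
    int increment() { return value.fetch_add(1, std::memory_order_relaxed) + 1; }
    int decrement() { return value.fetch_sub(1, std::memory_order_acq_rel) - 1; }
    int load() const { return value.load(std::memory_order_relaxed); }
};

// Constructed stand-in for a shared string representation, loosely modelled on
// the role JSC::UString::Rep plays: one heap object, many handles.
template <bool ThreadSafe> struct Rep {
    Counter<ThreadSafe> rc;
    void ref() { rc.increment(); }
    // Returns true when the caller dropped the last reference and must free it.
    bool deref() { return rc.decrement() == 0; }
    int refCount() const { return rc.load(); }
};

// Minimal handle with RefPtr-like semantics: copying refs, destroying derefs.
template <bool ThreadSafe> class Handle {
public:
    // Adopts an object whose initial reference the caller already owns.
    explicit Handle(Rep<ThreadSafe>* rep) : m_rep(rep) {}
    Handle(const Handle& other) : m_rep(other.m_rep) { if (m_rep) m_rep->ref(); }
    Handle& operator=(const Handle&) = delete;
    ~Handle() { if (m_rep && m_rep->deref()) delete m_rep; }
    Rep<ThreadSafe>* get() const { return m_rep; }
private:
    Rep<ThreadSafe>* m_rep;
};

// `threads` threads each copy and drop the shared handle `copies` times, the
// same ref()/deref() pattern that UString's copy constructor performs. With the
// atomic counter the count must come back to exactly 1 (the owner's reference).
int copyStormFinalCount(unsigned threads, unsigned copies) {
    Handle<true> owner(new Rep<true>());
    std::vector<std::thread> workers;
    for (unsigned t = 0; t < threads; ++t) {
        workers.emplace_back([&owner, copies] {
            for (unsigned i = 0; i < copies; ++i) {
                Handle<true> copy(owner);  // ref() on construction...
                (void)copy;                // ...deref() when it leaves scope
            }
        });
    }
    for (auto& w : workers) w.join();
    return owner.get()->refCount();
}

// Single-threaded path using the unchanged plain-int counter: same result,
// no atomic instructions, which is the "no penalty" case from the report.
int plainCounterRoundTrip(unsigned copies) {
    Handle<false> owner(new Rep<false>());
    for (unsigned i = 0; i < copies; ++i) {
        Handle<false> copy(owner);
        (void)copy;
    }
    return owner.get()->refCount();
}

int main() {
    std::cout << "atomic counter, 4 threads x 10000 copies, final count: "
              << copyStormFinalCount(4, 10000) << "\n";
    std::cout << "plain counter, 1 thread x 1000 copies, final count: "
              << plainCounterRoundTrip(1000) << "\n";
    return 0;
}
```

Running the threaded storm under helgrind with `Counter<true>` produces no race report on the counter, while swapping `Handle<true>` for `Handle<false>` in `copyStormFinalCount` reproduces the kind of report quoted above (and, being a data race, may also leave the count at something other than 1).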