[Webkit-unassigned] [Bug 164576] New: We probably have some races between how we validate that structures are registered and how we tell AI what structures we produce

bugzilla-daemon at webkit.org bugzilla-daemon at webkit.org
Wed Nov 9 17:34:08 PST 2016 

https://bugs.webkit.org/show_bug.cgi?id=164576

            Bug ID: 164576
           Summary: We probably have some races between how we validate
                    that structures are registered and how we tell AI what
                    structures we produce
    Classification: Unclassified
           Product: WebKit
           Version: WebKit Nightly Build
          Hardware: Unspecified
                OS: Unspecified
            Status: NEW
          Severity: Normal
          Priority: P2
         Component: JavaScriptCore
          Assignee: webkit-unassigned at lists.webkit.org
          Reporter: sbarati at apple.com
                CC: benjamin at webkit.org, fpizlo at apple.com,
                    ggaren at apple.com, gskachkov at gmail.com,
                    jfbastien at apple.com, keith_miller at apple.com,
                    mark.lam at apple.com, msaboff at apple.com,
                    oliver at apple.com, ticaiolima at gmail.com,
                    utatane.tea at gmail.com

For example, consider two threads, the JS thread (JST), and the compiler thread (CT)
Consider this interleaving of execution:

CT: Runs structure registration phase and registers arrayStructureForIndexingTypeDuringAllocation(ArrayWithInt32)
JST: fires having a bad time
CT: We tell AI that this node results in a value with arrayStructureForIndexingTypeDuringAllocation(ArrayWithInt32) structure.

We will no longer properly verify this code. I think this is mostly an innocuous bug, since such array allocation nodes will usually watch the having a bad time node, so if it fires during the compilation, we will eventually invalidate the compilation. However, it's probably worth having a more sound story here. What I'm doing in the patch I'm writing now is always registering and telling AI that I'm producing the original allocation structure if the compilation is watching the having a bad time watchpoint. Otherwise, I register the current allocation structure. The assumption here is that the compilation will always watch the having a bad time watchpoint for this particular node if it hasn't fired. If it's already fired, then using the current allocation structure is OK. However, this probably still leaves us a window to be racy about what structure we say we're producing.

-- 
You are receiving this mail because:
You are the assignee for the bug.
-------------- next part --------------
An HTML attachment was scrubbed...
URL: <https://lists.webkit.org/pipermail/webkit-unassigned/attachments/20161110/4e73defb/attachment.html>

More information about the webkit-unassigned mailing list