Bug 1565272 - Prevent races with the background decommit task r=sfink

Differential Revision: https://phabricator.services.mozilla.com/D38043 --HG-- extra : moz-landing-system : lando
2024-10-26 03:35:33 +00:00 · 2019-07-17 01:24:29 +00:00 · 2019-07-17 01:24:29 +00:00 · 22d5ff3c4e
commit 22d5ff3c4e
parent 047d362780
2 changed files with 28 additions and 0 deletions
--- a/js/src/gc/Nursery.cpp
+++ b/js/src/gc/Nursery.cpp
@ -322,6 +322,9 @@ void js::Nursery::disable() {
    return;
  }

+  // Freeing the chunks must not race with decommitting part of one of our
+  // chunks. So join the decommitTask here and also below.
+  decommitTask.join();
  freeChunksFrom(0);
  capacity_ = 0;

@ -363,6 +366,11 @@ bool js::Nursery::isEmpty() const {
 void js::Nursery::enterZealMode() {
  if (isEnabled()) {
    if (isSubChunkMode()) {
+      // The poisoning call below must not race with background decommit,
+      // which could be attempting to decommit the currently-unused part of this
+      // chunk.
+      decommitTask.join();
+
      // It'd be simpler to poison the whole chunk, but we can't do that
      // because the nursery might be partially used.
      chunk(0).poisonRange(capacity_, NurseryChunkUsableSize - capacity_,
--- a/js/src/jit-test/tests/gc/bug-1565272.js
+++ b/js/src/jit-test/tests/gc/bug-1565272.js
@ -0,0 +1,20 @@
+// |jit-test| --fuzzing-safe; --ion-offthread-compile=off; --ion-warmup-threshold=10
+
+// Test that Nursery::disable() waits for poisoning to finish before
+// discarding and re-poisoning its chunks.
+
+for(var i = 0; i < 100; i++) {
+  try {
+    evalInWorker(`
+      function testOneSize(current_size) {
+        var eval_string = 'obj = {';
+        for (var current = 0; current <= current_size; ++current)
+          eval_string += 'k' + current + ':' + current + ','
+      }
+      testOneSize(1023);
+      testOneSize(1024);
+      gczeal(4);
+    `);
+  } catch (exc) {}
+}
+