Modified: trunk/Source/_javascript_Core/ChangeLog (217076 => 217077)
--- trunk/Source/_javascript_Core/ChangeLog 2017-05-18 23:27:37 UTC (rev 217076)
+++ trunk/Source/_javascript_Core/ChangeLog 2017-05-18 23:47:23 UTC (rev 217077)
@@ -1,3 +1,29 @@
+2017-05-18 Saam Barati <[email protected]>
+
+ We need to destroy worker threads in jsc.cpp
+ https://bugs.webkit.org/show_bug.cgi?id=170751
+ <rdar://problem/31800412>
+
+ Reviewed by Filip Pizlo.
+
+ This patch fixes a bug where a $ agent worker would still
+ have compilation threads running after the thread the worker
+ was created on dies. This manifested itself inside DFG AI where
+ we would notice a string constant is atomic, then the worker
+ thread would die, destroying its atomic string table, then
+ we'd notice the same string is no longer atomic, and we'd crash
+ because we'd fail to see the same speculated type for the same
+ JSValue.
+
+ This patch makes it so that $ agent workers destroy their VM when
+ they're done executing. Before a VM gets destroyed, it ensures that
+ all its compilation threads finish.
+
+ * jsc.cpp:
+ (functionDollarAgentStart):
+ (runJSC):
+ (jscmain):
+
2017-05-18 Michael Saboff <[email protected]>
Add FTL whitelist debugging option
Modified: trunk/Source/_javascript_Core/jsc.cpp (217076 => 217077)
--- trunk/Source/_javascript_Core/jsc.cpp 2017-05-18 23:27:37 UTC (rev 217076)
+++ trunk/Source/_javascript_Core/jsc.cpp 2017-05-18 23:47:23 UTC (rev 217077)
@@ -939,7 +939,7 @@
class Workers;
template<typename Func>
-int runJSC(CommandLine, const Func&);
+int runJSC(CommandLine, bool isWorker, const Func&);
static void checkException(GlobalObject*, bool isLastFile, bool hasException, JSValue, const String& uncaughtExceptionName, bool alwaysDumpUncaughtException, bool dump, bool& success);
class Message : public ThreadSafeRefCounted<Message> {
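Review bot: The new `bool isWorker` parameter reads as an opaque `true`/`false` at the two call sites later in this commit (`commandLine, true,` in functionDollarAgentStart and `options, false,` in jscmain), and the same applies to the definition hunk at line 3792. Since the flag decides whether the VM is torn down at the end of `runJSC`, a small `enum class` naming that lifetime choice (e.g. `enum class VMLifetime { KeepAlive, DestroyOnExit };`) in place of the bool would make the intent visible at each call without a comment. If the bool is kept, a one-line comment on the declaration such as `// isWorker: destroy the VM (and wait for its compilation threads) when runJSC returns` would serve the same purpose.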
@@ -2551,7 +2551,7 @@
CommandLine commandLine(0, nullptr);
commandLine.m_interactive = false;
runJSC(
- commandLine,
+ commandLine, true,
[&] (VM&, GlobalObject* globalObject) {
// Notify the thread that started us that we have registered a worker.
{
@@ -3792,7 +3792,7 @@
}
template<typename Func>
-int runJSC(CommandLine options, const Func& func)
+int runJSC(CommandLine options, bool isWorker, const Func& func)
{
Worker worker(Workers::singleton());
@@ -3871,6 +3871,13 @@
#endif
}
+ if (isWorker) {
+ JSLockHolder locker(vm);
+ // This is needed because we don't want the worker's main
+ // thread to die before its compilation threads finish.
+ vm.deref();
+ }
+
return result;
}
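Review bot: The comment above `vm.deref()` gives the motivation but not the mechanism, and nothing in the hunk shows what keeps `vm` valid once its reference count drops, which matters because the bug being fixed is compilation threads using a destroyed atomic string table. Presumably the deref balances the reference `runJSC` takes when it creates the VM earlier in the function (outside this hunk), `~VM` waits for the compilation threads, and `JSLockHolder` holds its own reference so destruction actually happens when `locker` leaves scope; if that is the design, state it: `// Drop the ref taken at VM creation so the VM, and via ~VM its compilation threads, is torn down before this thread exits; the JSLockHolder keeps the VM alive until it unlocks, so the deref is safe under it.` It is also worth a sentence on why the non-worker path deliberately keeps its VM alive, since the asymmetry is otherwise invisible to a reader. runJSC begins outside this hunk.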
@@ -3895,7 +3902,7 @@
int result;
result = runJSC(
- options,
+ options, false,
[&] (VM&, GlobalObject* globalObject) {
return runWithScripts(globalObject, options.m_scripts, options.m_uncaughtExceptionName, options.m_alwaysDumpUncaughtException, options.m_dump, options.m_module);
});