Deadlock when adding a Structure property transition and then doing incremental marking
author sbarati@apple.com <sbarati@apple.com@268f45cc-cd09-0410-ab3c-d52691b4dbfc>
Mon, 18 Feb 2019 01:27:22 +0000 (01:27 +0000)
committer sbarati@apple.com <sbarati@apple.com@268f45cc-cd09-0410-ab3c-d52691b4dbfc>
Mon, 18 Feb 2019 01:27:22 +0000 (01:27 +0000)
commit 3a41f50efcbafdd26413926033e020a6688beb3d
tree 10f768e1114e2aadbff0972a5d0c333fb3bcb6e8
parent 06f93fc233649c1698bc30bdd559b6a95a3fecce
Deadlock when adding a Structure property transition and then doing incremental marking
https://bugs.webkit.org/show_bug.cgi?id=194767

Reviewed by Mark Lam.

JSTests:

* stress/incremental-marking-should-not-dead-lock-in-new-property-transition.js: Added.

Source/JavaScriptCore:

This can happen in the following scenario:

You have a Structure S. S is on the mark stack. Then:
1. S grabs its lock
2. S adds a new property transition
3. We find out we need to do some incremental marking
4. We mark S
5. visitChildren on S will try to grab its lock
6. We are now in a deadlock

* heap/Heap.cpp:
(JSC::Heap::performIncrement):
* runtime/Structure.cpp:
(JSC::Structure::addNewPropertyTransition):

git-svn-id: https://svn.webkit.org/repository/webkit/trunk@241655 268f45cc-cd09-0410-ab3c-d52691b4dbfc
JSTests/ChangeLog
JSTests/stress/incremental-marking-should-not-dead-lock-in-new-property-transition.js [new file with mode: 0644]
Source/JavaScriptCore/ChangeLog
Source/JavaScriptCore/heap/Heap.cpp
Source/JavaScriptCore/runtime/Structure.cpp
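
The six-step scenario in the commit message above, as a single-threaded C++ model; this is an added example, not WebKit code and not the change this commit makes. `OwnerLock`, `Heap`, `Cell`, `deferMarking` and `scenarioSelfDeadlocks` are hypothetical names, and postponing the marking increment until the lock is released is one generic way to avoid the re-entry, assumed here for illustration.

```cpp
#include <thread>
#include <vector>
// Toy model; every name here is hypothetical, not JavaScriptCore code.
struct OwnerLock { // non-recursive lock that records its owner so re-entry can be reported
    std::thread::id owner{};
    bool heldByCaller() const { return owner == std::this_thread::get_id(); }
    void lock() { owner = std::this_thread::get_id(); }
    void unlock() { owner = std::thread::id(); }
};
struct Cell;
struct Heap {
    std::vector<Cell*> markStack;
    int deferDepth = 0;
    bool pendingIncrement = false, reentryDetected = false;
    void performIncrement();
    void allocate() { // step 3: an allocation can decide that marking work is due
        if (deferDepth) { pendingIncrement = true; return; }
        performIncrement();
    }
};
struct Cell {
    OwnerLock lock;
    bool visitChildren() { // step 5: the visitor takes the cell's lock
        if (lock.heldByCaller()) return false; // a blocking lock() would never return (step 6)
        lock.lock(); lock.unlock();
        return true;
    }
    void addTransition(Heap& heap, bool deferMarking) {
        if (deferMarking) ++heap.deferDepth;
        lock.lock();     // step 1
        heap.allocate(); // steps 2-4: allocating the transition while the lock is held
        lock.unlock();
        if (deferMarking && --heap.deferDepth == 0 && heap.pendingIncrement) {
            heap.pendingIncrement = false;
            heap.performIncrement(); // postponed increment runs after the lock is released
        }
    }
};
void Heap::performIncrement() {
    for (Cell* cell : markStack) // step 4: mark what is on the mark stack
        if (!cell->visitChildren()) reentryDetected = true;
}
bool scenarioSelfDeadlocks(bool deferMarking) {
    Heap heap; Cell s;
    heap.markStack.push_back(&s); // "S is on the mark stack"
    s.addTransition(heap, deferMarking);
    return heap.reentryDetected;
}
int main() { return scenarioSelfDeadlocks(false) && !scenarioSelfDeadlocks(true) ? 0 : 1; }
```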