Commit 28ead054 authored by Marja Hölttä's avatar Marja Hölttä Committed by Commit Bot

[Atomics.waitAsync] Fix removing multiple nodes when Isolate deinits

RemoveNode already nullifies the next_ pointer of FutexWaitListNode,
and DeleteAsyncNode was trying to retrieve it.

Bug: v8:10239
Change-Id: I595885de87f433d263eeacfc825a689efd467f5e
Reviewed-on: https://chromium-review.googlesource.com/c/v8/v8/+/2332812
Commit-Queue: Marja Hölttä <marja@chromium.org>
Reviewed-by: 's avatarUlan Degenbaev <ulan@chromium.org>
Reviewed-by: 's avatarShu-yu Guo <syg@chromium.org>
Cr-Commit-Position: refs/heads/master@{#69259}
parent e06ace6b
......@@ -1809,6 +1809,19 @@ void Shell::WorkerTerminate(const v8::FunctionCallbackInfo<v8::Value>& args) {
worker->Terminate();
}
void Shell::WorkerTerminateAndWait(
const v8::FunctionCallbackInfo<v8::Value>& args) {
Isolate* isolate = args.GetIsolate();
HandleScope handle_scope(isolate);
std::shared_ptr<Worker> worker =
GetWorkerFromInternalField(isolate, args.Holder());
if (!worker.get()) {
return;
}
worker->TerminateAndWaitForThread();
}
void Shell::QuitOnce(v8::FunctionCallbackInfo<v8::Value>* args) {
int exit_code = (*args)[0]
->Int32Value(args->GetIsolate()->GetCurrentContext())
......@@ -2138,6 +2151,10 @@ Local<ObjectTemplate> Shell::CreateGlobalTemplate(Isolate* isolate) {
isolate, "terminate",
FunctionTemplate::New(isolate, WorkerTerminate, Local<Value>(),
worker_signature));
worker_fun_template->PrototypeTemplate()->Set(
isolate, "terminateAndWait",
FunctionTemplate::New(isolate, WorkerTerminateAndWait, Local<Value>(),
worker_signature));
worker_fun_template->PrototypeTemplate()->Set(
isolate, "postMessage",
FunctionTemplate::New(isolate, WorkerPostMessage, Local<Value>(),
......@@ -3056,7 +3073,7 @@ void Worker::Terminate() {
task_runner_->PostTask(std::move(task));
}
void Worker::WaitForThread() {
void Worker::TerminateAndWaitForThread() {
Terminate();
thread_->Join();
}
......@@ -3917,7 +3934,7 @@ void Shell::WaitForRunningWorkers() {
}
for (auto& worker : workers_copy) {
worker->WaitForThread();
worker->TerminateAndWaitForThread();
}
// Now that all workers are terminated, we can re-enable Worker creation.
......
......@@ -183,7 +183,7 @@ class Worker : public std::enable_shared_from_this<Worker> {
void Terminate();
// Terminate and join the thread.
// This function can be called by any thread.
void WaitForThread();
void TerminateAndWaitForThread();
// Start running the given worker in another thread.
static bool StartWorkerThread(std::shared_ptr<Worker> worker);
......@@ -429,6 +429,8 @@ class Shell : public i::AllStatic {
const v8::FunctionCallbackInfo<v8::Value>& args);
static void WorkerGetMessage(const v8::FunctionCallbackInfo<v8::Value>& args);
static void WorkerTerminate(const v8::FunctionCallbackInfo<v8::Value>& args);
static void WorkerTerminateAndWait(
const v8::FunctionCallbackInfo<v8::Value>& args);
// The OS object on the global object contains methods for performing
// operating system calls:
//
......
......@@ -772,8 +772,10 @@ void FutexEmulation::IsolateDeinit(Isolate* isolate) {
// NativeContext. Also we don't need to cancel the timeout task, since it
// will be cancelled by Isolate::Deinit.
node->timeout_task_id_ = CancelableTaskManager::kInvalidTaskId;
auto next = node->next_;
g_wait_list.Pointer()->RemoveNode(node);
node = DeleteAsyncWaiterNode(node);
delete node;
node = next;
} else {
node = node->next_;
}
......
// Copyright 2020 the V8 project authors. All rights reserved.
// Use of this source code is governed by a BSD-style license that can be
// found in the LICENSE file.
// Flags: --allow-natives-syntax --harmony-sharedarraybuffer --harmony-atomics-waitasync
(function test() {
const sab = new SharedArrayBuffer(16);
const i32a = new Int32Array(sab);
const location = 0;
(function createWorker() {
const script = `onmessage = function(msg) {
if (msg.sab) {
const i32a = new Int32Array(msg.sab);
// Start 2 async waits in the same location.
const result1 = Atomics.waitAsync(i32a, ${location}, 0);
const result2 = Atomics.waitAsync(i32a, ${location}, 0);
postMessage('worker waiting');
}
}`;
const w = new Worker(script, {type : 'string'});
w.postMessage({sab: sab});
const m = w.getMessage();
assertEquals('worker waiting', m);
w.terminateAndWait();
})();
const notify_return_value = Atomics.notify(i32a, location, 2);
// No waiters got notified, since they got cleaned up before it.
assertEquals(0, notify_return_value);
})();
// Copyright 2020 the V8 project authors. All rights reserved.
// Use of this source code is governed by a BSD-style license that can be
// found in the LICENSE file.
// Flags: --allow-natives-syntax --harmony-sharedarraybuffer --harmony-atomics-waitasync
(function test() {
const sab = new SharedArrayBuffer(16);
const i32a = new Int32Array(sab);
const location = 0;
(function createWorker() {
const script = `onmessage = function(msg) {
if (msg.sab) {
const i32a = new Int32Array(msg.sab);
Atomics.waitAsync(i32a, ${location}, 0);
postMessage('worker waiting');
}
}`;
// Create 2 workers which wait on the same location.
let workers = [];
const worker_count = 2;
for (let i = 0; i < worker_count; ++i) {
workers[i] = new Worker(script, {type : 'string'});
workers[i].postMessage({sab: sab});
const m = workers[i].getMessage();
assertEquals('worker waiting', m);
}
for (let i = 0; i < worker_count; ++i) {
workers[i].terminateAndWait();
}
})();
const notify_return_value = Atomics.notify(i32a, location, 2);
// No waiters got notified, since they got cleaned up before it.
assertEquals(0, notify_return_value);
})();
Markdown is supported
0% or
You are about to add 0 people to the discussion. Proceed with caution.
Finish editing this message first!
Please register or to comment