Chromium Code Reviews
|
|
Chromium Code Reviews
Issue
1771353010:
Finish completeSweep before shutting down V8 (Closed)
|
Created:
4 years, 9 months ago by haraken Modified:
4 years, 9 months ago Reviewers:
sof CC:
chromium-reviews, oilpan-reviews, Mads Ager (chromium), blink-reviews-bindings_chromium.org, blink-reviews, kinuko+watch, kouhei+heap_chromium.org Base URL:
https://chromium.googlesource.com/chromium/src.git@master Target Ref:
refs/pending/heads/master Project:
chromium Visibility:
Public. |
DescriptionFinish completeSweep before shutting down V8
If Oilpan runs completeSweep after shutting down V8, some destructor
may access V8 and cause crash. Oilpan should finish completeSweep before
shutting down V8.
BUG=593092
Committed: https://crrev.com/29a57aad9a5cd9388811408f1a457493d6f9671d
Cr-Commit-Position: refs/heads/master@{#380415}
Patch Set 1 #Patch Set 2 : #
Total comments: 3
Patch Set 3 : #
Total comments: 2
Patch Set 4 : #
Total comments: 1
Patch Set 5 : #Patch Set 6 : #Patch Set 7 : #Patch Set 8 : #
Total comments: 3
Messages
Total messages: 29 (8 generated)
haraken@chromium.org changed reviewers: + sigbjornf@opera.com
PTAL https://codereview.chromium.org/1771353010/diff/20001/third_party/WebKit/Sour... File third_party/WebKit/Source/platform/heap/ThreadState.cpp (right): https://codereview.chromium.org/1771353010/diff/20001/third_party/WebKit/Sour... third_party/WebKit/Source/platform/heap/ThreadState.cpp:219: completeSweep(); Another option is just to remove completeSweep(). There is no reason we have to complete sweeping before shutting down the main thread. However, I prefer completing sweeping just in case. In production, blink::shutdown would rarely be called because the renderer is killed immediately in common cases. So having completeSweep() in the shutdown sequence won't matter for real-world performance. https://codereview.chromium.org/1771353010/diff/20001/third_party/WebKit/Sour... third_party/WebKit/Source/platform/heap/ThreadState.cpp:219: completeSweep(); Maybe we should add enterGCForbidenScope() before finishing stopMainThread() to make sure that no GC happens before detaching the main thread. (I don't have a strong opinion.) https://codereview.chromium.org/1771353010/diff/20001/third_party/WebKit/Sour... File third_party/WebKit/Source/platform/heap/ThreadState.h (left): https://codereview.chromium.org/1771353010/diff/20001/third_party/WebKit/Sour... third_party/WebKit/Source/platform/heap/ThreadState.h:433: void unregisterTraceDOMWrappers() Previously I mentioned that we need to clear m_traceDOMWrappers before detaching the main thread, but I was wrong. I don't think we need it because Oilpan's GC should not happen after stopMainThread is called.
On 2016/03/10 05:42:23, haraken wrote: > PTAL > > https://codereview.chromium.org/1771353010/diff/20001/third_party/WebKit/Sour... > File third_party/WebKit/Source/platform/heap/ThreadState.cpp (right): > > https://codereview.chromium.org/1771353010/diff/20001/third_party/WebKit/Sour... > third_party/WebKit/Source/platform/heap/ThreadState.cpp:219: completeSweep(); > > Another option is just to remove completeSweep(). There is no reason we have to > complete sweeping before shutting down the main thread. However, I prefer > completing sweeping just in case. > > In production, blink::shutdown would rarely be called because the renderer is > killed immediately in common cases. So having completeSweep() in the shutdown > sequence won't matter for real-world performance. > > https://codereview.chromium.org/1771353010/diff/20001/third_party/WebKit/Sour... > third_party/WebKit/Source/platform/heap/ThreadState.cpp:219: completeSweep(); > > Maybe we should add enterGCForbidenScope() before finishing stopMainThread() to > make sure that no GC happens before detaching the main thread. (I don't have a > strong opinion.) > > https://codereview.chromium.org/1771353010/diff/20001/third_party/WebKit/Sour... > File third_party/WebKit/Source/platform/heap/ThreadState.h (left): > > https://codereview.chromium.org/1771353010/diff/20001/third_party/WebKit/Sour... > third_party/WebKit/Source/platform/heap/ThreadState.h:433: void > unregisterTraceDOMWrappers() > > Previously I mentioned that we need to clear m_traceDOMWrappers before detaching > the main thread, but I was wrong. I don't think we need it because Oilpan's GC > should not happen after stopMainThread is called. (This fix is rather urgent.)
bots are red; will take a close look at the CL at the other side of the morning commute.
On 2016/03/10 06:33:21, sof wrote: > bots are red; will take a close look at the CL at the other side of the morning > commute. ah, I need to remove ASSERT(!state->m_isolate).
lgtm. I suspect this will take care of issue 592880 also.
The CQ bit was checked by haraken@chromium.org
CQ is trying da patch. Follow status at https://chromium-cq-status.appspot.com/patch-status/1771353010/40001 View timeline at https://chromium-cq-status.appspot.com/patch-timeline/1771353010/40001
The CQ bit was unchecked by commit-bot@chromium.org
Try jobs failed on following builders: cast_shell_linux on tryserver.chromium.linux (JOB_FAILED, http://build.chromium.org/p/tryserver.chromium.linux/builders/cast_shell_linu...)
https://codereview.chromium.org/1771353010/diff/40001/third_party/WebKit/Sour... File third_party/WebKit/Source/platform/heap/ThreadState.cpp (right): https://codereview.chromium.org/1771353010/diff/40001/third_party/WebKit/Sour... third_party/WebKit/Source/platform/heap/ThreadState.cpp:233: SafePointAwareMutexLocker locker(threadAttachMutex(), BlinkGC::NoHeapPointersOnStack); Ah, now I remember why I had to clear state->m_isolate before detaching the main thread. 1) V8 is shut down. 2) ThreadState::detachMainThread() is called. 3) SafePointAwareMutexLocker triggers a GC. 4) The GC tries to iterate V8 wrappers. V8 is already gone. #0 0x000004714f2b base::debug::(anonymous namespace)::StackDumpSignalHandler() #1 0x7fcaeee9dcb0 <unknown> #2 0x00000293f208 v8::internal::GlobalHandles::IterateAllRootsWithClassIds() #3 0x0000026f6746 v8::Isolate::VisitHandlesWithClassIds() #4 0x000002cdda0f blink::V8GCController::traceDOMWrappers() #5 0x000002c70b73 blink::ThreadState::visitPersistents() #6 0x000002c70941 blink::ThreadState::visitPersistentRoots() #7 0x000002c663cf blink::Heap::collectGarbage() #8 0x000002c672e1 blink::Heap::collectAllGarbage() #9 0x000002c765b6 blink::ThreadState::enterSafePoint() #10 0x000002c7014a blink::SafePointAwareMutexLocker::SafePointAwareMutexLocker() #11 0x000002c6ffd0 blink::ThreadState::detachMainThread() #12 0x000002c8f1f7 blink::shutdownWithoutV8() #13 0x00000144ca68 content::TestBlinkWebUnitTestSupport::~TestBlinkWebUnitTestSupport() #14 0x00000144cb49 content::TestBlinkWebUnitTestSupport::~TestBlinkWebUnitTestSupport() #15 0x000001448b6b content::UnitTestTestSuite::~UnitTestTestSuite() Clearing m_isolate is helpful to prevent the Oilpan's GC from iterating V8 wrappers, but it's not a right solution because it's already problematic that a GC is triggered after V8 is shut down. As described in this bug, some destructor invoked in the GC may access V8 and cause crashes. My proposal is 1) change the SafePointMutexLocker to MutexLocker or 2) just remove the SafePointMutexLocker. It is already guaranteed that the main thread is the last thread that gets detached. So we don't need to grab the mutex here. What do you think?
https://codereview.chromium.org/1771353010/diff/40001/third_party/WebKit/Sour... File third_party/WebKit/Source/platform/heap/ThreadState.cpp (right): https://codereview.chromium.org/1771353010/diff/40001/third_party/WebKit/Sour... third_party/WebKit/Source/platform/heap/ThreadState.cpp:233: SafePointAwareMutexLocker locker(threadAttachMutex(), BlinkGC::NoHeapPointersOnStack); On 2016/03/10 07:28:53, haraken wrote: > Ah, now I remember why I had to clear state->m_isolate before detaching the main > thread. > > 1) V8 is shut down. > 2) ThreadState::detachMainThread() is called. > 3) SafePointAwareMutexLocker triggers a GC. > 4) The GC tries to iterate V8 wrappers. V8 is already gone. > > #0 0x000004714f2b base::debug::(anonymous namespace)::StackDumpSignalHandler() > #1 0x7fcaeee9dcb0 <unknown> > #2 0x00000293f208 v8::internal::GlobalHandles::IterateAllRootsWithClassIds() > #3 0x0000026f6746 v8::Isolate::VisitHandlesWithClassIds() > #4 0x000002cdda0f blink::V8GCController::traceDOMWrappers() > #5 0x000002c70b73 blink::ThreadState::visitPersistents() > #6 0x000002c70941 blink::ThreadState::visitPersistentRoots() > #7 0x000002c663cf blink::Heap::collectGarbage() > #8 0x000002c672e1 blink::Heap::collectAllGarbage() > #9 0x000002c765b6 blink::ThreadState::enterSafePoint() > #10 0x000002c7014a blink::SafePointAwareMutexLocker::SafePointAwareMutexLocker() > #11 0x000002c6ffd0 blink::ThreadState::detachMainThread() > #12 0x000002c8f1f7 blink::shutdownWithoutV8() > #13 0x00000144ca68 > content::TestBlinkWebUnitTestSupport::~TestBlinkWebUnitTestSupport() > #14 0x00000144cb49 > content::TestBlinkWebUnitTestSupport::~TestBlinkWebUnitTestSupport() > #15 0x000001448b6b content::UnitTestTestSuite::~UnitTestTestSuite() > > Clearing m_isolate is helpful to prevent the Oilpan's GC from iterating V8 > wrappers, but it's not a right solution because it's already problematic that a > GC is triggered after V8 is shut down. As described in this bug, some destructor > invoked in the GC may access V8 and cause crashes. > > My proposal is 1) change the SafePointMutexLocker to MutexLocker or 2) just > remove the SafePointMutexLocker. It is already guaranteed that the main thread > is the last thread that gets detached. So we don't need to grab the mutex here. > > What do you think? If you add an assert or two to capture those assumptions in detachMainThread(), that approach sounds fine to me.
On 2016/03/10 07:35:41, sof wrote: > https://codereview.chromium.org/1771353010/diff/40001/third_party/WebKit/Sour... > File third_party/WebKit/Source/platform/heap/ThreadState.cpp (right): > > https://codereview.chromium.org/1771353010/diff/40001/third_party/WebKit/Sour... > third_party/WebKit/Source/platform/heap/ThreadState.cpp:233: > SafePointAwareMutexLocker locker(threadAttachMutex(), > BlinkGC::NoHeapPointersOnStack); > On 2016/03/10 07:28:53, haraken wrote: > > Ah, now I remember why I had to clear state->m_isolate before detaching the > main > > thread. > > > > 1) V8 is shut down. > > 2) ThreadState::detachMainThread() is called. > > 3) SafePointAwareMutexLocker triggers a GC. > > 4) The GC tries to iterate V8 wrappers. V8 is already gone. > > > > #0 0x000004714f2b base::debug::(anonymous namespace)::StackDumpSignalHandler() > > #1 0x7fcaeee9dcb0 <unknown> > > #2 0x00000293f208 v8::internal::GlobalHandles::IterateAllRootsWithClassIds() > > #3 0x0000026f6746 v8::Isolate::VisitHandlesWithClassIds() > > #4 0x000002cdda0f blink::V8GCController::traceDOMWrappers() > > #5 0x000002c70b73 blink::ThreadState::visitPersistents() > > #6 0x000002c70941 blink::ThreadState::visitPersistentRoots() > > #7 0x000002c663cf blink::Heap::collectGarbage() > > #8 0x000002c672e1 blink::Heap::collectAllGarbage() > > #9 0x000002c765b6 blink::ThreadState::enterSafePoint() > > #10 0x000002c7014a > blink::SafePointAwareMutexLocker::SafePointAwareMutexLocker() > > #11 0x000002c6ffd0 blink::ThreadState::detachMainThread() > > #12 0x000002c8f1f7 blink::shutdownWithoutV8() > > #13 0x00000144ca68 > > content::TestBlinkWebUnitTestSupport::~TestBlinkWebUnitTestSupport() > > #14 0x00000144cb49 > > content::TestBlinkWebUnitTestSupport::~TestBlinkWebUnitTestSupport() > > #15 0x000001448b6b content::UnitTestTestSuite::~UnitTestTestSuite() > > > > Clearing m_isolate is helpful to prevent the Oilpan's GC from iterating V8 > > wrappers, but it's not a right solution because it's already problematic that > a > > GC is triggered after V8 is shut down. As described in this bug, some > destructor > > invoked in the GC may access V8 and cause crashes. > > > > My proposal is 1) change the SafePointMutexLocker to MutexLocker or 2) just > > remove the SafePointMutexLocker. It is already guaranteed that the main thread > > is the last thread that gets detached. So we don't need to grab the mutex > here. > > > > What do you think? > > If you add an assert or two to capture those assumptions in detachMainThread(), > that approach sounds fine to me. PTAL
lgtm https://codereview.chromium.org/1771353010/diff/60001/third_party/WebKit/Sour... File third_party/WebKit/Source/platform/heap/ThreadState.cpp (right): https://codereview.chromium.org/1771353010/diff/60001/third_party/WebKit/Sour... third_party/WebKit/Source/platform/heap/ThreadState.cpp:237: ASSERT(!state->isSweepingInProgress()); nit: add ASSERT(state->isGCForbidden());
> https://codereview.chromium.org/1771353010/diff/60001/third_party/WebKit/Sour... > File third_party/WebKit/Source/platform/heap/ThreadState.cpp (right): > > https://codereview.chromium.org/1771353010/diff/60001/third_party/WebKit/Sour... > third_party/WebKit/Source/platform/heap/ThreadState.cpp:237: > ASSERT(!state->isSweepingInProgress()); > nit: add ASSERT(state->isGCForbidden()); Done.
The CQ bit was checked by haraken@chromium.org
The patchset sent to the CQ was uploaded after l-g-t-m from sigbjornf@opera.com Link to the patchset: https://codereview.chromium.org/1771353010/#ps80001 (title: " ")
CQ is trying da patch. Follow status at https://chromium-cq-status.appspot.com/patch-status/1771353010/80001 View timeline at https://chromium-cq-status.appspot.com/patch-timeline/1771353010/80001
The CQ bit was unchecked by commit-bot@chromium.org
Try jobs failed on following builders: cast_shell_linux on tryserver.chromium.linux (JOB_FAILED, http://build.chromium.org/p/tryserver.chromium.linux/builders/cast_shell_linu...)
shutdown untidiness in a HeapTest unit test.
https://codereview.chromium.org/1771353010/diff/140001/third_party/WebKit/Sou... File third_party/WebKit/Source/platform/heap/HeapTest.cpp (left): https://codereview.chromium.org/1771353010/diff/140001/third_party/WebKit/Sou... third_party/WebKit/Source/platform/heap/HeapTest.cpp:5754: class CrossThreadPersistentOnMainThreadTester { Would it make sense to remove this test? https://codereview.chromium.org/1771353010/diff/140001/third_party/WebKit/Sou... third_party/WebKit/Source/platform/heap/HeapTest.cpp:5766: ThreadState::detachMainThread(); It's not allowed to detach the main thread before detaching other threads. https://codereview.chromium.org/1771353010/diff/140001/third_party/WebKit/Sou... third_party/WebKit/Source/platform/heap/HeapTest.cpp:5780: // Do this to verify that CrossThreadPersistent<>s referring to objects The CrossThreadPersistent is not pointing to an object on the main thread (it's pointing to the object on the worker thread)...
Looks like the tests pass. PTAL.
lgtm sorry, forgot to follow up on HeapTest question, but agreeing that the test in question was no longer testing a valid condition.
The CQ bit was checked by haraken@chromium.org
CQ is trying da patch. Follow status at https://chromium-cq-status.appspot.com/patch-status/1771353010/140001 View timeline at https://chromium-cq-status.appspot.com/patch-timeline/1771353010/140001
Message was sent while issue was closed.
Committed patchset #8 (id:140001)
Message was sent while issue was closed.
Description was changed from ========== Finish completeSweep before shutting down V8 If Oilpan runs completeSweep after shutting down V8, some destructor may access V8 and cause crash. Oilpan should finish completeSweep before shutting down V8. BUG=593092 ========== to ========== Finish completeSweep before shutting down V8 If Oilpan runs completeSweep after shutting down V8, some destructor may access V8 and cause crash. Oilpan should finish completeSweep before shutting down V8. BUG=593092 Committed: https://crrev.com/29a57aad9a5cd9388811408f1a457493d6f9671d Cr-Commit-Position: refs/heads/master@{#380415} ==========
Message was sent while issue was closed.
Patchset 8 (id:??) landed as https://crrev.com/29a57aad9a5cd9388811408f1a457493d6f9671d Cr-Commit-Position: refs/heads/master@{#380415} |
||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||
