

Source/JavaScriptCore: Repeatedly creating and destroying workers that enqueue DFG plans can outpace the DFG worklist, which then causes VM shutdown to stall, which then causes memory growth https://bugs.webkit.org/show_bug.cgi?id=159754 Reviewed by Geoffrey Garen. If you create and destroy workers at a high rate and those workers enqueue some DFG plans that are still not compiled at the time that the worker is closed, then the closed workers end up stalling in VM::~VM waiting for the DFG worklist thread to finish those plans. Since we don't actually cancel the plans, it's easy to create a situation where the workers outpace the DFG worklist, especially if you create many workers at a time and each one finishes just after enqueueing those plans. The solution is to allow VM::~VM to remove plans from the DFG worklist that are related to that VM but aren't currently being worked on. That turns out to be an easy change. I have a test that repros this, but it's quite long-running. I call it workers/bomb.html. We may want to exclude it from test runs because of how long it takes. * dfg/DFGWorklist.cpp: (JSC::DFG::Worklist::removeDeadPlans): (JSC::DFG::Worklist::removeNonCompilingPlansForVM): (JSC::DFG::Worklist::queueLength): (JSC::DFG::Worklist::runThread): * dfg/DFGWorklist.h: * runtime/VM.cpp: (JSC::VM::~VM): LayoutTests: Repeatedly creating and destroying workers that enqueue DFG plans can outpace the DFG worklist, which then causes VM shutdown to stall, which then causes a memory growth https://bugs.webkit.org/show_bug.cgi?id=159754 Reviewed by Geoffrey Garen. Adds two tests that create a lot of workers that do sophisticated things. These are long-running tests so we may want to skip them. It's OK if we end up only running them manually occasionally. * workers: Added. * workers/bomb.html: Added. * workers/bomb-expected.txt: Added. * workers/bomb-with-v8.html: Added. * workers/tests: Added. * workers/tests/3d-cube.js: Added. * workers/tests/3d-morph.js: Added. 
* workers/tests/3d-raytrace.js: Added. * workers/tests/access-binary-trees.js: Added. * workers/tests/access-fannkuch.js: Added. * workers/tests/access-nbody.js: Added. * workers/tests/access-nsieve.js: Added. * workers/tests/bitops-3bit-bits-in-byte.js: Added. * workers/tests/bitops-bits-in-byte.js: Added. * workers/tests/bitops-bitwise-and.js: Added. * workers/tests/bitops-nsieve-bits.js: Added. * workers/tests/controlflow-recursive.js: Added. * workers/tests/crypto-aes.js: Added. * workers/tests/crypto-md5.js: Added. * workers/tests/crypto-sha1.js: Added. * workers/tests/date-format-tofte.js: Added. * workers/tests/date-format-xparb.js: Added. * workers/tests/math-cordic.js: Added. * workers/tests/math-partial-sums.js: Added. * workers/tests/math-spectral-norm.js: Added. * workers/tests/regexp-dna.js: Added. * workers/tests/string-base64.js: Added. * workers/tests/string-fasta.js: Added. * workers/tests/string-tagcloud.js: Added. * workers/tests/string-unpack-code.js: Added. * workers/tests/string-validate-input.js: Added. * workers/tests/v8-crypto.js: Added. * workers/tests/v8-deltablue.js: Added. * workers/tests/v8-earley-boyer.js: Added. * workers/tests/v8-raytrace.js: Added. * workers/tests/v8-regexp.js: Added. * workers/tests/v8-richards.js: Added. * workers/tests/v8-splay.js: Added. Canonical link: https://commits.webkit.org/178055@main git-svn-id: https://svn.webkit.org/repository/webkit/trunk@203370 268f45cc-cd09-0410-ab3c-d52691b4dbfc
2016-07-18 20:31:20 +00:00
/*
 * A JavaScript implementation of the Secure Hash Algorithm, SHA-1, as defined
 * in FIPS PUB 180-1
 * Version 2.1a Copyright Paul Johnston 2000 - 2002.
 * Other contributors: Greg Holt, Andrew Kepert, Ydnar, Lostinet
 * Distributed under the BSD License
 * See http://pajhome.org.uk/crypt/md5 for details.
 */
/*
 * Configurable variables. You may need to tweak these to be compatible with
 * the server-side, but the defaults work in most cases.
 */
var hexcase = 0; /* hex output format. 0 - lowercase; 1 - uppercase */
var b64pad = ""; /* base-64 pad character. "=" for strict RFC compliance */
var chrsz = 8; /* bits per input character. 8 - ASCII; 16 - Unicode */
/*
 * These are the functions you'll usually want to call
 * They take string arguments and return either hex or base-64 encoded strings
 */
/*
 * SHA-1 of the string s, returned as a hex string (digit case follows hexcase).
 * The input is packed with str2binb, so chrsz decides how many bits of each
 * character reach the hash.
 */
function hex_sha1(s)
{
  var words = str2binb(s);
  var bitLength = s.length * chrsz;
  return binb2hex(core_sha1(words, bitLength));
}
/*
 * SHA-1 of the string s, returned as a base-64 string (padding follows b64pad).
 * The input is packed with str2binb, so chrsz decides how many bits of each
 * character reach the hash.
 */
function b64_sha1(s)
{
  var words = str2binb(s);
  var bitLength = s.length * chrsz;
  return binb2b64(core_sha1(words, bitLength));
}
/*
 * SHA-1 of the string s, returned as a raw string built by binb2str
 * (one output character per chrsz bits of the digest).
 */
function str_sha1(s)
{
  var words = str2binb(s);
  var bitLength = s.length * chrsz;
  return binb2str(core_sha1(words, bitLength));
}
/*
 * HMAC-SHA1 of data under key (both strings), returned as a hex string.
 */
function hex_hmac_sha1(key, data)
{
  var mac = core_hmac_sha1(key, data);
  return binb2hex(mac);
}
/*
 * HMAC-SHA1 of data under key (both strings), returned as a base-64 string.
 */
function b64_hmac_sha1(key, data)
{
  var mac = core_hmac_sha1(key, data);
  return binb2b64(mac);
}
/*
 * HMAC-SHA1 of data under key (both strings), returned as a raw string
 * built by binb2str.
 */
function str_hmac_sha1(key, data)
{
  var mac = core_hmac_sha1(key, data);
  return binb2str(mac);
}
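/*
 * Perform a simple self-test to see if the VM is working.
 *
 * Hashes the string "abc" and compares the hex digest with the expected
 * value. The expected digest is written in lowercase, so the check only
 * passes while hexcase is left at 0.
 *
 * Returns true when the digest matches, false otherwise.
 */
function sha1_vm_test()
{
  return hex_sha1("abc") === "a9993e364706816aba3e25717850c26c9cd0d89d";
}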
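/*
 * Calculate the SHA-1 of an array of big-endian words, and a bit length.
 *
 * x   - message as 32-bit big-endian words; it is modified in place, because
 *       the padding and the length word are written into it.
 * len - message length in bits.
 *
 * Returns an array of five 32-bit words (the 160-bit digest), held as signed
 * JavaScript integers.
 *
 * SHA-1 is no longer collision resistant, so this routine is not a sound
 * basis for new signature or integrity schemes.
 */
function core_sha1(x, len)
{
  /* append padding: a single 1 bit directly after the message ... */
  x[len >> 5] |= 0x80 << (24 - len % 32);
  /* ... and the bit length in the last word of the final 512-bit block.
     Words never assigned stay as holes and act as zero in the bitwise math. */
  x[((len + 64 >> 9) << 4) + 15] = len;

  var w = Array(80);
  /* Initial hash value: 0x67452301, 0xEFCDAB89, 0x98BADCFE, 0x10325476,
     0xC3D2E1F0 written as signed 32-bit integers. */
  var a =  1732584193;
  var b = -271733879;
  var c = -1732584194;
  var d =  271733878;
  var e = -1009589776;

  /* One pass per 16-word (512-bit) block. */
  for(var i = 0; i < x.length; i += 16)
  {
    var olda = a;
    var oldb = b;
    var oldc = c;
    var oldd = d;
    var olde = e;

    for(var j = 0; j < 80; j++)
    {
      /* Message schedule: the first 16 words come from the block, the rest
         are derived from earlier schedule words. */
      if(j < 16) w[j] = x[i + j];
      else w[j] = rol(w[j-3] ^ w[j-8] ^ w[j-14] ^ w[j-16], 1);
      var t = safe_add(safe_add(rol(a, 5), sha1_ft(j, b, c, d)),
                       safe_add(safe_add(e, w[j]), sha1_kt(j)));
      e = d;
      d = c;
      c = rol(b, 30);
      b = a;
      a = t;
    }

    /* Fold this block's result into the running state. */
    a = safe_add(a, olda);
    b = safe_add(b, oldb);
    c = safe_add(c, oldc);
    d = safe_add(d, oldd);
    e = safe_add(e, olde);
  }
  return Array(a, b, c, d, e);
}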
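/*
 * Perform the appropriate triplet combination function for the current
 * iteration.
 *
 * t       - round index (0..79 as used by core_sha1).
 * b, c, d - three of the working state words.
 *
 * Returns the bitwise choice function for t < 20, parity (XOR) for
 * 20 <= t < 40, majority for 40 <= t < 60, and parity again afterwards.
 */
function sha1_ft(t, b, c, d)
{
  if(t < 20) return (b & c) | ((~b) & d);
  if(t < 40) return b ^ c ^ d;
  if(t < 60) return (b & c) | (b & d) | (c & d);
  return b ^ c ^ d;
}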
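/*
 * Determine the appropriate additive constant for the current iteration.
 *
 * t - round index (0..79 as used by core_sha1).
 *
 * The four values are 0x5A827999, 0x6ED9EBA1, 0x8F1BBCDC and 0xCA62C1D6,
 * written as signed 32-bit integers; each covers a run of 20 rounds.
 */
function sha1_kt(t)
{
  return (t < 20) ?  1518500249 : (t < 40) ?  1859775393 :
         (t < 60) ? -1894007588 : -899497514;
}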
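/*
 * Calculate the HMAC-SHA1 of a key and some data.
 *
 * key, data - strings; both are packed with str2binb, so with chrsz = 8 only
 *             the low byte of each character takes part. Keys that differ
 *             only in the high bytes therefore yield the same MAC.
 *
 * Returns the 160-bit MAC as an array of five 32-bit words.
 */
function core_hmac_sha1(key, data)
{
  var bkey = str2binb(key);
  /* A key longer than one 512-bit block (16 words) is replaced by its hash. */
  if(bkey.length > 16) bkey = core_sha1(bkey, key.length * chrsz);

  var ipad = Array(16), opad = Array(16);
  for(var i = 0; i < 16; i++)
  {
    /* A short key is zero-extended implicitly: a missing bkey[i] is
       undefined, and undefined ^ n evaluates to n. */
    ipad[i] = bkey[i] ^ 0x36363636;
    opad[i] = bkey[i] ^ 0x5C5C5C5C;
  }

  /* Inner hash over ipad || data, outer hash over opad || inner digest;
     512 is the bit length of the pad block, 160 that of the inner digest. */
  var hash = core_sha1(ipad.concat(str2binb(data)), 512 + data.length * chrsz);
  return core_sha1(opad.concat(hash), 512 + 160);
}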
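/*
 * Add integers, wrapping at 2^32. This uses 16-bit operations internally
 * to work around bugs in some JS interpreters.
 *
 * x, y - values treated as 32-bit integers.
 *
 * Returns the sum as a signed 32-bit integer.
 */
function safe_add(x, y)
{
  /* Add the low halves, then the high halves plus the carry out of the low sum. */
  var lsw = (x & 0xFFFF) + (y & 0xFFFF);
  var msw = (x >> 16) + (y >> 16) + (lsw >> 16);
  return (msw << 16) | (lsw & 0xFFFF);
}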
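/*
 * Bitwise rotate a 32-bit number to the left.
 *
 * num - value treated as a 32-bit integer.
 * cnt - number of bit positions to rotate by.
 *
 * Returns the rotated value as a signed 32-bit integer. The unsigned shift
 * (>>>) brings the bits that fall off the top back in at the bottom without
 * sign extension.
 */
function rol(num, cnt)
{
  return (num << cnt) | (num >>> (32 - cnt));
}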
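/*
 * Convert an 8-bit or 16-bit string to an array of big-endian words.
 * In 8-bit function, characters >255 have their hi-byte silently ignored.
 *
 * str - input string; chrsz bits are taken from each character.
 *
 * Returns an array of 32-bit words (signed), empty for an empty string.
 * Because of the masking, distinct strings can pack to the same words when
 * chrsz is 8; encode text to bytes first if that distinction matters.
 */
function str2binb(str)
{
  var bin = Array();
  var mask = (1 << chrsz) - 1;
  for(var i = 0; i < str.length * chrsz; i += chrsz)
    bin[i>>5] |= (str.charCodeAt(i / chrsz) & mask) << (32 - chrsz - i%32);
  return bin;
}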
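/*
 * Convert an array of big-endian words to a string.
 *
 * bin - array of 32-bit words.
 *
 * Returns a string with one character per chrsz bits of input, most
 * significant bits first.
 */
function binb2str(bin)
{
  var str = "";
  var mask = (1 << chrsz) - 1;
  for(var i = 0; i < bin.length * 32; i += chrsz)
    str += String.fromCharCode((bin[i>>5] >>> (32 - chrsz - i%32)) & mask);
  return str;
}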
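/*
 * Convert an array of big-endian words to a hex string.
 *
 * binarray - array of 32-bit words.
 *
 * Returns two hex digits per byte, eight per word; hexcase selects
 * uppercase or lowercase digits.
 */
function binb2hex(binarray)
{
  var hex_tab = hexcase ? "0123456789ABCDEF" : "0123456789abcdef";
  var str = "";
  for(var i = 0; i < binarray.length * 4; i++)
  {
    /* High nibble first, then low nibble, of byte i counted from the
       most significant end of each word. */
    str += hex_tab.charAt((binarray[i>>2] >> ((3 - i%4)*8+4)) & 0xF) +
           hex_tab.charAt((binarray[i>>2] >> ((3 - i%4)*8  )) & 0xF);
  }
  return str;
}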
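/*
 * Convert an array of big-endian words to a base-64 string.
 *
 * binarray - array of 32-bit words.
 *
 * Returns the base-64 text of the bytes in binarray. Output positions that
 * lie past the end of the input receive b64pad, so the default empty b64pad
 * produces unpadded output.
 */
function binb2b64(binarray)
{
  var tab = "ABCDEFGHIJKLMNOPQRSTUVWXYZabcdefghijklmnopqrstuvwxyz0123456789+/";
  var str = "";
  for(var i = 0; i < binarray.length * 4; i += 3)
  {
    /* Gather three bytes; a word index past the end reads undefined,
       which the shift turns into 0. */
    var triplet = (((binarray[i   >> 2] >> 8 * (3 -  i   %4)) & 0xFF) << 16)
                | (((binarray[i+1 >> 2] >> 8 * (3 - (i+1)%4)) & 0xFF) << 8 )
                |  ((binarray[i+2 >> 2] >> 8 * (3 - (i+2)%4)) & 0xFF);
    for(var j = 0; j < 4; j++)
    {
      if(i * 8 + j * 6 > binarray.length * 32) str += b64pad;
      else str += tab.charAt((triplet >> 6*(3-j)) & 0x3F);
    }
  }
  return str;
}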
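/* Test input: a fixed passage that the loop below doubles four times. */
var plainText = "Two households, both alike in dignity,\n\
In fair Verona, where we lay our scene,\n\
From ancient grudge break to new mutiny,\n\
Where civil blood makes civil hands unclean.\n\
From forth the fatal loins of these two foes\n\
A pair of star-cross'd lovers take their life;\n\
Whole misadventured piteous overthrows\n\
Do with their death bury their parents' strife.\n\
The fearful passage of their death-mark'd love,\n\
And the continuance of their parents' rage,\n\
Which, but their children's end, nought could remove,\n\
Is now the two hours' traffic of our stage;\n\
The which if you with patient ears attend,\n\
What here shall miss, our toil shall strive to mend.";

/* Each pass appends the text to itself, giving 16 copies in total. */
for (var i = 0; i <4; i++) {
    plainText += plainText;
}

var sha1Output = hex_sha1(plainText);

/* Reference digest for the expanded text, in lowercase hex; the comparison
   therefore relies on hexcase being 0. */
var expected = "2524d264def74cce2498bf112bedf00e6c0b796d";

if (sha1Output !== expected)
    throw "ERROR: bad result: expected " + expected + " but got " + sha1Output;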