Closed Bug 1128452 Opened 10 years ago Closed 10 years ago

Assertion failure: !mEntered, at dist/include/mozilla/ReentrancyGuard.h

Categories

(Core :: JavaScript Engine, defect)

Product:
Core
Component:
JavaScript Engine
Platform:
x86
All
Type:
defect
Priority:
Not set
Severity:
blocker

Tracking

()

Status:
RESOLVED FIXED
Milestone:
mozilla38
Tracking Flags:
Tracking Status
firefox38 --- fixed

People

(Reporter: gkw, Assigned: lth)

Details

(Keywords: assertion, regression, testcase, Whiteboard: [fuzzblocker])

Attachments

(2 files)

stack
4.03 KB, text/plain
Details
Reintroduce the lock in the ARM simulator
12.26 KB, patch
jandem
: review+
Details | Diff | Splinter Review
./js-dbg-opt-32-dm-nsprBuild-armSim-linux-940118b1adcd --fuzzing-safe --arm-sim-icache-checks --ion-eager 17.js assert js debug 32-bit ARM-simulator shell on m-c rev 940118b1adcd at Assertion failure: !mEntered, at dist/include/mozilla/ReentrancyGuard.h (17.js is an empty file) Debug configuration options: CXX="g++ -m32 -msse2 -mfpmath=sse" CC="gcc -m32 -msse2 -mfpmath=sse" AR=ar PKG_CONFIG_LIBDIR=/usr/lib/pkgconfig sh /home/gkwong/trees/mozilla-central/js/src/configure --target=i686-pc-linux --enable-arm-simulator --enable-debug --enable-optimize --enable-nspr-build --enable-more-deterministic --with-ccache --enable-gczeal --enable-debug-symbols --disable-tests === autoBisect shows this is probably related to the following changeset: The first bad revision is: changeset: https://hg.mozilla.org/mozilla-central/rev/b0e9b9113cb0 user: Lars T Hansen date: Fri Jan 30 09:15:16 2015 +0100 summary: Bug 1125837 - smush SimulatorRuntime into Simulator. r=jandem Lars, is bug 1125837 a likely regressor? This blocks fuzzing 32-bit ARM simulator builds.
Flags: needinfo?(lhansen)
Attached file stack
(gdb) bt 5 #0 0x08599d6d in ReentrancyGuard<js::detail::HashTable<js::HashMapEntry<void*, js::jit::CachePage*>, js::HashMap<void*, js::jit::CachePage*, js::jit::Simulator::ICacheHasher, js::SystemAllocPolicy>::MapHashPolicy, js::SystemAllocPolicy> > (_notifier=..., aObj=..., this=<optimized out>) at ../../dist/include/mozilla/ReentrancyGuard.h:39 #1 add<js::HashMapEntry<void*, js::jit::CachePage*> > (u=<optimized out>, p=..., this=<optimized out>) at ../../dist/include/js/HashTable.h:1569 #2 add<void*&, js::jit::CachePage*&> (k=<optimized out>, v=<optimized out>, p=..., this=<optimized out>) at ../../dist/include/js/HashTable.h:140 #3 js::jit::GetCachePage (i_cache=..., page=0xf4e0d000) at /home/gkwong/trees/mozilla-central/js/src/jit/arm/Simulator-arm.cpp:934 #4 0x08599eb2 in js::jit::FlushOnePage (i_cache=..., start=-186592412, size=4) at /home/gkwong/trees/mozilla-central/js/src/jit/arm/Simulator-arm.cpp:950 (More stack frames follow...) (gdb)
This can be intermittent, but is fairly reliable. It seems to go away with either --no-threads or --ion-offthread-compile=off.
This is almost certainly a missing lock in access to the icache hash table. I removed a lock (AutoLockSimulatorRuntime, or something like that) when I refactored the simulator on the assumption that it was guarding against concurrent access to the runtyme by multiple executor threads, a case that disappeared with PJS. But it appears it was also guarding against concurrent access by the off-thread compiler. The lock probably needs to protect more than the icache: it probably needs to protect the redirect list too. (For the redirect list the race is relatively benign - we'll just have duplicates in the list, I don't think anything worse will happen. But it should still be fixed.)
Flags: needinfo?(lhansen)
Assignee: nobody → lhansen
Indeed I can observe in gdb that Redirection::Get is reached from HelperThread::handleIonWorkload on a background thread as well as from Simulator::RedirectNativeFunction on the main thread. So variables accessed by the Redirection functionality definitely need to be in a critical section.
A little more elaborate than strictly needed: I renamed some functions to make it clear that they are running within the critical section.
Attachment #8557905 - Flags: review?(jdemooij)
A similar patch is needed for MIPS but I'll create a separate bug for that.
Comment on attachment 8557905 [details] [diff] [review] Reintroduce the lock in the ARM simulator Review of attachment 8557905 [details] [diff] [review]: ----------------------------------------------------------------- Looks good, sorry for the delay.
Attachment #8557905 - Flags: review?(jdemooij) → review+
https://hg.mozilla.org/mozilla-central/rev/b0d8fe7e8ceb
Status: NEW → RESOLVED
Closed: 10 years ago
status-firefox38: affectedfixed
Resolution: --- → FIXED
Target Milestone: --- → mozilla38
You need to log in before you can comment on or make changes to this bug.

Attachment

General

Creator:
Created:
Updated:
Size: