Closed Bug 1128452 Opened 9 years ago Closed 9 years ago

Assertion failure: !mEntered, at dist/include/mozilla/ReentrancyGuard.h

Categories

(Core :: JavaScript Engine, defect)

Product:
Core
Component:
JavaScript Engine
Platform:
x86
All
Type:
defect
Priority:
Not set
Severity:
blocker

Tracking

()

Status:
RESOLVED FIXED
Milestone:
mozilla38
Tracking Flags:
Tracking Status
firefox38 --- fixed

People

(Reporter: gkw, Assigned: lth)

Details

(Keywords: assertion, regression, testcase, Whiteboard: [fuzzblocker])

Attachments

(2 files)

stack
4.03 KB, text/plain
Details
Reintroduce the lock in the ARM simulator
12.26 KB, patch
jandem
: review+
Details | Diff | Splinter Review 
./js-dbg-opt-32-dm-nsprBuild-armSim-linux-940118b1adcd --fuzzing-safe --arm-sim-icache-checks --ion-eager 17.js

assert js debug 32-bit ARM-simulator shell on m-c rev 940118b1adcd at Assertion failure: !mEntered, at dist/include/mozilla/ReentrancyGuard.h

(17.js is an empty file)

Debug configuration options:

CXX="g++ -m32 -msse2 -mfpmath=sse" CC="gcc -m32 -msse2 -mfpmath=sse" AR=ar PKG_CONFIG_LIBDIR=/usr/lib/pkgconfig sh /home/gkwong/trees/mozilla-central/js/src/configure --target=i686-pc-linux --enable-arm-simulator --enable-debug --enable-optimize --enable-nspr-build --enable-more-deterministic --with-ccache --enable-gczeal --enable-debug-symbols --disable-tests

===

autoBisect shows this is probably related to the following changeset:

The first bad revision is:
changeset:   https://hg.mozilla.org/mozilla-central/rev/b0e9b9113cb0
user:        Lars T Hansen
date:        Fri Jan 30 09:15:16 2015 +0100
summary:     Bug 1125837 - smush SimulatorRuntime into Simulator.  r=jandem

Lars, is bug 1125837 a likely regressor? This blocks fuzzing 32-bit ARM simulator builds.
Flags: needinfo?(lhansen)
Attached file stack 
(gdb) bt 5
#0  0x08599d6d in ReentrancyGuard<js::detail::HashTable<js::HashMapEntry<void*, js::jit::CachePage*>, js::HashMap<void*, js::jit::CachePage*, js::jit::Simulator::ICacheHasher, js::SystemAllocPolicy>::MapHashPolicy, js::SystemAllocPolicy> > (_notifier=..., aObj=..., this=<optimized out>) at ../../dist/include/mozilla/ReentrancyGuard.h:39
#1  add<js::HashMapEntry<void*, js::jit::CachePage*> > (u=<optimized out>, p=..., this=<optimized out>) at ../../dist/include/js/HashTable.h:1569
#2  add<void*&, js::jit::CachePage*&> (k=<optimized out>, v=<optimized out>, p=..., this=<optimized out>) at ../../dist/include/js/HashTable.h:140
#3  js::jit::GetCachePage (i_cache=..., page=0xf4e0d000) at /home/gkwong/trees/mozilla-central/js/src/jit/arm/Simulator-arm.cpp:934
#4  0x08599eb2 in js::jit::FlushOnePage (i_cache=..., start=-186592412, size=4) at /home/gkwong/trees/mozilla-central/js/src/jit/arm/Simulator-arm.cpp:950
(More stack frames follow...)
(gdb)
This can be intermittent, but is fairly reliable. It seems to go away with either --no-threads or --ion-offthread-compile=off.
This is almost certainly a missing lock in access to the icache hash table.  I removed a lock (AutoLockSimulatorRuntime, or something like that) when I refactored the simulator on the assumption that it was guarding against concurrent access to the runtyme by multiple executor threads, a case that disappeared with PJS.  But it appears it was also guarding against concurrent access by the off-thread compiler.  The lock probably needs to protect more than the icache: it probably needs to protect the redirect list too.  (For the redirect list the race is relatively benign - we'll just have duplicates in the list, I don't think anything worse will happen.  But it should still be fixed.)
Flags: needinfo?(lhansen)
Assignee: nobody → lhansen
Indeed I can observe in gdb that Redirection::Get is reached from HelperThread::handleIonWorkload on a background thread as well as from Simulator::RedirectNativeFunction on the main thread.  So variables accessed by the Redirection functionality definitely need to be in a critical section.
A little more elaborate than strictly needed: I renamed some functions to make it clear that they are running within the critical section.
Attachment #8557905 - Flags: review?(jdemooij)
A similar patch is needed for MIPS but I'll create a separate bug for that.
Comment on attachment 8557905 [details] [diff] [review]
Reintroduce the lock in the ARM simulator

Review of attachment 8557905 [details] [diff] [review]:
-----------------------------------------------------------------

Looks good, sorry for the delay.
Attachment #8557905 - Flags: review?(jdemooij) → review+
https://hg.mozilla.org/mozilla-central/rev/b0d8fe7e8ceb
Status: NEW → RESOLVED
Closed: 9 years ago
status-firefox38: affectedfixed
Resolution: --- → FIXED
Target Milestone: --- → mozilla38
You need to log in before you can comment on or make changes to this bug.

Attachment

General

Creator:
Created:
Updated:
Size: