Closed Bug 1141583 Opened 9 years ago Closed 9 years ago

TSan: data race js/src/jit/CodeGenerator.cpp:1771 emitLambdaInit

Categories

(Core :: JavaScript Engine: JIT, defect)

Product:
Core
Component:
JavaScript Engine: JIT
Platform:
x86_64
Linux
Type:
defect
Priority:
Not set
Severity:
normal

Tracking

()

Status:
RESOLVED FIXED
Milestone:
mozilla39
Tracking Flags:
Tracking Status
firefox39 --- fixed

People

(Reporter: froydnj, Assigned: jandem)

References

(Blocks 1 open bug)

Details

(Whiteboard: [tsan])

Attachments

(2 files, 1 obsolete file)

emit-lambda-init-race.txt
3.90 KB, text/plain
Details
Patch
3.51 KB, patch
bhackett1024
: review+
Details | Diff | Splinter Review 
The attached logfile shows a thread/data race detected by TSan (ThreadSanitizer).

* Specific information about this bug

I apologize for the lack of stack on the writing side of things; based on code inspection, I assume we must be writing here:

http://mxr.mozilla.org/mozilla-central/source/js/src/jit/MIR.h#7342
http://mxr.mozilla.org/mozilla-central/source/js/src/jit/MIR.h#7351

creating the LambdaFunctionInfo in MLambdaArrow's constructor via IonBuilder::jsop_lambda_arrow.  But beyond that...

I note in passing the comment in LambdaFunctionInfo:

    // The functions used in lambdas are the canonical original function in
    // the script, and are immutable except for delazification. Record this
    // information while still on the main thread to avoid races.

...is not enough to ensure that the code is race-free. :)

* General information about TSan, data races, etc.

Typically, races reported by TSan are not false positives, but it is possible that the race is benign. Even in this case though, we should try to come up with a fix unless this would cause unacceptable performance issues. Also note that seemingly benign races can possibly be harmful (also depending on the compiler and the architecture) [1][2].

If the bug cannot be fixed, then this bug should be used to either make a compile-time annotation for blacklisting or add an entry to the runtime blacklist.

[1] http://software.intel.com/en-us/blogs/2013/01/06/benign-data-races-what-could-possibly-go-wrong
[2] _How to miscompile programs with "benign" data races_: https://www.usenix.org/legacy/events/hotpar11/tech/final_files/Boehm.pdf
Attached patch Patch (obsolete) — Splinter Review 
Can you see if this patch helps? fun->nargs() should be immutable, but it's an uint16_t so it's possible the flag bits (also an uint16_t) are modified.

This patch just adds nargs to LambdaFunctionInfo to avoid reading fun->nargs() offthread.
Attachment #8575358 - Flags: feedback?(nfroyd)
(In reply to Jan de Mooij [:jandem] from comment #1)
> Can you see if this patch helps? fun->nargs() should be immutable, but it's
> an uint16_t so it's possible the flag bits (also an uint16_t) are modified.
> 
> This patch just adds nargs to LambdaFunctionInfo to avoid reading
> fun->nargs() offthread.

My copy of CodeGenerator.cpp and the given line information says that the race comes from the access to flags:

http://hg.mozilla.org/mozilla-central/file/c42e7e3bb0a0/js/src/jit/CodeGenerator.cpp#l1771

Since the race access size is size 2 in both cases, I don't think we're doing anything fancy with nargs and flags being separate fields...
(In reply to Nathan Froyd [:froydnj] [:nfroyd] from comment #2)
> My copy of CodeGenerator.cpp and the given line information says that the
> race comes from the access to flags:

Hm then I don't understand this race. Is there any way you can get a stack trace for the write on the main thread?

IonBuilder constructs the MIR graph on the main thread. This includes filling LambdaFunctionInfo. Then this graph is compiled off-thread and that's where the read happens.

I doubt it's complaining about the initial LambdaFunctionInfo::flags write on the main thread and read of it off-thread, because that's what we do for basically all MIR instructions...
Comment on attachment 8575358 [details] [diff] [review]
Patch

Review of attachment 8575358 [details] [diff] [review]:
-----------------------------------------------------------------

I don't see the race after two runs with this patch applied, so I think it might have gone away...?

The line information thing still seems a little weird, though...
Attachment #8575358 - Flags: feedback?(nfroyd) → feedback+
Attached patch PatchSplinter Review 
Store nargs in LambdaFunctionInfo and remove an unused copy constructor.
Assignee: nobody → jdemooij
Attachment #8575358 - Attachment is obsolete: true
Status: NEW → ASSIGNED
Attachment #8578607 - Flags: review?(bhackett1024)
Attachment #8578607 - Flags: review?(bhackett1024) → review+
https://hg.mozilla.org/mozilla-central/rev/cfe07d44b06b
Status: ASSIGNED → RESOLVED
Closed: 9 years ago
status-firefox39: --- → fixed
Resolution: --- → FIXED
Target Milestone: --- → mozilla39
You need to log in before you can comment on or make changes to this bug.

Attachment

General

Creator:
Created:
Updated:
Size: