Closed Bug 1192031 Opened 6 years ago Closed 4 years ago

TSan: data race js/src/vm/Shape.h:868 incrementNumLinearSearches (Shape::slotInfo)

Categories

(Core :: JavaScript Engine: JIT, defect, P3)

x86_64
Linux
defect

Tracking

()

RESOLVED DUPLICATE of bug 1458008

People

(Reporter: froydnj, Unassigned)

References

(Blocks 1 open bug)

Details

(Whiteboard: [tsan])

Attachments

(1 file)

Attached file TSan stack trace
The attached logfile shows a thread/data race detected by TSan (ThreadSanitizer).

* Specific information about this bug

This looks like a pretty straightforward race on Shape::slotInfo: it's touched on the main thread for execution, and it's read out in Object::numFixedSlots on a JIT thread for...code generation decisions, I suppose.

* General information about TSan, data races, etc.

Typically, races reported by TSan are not false positives, but it is possible that the race is benign. Even in this case though, we should try to come up with a fix unless this would cause unacceptable performance issues. Also note that seemingly benign races can possibly be harmful (also depending on the compiler and the architecture) [1][2].

If the bug cannot be fixed, then this bug should be used to either make a compile-time annotation for blacklisting or add an entry to the runtime blacklist.

[1] http://software.intel.com/en-us/blogs/2013/01/06/benign-data-races-what-could-possibly-go-wrong
[2] _How to miscompile programs with "benign" data races_: https://www.usenix.org/legacy/events/hotpar11/tech/final_files/Boehm.pdf
Looks like another bitfield race between incrementing the linear searches count and reading the number of fixed slots.  This potentially affects every use of a template object in Ion AFAICS.
Priority: -- → P3
Status: NEW → RESOLVED
Closed: 4 years ago
Resolution: --- → DUPLICATE
Duplicate of bug: 1458008
You need to log in before you can comment on or make changes to this bug.