Closed Bug 1342473 Opened 7 years ago Closed 6 years ago

PersistentRooted races on runtime with shell workers

Categories

(Core :: JavaScript: GC, defect, P3)

RESOLVED WORKSFORME

People

(Reporter: sfink, Unassigned)

Details

(Keywords: triage-deferred)

Attachments

(1 file)

JS::AddPersistentRoot(JS::RootingContext* cx, RootKind kind, PersistentRooted<void*>* root)
{
    static_cast<JSContext*>(cx)->runtime()->heapRoots.ref()[kind].insertBack(root);
}

This races, since it looks like we run shell workers concurrently.
Attached file tsan.txt
Blocks: 1291954
(In reply to Steve Fink [:sfink] [:s:] from comment #0)
According to the log, the race is between two cooperatively scheduled worker threads.

JSRuntime::heapRoots is wrapped in js::ActiveThreadData<>, which asserts CurrentThreadCanAccessRuntime() on access, so adding to this list is checked to be safe. However, the linked list element's destructor removes the element from the list without performing this check.

I'm not sure how cooperative scheduling of threads works.  But to start with we should audit any code that uses a protected linked list like this and assert that we can access the list in the element object's destructor.
Keywords: triage-deferred
Priority: -- → P3
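A minimal model of the pattern described in the reply to comment #0, added here as an illustration and not taken from SpiderMonkey or from this bug: insertion goes through an access-checked accessor, while the element's destructor unlinks itself and writes to the list without that check. All names (`Root`, `Runtime`, `roots()`, `violationsOnForeignDestroy`) are hypothetical, thread identity is modelled as an integer so the run is deterministic, and the check counts violations instead of asserting.

```cpp
// Added illustration, not SpiderMonkey code. All names are hypothetical.
// Thread identity is modelled as an int so the run is deterministic.
static int g_currentThread = 1;

struct Runtime;

// Intrusive circular doubly linked list element (stand-in for PersistentRooted).
struct Root {
    Root* prev = this;
    Root* next = this;
    Runtime* owner = nullptr;   // set on insertion
    bool checkedDtor;           // false: pattern from the bug; true: audited form
    explicit Root(bool checked = false) : checkedDtor(checked) {}
    ~Root();
};

struct Runtime {
    int ownerThread = g_currentThread;
    int violations = 0;         // checked accesses made by a non-owner thread
    Root head;                  // list sentinel

    // Stand-in for ActiveThreadData<>::ref(): every call is access-checked.
    Root& roots() {
        if (g_currentThread != ownerThread) ++violations;
        return head;
    }
    void insertBack(Root* r) {
        Root& h = roots();
        r->prev = h.prev; r->next = &h;
        h.prev->next = r; h.prev = r;
        r->owner = this;
    }
};

Root::~Root() {
    if (checkedDtor && owner) owner->roots();   // the check the destructor lacked
    prev->next = next;                          // unlinking mutates the neighbours,
    next->prev = prev;                          // including the runtime's sentinel
}

// Insert on the owner thread, destroy on thread 2; report what the check saw.
int violationsOnForeignDestroy(bool checkedDtor) {
    Runtime rt;
    Root* r = new Root(checkedDtor);
    rt.insertBack(r);
    g_currentThread = 2;        // a different thread is now running
    delete r;                   // writes rt.head.prev and rt.head.next
    g_currentThread = 1;
    return rt.violations;
}
```

With the unchecked destructor the foreign-thread removal goes unnoticed by the guard; with the check in the destructor it is recorded once.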
Cooperative scheduling was removed + we no longer see this in automation.
Status: NEW → RESOLVED
Closed: 6 years ago
Resolution: --- → WORKSFORME