Closed
Bug 1342473
Opened 7 years ago
Closed 6 years ago
PersistentRooted races on runtime with shell workers
Categories: Core :: JavaScript: GC, defect, P3
Status: RESOLVED WORKSFORME
People: Reporter: sfink, Unassigned
Keywords: triage-deferred
Attachments: 1 file (39.39 KB, text/plain)
JS::AddPersistentRoot(JS::RootingContext* cx, RootKind kind, PersistentRooted<void*>* root)
{
    static_cast<JSContext*>(cx)->runtime()->heapRoots.ref()[kind].insertBack(root);
}

This races, since it looks like we run shell workers concurrently.
Comment 1•7 years ago
Comment 2•7 years ago
(In reply to Steve Fink [:sfink] [:s:] from comment #0)

According to the log, the race is between two cooperatively scheduled worker threads. JSRuntime::heapRoots is wrapped in js::ActiveThreadData<> which asserts CurrentThreadCanAccessRuntime() on access, so adding to this list is checked to be safe. However the linked list element's destructor removes the element from the list without performing this check.

I'm not sure how cooperative scheduling of threads works. But to start with we should audit any code that uses a protected linked list like this and assert that we can access the list in the element object's destructor.
Updated•7 years ago
Keywords: triage-deferred
Priority: -- → P3
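The gap described in comment 2, as an added example that is not part of the bug report or of SpiderMonkey's code: a constructed C++ model in which list access through a checked wrapper is caught, while the element destructor's self-removal goes unnoticed unless it repeats the check. `Runtime`, `Checked`, `Link`, `Root`, `g_current` and `countViolations` are hypothetical names, and thread identity is simulated with an integer.

```cpp
// Constructed model with hypothetical names; not SpiderMonkey code. g_current simulates the
// running thread; Runtime::active is the one thread allowed to touch runtime data.
static int g_current = 1;

struct Runtime {
    int active = 1;
    int violations = 0;  // each would be an assertion failure in a debug build
    void checkAccess() { if (g_current != active) ++violations; }
};

// Stand-in for js::ActiveThreadData<T>: every ref() performs the check.
template <typename T>
class Checked {
    Runtime& rt_;
    T value_;
  public:
    explicit Checked(Runtime& rt) : rt_(rt) {}
    T& ref() { rt_.checkAccess(); return value_; }
};

// Circular intrusive link: an element can unlink itself without the list head.
struct Link {
    Link* prev = this;
    Link* next = this;
    void insertBack(Link* n) { n->prev = prev; n->next = this; prev->next = n; prev = n; }
    void remove() { prev->next = next; next->prev = prev; prev = next = this; }
};

// Stand-in for PersistentRooted: its destructor unlinks from the guarded list.
struct Root : Link {
    Runtime* audit;  // null reproduces the unchecked destructor from comment 2
    explicit Root(Runtime* rt = nullptr) : audit(rt) {}
    ~Root() { if (audit) audit->checkAccess(); remove(); }
};

// Insert on one simulated thread, destroy on another; return violations caught.
int countViolations(int insertThread, int destroyThread, bool checkedDestructor) {
    Runtime rt;
    Checked<Link> heapRoots(rt);
    Root* root = new Root(checkedDestructor ? &rt : nullptr);
    g_current = insertThread;
    heapRoots.ref().insertBack(root);  // goes through the checked accessor
    g_current = destroyThread;
    delete root;                       // unlinks without going through ref()
    g_current = 1;
    return rt.violations;
}

int main() { return countViolations(1, 2, false) == 0 && countViolations(1, 2, true) == 1 ? 0 : 1; }
```

An insert from the wrong thread is counted because it passes through `ref()`; a destroy from the wrong thread is only counted once the destructor performs the same check.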
Comment 3•6 years ago
Cooperative scheduling was removed + we no longer see this in automation.
Status: NEW → RESOLVED
Closed: 6 years ago
Resolution: --- → WORKSFORME