Bug 1353902 - TSan: data race on setBasePropertyCount (Closed)
Opened 8 years ago; closed 7 years ago
Categories: Core :: JavaScript Engine, defect, P3
Status: RESOLVED DUPLICATE of bug 1458173
People: Reporter: sfink, Unassigned
Details: Keywords: triage-deferred
TSan is reporting a race between a read on the Ion compile thread and a write from the main thread when calling setBasePropertyCount. I am wondering if this might be implicated in bug 1353242.
==================
WARNING: ThreadSanitizer: data race (pid=7214)
Read of size 4 at 0x7fffaf27fd48 by thread T7:
#0 addendumKind js/src/vm/ObjectGroup.h:179:15 (js+0x0000009209e3)
#1 maybeTypeDescr js/src/vm/ObjectGroup.h:259 (js+0x0000009209e3)
#2 typeDescr js/src/vm/ObjectGroup.h:266 (js+0x0000009209e3)
#3 typeDescr js/src/builtin/TypedObject.h:553 (js+0x0000009209e3)
#4 size js/src/builtin/TypedObject.h:566 (js+0x0000009209e3)
#5 js::jit::MacroAssembler::initGCThing(js::jit::Register, js::jit::Register, JSObject*, bool, bool) js/src/jit/MacroAssembler.cpp:1269 (js+0x0000009209e3)
#6 js::jit::MacroAssembler::createGCObject(js::jit::Register, js::jit::Register, JSObject*, js::gc::InitialHeap, js::jit::Label*, bool, bool) js/src/jit/MacroAssembler.cpp:932:5 (js+0x00000092066f)
#7 js::jit::CodeGenerator::visitSimdBox(js::jit::LSimdBox*) js/src/jit/CodeGenerator.cpp:5897:5 (js+0x0000007127f6)
#8 js::jit::LSimdBox::accept(js::jit::LElementVisitor*) js/src/jit/shared/LIR-shared.h:161:5 (js+0x00000091a809)
#9 js::jit::CodeGenerator::generateBody() js/src/jit/CodeGenerator.cpp:5356:13 (js+0x00000070f8ee)
#10 js::jit::CodeGenerator::generate() js/src/jit/CodeGenerator.cpp:9607:10 (js+0x000000729603)
#11 js::jit::GenerateCode(js::jit::MIRGenerator*, js::jit::LIRGraph*) js/src/jit/Ion.cpp:2039:10 (js+0x000000775520)
#12 js::jit::CompileBackEnd(js::jit::MIRGenerator*) js/src/jit/Ion.cpp:2061:12 (js+0x00000077559a)
#13 js::HelperThread::handleIonWorkload(js::AutoLockHelperThreadState&) js/src/vm/HelperThreads.cpp:1561:39 (js+0x000000d2cedc)
#14 js::HelperThread::threadLoop() js/src/vm/HelperThreads.cpp:1933:13 (js+0x000000d2be05)
#15 js::HelperThread::ThreadMain(void*) js/src/vm/HelperThreads.cpp:1458:5 (js+0x000000d28afa)
#16 callMain<0> js/src/threading/Thread.h:234:5 (js+0x000000d5843d)
#17 js::detail::ThreadTrampoline<void (&)(void*), js::HelperThread*>::Start(void*) js/src/threading/Thread.h:227 (js+0x000000d5843d)
Previous write of size 4 at 0x7fffaf27fd48 by main thread:
#0 setBasePropertyCount js/src/vm/TypeInference-inl.h:1066:12 (js+0x000000e57a86)
#1 js::ObjectGroup::getProperty(JSContext*, JSObject*, jsid) js/src/vm/TypeInference-inl.h:1098 (js+0x000000e57a86)
#2 js::HeapTypeSetKey::instantiate(JSContext*) js/src/vm/TypeInference.cpp:1362:19 (js+0x000000e05cf6)
#3 (anonymous namespace)::CompilerConstraintInstance<(anonymous namespace)::ConstraintDataFreezeObjectFlags>::generateTypeConstraint(JSContext*, js::RecompileInfo) js/src/vm/TypeInference.cpp:1245:10 (js+0x000000e43792)
#4 js::FinishCompilation(JSContext*, JS::Handle<JSScript*>, js::CompilerConstraintList*, js::RecompileInfo*, bool*) js/src/vm/TypeInference.cpp:1464:14 (js+0x000000e0609d)
#5 js::jit::CodeGenerator::link(JSContext*, js::CompilerConstraintList*) js/src/jit/CodeGenerator.cpp:9733:10 (js+0x00000072a0f8)
#6 LinkCodeGen(JSContext*, js::jit::IonBuilder*, js::jit::CodeGenerator*) js/src/jit/Ion.cpp:519:10 (js+0x0000007cd439)
#7 LinkBackgroundCodeGen js/src/jit/Ion.cpp:539:12 (js+0x000000765056)
#8 js::jit::LinkIonScript(JSContext*, JS::Handle<JSScript*>) js/src/jit/Ion.cpp:561 (js+0x000000765056)
#9 js::jit::LazyLinkTopActivation() js/src/jit/Ion.cpp:587:5 (js+0x0000007652b2)
#10 <null> <null> (0x7fffb409384b)
#11 js::jit::EnterBaselineMethod(JSContext*, js::RunState&) js/src/jit/BaselineJIT.cpp:198:28 (js+0x0000006a76f6)
#12 js::RunScript(JSContext*, js::RunState&) js/src/vm/Interpreter.cpp:399:41 (js+0x0000005989de)
#13 js::ExecuteKernel(JSContext*, JS::Handle<JSScript*>, JSObject&, JS::Value const&, js::AbstractFramePtr, JS::Value*) js/src/vm/Interpreter.cpp:690:15 (js+0x0000005b03a9)
#14 js::Execute(JSContext*, JS::Handle<JSScript*>, JSObject&, JS::Value*) js/src/vm/Interpreter.cpp:722:12 (js+0x0000005b05f5)
#15 ExecuteScript(JSContext*, JS::Handle<JSObject*>, JS::Handle<JSScript*>, JS::Value*) js/src/jsapi.cpp:4476:12 (js+0x000000ace857)
#16 JS_ExecuteScript(JSContext*, JS::Handle<JSScript*>) js/src/jsapi.cpp:4509:12 (js+0x000000ace901)
#17 RunFile js/src/shell/js.cpp:680:14 (js+0x0000004fb117)
#18 Process(JSContext*, char const*, bool, FileKind) js/src/shell/js.cpp:1126 (js+0x0000004fb117)
#19 ProcessArgs js/src/shell/js.cpp:7594:18 (js+0x0000004e0947)
#20 Shell js/src/shell/js.cpp:7983 (js+0x0000004e0947)
#21 main js/src/shell/js.cpp:8368 (js+0x0000004e0947)
Thread T7 'JS Helper' (tid=7233, running) created by main thread at:
#0 pthread_create /builds/slave/moz-toolchain/src/llvm/projects/compiler-rt/lib/tsan/rtl/tsan_interceptors.cc:954:3 (js+0x00000044db21)
#1 js::Thread::create(void* (*)(void*), void*) js/src/threading/posix/Thread.cpp:104:7 (js+0x000000597544)
#2 bool js::Thread::init<void (&)(void*), js::HelperThread*>(void (&)(void*), js::HelperThread*&&) js/src/threading/Thread.h:117:12 (js+0x000000d45a03)
#3 js::GlobalHelperThreadState::ensureInitialized() js/src/vm/HelperThreads.cpp:743:14 (js+0x000000d25a7f)
#4 js::EnsureHelperThreadsInitialized() js/src/vm/HelperThreads.cpp:67:12 (js+0x000000d25806)
#5 JSRuntime::init(JSContext*, unsigned int, unsigned int) js/src/vm/Runtime.cpp:193:34 (js+0x000000d7b85f)
#6 js::NewContext(unsigned int, unsigned int, JSRuntime*) js/src/jscntxt.cpp:160:10 (js+0x000000ab6277)
#7 JS_NewContext(unsigned int, unsigned int, JSRuntime*) js/src/jsapi.cpp:474:12 (js+0x000000ab61ba)
#8 main js/src/shell/js.cpp:8308:21 (js+0x0000004de11d)
SUMMARY: ThreadSanitizer: data race js/src/vm/ObjectGroup.h:179:15 in addendumKind
==================
ThreadSanitizer: reported 1 warnings
Comment 1 (Reporter, 8 years ago)
jandem, I'm not sure how it could cause things like bug 1353242, but it seems like we ought to fix this anyway and *maybe* it's related in some way that I can't figure out?
Flags: needinfo?(jdemooij)
Comment 2 (Reporter, 8 years ago)
Related races (I can give full reports for these if desired):
vm/Shape.h:846 in inDictionary
vm/Shape.h:919:16 in maybeSlot
vm/Shape.h:919 in slotSpan
vm/Shape.h:1038 in isBigEnoughForAShapeTable
vm/Shape.h:886 in setSlotWithType
vm/Shape.h:886:15 in setOverwritten
All of these involve CompileBackEnd.
Updated 7 years ago
Keywords: triage-deferred
Priority: -- → P3
Comment 3 (7 years ago)
All of these were fixed by bug 1458173 and/or bug 1458456.
Status: NEW → RESOLVED
Closed: 7 years ago
Flags: needinfo?(jdemooij)
Resolution: --- → DUPLICATE