Closed Bug 1353902 Opened 8 years ago Closed 7 years ago

TSan: data race on setBasePropertyCount

Categories: Core :: JavaScript Engine, defect, P3

Tracking

RESOLVED DUPLICATE of bug 1458173

People

(Reporter: sfink, Unassigned)

Details

(Keywords: triage-deferred)

TSan is reporting a race between a read on the Ion compile thread and a write from the main thread when calling setBasePropertyCount. I am wondering if this might be implicated in bug 1353242.

==================
WARNING: ThreadSanitizer: data race (pid=7214)
  Read of size 4 at 0x7fffaf27fd48 by thread T7:
    #0 addendumKind js/src/vm/ObjectGroup.h:179:15 (js+0x0000009209e3)
    #1 maybeTypeDescr js/src/vm/ObjectGroup.h:259 (js+0x0000009209e3)
    #2 typeDescr js/src/vm/ObjectGroup.h:266 (js+0x0000009209e3)
    #3 typeDescr js/src/builtin/TypedObject.h:553 (js+0x0000009209e3)
    #4 size js/src/builtin/TypedObject.h:566 (js+0x0000009209e3)
    #5 js::jit::MacroAssembler::initGCThing(js::jit::Register, js::jit::Register, JSObject*, bool, bool) js/src/jit/MacroAssembler.cpp:1269 (js+0x0000009209e3)
    #6 js::jit::MacroAssembler::createGCObject(js::jit::Register, js::jit::Register, JSObject*, js::gc::InitialHeap, js::jit::Label*, bool, bool) js/src/jit/MacroAssembler.cpp:932:5 (js+0x00000092066f)
    #7 js::jit::CodeGenerator::visitSimdBox(js::jit::LSimdBox*) js/src/jit/CodeGenerator.cpp:5897:5 (js+0x0000007127f6)
    #8 js::jit::LSimdBox::accept(js::jit::LElementVisitor*) js/src/jit/shared/LIR-shared.h:161:5 (js+0x00000091a809)
    #9 js::jit::CodeGenerator::generateBody() js/src/jit/CodeGenerator.cpp:5356:13 (js+0x00000070f8ee)
    #10 js::jit::CodeGenerator::generate() js/src/jit/CodeGenerator.cpp:9607:10 (js+0x000000729603)
    #11 js::jit::GenerateCode(js::jit::MIRGenerator*, js::jit::LIRGraph*) js/src/jit/Ion.cpp:2039:10 (js+0x000000775520)
    #12 js::jit::CompileBackEnd(js::jit::MIRGenerator*) js/src/jit/Ion.cpp:2061:12 (js+0x00000077559a)
    #13 js::HelperThread::handleIonWorkload(js::AutoLockHelperThreadState&) js/src/vm/HelperThreads.cpp:1561:39 (js+0x000000d2cedc)
    #14 js::HelperThread::threadLoop() js/src/vm/HelperThreads.cpp:1933:13 (js+0x000000d2be05)
    #15 js::HelperThread::ThreadMain(void*) js/src/vm/HelperThreads.cpp:1458:5 (js+0x000000d28afa)
    #16 callMain<0> js/src/threading/Thread.h:234:5 (js+0x000000d5843d)
    #17 js::detail::ThreadTrampoline<void (&)(void*), js::HelperThread*>::Start(void*) js/src/threading/Thread.h:227 (js+0x000000d5843d)

  Previous write of size 4 at 0x7fffaf27fd48 by main thread:
    #0 setBasePropertyCount js/src/vm/TypeInference-inl.h:1066:12 (js+0x000000e57a86)
    #1 js::ObjectGroup::getProperty(JSContext*, JSObject*, jsid) js/src/vm/TypeInference-inl.h:1098 (js+0x000000e57a86)
    #2 js::HeapTypeSetKey::instantiate(JSContext*) js/src/vm/TypeInference.cpp:1362:19 (js+0x000000e05cf6)
    #3 (anonymous namespace)::CompilerConstraintInstance<(anonymous namespace)::ConstraintDataFreezeObjectFlags>::generateTypeConstraint(JSContext*, js::RecompileInfo) js/src/vm/TypeInference.cpp:1245:10 (js+0x000000e43792)
    #4 js::FinishCompilation(JSContext*, JS::Handle<JSScript*>, js::CompilerConstraintList*, js::RecompileInfo*, bool*) js/src/vm/TypeInference.cpp:1464:14 (js+0x000000e0609d)
    #5 js::jit::CodeGenerator::link(JSContext*, js::CompilerConstraintList*) js/src/jit/CodeGenerator.cpp:9733:10 (js+0x00000072a0f8)
    #6 LinkCodeGen(JSContext*, js::jit::IonBuilder*, js::jit::CodeGenerator*) js/src/jit/Ion.cpp:519:10 (js+0x0000007cd439)
    #7 LinkBackgroundCodeGen js/src/jit/Ion.cpp:539:12 (js+0x000000765056)
    #8 js::jit::LinkIonScript(JSContext*, JS::Handle<JSScript*>) js/src/jit/Ion.cpp:561 (js+0x000000765056)
    #9 js::jit::LazyLinkTopActivation() js/src/jit/Ion.cpp:587:5 (js+0x0000007652b2)
    #10 <null> <null> (0x7fffb409384b)
    #11 js::jit::EnterBaselineMethod(JSContext*, js::RunState&) js/src/jit/BaselineJIT.cpp:198:28 (js+0x0000006a76f6)
    #12 js::RunScript(JSContext*, js::RunState&) js/src/vm/Interpreter.cpp:399:41 (js+0x0000005989de)
    #13 js::ExecuteKernel(JSContext*, JS::Handle<JSScript*>, JSObject&, JS::Value const&, js::AbstractFramePtr, JS::Value*) js/src/vm/Interpreter.cpp:690:15 (js+0x0000005b03a9)
    #14 js::Execute(JSContext*, JS::Handle<JSScript*>, JSObject&, JS::Value*) js/src/vm/Interpreter.cpp:722:12 (js+0x0000005b05f5)
    #15 ExecuteScript(JSContext*, JS::Handle<JSObject*>, JS::Handle<JSScript*>, JS::Value*) js/src/jsapi.cpp:4476:12 (js+0x000000ace857)
    #16 JS_ExecuteScript(JSContext*, JS::Handle<JSScript*>) js/src/jsapi.cpp:4509:12 (js+0x000000ace901)
    #17 RunFile js/src/shell/js.cpp:680:14 (js+0x0000004fb117)
    #18 Process(JSContext*, char const*, bool, FileKind) js/src/shell/js.cpp:1126 (js+0x0000004fb117)
    #19 ProcessArgs js/src/shell/js.cpp:7594:18 (js+0x0000004e0947)
    #20 Shell js/src/shell/js.cpp:7983 (js+0x0000004e0947)
    #21 main js/src/shell/js.cpp:8368 (js+0x0000004e0947)

  Thread T7 'JS Helper' (tid=7233, running) created by main thread at:
    #0 pthread_create /builds/slave/moz-toolchain/src/llvm/projects/compiler-rt/lib/tsan/rtl/tsan_interceptors.cc:954:3 (js+0x00000044db21)
    #1 js::Thread::create(void* (*)(void*), void*) js/src/threading/posix/Thread.cpp:104:7 (js+0x000000597544)
    #2 bool js::Thread::init<void (&)(void*), js::HelperThread*>(void (&)(void*), js::HelperThread*&&) js/src/threading/Thread.h:117:12 (js+0x000000d45a03)
    #3 js::GlobalHelperThreadState::ensureInitialized() js/src/vm/HelperThreads.cpp:743:14 (js+0x000000d25a7f)
    #4 js::EnsureHelperThreadsInitialized() js/src/vm/HelperThreads.cpp:67:12 (js+0x000000d25806)
    #5 JSRuntime::init(JSContext*, unsigned int, unsigned int) js/src/vm/Runtime.cpp:193:34 (js+0x000000d7b85f)
    #6 js::NewContext(unsigned int, unsigned int, JSRuntime*) js/src/jscntxt.cpp:160:10 (js+0x000000ab6277)
    #7 JS_NewContext(unsigned int, unsigned int, JSRuntime*) js/src/jsapi.cpp:474:12 (js+0x000000ab61ba)
    #8 main js/src/shell/js.cpp:8308:21 (js+0x0000004de11d)

SUMMARY: ThreadSanitizer: data race js/src/vm/ObjectGroup.h:179:15 in addendumKind
==================
ThreadSanitizer: reported 1 warnings
jandem, I'm not sure how it could cause things like bug 1353242, but it seems like we ought to fix this anyway and *maybe* it's related in some way that I can't figure out?
Flags: needinfo?(jdemooij)
Related races (I can give full reports for these if desired):
  vm/Shape.h:846 in inDictionary
  vm/Shape.h:919:16 in maybeSlot
  vm/Shape.h:919 in slotSpan
  vm/Shape.h:1038 in isBigEnoughForAShapeTable
  vm/Shape.h:886 in setSlotWithType
  vm/Shape.h:886:15 in setOverwritten
All of these involve CompileBackEnd.
Keywords: triage-deferred
Priority: -- → P3
All of these fixed by bug 1458173 and/or bug 1458456.
Status: NEW → RESOLVED
Closed: 7 years ago
Flags: needinfo?(jdemooij)
Resolution: --- → DUPLICATE