Bug 1506798 - Possible data race in MovingTracer::updateEdge
Status: RESOLVED FIXED (Closed; opened 6 years ago, closed 6 years ago)
Categories: Core :: JavaScript: GC, defect
Tracking: Target Milestone mozilla65
People: Reporter: ytausky, Assigned: jonco
References: Blocks 1 open bug
Details: Keywords: csectype-race, sec-moderate; Whiteboard: [post-critsmash-triage][adv-main65+]
Attachments (1 file): patch, 1.95 KB, pbone: review+
Description
I'm running TSan on some WPT tests and getting the following report (among others):

==================
WARNING: ThreadSanitizer: data race (pid=3108)
Read of size 8 at 0x7f3c68fa34e0 by main thread:
  #0 js::gc::Cell::isForwarded() const /home/ytausky/dev/mozilla-central/js/src/gc/Cell.h:106:31 (libxul.so+0x7b7240a)
  #1 bool js::gc::IsForwarded<js::Scope>(js::Scope const*) /home/ytausky/dev/mozilla-central/js/src/gc/Marking-inl.h:48 (libxul.so+0x7b7240a)
  #2 void js::gc::MovingTracer::updateEdge<js::Scope>(js::Scope**) /home/ytausky/dev/mozilla-central/js/src/gc/GC.cpp:2628 (libxul.so+0x7b7240a)
  #3 js::gc::MovingTracer::onScopeEdge(js::Scope**) /home/ytausky/dev/mozilla-central/js/src/gc/GC.cpp:2639 (libxul.so+0x7b7240a)
  #4 JS::CallbackTracer::dispatchToOnEdge(js::Scope**) /home/ytausky/dev/mozilla-central/obj-x86_64-pc-linux-gnu/dist/include/js/TracingAPI.h:258:49 (libxul.so+0x7bf38ad)
  #5 js::Scope* DoCallback<js::Scope*>(JS::CallbackTracer*, js::Scope**, char const*) /home/ytausky/dev/mozilla-central/js/src/gc/Tracer.cpp:51 (libxul.so+0x7bf38ad)
  #6 void js::gc::TraceEdgeInternal<js::Scope*>(JSTracer*, js::Scope**, char const*) /home/ytausky/dev/mozilla-central/js/src/gc/Marking.cpp:568:5 (libxul.so+0x7bc1b69)
  #7 void js::gc::TraceRangeInternal<js::Scope*>(JSTracer*, unsigned long, js::Scope**, char const*) /home/ytausky/dev/mozilla-central/js/src/gc/Marking.cpp:593:13 (libxul.so+0x7bc1f1c)
  #8 void js::TraceRange<js::Scope*>(JSTracer*, unsigned long, js::WriteBarrieredBase<js::Scope*>*, char const*) /home/ytausky/dev/mozilla-central/js/src/gc/Tracer.h:207:5 (libxul.so+0x76c66b6)
  #9 js::PrivateScriptData::traceChildren(JSTracer*) /home/ytausky/dev/mozilla-central/js/src/vm/JSScript.cpp:3227 (libxul.so+0x76c66b6)
  #10 JSScript::traceChildren(JSTracer*) /home/ytausky/dev/mozilla-central/js/src/vm/JSScript.cpp:4513:16 (libxul.so+0x76d04b6)
  #11 void UpdateCellPointers<JSScript>(js::gc::MovingTracer*, JSScript*) /home/ytausky/dev/mozilla-central/js/src/gc/GC.cpp:2701:11 (libxul.so+0x7b73493)
  #12 void UpdateArenaPointersTyped<JSScript>(js::gc::MovingTracer*, js::gc::Arena*) /home/ytausky/dev/mozilla-central/js/src/gc/GC.cpp:2709 (libxul.so+0x7b73493)
  #13 UpdateArenaPointers(js::gc::MovingTracer*, js::gc::Arena*) /home/ytausky/dev/mozilla-central/js/src/gc/GC.cpp:2726 (libxul.so+0x7b73493)
  #14 js::gc::UpdatePointersTask::updateArenas() /home/ytausky/dev/mozilla-central/js/src/gc/GC.cpp:2851 (libxul.so+0x7b73493)
  #15 js::gc::UpdatePointersTask::run() /home/ytausky/dev/mozilla-central/js/src/gc/GC.cpp:2862:9 (libxul.so+0x7bce7e7)
  #16 js::GCParallelTaskHelper<js::gc::UpdatePointersTask>::runTaskTyped(js::GCParallelTask*) /home/ytausky/dev/mozilla-central/js/src/gc/GCParallelTask.h:153 (libxul.so+0x7bce7e7)
  #17 js::GCParallelTask::runTask() /home/ytausky/dev/mozilla-central/js/src/gc/GCParallelTask.h:130:9 (libxul.so+0x7641d12)
  #18 js::GCParallelTask::runFromMainThread(JSRuntime*) /home/ytausky/dev/mozilla-central/js/src/vm/HelperThreads.cpp:1681 (libxul.so+0x7641d12)
  #19 js::gc::GCRuntime::updateCellPointers(JS::Zone*, mozilla::EnumSet<js::gc::AllocKind, unsigned int>, unsigned long) /home/ytausky/dev/mozilla-central/js/src/gc/GC.cpp:2955:13 (libxul.so+0x7b748db)
  #20 js::gc::GCRuntime::updateAllCellPointers(js::gc::MovingTracer*, JS::Zone*) /home/ytausky/dev/mozilla-central/js/src/gc/GC.cpp:3035:5 (libxul.so+0x7b7516a)
  #21 js::gc::GCRuntime::updateZonePointersToRelocatedCells(JS::Zone*) /home/ytausky/dev/mozilla-central/js/src/gc/GC.cpp:3075 (libxul.so+0x7b7516a)
  #22 js::gc::GCRuntime::compactPhase(JS::gcreason::Reason, js::SliceBudget&, js::gc::AutoGCSession&) /home/ytausky/dev/mozilla-central/js/src/gc/GC.cpp:7120:13 (libxul.so+0x7b8e642)
  #23 js::gc::GCRuntime::incrementalSlice(js::SliceBudget&, JS::gcreason::Reason, js::gc::AutoGCSession&) /home/ytausky/dev/mozilla-central/js/src/gc/GC.cpp:7639:17 (libxul.so+0x7b914f4)
  #24 js::gc::GCRuntime::gcCycle(bool, js::SliceBudget&, JS::gcreason::Reason) /home/ytausky/dev/mozilla-central/js/src/gc/GC.cpp:7943:14 (libxul.so+0x7b92888)
  #25 js::gc::GCRuntime::collect(bool, js::SliceBudget, JS::gcreason::Reason) /home/ytausky/dev/mozilla-central/js/src/gc/GC.cpp:8124:41 (libxul.so+0x7b944b7)
  #26 js::gc::GCRuntime::gcSlice(JS::gcreason::Reason, long) /home/ytausky/dev/mozilla-central/js/src/gc/GC.cpp:8226:5 (libxul.so+0x7b9928c)
  #27 JS::IncrementalGCSlice(JSContext*, JS::gcreason::Reason, long) /home/ytausky/dev/mozilla-central/js/src/gc/GC.cpp:9120 (libxul.so+0x7b9928c)
  #28 nsJSContext::GarbageCollectNow(JS::gcreason::Reason, nsJSContext::IsIncremental, nsJSContext::IsShrinking, long) /home/ytausky/dev/mozilla-central/dom/base/nsJSEnvironment.cpp:1214:5 (libxul.so+0x3082bc1)
  #29 InterSliceGCRunnerFired(mozilla::TimeStamp, void*) /home/ytausky/dev/mozilla-central/dom/base/nsJSEnvironment.cpp:1855:3 (libxul.so+0x3088627)
  #30 DOMGCSliceCallback(JSContext*, JS::GCProgress, JS::GCDescription const&)::$_15::operator()(mozilla::TimeStamp) const /home/ytausky/dev/mozilla-central/dom/base/nsJSEnvironment.cpp:2408:20 (libxul.so+0x30953e3)
  #31 std::_Function_handler<bool (mozilla::TimeStamp), DOMGCSliceCallback(JSContext*, JS::GCProgress, JS::GCDescription const&)::$_15>::_M_invoke(std::_Any_data const&, mozilla::TimeStamp&&) /usr/bin/../lib/gcc/x86_64-linux-gnu/7.3.0/../../../../include/c++/7.3.0/bits/std_function.h:301 (libxul.so+0x30953e3)
  #32 std::function<bool (mozilla::TimeStamp)>::operator()(mozilla::TimeStamp) const /usr/bin/../lib/gcc/x86_64-linux-gnu/7.3.0/../../../../include/c++/7.3.0/bits/std_function.h:706:14 (libxul.so+0x147068f)
  #33 mozilla::IdleTaskRunner::Run() /home/ytausky/dev/mozilla-central/xpcom/threads/IdleTaskRunner.cpp:63 (libxul.so+0x147068f)
  #34 nsThread::ProcessNextEvent(bool, bool*) /home/ytausky/dev/mozilla-central/xpcom/threads/nsThread.cpp:1246:14 (libxul.so+0x14935d9)
  #35 NS_ProcessNextEvent(nsIThread*, bool) /home/ytausky/dev/mozilla-central/xpcom/threads/nsThreadUtils.cpp:530:10 (libxul.so+0x1496575)
  #36 mozilla::ipc::MessagePump::Run(base::MessagePump::Delegate*) /home/ytausky/dev/mozilla-central/ipc/glue/MessagePump.cpp:97:21 (libxul.so+0x1da9dce)
  #37 mozilla::ipc::MessagePumpForChildProcess::Run(base::MessagePump::Delegate*) /home/ytausky/dev/mozilla-central/ipc/glue/MessagePump.cpp:301:30 (libxul.so+0x1daa7eb)
  #38 MessageLoop::RunInternal() /home/ytausky/dev/mozilla-central/ipc/chromium/src/base/message_loop.cc:325:10 (libxul.so+0x1cfc27f)
  #39 MessageLoop::RunHandler() /home/ytausky/dev/mozilla-central/ipc/chromium/src/base/message_loop.cc:318 (libxul.so+0x1cfc27f)
  #40 MessageLoop::Run() /home/ytausky/dev/mozilla-central/ipc/chromium/src/base/message_loop.cc:298 (libxul.so+0x1cfc27f)
  #41 nsBaseAppShell::Run() /home/ytausky/dev/mozilla-central/widget/nsBaseAppShell.cpp:158:27 (libxul.so+0x5124165)
  #42 XRE_RunAppShell() /home/ytausky/dev/mozilla-central/toolkit/xre/nsEmbedFunctions.cpp:954:22 (libxul.so+0x731429c)
  #43 mozilla::ipc::MessagePumpForChildProcess::Run(base::MessagePump::Delegate*) /home/ytausky/dev/mozilla-central/ipc/glue/MessagePump.cpp:269:9 (libxul.so+0x1daa79d)
  #44 MessageLoop::RunInternal() /home/ytausky/dev/mozilla-central/ipc/chromium/src/base/message_loop.cc:325:10 (libxul.so+0x1cfc27f)
  #45 MessageLoop::RunHandler() /home/ytausky/dev/mozilla-central/ipc/chromium/src/base/message_loop.cc:318 (libxul.so+0x1cfc27f)
  #46 MessageLoop::Run() /home/ytausky/dev/mozilla-central/ipc/chromium/src/base/message_loop.cc:298 (libxul.so+0x1cfc27f)
  #47 XRE_InitChildProcess(int, char**, XREChildData const*) /home/ytausky/dev/mozilla-central/toolkit/xre/nsEmbedFunctions.cpp:780:34 (libxul.so+0x7313e55)
  #48 mozilla::BootstrapImpl::XRE_InitChildProcess(int, char**, XREChildData const*) /home/ytausky/dev/mozilla-central/toolkit/xre/Bootstrap.cpp:69:12 (libxul.so+0x731f737)
  #49 content_process_main(mozilla::Bootstrap*, int, char**) /home/ytausky/dev/mozilla-central/browser/app/../../ipc/contentproc/plugin-container.cpp:50:30 (firefox+0xc3d71)
  #50 main /home/ytausky/dev/mozilla-central/browser/app/nsBrowserApp.cpp:287 (firefox+0xc3d71)

Previous write of size 8 at 0x7f3c68fa34e0 by thread T6:
  #0 void js::gc::MovingTracer::updateEdge<js::Scope>(js::Scope**) /home/ytausky/dev/mozilla-central/js/src/gc/GC.cpp:2629:17 (libxul.so+0x7b7241e)
  #1 js::gc::MovingTracer::onScopeEdge(js::Scope**) /home/ytausky/dev/mozilla-central/js/src/gc/GC.cpp:2639 (libxul.so+0x7b7241e)
  #2 JS::CallbackTracer::dispatchToOnEdge(js::Scope**) /home/ytausky/dev/mozilla-central/obj-x86_64-pc-linux-gnu/dist/include/js/TracingAPI.h:258:49 (libxul.so+0x7bf38ad)
  #3 js::Scope* DoCallback<js::Scope*>(JS::CallbackTracer*, js::Scope**, char const*) /home/ytausky/dev/mozilla-central/js/src/gc/Tracer.cpp:51 (libxul.so+0x7bf38ad)
  #4 void js::gc::TraceEdgeInternal<js::Scope*>(JSTracer*, js::Scope**, char const*) /home/ytausky/dev/mozilla-central/js/src/gc/Marking.cpp:568:5 (libxul.so+0x7bc1b69)
  #5 void js::TraceEdge<js::Scope*>(JSTracer*, js::WriteBarrieredBase<js::Scope*>*, char const*) /home/ytausky/dev/mozilla-central/js/src/gc/Tracer.h:109:5 (libxul.so+0x7b9ec4f)
  #6 void js::TraceNullableEdge<js::Scope*>(JSTracer*, js::WriteBarrieredBase<js::Scope*>*, char const*) /home/ytausky/dev/mozilla-central/js/src/gc/Tracer.h:127 (libxul.so+0x7b9ec4f)
  #7 js::Scope::traceChildren(JSTracer*) /home/ytausky/dev/mozilla-central/js/src/gc/Marking.cpp:1297 (libxul.so+0x7b9ec4f)
  #8 void UpdateCellPointers<js::Scope>(js::gc::MovingTracer*, js::Scope*) /home/ytausky/dev/mozilla-central/js/src/gc/GC.cpp:2701:11 (libxul.so+0x7b73573)
  #9 void UpdateArenaPointersTyped<js::Scope>(js::gc::MovingTracer*, js::gc::Arena*) /home/ytausky/dev/mozilla-central/js/src/gc/GC.cpp:2709 (libxul.so+0x7b73573)
  #10 UpdateArenaPointers(js::gc::MovingTracer*, js::gc::Arena*) /home/ytausky/dev/mozilla-central/js/src/gc/GC.cpp:2726 (libxul.so+0x7b73573)
  #11 js::gc::UpdatePointersTask::updateArenas() /home/ytausky/dev/mozilla-central/js/src/gc/GC.cpp:2851 (libxul.so+0x7b73573)
  #12 js::gc::UpdatePointersTask::run() /home/ytausky/dev/mozilla-central/js/src/gc/GC.cpp:2862:9 (libxul.so+0x7bce7e7)
  #13 js::GCParallelTaskHelper<js::gc::UpdatePointersTask>::runTaskTyped(js::GCParallelTask*) /home/ytausky/dev/mozilla-central/js/src/gc/GCParallelTask.h:153 (libxul.so+0x7bce7e7)
  #14 js::GCParallelTask::runFromHelperThread(js::AutoLockHelperThreadState&) /home/ytausky/dev/mozilla-central/js/src/gc/GCParallelTask.h:130:9 (libxul.so+0x764207d)
  #15 js::HelperThread::handleGCParallelWorkload(js::AutoLockHelperThreadState&) /home/ytausky/dev/mozilla-central/js/src/vm/HelperThreads.cpp:1721 (libxul.so+0x764207d)
  #16 js::HelperThread::threadLoop() /home/ytausky/dev/mozilla-central/js/src/vm/HelperThreads.cpp:2578:9 (libxul.so+0x76439b0)
  #17 js::HelperThread::ThreadMain(void*) /home/ytausky/dev/mozilla-central/js/src/vm/HelperThreads.cpp:2024:38 (libxul.so+0x763f385)
  #18 void js::detail::ThreadTrampoline<void (&)(void*), js::HelperThread*>::callMain<0ul>(std::integer_sequence<unsigned long, 0ul>) /home/ytausky/dev/mozilla-central/js/src/threading/Thread.h:243:5 (libxul.so+0x764cf3d)
  #19 js::detail::ThreadTrampoline<void (&)(void*), js::HelperThread*>::Start(void*) /home/ytausky/dev/mozilla-central/js/src/threading/Thread.h:236 (libxul.so+0x764cf3d)

Thread T6 'JS Helper' (tid=3116, running) created by main thread at:
  #0 pthread_create <null> (firefox+0x2f296)
  #1 js::Thread::create(void* (*)(void*), void*) /home/ytausky/dev/mozilla-central/js/src/threading/posix/Thread.cpp:115:7 (libxul.so+0x7a0efa5)
  #2 bool js::Thread::init<void (&)(void*), js::HelperThread*>(void (&)(void*), js::HelperThread*&&) /home/ytausky/dev/mozilla-central/js/src/threading/Thread.h:125:12 (libxul.so+0x7639ccc)
  #3 js::GlobalHelperThreadState::ensureInitialized() /home/ytausky/dev/mozilla-central/js/src/vm/HelperThreads.cpp:1049 (libxul.so+0x7639ccc)
  #4 js::EnsureHelperThreadsInitialized() /home/ytausky/dev/mozilla-central/js/src/vm/HelperThreads.cpp:83:32 (libxul.so+0x76399b6)
  #5 JSRuntime::init(JSContext*, unsigned int, unsigned int) /home/ytausky/dev/mozilla-central/js/src/vm/Runtime.cpp:208:34 (libxul.so+0x7738b9f)
  #6 js::NewContext(unsigned int, unsigned int, JSRuntime*) /home/ytausky/dev/mozilla-central/js/src/vm/JSContext.cpp:167:19 (libxul.so+0x7664bbf)
  #7 JS_NewContext(unsigned int, unsigned int, JSRuntime*) /home/ytausky/dev/mozilla-central/js/src/jsapi.cpp:484:12 (libxul.so+0x7979dd9)
  #8 mozilla::CycleCollectedJSContext::Initialize(JSRuntime*, unsigned int, unsigned int) /home/ytausky/dev/mozilla-central/xpcom/base/CycleCollectedJSContext.cpp:153:16 (libxul.so+0x13a1d62)
  #9 XPCJSContext::Initialize(XPCJSContext*) /home/ytausky/dev/mozilla-central/js/xpconnect/src/XPCJSContext.cpp:1053:39 (libxul.so+0x23df191)
  #10 XPCJSContext::NewXPCJSContext(XPCJSContext*) /home/ytausky/dev/mozilla-central/js/xpconnect/src/XPCJSContext.cpp:1247:25 (libxul.so+0x23df5e2)
  #11 nsXPConnect::nsXPConnect() /home/ytausky/dev/mozilla-central/js/xpconnect/src/nsXPConnect.cpp:76:27 (libxul.so+0x2421b54)
  #12 nsXPConnect::InitStatics() /home/ytausky/dev/mozilla-central/js/xpconnect/src/nsXPConnect.cpp:131 (libxul.so+0x2421b54)
  #13 xpcModuleCtor() /home/ytausky/dev/mozilla-central/js/xpconnect/src/XPCModule.cpp:13:5 (libxul.so+0x23f3d61)
  #14 nsLayoutModuleInitialize() /home/ytausky/dev/mozilla-central/layout/build/nsLayoutModule.cpp:237:7 (libxul.so+0x58a922f)
  #15 nsComponentManagerImpl::Init() /home/ytausky/dev/mozilla-central/xpcom/components/nsComponentManager.cpp:360:3 (libxul.so+0x1467b82)
  #16 NS_InitXPCOM2 /home/ytausky/dev/mozilla-central/xpcom/build/XPCOMInit.cpp:694:51 (libxul.so+0x14c586b)
  #17 XRE_InitEmbedding2(nsIFile*, nsIFile*, nsIDirectoryServiceProvider*) /home/ytausky/dev/mozilla-central/toolkit/xre/nsEmbedFunctions.cpp:195:8 (libxul.so+0x73135e3)
  #18 mozilla::ipc::ScopedXREEmbed::Start() /home/ytausky/dev/mozilla-central/ipc/glue/ScopedXREEmbed.cpp (libxul.so+0x1dafc91)
  #19 mozilla::dom::ContentProcess::Init(int, char**) /home/ytausky/dev/mozilla-central/dom/ipc/ContentProcess.cpp:297:13 (libxul.so+0x4d6c79e)
  #20 XRE_InitChildProcess(int, char**, XREChildData const*) /home/ytausky/dev/mozilla-central/toolkit/xre/nsEmbedFunctions.cpp:754:21 (libxul.so+0x7313e36)
  #21 mozilla::BootstrapImpl::XRE_InitChildProcess(int, char**, XREChildData const*) /home/ytausky/dev/mozilla-central/toolkit/xre/Bootstrap.cpp:69:12 (libxul.so+0x731f737)
  #22 content_process_main(mozilla::Bootstrap*, int, char**) /home/ytausky/dev/mozilla-central/browser/app/../../ipc/contentproc/plugin-container.cpp:50:30 (firefox+0xc3d71)
  #23 main /home/ytausky/dev/mozilla-central/browser/app/nsBrowserApp.cpp:287 (firefox+0xc3d71)

SUMMARY: ThreadSanitizer: data race /home/ytausky/dev/mozilla-central/js/src/gc/Cell.h:106:31 in js::gc::Cell::isForwarded() const
==================

From a cursory look I don't see any obvious synchronization going on, so I can't really tell whether this is a false positive or not.
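A small triage helper for reports like the one above, added here as an example (it is not Mozilla tooling and not part of this bug): it splits the mach-prefixed TSan output back into records even when they have been joined onto one line, extracts the two conflicting accesses with their stacks, and derives a key for de-duplicating repeated reports of the same updateEdge/isForwarded pair across WPT runs. The sample input is a constructed excerpt of the report with most frames removed.

```python
"""Triage helper for ThreadSanitizer reports in mach/WPT logs (added example, not Mozilla tooling).
It assumes the "M:SS.ss pid:NNNN " prefix seen in comment 0 and tolerates records joined onto one line."""
import re
from dataclasses import dataclass, field

MACH_PREFIX = re.compile(r"\s*\d+:\d+\.\d+ pid:\d+\s+")           # "0:47.66 pid:2903 "
FRAME = re.compile(r"^#(\d+) (.+) (\S+) \((\S+\+0x[0-9a-f]+)\)$")  # "#0 func file:line:col (module+off)"
ACCESS = re.compile(r"^(?:Previous )?(?P<kind>[Rr]ead|[Ww]rite) of size (?P<size>\d+) "
                    r"at (?P<addr>0x[0-9a-f]+) by (?P<thread>main thread|thread T\d+)")
THREAD = re.compile(r"^Thread (T\d+) '([^']*)' \(tid=\d+, \w+\) created by (.+) at:$")
SUMMARY = re.compile(r"^SUMMARY: ThreadSanitizer: (?P<what>[\w ]+?) (?P<loc>\S+) in (?P<func>.+)$")

@dataclass
class Access:
    kind: str                                   # "read" or "write"
    size: int
    addr: int
    thread: str                                 # "main thread" or "thread T6"
    frames: list = field(default_factory=list)  # (function, file:line:col) pairs, frame #0 first

@dataclass
class Report:
    accesses: list = field(default_factory=list)
    threads: dict = field(default_factory=dict)  # "T6" -> (name, creating thread)
    summary: dict = field(default_factory=dict)

def parse_tsan_report(text):
    """Parse one report. Frames are attached to the access header that precedes them;
    the thread-creation stack is skipped because it does not matter for triage."""
    rep, stack = Report(), None
    for rec in filter(None, map(str.strip, MACH_PREFIX.split(text))):
        if m := ACCESS.match(rec):
            acc = Access(m["kind"].lower(), int(m["size"]), int(m["addr"], 16), m["thread"])
            rep.accesses.append(acc)
            stack = acc.frames
        elif m := THREAD.match(rec):
            rep.threads[m.group(1)] = (m.group(2), m.group(3))
            stack = None
        elif (m := FRAME.match(rec)) and stack is not None:
            stack.append((m.group(2), m.group(3)))
        elif m := SUMMARY.match(rec):
            rep.summary = m.groupdict()
    return rep

def race_key(rep):
    """Dedup key: the #0 function of each access plus the size, so repeats of the same pair collapse."""
    return tuple(a.frames[0][0] for a in rep.accesses) + (rep.accesses[0].size,)

def is_write_read_race(rep):
    """True when two different threads touch the same address and at least one of them writes."""
    if len(rep.accesses) < 2:
        return False
    a, b = rep.accesses[:2]
    return a.addr == b.addr and a.thread != b.thread and "write" in (a.kind, b.kind)

SAMPLE = (  # constructed: the report from comment 0 with most frames removed and records run together
    "0:47.66 pid:2903 Read of size 8 at 0x7f3c68fa34e0 by main thread: "
    "0:47.66 pid:2903 #0 js::gc::Cell::isForwarded() const /home/ytausky/dev/mozilla-central/js/src/gc/Cell.h:106:31 (libxul.so+0x7b7240a) "
    "0:47.66 pid:2903 #1 bool js::gc::IsForwarded<js::Scope>(js::Scope const*) /home/ytausky/dev/mozilla-central/js/src/gc/Marking-inl.h:48 (libxul.so+0x7b7240a) "
    "0:47.66 pid:2903 Previous write of size 8 at 0x7f3c68fa34e0 by thread T6: "
    "0:47.66 pid:2903 #0 void js::gc::MovingTracer::updateEdge<js::Scope>(js::Scope**) /home/ytausky/dev/mozilla-central/js/src/gc/GC.cpp:2629:17 (libxul.so+0x7b7241e) "
    "0:47.67 pid:2903 Thread T6 'JS Helper' (tid=3116, running) created by main thread at: "
    "0:47.67 pid:2903 #0 pthread_create <null> (firefox+0x2f296) "
    "0:47.67 pid:2903 SUMMARY: ThreadSanitizer: data race /home/ytausky/dev/mozilla-central/js/src/gc/Cell.h:106:31 in js::gc::Cell::isForwarded() const"
)
```

Run over a whole mach log, one report at a time, `race_key` lets you count how many distinct races a WPT run produced rather than how many times this one fired.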
Updated • 6 years ago
Group: core-security → javascript-core-security
Comment 1 • 6 years ago
Have we seen any heap corruption related to compacting? Would we know if the corruption isn't found until tracing the heap/mutator execution well after the compaction occurred?
Flags: needinfo?(sphink)
Flags: needinfo?(jcoppeard)
Comment 2 • 6 years ago (Assignee)
(In reply to Paul Bone [:pbone] from comment #1)
> Have we seen any heap corruption related to compacting? Would we know if
> the corruption isn't found until tracing the heap/mutator execution well
> after the compaction occurred?

We wouldn't necessarily know, so it's possible that this may be the cause of crashes. However I think this race is benign. The issue here is that a Scope is having its first field updated by one thread while another is testing whether the object is forwarded (i.e. is the original version of an object that has been moved). If the object is being updated then it is not forwarded, and the outcome of this test will be the same whether the update happens before or after the test. This is still worth fixing so we can get things clean with TSAN.
Flags: needinfo?(jcoppeard)
Comment 3 • 6 years ago (Reporter)
It's undefined behavior and thus subject to any code transformation a compiler might come up with at any time. I wouldn't call it benign...
Comment 4 • 6 years ago (Assignee)
(In reply to Yaron Tausky [:ytausky] from comment #3)
Ah yes, you're right. What I should have said was: I don't think this is causing problems right now.
Comment 5 • 6 years ago (Assignee)
Update Scope objects in a separate phase from JSScript objects, so that calls to IsForwarded(scope) when tracing a JSScript don't race with updates to Scope objects on another thread. The order of operations doesn't matter; the IsForwarded() call always returns false in this case where the scope is being updated on another thread, because we don't update objects for which IsForwarded() returns true.
Assignee: nobody → jcoppeard
Attachment #9025054 -
Flags: review?(pbone)
Updated • 6 years ago
Keywords: csectype-race, sec-moderate
Updated • 6 years ago
Flags: needinfo?(sphink)
Comment 6 • 6 years ago
Comment on attachment 9025054: bug1506798-scope-update
Review of attachment 9025054:
LGTM, glad this was straightforward.
Attachment #9025054 -
Flags: review?(pbone) → review+
Comment 7 • 6 years ago
https://hg.mozilla.org/integration/mozilla-inbound/rev/764c5b94a3950791427e782e59e3e826921cffac
https://hg.mozilla.org/mozilla-central/rev/764c5b94a395
Group: javascript-core-security → core-security-release
Status: NEW → RESOLVED
Closed: 6 years ago
status-firefox65: --- → fixed
Resolution: --- → FIXED
Target Milestone: --- → mozilla65
Comment 8 • 6 years ago
Given comments 2 & 4, is this worth backporting to Beta/ESR60 or can it ride the trains?
status-firefox63: --- → wontfix
status-firefox64: --- → affected
status-firefox-esr60: --- → affected
Updated • 6 years ago
Flags: needinfo?(jcoppeard)
Comment 9 • 6 years ago (Assignee)
I think this can ride unless we have any evidence that this is causing crashes.
Flags: needinfo?(jcoppeard)
Updated • 5 years ago
Flags: qe-verify-
Whiteboard: [post-critsmash-triage]
Updated • 5 years ago
Whiteboard: [post-critsmash-triage] → [post-critsmash-triage][adv-main65+]
Updated • 4 years ago
Group: core-security-release