Closed Bug 1617287 Opened 4 years ago Closed 4 years ago

Intermittent GECKO(3502) | SUMMARY: ThreadSanitizer: data race /builds/worker/workspace/build/src/obj-firefox/dist/include/js/CompileOptions.h:257:47 in JS::OwningCompileOptions::element() const

Categories

(Core :: JavaScript: GC, defect, P5)

Product:
Core
Component:
JavaScript: GC
Type:
defect

Tracking

()

Status:
RESOLVED FIXED
Milestone:
mozilla75
Tracking Flags:
Tracking Status
firefox75 --- fixed

People

(Reporter: intermittent-bug-filer, Assigned: mgaudet)

References

Details

(Keywords: intermittent-failure)

Attachments

(3 files)

Detailed Crash Information
21.43 KB, text/plain
Details
Bug 1617287 - Create ability to create a JSScript without a CompileOptions object r?caroline
47 bytes, text/x-phabricator-request
Details | Review
Bug 1617287 - Eliminate race on copying of element pointer when allocating an inner function JSScript r?jonco
47 bytes, text/x-phabricator-request
Details | Review

Filed by: csabou [at] mozilla.com
Parsed log: https://treeherder.mozilla.org/logviewer.html#?job_id=289960051&repo=autoland
Full log: https://firefox-ci-tc.services.mozilla.com/api/queue/v1/task/EcGZBT4uROe4KTl8Hr_-Rw/runs/0/artifacts/public/logs/live_backing.log

[task 2020-02-21T22:06:35.318Z] 22:06:35     INFO - TEST-START | toolkit/components/extensions/test/mochitest/test_ext_storage_manager_capabilities.html
[task 2020-02-21T22:06:37.436Z] 22:06:37     INFO - GECKO(3502) | ==================
[task 2020-02-21T22:06:37.436Z] 22:06:37     INFO - GECKO(3502) | WARNING: ThreadSanitizer: data race (pid=3555)
[task 2020-02-21T22:06:37.436Z] 22:06:37     INFO - GECKO(3502) |   Read of size 8 at 0x7b4c0001e8d8 by thread T6:
[task 2020-02-21T22:06:37.436Z] 22:06:37     INFO - GECKO(3502) |     #0 JS::OwningCompileOptions::element() const /builds/worker/workspace/build/src/obj-firefox/dist/include/js/CompileOptions.h:257:47 (libxul.so+0x6550ea6)
[task 2020-02-21T22:06:37.436Z] 22:06:37     INFO - GECKO(3502) |     #1 CompileOptions /builds/worker/workspace/build/src/obj-firefox/dist/include/js/CompileOptions.h:308:23 (libxul.so+0x6b5c676)
[task 2020-02-21T22:06:37.436Z] 22:06:37     INFO - GECKO(3502) |     #2 js::frontend::BytecodeEmitter::emitFunction(js::frontend::FunctionNode*, bool, js::frontend::ListNode*) /builds/worker/workspace/build/src/js/src/frontend/BytecodeEmitter.cpp:5533:24 (libxul.so+0x6b5c676)
[task 2020-02-21T22:06:37.437Z] 22:06:37     INFO - GECKO(3502) |     #3 js::frontend::BytecodeEmitter::emitTree(js::frontend::ParseNode*, js::frontend::ValueUsage, js::frontend::BytecodeEmitter::EmitLineNumberNote, bool) /builds/worker/workspace/build/src/js/src/frontend/BytecodeEmitter.cpp:9793:12 (libxul.so+0x6b4e82e)
[task 2020-02-21T22:06:37.437Z] 22:06:37     INFO - GECKO(3502) |     #4 js::frontend::BytecodeEmitter::emitCalleeAndThis(js::frontend::ParseNode*, js::frontend::ParseNode*, js::frontend::CallOrNewEmitter&) /builds/worker/workspace/build/src/js/src/frontend/BytecodeEmitter.cpp (libxul.so+0x6b623d7)
[task 2020-02-21T22:06:37.437Z] 22:06:37     INFO - GECKO(3502) |     #5 js::frontend::BytecodeEmitter::emitCallOrNew(js::frontend::CallNode*, js::frontend::ValueUsage) /builds/worker/workspace/build/src/js/src/frontend/BytecodeEmitter.cpp:7621:8 (libxul.so+0x6b63739)
[task 2020-02-21T22:06:37.437Z] 22:06:37     INFO - GECKO(3502) |     #6 js::frontend::BytecodeEmitter::emitTree(js::frontend::ParseNode*, js::frontend::ValueUsage, js::frontend::BytecodeEmitter::EmitLineNumberNote, bool) /builds/worker/workspace/build/src/js/src/frontend/BytecodeEmitter.cpp:10151:12 (libxul.so+0x6b4e0a4)
[task 2020-02-21T22:06:37.438Z] 22:06:37     INFO - GECKO(3502) |     #7 js::frontend::BytecodeEmitter::emitExpressionStatement(js::frontend::UnaryNode*) /builds/worker/workspace/build/src/js/src/frontend/BytecodeEmitter.cpp:6606:10 (libxul.so+0x6b603d2)
[task 2020-02-21T22:06:37.438Z] 22:06:37     INFO - GECKO(3502) |     #8 js::frontend::BytecodeEmitter::emitTree(js::frontend::ParseNode*, js::frontend::ValueUsage, js::frontend::BytecodeEmitter::EmitLineNumberNote, bool) /builds/worker/workspace/build/src/js/src/frontend/BytecodeEmitter.cpp:9931:12 (libxul.so+0x6b4e24c)
[task 2020-02-21T22:06:37.439Z] 22:06:37     INFO - GECKO(3502) |     #9 emitStatementList /builds/worker/workspace/build/src/js/src/frontend/BytecodeEmitter.cpp:6550:10 (libxul.so+0x6b4e4c2)
[task 2020-02-21T22:06:37.439Z] 22:06:37     INFO - GECKO(3502) |     #10 js::frontend::BytecodeEmitter::emitTree(js::frontend::ParseNode*, js::frontend::ValueUsage, js::frontend::BytecodeEmitter::EmitLineNumberNote, bool) /builds/worker/workspace/build/src/js/src/frontend/BytecodeEmitter.cpp:9922:12 (libxul.so+0x6b4e4c2)
[task 2020-02-21T22:06:37.439Z] 22:06:37     INFO - GECKO(3502) |     #11 js::frontend::BytecodeEmitter::emitScript(js::frontend::ParseNode*) /builds/worker/workspace/build/src/js/src/frontend/BytecodeEmitter.cpp:2461:10 (libxul.so+0x6b51180)
[task 2020-02-21T22:06:37.439Z] 22:06:37     INFO - GECKO(3502) |     #12 js::frontend::ScriptCompiler<mozilla::Utf8Unit>::compileScript(js::frontend::CompilationInfo&, JS::Handle<JSObject*>, js::frontend::SharedContext*) /builds/worker/workspace/build/src/js/src/frontend/BytecodeCompiler.cpp:516:21 (libxul.so+0x6b6f1dd)
[task 2020-02-21T22:06:37.440Z] 22:06:37     INFO - GECKO(3502) |     #13 CreateGlobalScript<mozilla::Utf8Unit> /builds/worker/workspace/build/src/js/src/frontend/BytecodeCompiler.cpp:204:17 (libxul.so+0x6b3eacf)
[task 2020-02-21T22:06:37.440Z] 22:06:37     INFO - GECKO(3502) |     #14 js::frontend::CompileGlobalScript(js::frontend::CompilationInfo&, js::frontend::GlobalSharedContext&, JS::SourceText<mozilla::Utf8Unit>&) /builds/worker/workspace/build/src/js/src/frontend/BytecodeCompiler.cpp:223:10 (libxul.so+0x6b3eacf)
[task 2020-02-21T22:06:37.440Z] 22:06:37     INFO - GECKO(3502) |     #15 ScriptParseTask<mozilla::Utf8Unit>::parse(JSContext*) /builds/worker/workspace/build/src/js/src/vm/HelperThreads.cpp:608:7 (libxul.so+0x66367c1)
[task 2020-02-21T22:06:37.440Z] 22:06:37     INFO - GECKO(3502) |     #16 js::ParseTask::runTask() /builds/worker/workspace/build/src/js/src/vm/HelperThreads.cpp:561:3 (libxul.so+0x66254fe)
[task 2020-02-21T22:06:37.440Z] 22:06:37     INFO - GECKO(3502) |     #17 js::HelperThread::handleParseWorkload(js::AutoLockHelperThreadState&) /builds/worker/workspace/build/src/js/src/vm/HelperThreads.cpp:2377:11 (libxul.so+0x662f0d6)
[task 2020-02-21T22:06:37.441Z] 22:06:37     INFO - GECKO(3502) |     #18 js::HelperThread::threadLoop() /builds/worker/workspace/build/src/js/src/vm/HelperThreads.cpp:2667:5 (libxul.so+0x662ded7)
[task 2020-02-21T22:06:37.441Z] 22:06:37     INFO - GECKO(3502) |     #19 js::HelperThread::ThreadMain(void*) /builds/worker/workspace/build/src/js/src/vm/HelperThreads.cpp:2189:11 (libxul.so+0x6628fcd)
[task 2020-02-21T22:06:37.442Z] 22:06:37     INFO - GECKO(3502) |     #20 callMain<0> /builds/worker/workspace/build/src/js/src/threading/Thread.h:218:5 (libxul.so+0x6636dd0)
[task 2020-02-21T22:06:37.443Z] 22:06:37     INFO - GECKO(3502) |     #21 js::detail::ThreadTrampoline<void (&)(void*), js::HelperThread*>::Start(void*) /builds/worker/workspace/build/src/js/src/threading/Thread.h:207:11 (libxul.so+0x6636dd0)

This is an automated crash issue comment:

Summary: ThreadSanitizer: data race [@ JS::OwningCompileOptions::element] vs. [@ updateEdge<JSObject>]
Build version: autoland revision 1e64a6873ff1bf6dc89c8f107af8801a7ab3ffdf

It looks like a helper thread is parsing and using an element while the GC is writing to it.
Flags: needinfo?(jcoppeard)

This is complaining because off-thread parsing is copying a CompileOptions which contains a JSObject pointer while we're in the middle of a GC slice that is moving GC things. This happens in BytecodeEmitter::emitFunction here:

https://searchfox.org/mozilla-central/source/js/src/frontend/BytecodeEmitter.cpp#5534

I don't think we ever access this field of the CompileOptions though, only the flags. Maybe we could get away with copying less of this?

It is a little worrying that we carry around GC thing pointers in a structure that's used off the main thread. Bug 1501608 or bug 1582160 could fix this.

Flags: needinfo?(jcoppeard) → needinfo?(jdemooij)

Forwarding to Matt, he's been working in this area recently.

Flags: needinfo?(jdemooij) → needinfo?(mgaudet)
Assignee: nobody → mgaudet
Status: NEW → ASSIGNED
Flags: needinfo?(mgaudet)
Pushed by mgaudet@mozilla.com:
https://hg.mozilla.org/integration/autoland/rev/17890b3ce43d
Create ability to create a JSScript without a CompileOptions object r=caroline
https://hg.mozilla.org/integration/autoland/rev/a3f7beb7db59
Eliminate race on copying of element pointer when allocating an inner function JSScript r=jonco

https://hg.mozilla.org/mozilla-central/rev/17890b3ce43d
https://hg.mozilla.org/mozilla-central/rev/a3f7beb7db59

Status: ASSIGNED → RESOLVED
Closed: 4 years ago
status-firefox75: --- → fixed
Resolution: --- → FIXED
Target Milestone: --- → mozilla75
You need to log in before you can comment on or make changes to this bug.

Attachment

General

Creator:
Created:
Updated:
Size: