Closed Bug 1805457 Opened 1 year ago Closed 1 year ago

ThreadSanitizer: data race /builds/worker/checkouts/gecko/js/src/gc/Compacting.cpp:445:14 in onEdge<JSObject>

Categories

(Core :: JavaScript: GC, defect, P1)

Product:
Core
Component:
JavaScript: GC
Type:
defect

Tracking

()

Status:
RESOLVED FIXED
Milestone:
110 Branch
Tracking Flags:
Tracking Status
firefox110 --- fixed

People

(Reporter: intermittent-bug-filer, Assigned: jonco)

References

(Blocks 1 open bug)

Details

Attachments

(1 file, 1 obsolete file)

Bug 1805457 - Add TraceInstanceEdge to trace edges from GC things to wasm::Instances r?sfink
48 bytes, text/x-phabricator-request
Details | Review

Filed by: jcoppeard [at] mozilla.com
Parsed log: https://treeherder.mozilla.org/logviewer?job_id=399099761&repo=try
Full log: https://firefox-ci-tc.services.mozilla.com/api/queue/v1/task/ZUuY22JWTci9hu_prlPsfA/runs/0/artifacts/public/logs/live_backing.log

As reported by RyanVM when running mochitest-devtools tests under TSAN.

https://treeherder.mozilla.org/logviewer?job_id=399099761&repo=try&lineNumber=4463-4693
Group: core-security → javascript-core-security
Group: javascript-core-security
Blocks: tsan

Previously this traced wasm::Instance's object_ edge when it needed to trace
the WasmInstanceObject. That was kind of wrong but it worked except for the
fact that it meant that this edge could be traced from different threads at the
same time during compacting (and probably in parallel marking too).

It's clearer to get the object and trace that if that is what is required.

I removed the comment from Instance::tracePrivate because it makes it sound
like you can get away without tracing every edge if there's some justification.
This is potentially confusing. All edges must be traced.

Assignee: nobody → jcoppeard
Status: NEW → ASSIGNED
Pushed by jcoppeard@mozilla.com:
https://hg.mozilla.org/integration/autoland/rev/3bea0e8a2bc0
Don't trace Wasm instance's object_ edge more than once r=sfink

https://hg.mozilla.org/mozilla-central/rev/3bea0e8a2bc0

Status: ASSIGNED → RESOLVED
Closed: 1 year ago
status-firefox110: --- → fixed
Resolution: --- → FIXED
Target Milestone: --- → 110 Branch

This failure is still showing up when running TSAN tests on try.

Status: RESOLVED → REOPENED
Resolution: FIXED → ---
Severity: -- → S3
Priority: -- → P1
Backout by sstanca@mozilla.com:
https://hg.mozilla.org/integration/autoland/rev/9838c03ad213
Backed out changeset 3bea0e8a2bc0 as requested by jonco. CLOSED TREE
Target Milestone: 110 Branch → ---

The previous attempt was still a data race because it read the object pointer
out of the Instance during compacting when it could be being updated on a
separate thread.

This skips tracing these edges in compacting and makes it clear that this is
unnecessary for edges to non-GC-thing Instance objects.

Attachment #9308204 - Attachment is obsolete: true
Pushed by jcoppeard@mozilla.com:
https://hg.mozilla.org/integration/autoland/rev/d0a3f49a57f4
Add TraceInstanceEdge to trace edges from GC things to wasm::Instances r=sfink

https://hg.mozilla.org/mozilla-central/rev/d0a3f49a57f4

Status: REOPENED → RESOLVED
Closed: 1 year ago1 year ago
status-firefox110: affectedfixed
Resolution: --- → FIXED
Target Milestone: --- → 110 Branch
You need to log in before you can comment on or make changes to this bug.

Attachment

General

Creator:
Created:
Updated:
Size: