Closed
Bug 1835710
Opened 6 months ago
Closed 6 months ago
IsNurseryAllocEnabled is not thread safe.
Categories
(Core :: JavaScript: GC, defect, P2)
Core
JavaScript: GC
Tracking
()
RESOLVED
FIXED
116 Branch
| Tracking | Status | |
|---|---|---|
| firefox-esr102 | --- | unaffected |
| firefox113 | --- | unaffected |
| firefox114 | --- | wontfix |
| firefox115 | --- | fixed |
| firefox116 | --- | fixed |
People
(Reporter: intermittent-bug-filer, Assigned: jonco)
References
(Blocks 3 open bugs, Regression)
Details
(4 keywords, Whiteboard: [adv-main115+r])
Attachments
(1 file)
|
48 bytes,
text/x-phabricator-request
|
dmeehan
:
approval-mozilla-beta+
|
Details | Review |
Filed by: nbeleuzu [at] mozilla.com
Parsed log: https://treeherder.mozilla.org/logviewer?job_id=417424199&repo=autoland
Full log: https://firefox-ci-tc.services.mozilla.com/api/queue/v1/task/I1SEXjJVRP2UC2ZJph5XqA/runs/0/artifacts/public/logs/live_backing.log
[task 2023-05-29T20:47:48.265Z] ==================
[task 2023-05-29T20:47:48.266Z] WARNING: ThreadSanitizer: data race (pid=17916)
[task 2023-05-29T20:47:48.266Z] Write of size 1 at 0x7b7c00002392 by main thread:
[task 2023-05-29T20:47:48.266Z] #0 operator=<bool> /builds/worker/checkouts/gecko/js/src/threading/ProtectedData.h:104:17 (js+0xac3fb5) (BuildId: 231946d2eeb58d46b939fc7be695acd455e078d7)
[task 2023-05-29T20:47:48.266Z] #1 JS::Zone::updateNurseryAllocFlags(js::Nursery const&) /builds/worker/checkouts/gecko/js/src/gc/Allocator.cpp:36:24 (js+0xac3fb5)
[task 2023-05-29T20:47:48.266Z] #2 updateAllocFlagsForZone /builds/worker/checkouts/gecko/js/src/gc/Nursery.cpp:422:9 (js+0xb21be6) (BuildId: 231946d2eeb58d46b939fc7be695acd455e078d7)
[task 2023-05-29T20:47:48.266Z] #3 updateAllZoneAllocFlags /builds/worker/checkouts/gecko/js/src/gc/Nursery.cpp:413:5 (js+0xb21be6)
[task 2023-05-29T20:47:48.266Z] #4 js::Nursery::disable() /builds/worker/checkouts/gecko/js/src/gc/Nursery.cpp:384:3 (js+0xb21be6)
[task 2023-05-29T20:47:48.266Z] #5 js::Nursery::collect(JS::GCOptions, JS::GCReason) /builds/worker/checkouts/gecko/js/src/gc/Nursery.cpp:1207:5 (js+0xb266de) (BuildId: 231946d2eeb58d46b939fc7be695acd455e078d7)
[task 2023-05-29T20:47:48.266Z] #6 js::gc::GCRuntime::collectNursery(JS::GCOptions, JS::GCReason, js::gcstats::PhaseKind) /builds/worker/checkouts/gecko/js/src/gc/GC.cpp:4600:13 (js+0xae819f) (BuildId: 231946d2eeb58d46b939fc7be695acd455e078d7)
[task 2023-05-29T20:47:48.266Z] #7 collectNurseryFromMajorGC /builds/worker/checkouts/gecko/js/src/gc/GC.cpp:3748:3 (js+0xae776b) (BuildId: 231946d2eeb58d46b939fc7be695acd455e078d7)
[task 2023-05-29T20:47:48.266Z] #8 js::gc::GCRuntime::incrementalSlice(js::SliceBudget&, JS::GCReason, bool) /builds/worker/checkouts/gecko/js/src/gc/GC.cpp:3586:9 (js+0xae776b)
[task 2023-05-29T20:47:48.266Z] #9 js::gc::GCRuntime::gcCycle(bool, js::SliceBudget const&, JS::GCReason) /builds/worker/checkouts/gecko/js/src/gc/GC.cpp:4174:3 (js+0xae9cfb) (BuildId: 231946d2eeb58d46b939fc7be695acd455e078d7)
[task 2023-05-29T20:47:48.266Z] #10 js::gc::GCRuntime::collect(bool, js::SliceBudget const&, JS::GCReason) /builds/worker/checkouts/gecko/js/src/gc/GC.cpp:4362:9 (js+0xaeaba6) (BuildId: 231946d2eeb58d46b939fc7be695acd455e078d7)
[task 2023-05-29T20:47:48.266Z] #11 js::gc::GCRuntime::gc(JS::GCOptions, JS::GCReason) /builds/worker/checkouts/gecko/js/src/gc/GC.cpp:4439:3 (js+0xac53ae) (BuildId: 231946d2eeb58d46b939fc7be695acd455e078d7)
[task 2023-05-29T20:47:48.266Z] #12 JS::NonIncrementalGC(JSContext*, JS::GCOptions, JS::GCReason) /builds/worker/checkouts/gecko/js/src/gc/GCAPI.cpp:298:21 (js+0xaf9c01) (BuildId: 231946d2eeb58d46b939fc7be695acd455e078d7)
[task 2023-05-29T20:47:48.266Z] #13 GC(JSContext*, unsigned int, JS::Value*) /builds/worker/checkouts/gecko/js/src/builtin/TestingFunctions.cpp:693:3 (js+0x7363ad) (BuildId: 231946d2eeb58d46b939fc7be695acd455e078d7)
[task 2023-05-29T20:47:48.266Z] #14 CallJSNative /builds/worker/checkouts/gecko/js/src/vm/Interpreter.cpp:486:13 (js+0x33cb79) (BuildId: 231946d2eeb58d46b939fc7be695acd455e078d7)
[task 2023-05-29T20:47:48.266Z] #15 js::InternalCallOrConstruct(JSContext*, JS::CallArgs const&, js::MaybeConstruct, js::CallReason) /builds/worker/checkouts/gecko/js/src/vm/Interpreter.cpp:580:12 (js+0x33cb79)
[task 2023-05-29T20:47:48.266Z] #16 InternalCall /builds/worker/checkouts/gecko/js/src/vm/Interpreter.cpp:647:10 (js+0x33d6f9) (BuildId: 231946d2eeb58d46b939fc7be695acd455e078d7)
[task 2023-05-29T20:47:48.266Z] #17 js::CallFromStack(JSContext*, JS::CallArgs const&, js::CallReason) /builds/worker/checkouts/gecko/js/src/vm/Interpreter.cpp:652:10 (js+0x33d6f9)
[task 2023-05-29T20:47:48.266Z] #18 js::jit::DoCallFallback(JSContext*, js::jit::BaselineFrame*, js::jit::ICFallbackStub*, unsigned int, JS::Value*, JS::MutableHandle<JS::Value>) /builds/worker/checkouts/gecko/js/src/jit/BaselineIC.cpp:1591:10 (js+0xc37d1e) (BuildId: 231946d2eeb58d46b939fc7be695acd455e078d7)
[task 2023-05-29T20:47:48.266Z] #19 <null> <null> (0x7fc0bfb00ebc)
[task 2023-05-29T20:47:48.266Z] #20 js::RunScript(JSContext*, js::RunState&) /builds/worker/checkouts/gecko/js/src/vm/Interpreter.cpp:448:32 (js+0x33beb1) (BuildId: 231946d2eeb58d46b939fc7be695acd455e078d7)
[task 2023-05-29T20:47:48.266Z] #21 ExecuteKernel /builds/worker/checkouts/gecko/js/src/vm/Interpreter.cpp:845:13 (js+0x33ebfc) (BuildId: 231946d2eeb58d46b939fc7be695acd455e078d7)
[task 2023-05-29T20:47:48.266Z] #22 js::Execute(JSContext*, JS::Handle<JSScript*>, JS::Handle<JSObject*>, JS::MutableHandle<JS::Value>) /builds/worker/checkouts/gecko/js/src/vm/Interpreter.cpp:877:10 (js+0x33ebfc)
[task 2023-05-29T20:47:48.266Z] #23 ExecuteScript(JSContext*, JS::Handle<JSObject*>, JS::Handle<JSScript*>, JS::MutableHandle<JS::Value>) /builds/worker/checkouts/gecko/js/src/vm/CompilationAndEvaluation.cpp:495:10 (js+0x447b0d) (BuildId: 231946d2eeb58d46b939fc7be695acd455e078d7)
[task 2023-05-29T20:47:48.266Z] #24 JS_ExecuteScript(JSContext*, JS::Handle<JSScript*>) /builds/worker/checkouts/gecko/js/src/vm/CompilationAndEvaluation.cpp:519:10 (js+0x447cd7) (BuildId: 231946d2eeb58d46b939fc7be695acd455e078d7)
[task 2023-05-29T20:47:48.266Z] #25 RunFile(JSContext*, char const*, _IO_FILE*, CompileUtf8, bool, bool) /builds/worker/checkouts/gecko/js/src/shell/js.cpp:1102:10 (js+0x2a137a) (BuildId: 231946d2eeb58d46b939fc7be695acd455e078d7)
[task 2023-05-29T20:47:48.266Z] #26 Process(JSContext*, char const*, bool, FileKind) /builds/worker/checkouts/gecko/js/src/shell/js.cpp (js+0x2a0e10) (BuildId: 231946d2eeb58d46b939fc7be695acd455e078d7)
[task 2023-05-29T20:47:48.266Z] #27 ProcessArgs /builds/worker/checkouts/gecko/js/src/shell/js.cpp:10509:12 (js+0x25a394) (BuildId: 231946d2eeb58d46b939fc7be695acd455e078d7)
[task 2023-05-29T20:47:48.266Z] #28 Shell(JSContext*, js::cli::OptionParser*) /builds/worker/checkouts/gecko/js/src/shell/js.cpp:10807:12 (js+0x25a394)
[task 2023-05-29T20:47:48.266Z] #29 main /builds/worker/checkouts/gecko/js/src/shell/js.cpp:11239:12 (js+0x252e6c) (BuildId: 231946d2eeb58d46b939fc7be695acd455e078d7)
[task 2023-05-29T20:47:48.266Z] Previous read of size 1 at 0x7b7c00002392 by thread T2:
[task 2023-05-29T20:47:48.266Z] #0 allocNurseryObjects /builds/worker/checkouts/gecko/js/src/gc/Zone.h:485:45 (js+0xf8bd7d) (BuildId: 231946d2eeb58d46b939fc7be695acd455e078d7)
[task 2023-05-29T20:47:48.266Z] #1 js::jit::CompileZone::allocNurseryObjects() /builds/worker/checkouts/gecko/js/src/jit/CompileWrappers.cpp:136:18 (js+0xf8bd7d)
[task 2023-05-29T20:47:48.266Z] #2 IsNurseryAllocEnabled /builds/worker/checkouts/gecko/js/src/jit/MacroAssembler.cpp:568:20 (js+0x10bff78) (BuildId: 231946d2eeb58d46b939fc7be695acd455e078d7)
[task 2023-05-29T20:47:48.266Z] #3 js::jit::MacroAssembler::bumpPointerAllocate(js::jit::Register, js::jit::Register, js::jit::Label*, js::jit::CompileZone*, JS::TraceKind, unsigned int, js::jit::AllocSiteInput const&) /builds/worker/checkouts/gecko/js/src/jit/MacroAssembler.cpp:590:8 (js+0x10bff78)
[task 2023-05-29T20:47:48.266Z] #4 js::jit::MacroAssembler::nurseryAllocateObject(js::jit::Register, js::jit::Register, js::gc::AllocKind, unsigned long, js::jit::Label*, js::jit::AllocSiteInput const&) /builds/worker/checkouts/gecko/js/src/jit/MacroAssembler.cpp:340:3 (js+0x10bfd61) (BuildId: 231946d2eeb58d46b939fc7be695acd455e078d7)
[task 2023-05-29T20:47:48.266Z] #5 allocateObject /builds/worker/checkouts/gecko/js/src/jit/MacroAssembler.cpp:426:12 (js+0x10c0fe9) (BuildId: 231946d2eeb58d46b939fc7be695acd455e078d7)
[task 2023-05-29T20:47:48.266Z] #6 js::jit::MacroAssembler::createGCObject(js::jit::Register, js::jit::Register, js::jit::TemplateObject const&, js::gc::InitialHeap, js::jit::Label*, bool) /builds/worker/checkouts/gecko/js/src/jit/MacroAssembler.cpp:454:3 (js+0x10c0fe9)
[task 2023-05-29T20:47:48.266Z] #7 js::jit::CodeGenerator::visitLambda(js::jit::LLambda*) /builds/worker/checkouts/gecko/js/src/jit/CodeGenerator.cpp:3599:8 (js+0xf02921) (BuildId: 231946d2eeb58d46b939fc7be695acd455e078d7)
[task 2023-05-29T20:47:48.266Z] #8 js::jit::CodeGenerator::generateBody() /builds/worker/checkouts/gecko/js/src/jit/CodeGenerator.cpp:6876:9 (js+0xf1e470) (BuildId: 231946d2eeb58d46b939fc7be695acd455e078d7)
[task 2023-05-29T20:47:48.267Z] #9 js::jit::CodeGenerator::generate() /builds/worker/checkouts/gecko/js/src/jit/CodeGenerator.cpp:13589:8 (js+0xf7faee) (BuildId: 231946d2eeb58d46b939fc7be695acd455e078d7)
[task 2023-05-29T20:47:48.267Z] #10 GenerateCode /builds/worker/checkouts/gecko/js/src/jit/Ion.cpp:1544:17 (js+0xfb3eb5) (BuildId: 231946d2eeb58d46b939fc7be695acd455e078d7)
[task 2023-05-29T20:47:48.267Z] #11 js::jit::CompileBackEnd(js::jit::MIRGenerator*, js::jit::WarpSnapshot*) /builds/worker/checkouts/gecko/js/src/jit/Ion.cpp:1573:10 (js+0xfb3eb5)
[task 2023-05-29T20:47:48.267Z] #12 runTask /builds/worker/checkouts/gecko/js/src/jit/IonCompileTask.cpp:52:24 (js+0xfdc20d) (BuildId: 231946d2eeb58d46b939fc7be695acd455e078d7)
[task 2023-05-29T20:47:48.267Z] #13 js::jit::IonCompileTask::runHelperThreadTask(js::AutoLockHelperThreadState&) /builds/worker/checkouts/gecko/js/src/jit/IonCompileTask.cpp:30:5 (js+0xfdc20d)
[task 2023-05-29T20:47:48.267Z] #14 js::GlobalHelperThreadState::runTaskLocked(js::HelperThreadTask*, js::AutoLockHelperThreadState&) /builds/worker/checkouts/gecko/js/src/vm/HelperThreads.cpp:2717:9 (js+0x4a758e) (BuildId: 231946d2eeb58d46b939fc7be695acd455e078d7)
[task 2023-05-29T20:47:48.267Z] #15 runOneTask /builds/worker/checkouts/gecko/js/src/vm/HelperThreads.cpp:2686:5 (js+0x4a8713) (BuildId: 231946d2eeb58d46b939fc7be695acd455e078d7)
[task 2023-05-29T20:47:48.267Z] #16 js::HelperThread::threadLoop(js::InternalThreadPool*) /builds/worker/checkouts/gecko/js/src/vm/InternalThreadPool.cpp:282:27 (js+0x4a8713)
[task 2023-05-29T20:47:48.267Z] #17 js::HelperThread::ThreadMain(js::InternalThreadPool*, js::HelperThread*) /builds/worker/checkouts/gecko/js/src/vm/InternalThreadPool.cpp:225:11 (js+0x4a8510) (BuildId: 231946d2eeb58d46b939fc7be695acd455e078d7)
[task 2023-05-29T20:47:48.267Z] #18 callMain<0UL, 1UL> /builds/worker/checkouts/gecko/js/src/threading/Thread.h:219:5 (js+0x4af44b) (BuildId: 231946d2eeb58d46b939fc7be695acd455e078d7)
[task 2023-05-29T20:47:48.267Z] #19 js::detail::ThreadTrampoline<void (&)(js::InternalThreadPool*, js::HelperThread*), js::InternalThreadPool*&, js::HelperThread*>::Start(void*) /builds/worker/checkouts/gecko/js/src/threading/Thread.h:208:11 (js+0x4af44b)
[task 2023-05-29T20:47:48.267Z]
[task 2023-05-29T20:47:48.267Z] Location is heap block of size 3184 at 0x7b7c00001c00 allocated by main thread:
[task 2023-05-29T20:47:48.268Z] #0 malloc /builds/worker/fetches/llvm-project/compiler-rt/lib/tsan/rtl/tsan_interceptors_posix.cpp:692:5 (js+0x1bebbc) (BuildId: 231946d2eeb58d46b939fc7be695acd455e078d7)
[task 2023-05-29T20:47:48.268Z] #1 malloc /builds/worker/checkouts/gecko/memory/build/malloc_decls.h:51:1 (js+0x2a52d9) (BuildId: 231946d2eeb58d46b939fc7be695acd455e078d7)
[task 2023-05-29T20:47:48.268Z] #2 moz_arena_malloc /builds/worker/checkouts/gecko/memory/build/malloc_decls.h:51:1 (js+0x2a52d9)
[task 2023-05-29T20:47:48.268Z] #3 moz_arena_malloc /builds/worker/checkouts/gecko/memory/build/malloc_decls.h:142:1 (js+0x2a52d9)
[task 2023-05-29T20:47:48.268Z] #4 js_arena_malloc /builds/worker/workspace/obj-spider/dist/include/js/Utility.h:366:10 (js+0xaec1c9) (BuildId: 231946d2eeb58d46b939fc7be695acd455e078d7)
[task 2023-05-29T20:47:48.268Z] #5 js_malloc /builds/worker/workspace/obj-spider/dist/include/js/Utility.h:370:10 (js+0xaec1c9)
[task 2023-05-29T20:47:48.268Z] #6 js_new<JS::Zone, JSRuntime *, JS::shadow::Zone::Kind &> /builds/worker/workspace/obj-spider/dist/include/js/Utility.h:520:1 (js+0xaec1c9)
[task 2023-05-29T20:47:48.268Z] #7 MakeUnique<JS::Zone, JSRuntime *, JS::shadow::Zone::Kind &> /builds/worker/workspace/obj-spider/dist/include/js/UniquePtr.h:43:23 (js+0xaec1c9)
[task 2023-05-29T20:47:48.268Z] #8 js::NewRealm(JSContext*, JSPrincipals*, JS::RealmOptions const&) /builds/worker/checkouts/gecko/js/src/gc/GC.cpp:4711:18 (js+0xaec1c9)
[task 2023-05-29T20:47:48.268Z] #9 js::GlobalObject::new_(JSContext*, JSClass const*, JSPrincipals*, JS::OnNewGlobalHookOption, JS::RealmOptions const&) /builds/worker/checkouts/gecko/js/src/vm/GlobalObject.cpp:603:18 (js+0x49207e) (BuildId: 231946d2eeb58d46b939fc7be695acd455e078d7)
[task 2023-05-29T20:47:48.268Z] #10 JS_NewGlobalObject(JSContext*, JSClass const*, JSPrincipals*, JS::OnNewGlobalHookOption, JS::RealmOptions const&) /builds/worker/checkouts/gecko/js/src/jsapi.cpp:1748:10 (js+0x7a5544) (BuildId: 231946d2eeb58d46b939fc7be695acd455e078d7)
[task 2023-05-29T20:47:48.268Z] #11 NewGlobalObject(JSContext*, JS::RealmOptions&, JSPrincipals*, ShellGlobalKind, bool) /builds/worker/checkouts/gecko/js/src/shell/js.cpp:10246:21 (js+0x274d26) (BuildId: 231946d2eeb58d46b939fc7be695acd455e078d7)
[task 2023-05-29T20:47:48.268Z] #12 Shell(JSContext*, js::cli::OptionParser*) /builds/worker/checkouts/gecko/js/src/shell/js.cpp:10784:13 (js+0x2592e8) (BuildId: 231946d2eeb58d46b939fc7be695acd455e078d7)
[task 2023-05-29T20:47:48.269Z] #13 main /builds/worker/checkouts/gecko/js/src/shell/js.cpp:11239:12 (js+0x252e6c) (BuildId: 231946d2eeb58d46b939fc7be695acd455e078d7)
[task 2023-05-29T20:47:48.269Z]
[task 2023-05-29T20:47:48.269Z] Thread T2 'JS Helper' (tid=17923, running) created by main thread at:
[task 2023-05-29T20:47:48.269Z] #0 pthread_create /builds/worker/fetches/llvm-project/compiler-rt/lib/tsan/rtl/tsan_interceptors_posix.cpp:1048:3 (js+0x1c08eb) (BuildId: 231946d2eeb58d46b939fc7be695acd455e078d7)
[task 2023-05-29T20:47:48.269Z] #1 js::Thread::create(void* (*)(void*), void*) /builds/worker/checkouts/gecko/js/src/threading/posix/PosixThread.cpp:57:7 (js+0x803dd9) (BuildId: 231946d2eeb58d46b939fc7be695acd455e078d7)
[task 2023-05-29T20:47:48.269Z] #2 bool js::Thread::init<void (&)(js::InternalThreadPool*, js::HelperThread*), js::InternalThreadPool*&, js::HelperThread*>(void (&)(js::InternalThreadPool*, js::HelperThread*), js::InternalThreadPool*&, js::HelperThread*&&) /builds/worker/checkouts/gecko/js/src/threading/Thread.h:88:12 (js+0x4a83f9) (BuildId: 231946d2eeb58d46b939fc7be695acd455e078d7)
[task 2023-05-29T20:47:48.269Z] #3 init /builds/worker/checkouts/gecko/js/src/vm/InternalThreadPool.cpp:215:17 (js+0x4a08a1) (BuildId: 231946d2eeb58d46b939fc7be695acd455e078d7)
[task 2023-05-29T20:47:48.269Z] #4 js::InternalThreadPool::ensureThreadCount(unsigned long, js::AutoLockHelperThreadState&) /builds/worker/checkouts/gecko/js/src/vm/InternalThreadPool.cpp:133:29 (js+0x4a08a1)
[task 2023-05-29T20:47:48.269Z] #5 js::InternalThreadPool::Initialize(unsigned long, js::AutoLockHelperThreadState&) /builds/worker/checkouts/gecko/js/src/vm/InternalThreadPool.cpp:112:18 (js+0x4a0386) (BuildId: 231946d2eeb58d46b939fc7be695acd455e078d7)
[task 2023-05-29T20:47:48.269Z] #6 js::GlobalHelperThreadState::ensureInitialized() /builds/worker/checkouts/gecko/js/src/vm/HelperThreads.cpp:1543:10 (js+0x4971ec) (BuildId: 231946d2eeb58d46b939fc7be695acd455e078d7)
[task 2023-05-29T20:47:48.269Z] #7 js::EnsureHelperThreadsInitialized() /builds/worker/checkouts/gecko/js/src/vm/HelperThreads.cpp:82:30 (js+0x497126) (BuildId: 231946d2eeb58d46b939fc7be695acd455e078d7)
[task 2023-05-29T20:47:48.269Z] #8 JSRuntime::init(JSContext*, unsigned int) /builds/worker/checkouts/gecko/js/src/vm/Runtime.cpp:189:32 (js+0x5f5a66) (BuildId: 231946d2eeb58d46b939fc7be695acd455e078d7)
[task 2023-05-29T20:47:48.269Z] #9 js::NewContext(unsigned int, JSRuntime*) /builds/worker/checkouts/gecko/js/src/vm/JSContext.cpp:185:17 (js+0x4d4853) (BuildId: 231946d2eeb58d46b939fc7be695acd455e078d7)
[task 2023-05-29T20:47:48.269Z] #10 JS_NewContext(unsigned int, JSRuntime*) /builds/worker/checkouts/gecko/js/src/jsapi.cpp:402:10 (js+0x79eb53) (BuildId: 231946d2eeb58d46b939fc7be695acd455e078d7)
[task 2023-05-29T20:47:48.269Z] #11 main /builds/worker/checkouts/gecko/js/src/shell/js.cpp:11117:25 (js+0x25291c) (BuildId: 231946d2eeb58d46b939fc7be695acd455e078d7)
[task 2023-05-29T20:47:48.269Z]
[task 2023-05-29T20:47:48.269Z] SUMMARY: ThreadSanitizer: data race /builds/worker/checkouts/gecko/js/src/threading/ProtectedData.h:104:17 in operator=<bool>
[task 2023-05-29T20:47:48.269Z] ==================
[task 2023-05-29T20:47:48.269Z] Exit code: -6
[task 2023-05-29T20:47:48.269Z] FAIL - gc/bug-1585159.js
[task 2023-05-29T20:47:48.269Z] TEST-UNEXPECTED-FAIL | js/src/jit-test/tests/gc/bug-1585159.js | ================== (code -6, args "--ion-eager --ion-check-range-analysis --ion-extra-checks --no-sse3") [0.8 s]
[task 2023-05-29T20:47:48.269Z] INFO exit-status : -6
[task 2023-05-29T20:47:48.269Z] INFO timed-out : False
|
||
Updated•6 months ago
|
Group: core-security → javascript-core-security
|
||
Updated•6 months ago
|
Component: JavaScript Engine → JavaScript: GC
|
||
Comment 1•6 months ago
|
||
I guess the question is whether:
- Either, the JIT should check whether the Nursery is enabled using
IsNurseryAllocEnabled. - Or, the GC should implement
IsNurseryAllocEnabledby checking some thread-safe-able inner flags instead of making a Nursery allocation.
Jan / Jon, any idea which way we should go for this issue?
Severity: -- → S3
Flags: needinfo?(jdemooij)
Flags: needinfo?(jcoppeard)
Priority: -- → P2
Summary: Intermittent js/src/jit-test/tests/gc/bug-1585159.js | ================== (code -6, args "--ion-eager --ion-check-range-analysis --ion-extra-checks --no-sse3") [0.8 s] → IsNurseryAllocEnabled is not thread safe.
|
Assignee | |
Comment 2•6 months ago
|
||
The problem is there's a race in Nursery::updateAllocFlagsForZone where we cancel compilation after we've updated the flags rather than before.
Flags: needinfo?(jdemooij)
Flags: needinfo?(jcoppeard)
|
|
Assignee | |
Updated•6 months ago
|
Assignee: nobody → jcoppeard
|
|
||
Updated•6 months ago
|
Keywords: csectype-race
|
|
Assignee | |
Updated•6 months ago
|
Keywords: regression
Regressed by: 1830921
|
||
Updated•6 months ago
|
status-firefox113:
--- → unaffected
status-firefox114:
--- → affected
status-firefox115:
--- → affected
status-firefox-esr102:
--- → unaffected
|
|
Assignee | |
Comment 4•6 months ago
|
||
This calls CancelOffThreadIonCompile before changing the nursery allocation
flags to avoid the race condition with off-thread compilation reading these
flags.
Nursery::discardJitCodeForZone is renamed to make it clear that it also sets
JIT flags.
|
||
Updated•6 months ago
|
Keywords: sec-moderate
|
|
||
Updated•6 months ago
|
status-firefox116:
--- → affected
|
||
Comment 7•6 months ago
|
||
Cancel off-thread JIT compilation before changing nursery allocation flags r=jandem
https://hg.mozilla.org/integration/autoland/rev/9bb35704d9f91d34e3b7c98fc648e7042b5aac91
https://hg.mozilla.org/mozilla-central/rev/9bb35704d9f9
Group: javascript-core-security → core-security-release
Status: NEW → RESOLVED
Closed: 6 months ago
Resolution: --- → FIXED
Target Milestone: --- → 116 Branch
|
|
||
Updated•6 months ago
|
|
|
||
Comment 8•6 months ago
|
||
The patch landed in nightly and beta is affected.
:jonco, is this bug important enough to require an uplift?
- If yes, please nominate the patch for beta approval.
- If no, please set
status-firefox115towontfix.
For more information, please visit BugBot documentation.
Flags: needinfo?(jcoppeard)
|
|
Assignee | |
Comment 9•6 months ago
|
||
Comment on attachment 9336739 [details]
Bug 1835710 - Cancel off-thread JIT compilation before changing nursery allocation flags r?jandem
Beta/Release Uplift Approval Request
- User impact if declined: Possible crash unexpected behaviour.
- Is this code covered by automated tests?: Yes
- Has the fix been verified in Nightly?: Yes
- Needs manual test from QE?: Yes
- If yes, steps to reproduce:
- List of other uplifts needed: None
- Risk to taking this patch: Low
- Why is the change risky/not risky? (and alternatives if risky): This is a simple patch to split up Nursery::discardCodeAndSetJitFlagsForZone to avoid the race and is mostly plumbing. It's been on central for a week without causing regressions.
- String changes made/needed: None
- Is Android affected?: Yes
Flags: needinfo?(jcoppeard)
Attachment #9336739 -
Flags: approval-mozilla-beta?
|
||
Comment 10•6 months ago
|
||
Comment on attachment 9336739 [details]
Bug 1835710 - Cancel off-thread JIT compilation before changing nursery allocation flags r?jandem
Approved for 115.0b6.
Attachment #9336739 -
Flags: approval-mozilla-beta? → approval-mozilla-beta+
|
|
||
Comment 11•6 months ago
|
||
| uplift | ||
|
||
Updated•5 months ago
|
Whiteboard: [adv-main115+r]
|
||
Updated•5 months ago
|
QA Whiteboard: [post-critsmash-triage]
|
|
||
Updated•2 months ago
|
Group: core-security-release
You need to log in
before you can comment on or make changes to this bug.
Description
•