Closed Bug 1950041 Opened 1 year ago Closed 1 year ago

Race condition between deferred purge and deleting a private arena

Categories

(Core :: Memory Allocator, defect)


Tracking

RESOLVED FIXED
138 Branch
Tracking Status
firefox-esr128 --- unaffected
firefox135 --- unaffected
firefox136 --- unaffected
firefox137 --- unaffected
firefox138 --- fixed

People

(Reporter: pbone, Assigned: pbone)

References

(Regression)

Details

(Keywords: regression)

Attachments

(4 files)

This doesn't happen in practice because nothing in Firefox deletes an arena off-main-thread. But fixing this will make it safer to use arenas.

Thread 1: running MayPurgeStep, finds arena in the list, releases list lock.
Thread 2: Destroys arena.
Thread 1: Attempts to purge destroyed arena.

There are a couple of other related cases, such as when a Purge() is already underway but releases the lock for the system call. This wasn't previously a problem because, although it released the lock, it was synchronous with an explicit call to free() or realloc(), or the arena collection lock was held for the duration of the purge.

Beta is unaffected because no code currently deletes arenas off-main-thread and all delayed purge occurs on the main thread.
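As an added illustration (not the bug's patch and not mozjemalloc's own code), here is a minimal C++ model of the three-step interleaving in the report and of the approach named in the landed commit "Delay destruction of an arena until purging is complete": the purger marks the arena busy before it drops the collection lock, and a Destroy() that arrives meanwhile is recorded and carried out by the purger once it finishes, instead of freeing memory the purger still holds a pointer to. The Arena, ArenaCollection, BeginPurge/EndPurge/Destroy names and the two-flag scheme are assumptions of this sketch; the real fix lives in the attached patches.

```cpp
#include <algorithm>
#include <memory>
#include <mutex>
#include <vector>

// Hypothetical, simplified model of the report's "arena collection"; the
// names and the flag scheme are this example's own, not mozjemalloc's.
struct Arena {
  int mId;
  bool mPurging = false;         // a deferred purge is working on this arena
  bool mDestroyPending = false;  // Destroy() was requested during a purge
  explicit Arena(int aId) : mId(aId) {}
};

class ArenaCollection {
 public:
  Arena* Create(int aId) {
    std::lock_guard<std::mutex> lock(mLock);
    mArenas.push_back(std::make_unique<Arena>(aId));
    return mArenas.back().get();
  }

  // Thread 1, first half of the purge step: find the arena in the list, mark
  // it as being purged, then release the list lock before the slow system call.
  void BeginPurge(Arena* aArena) {
    std::lock_guard<std::mutex> lock(mLock);
    aArena->mPurging = true;
  }

  // Thread 2: delete a private arena. Returns true if it was freed now, false
  // if destruction was deferred because a purge is in flight.
  bool Destroy(Arena* aArena) {
    std::lock_guard<std::mutex> lock(mLock);
    if (aArena->mPurging) {
      aArena->mDestroyPending = true;
      return false;
    }
    RemoveLocked(aArena);
    return true;
  }

  // Thread 1, second half: the purge is done; run any deferred destruction.
  // Returns true if this call freed the arena.
  bool EndPurge(Arena* aArena) {
    std::lock_guard<std::mutex> lock(mLock);
    aArena->mPurging = false;
    if (aArena->mDestroyPending) {
      RemoveLocked(aArena);
      return true;
    }
    return false;
  }

  size_t Size() const { return mArenas.size(); }
  int Destroyed() const { return mDestroyed; }

 private:
  void RemoveLocked(Arena* aArena) {  // caller holds mLock
    auto it = std::find_if(
        mArenas.begin(), mArenas.end(),
        [aArena](const std::unique_ptr<Arena>& a) { return a.get() == aArena; });
    if (it != mArenas.end()) {
      mArenas.erase(it);
      ++mDestroyed;
    }
  }

  std::mutex mLock;  // the arena collection lock
  std::vector<std::unique_ptr<Arena>> mArenas;
  int mDestroyed = 0;
};

// Replays the interleaving from the report, step by step, with the deferral in
// place. Returns true when the arena survives the purge and is freed exactly
// once, after EndPurge().
bool ReplayRace() {
  ArenaCollection coll;
  Arena* arena = coll.Create(1);
  coll.BeginPurge(arena);                  // Thread 1: found arena, dropped lock
  bool freedNow = coll.Destroy(arena);     // Thread 2: destroy during purge
  bool stillAlive = arena->mPurging;       // Thread 1 still works on a live arena
  bool freedAtEnd = coll.EndPurge(arena);  // Thread 1: purge done, deferred free
  return !freedNow && stillAlive && freedAtEnd &&
         coll.Destroyed() == 1 && coll.Size() == 0;
}

// Control case: no purge in flight, so Destroy() frees immediately.
bool DestroyWithoutPurge() {
  ArenaCollection coll;
  Arena* arena = coll.Create(2);
  return coll.Destroy(arena) && coll.Destroyed() == 1 && coll.Size() == 0;
}
```

The steps are replayed on one thread so the outcome is deterministic; the same flags work under real threads because every read and write of them happens under the collection lock, and the only unlocked access is the purger's use of an arena it has already marked busy. Without the deferral, the Destroy() in the middle would free the arena that thread 1 goes on to purge, which is the use-after-free the report describes.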

Set release status flags based on info from the regressing bug 1903758

(In reply to BugBot [:suhaib / :marco/ :calixte] from comment #5)

> Set release status flags based on info from the regressing bug 1903758

Note that we currently do not delete arenas off main thread, so there is no release impact.

> Set release status flags based on info from the regressing bug 1903758

Note that this only applies to private arenas which were safe for deletion before Bug 1903758. Thread-local (aka public) arenas aren't safe for deletion because they're used implicitly (Bug 1364359).

Summary: Race condition between deferred purge and deleting an arena → Race condition between deferred purge and deleting a private arena
Attachment #9469894 - Attachment description: Bug 1950041 - ShouldContinuePurge's parameter should be explicit r=glandium → Bug 1950041 - Use an enum for the kind of purge condition r=glandium

Hi :pbone! Were you going to land this on 138? Since this doesn't affect beta, I'm wondering if you should land soon for it to get good bake time in nightly.

Flags: needinfo?(pbone)

Hi Dianna, Yes this should land soon. Bug 1947687 is landing now which this depends on.

Nightly is also currently unaffected, like beta. It's a theoretical thing that we're not making use of yet in Firefox.

Depends on: 1947687
Flags: needinfo?(pbone)
Pushed by pbone@mozilla.com:
https://hg.mozilla.org/integration/autoland/rev/70ec52f9316c
Fix a comment r=glandium
https://hg.mozilla.org/integration/autoland/rev/6771560ca736
Use an enum for the kind of purge condition r=glandium
https://hg.mozilla.org/integration/autoland/rev/2efb94b34159
Use an enum for Purge()'s return value r=glandium
https://hg.mozilla.org/integration/autoland/rev/267514795e90
Delay destruction of an arena until purging is complete r=glandium,jstutte
Duplicate of this bug: 1935086