Race condition between deferred purge and deleting a private arena
Categories: Core :: Memory Allocator, defect

Tracking

| Version | Tracking | Status |
|---|---|---|
| firefox-esr128 | --- | unaffected |
| firefox135 | --- | unaffected |
| firefox136 | --- | unaffected |
| firefox137 | --- | unaffected |
| firefox138 | --- | fixed |
People: Reporter: pbone, Assigned: pbone

References: Regression

Details: Keywords: regression

Attachments: 4 files
This doesn't happen in practice because nothing in Firefox deletes an arena off-main-thread. But fixing this will make it safer to use arenas.
Thread 1: running MayPurgeStep, finds arena in the list, releases list lock.
Thread 2: Destroys arena.
Thread 1: Attempts to purge destroyed arena.
There are a couple of other related cases, such as when a Purge() is already underway but releases the lock for the system call. This wasn't previously a problem because, although it released the lock, it was synchronous with an explicit call to free() or realloc(), or the arena collection lock was held for the duration of the purge.
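The interleaving above, modelled as an added example: an illustrative C++ model with assumed names (Arena, ArenaCollection, FindPurgeCandidate, PurgeStep), not mozjemalloc's code and not the fix that landed. The purge step takes a strong reference before the collection lock is released, and the arena carries a destroyed flag that is re-checked under the arena's own lock, so a deletion that wins the race is detected rather than dereferenced.

```cpp
#include <algorithm>
#include <cstddef>
#include <memory>
#include <mutex>
#include <vector>
// Illustrative model with assumed names, not mozjemalloc's code.
struct Arena {
  std::mutex mLock;         // guards the fields below
  size_t mDirtyPages;       // pages still to be handed back to the OS
  size_t mPurgedPages = 0;
  bool mDestroyed = false;  // set by DestroyArena; a purge must stop here
  explicit Arena(size_t dirty) : mDirtyPages(dirty) {}
};

struct ArenaCollection {
  std::mutex mLock;  // guards mArenas only, not the arenas' contents
  std::vector<std::shared_ptr<Arena>> mArenas;
  // Thread 2: unlink under the collection lock, then flag the arena under its own
  // lock; the shared_ptr keeps storage alive while an in-flight purge holds it.
  void DestroyArena(const std::shared_ptr<Arena>& arena) {
    {
      std::lock_guard<std::mutex> g(mLock);
      mArenas.erase(std::remove(mArenas.begin(), mArenas.end(), arena), mArenas.end());
    }
    std::lock_guard<std::mutex> g(arena->mLock);
    arena->mDestroyed = true;
  }

  // Thread 1, first half of the purge step: pick a candidate and take a strong
  // reference BEFORE the collection lock is released.
  std::shared_ptr<Arena> FindPurgeCandidate() {
    std::lock_guard<std::mutex> g(mLock);
    for (auto& a : mArenas) {
      std::lock_guard<std::mutex> ag(a->mLock);
      if (a->mDirtyPages > 0) return a;
    }
    return nullptr;
  }
};

// Thread 1, second half: purge up to `chunk` pages. The collection lock is not
// held here, so re-check mDestroyed under the arena lock on every step.
bool PurgeStep(Arena& arena, size_t chunk) {
  std::lock_guard<std::mutex> g(arena.mLock);
  if (arena.mDestroyed) return false;  // destroyed in the window: skip safely
  size_t n = std::min(chunk, arena.mDirtyPages);
  arena.mDirtyPages -= n;
  arena.mPurgedPages += n;
  return true;
}
```

In a real allocator the arena lock is dropped around the madvise-style system call, so the same re-check has to happen again after the lock is reacquired.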
Comment 1 (Assignee) • 1 year ago

Comment 2 (Assignee) • 1 year ago

Comment 3 (Assignee) • 1 year ago

Comment 4 (Assignee) • 1 year ago

Beta is unaffected because no code currently deletes arenas off-main-thread and all delayed purge occurs on the main thread.
Comment 5 • 1 year ago

Set release status flags based on info from the regressing bug 1903758
Comment 6 • 1 year ago

(In reply to BugBot [:suhaib / :marco/ :calixte] from comment #5)
> Set release status flags based on info from the regressing bug 1903758

Note that we currently do not delete arenas off main thread, so there is no release impact.
Comment 7 • 1 year ago

Set release status flags based on info from the regressing bug 1903758
Comment 8 (Assignee) • 1 year ago

Comment 9 (Assignee) • 1 year ago

Note that this only applies to private arenas which were safe for deletion before Bug 1903758. Thread-local (aka public) arenas aren't safe for deletion because they're used implicitly (Bug 1364359).
Updated • 1 year ago

Comment 10 • 1 year ago

Hi :pbone! Were you going to land this on 138? Since this doesn't affect beta, I'm wondering if you should land soon for it to get good bake time in nightly.
Comment 11 (Assignee) • 1 year ago

Hi Dianna, yes, this should land soon. Bug 1947687, which this depends on, is landing now.
Nightly is also currently unaffected, like beta. It's a theoretical thing that we're not making use of yet in Firefox.
Comment 12 • 1 year ago

Comment 13 • 1 year ago (bugherder)

https://hg.mozilla.org/mozilla-central/rev/70ec52f9316c
https://hg.mozilla.org/mozilla-central/rev/6771560ca736
https://hg.mozilla.org/mozilla-central/rev/2efb94b34159
https://hg.mozilla.org/mozilla-central/rev/267514795e90