Closed Bug 419091 Opened 17 years ago Closed 17 years ago

Assertion failure: JS_PROPERTY_CACHE(cx).disabled >= 0, at jsinterp.c:463 using js.c Scatter() test and gczeal(2)

Categories

(Core :: JavaScript Engine, defect, P1)

Product:
Core
Component:
JavaScript Engine
Type:
defect

Tracking

()

Status:
RESOLVED FIXED
Milestone:
mozilla1.9

People

(Reporter: crowderbt, Assigned: jorendorff)

References

Details

(Keywords: testcase)

Attachments

(2 files, 2 obsolete files)

v2
3.74 KB, patch
brendan
: review+
Details | Diff | Splinter Review
v2 CVS-2
3.20 KB, patch
Details | Diff | Splinter Review
gczeal(2); function f() { for (let i = 0; i < 10; i++) { let y = { x: i } } } for (let i = 0; i < 10; i++) scatter([f, f]);
Status: NEW → ASSIGNED
At the top of js_GC, we call js_DisablePropertyCache for a certain set of contexts. At the bottom, we call js_EnablePropertyCache for a certain set of contexts. If the two sets are not equal, the effect on .disabled can be unbalanced. JS_SetContextThread racing with GC can make this happen. Sequence of events: * Thread 1 creates context cx2 and calls JS_ClearContextThread(cx2), so cx2->thread is NULL. * Thread 1 starts thread 2. * Thread 1 enters GC. * The "disable pcache" code in js_GC runs; at this point cx2->thread is NULL. * Thread 2 calls JS_SetContextThread(cx2), setting cx2->thread. This happens outside all locks/requests. * The "enable pcache" code in js_GC runs; at this point cx2->thread is non-null, so js_GC calls js_EnablePropertyCache(cx2) without having disabled the property cache on thread 2. The assertion fails here. That story is consistent with my gdb-ing. One sort of heavy-handed fix would be to JS_LOCK_GC and JS_AWAIT_GC_DONE in JS_{Set,Clear}ContextThread. I think another possibility would be to make js_GC disable/enable the cache only for contexts that are in active requests (i.e. stopped inside libjs at a safe point other than JS_BeginRequest). Haven't thought this through, though.
I also just hit this bug in a big way. This pretty much breaks any multi-threaded embedder. It happens exactly as described above in comment #1. We have an idle pool of many contexts. js_SetContextThread() is called one of the contexts while another is running GC. A thread could also call JS_ClearContextThread() and unbalance the enable/disable pairing while GC is running too. This bug should block 1.9. I also don't like the JS_LOCK_GC above. Thread contention is evil. I suppose you could keep a temporary list of those contexts which you called js_DisablePropertyCache() on to ensure you only call js_EnablePropertyCache() on the right ones. A flag on the context indicating its property cache is "disabled" would do the same I suppose... Brendan, I need a work around (or fix). Can you suggest one? I can write the patch. Tell me how you want this done. Thanks.
Assignee: general → brendan
Status: ASSIGNED → NEW
Status: NEW → ASSIGNED
Priority: -- → P1
Target Milestone: --- → mozilla1.9
Mike: with the patch for bug 425828 applied to your tree, how are things? /be
Running the code in comment 0 a few times still hits this assertion in trunk (debug JS_THREADSAFE js shell on Mac). blocking1.9?
Flags: blocking1.9?
We do not live in a world in which we would not ship 1.9 (or FF3) because this bug was left unfixed, given that the propcache disabling itself is just paranoia (per the check-in comment) and this only affects debug builds that race context creation against GC. Minusing!
Flags: blocking1.9? → blocking1.9-
I thought there were several threads in FF3? main, anti-phishing, others? This is just plain busted and needs fixing Mike.
As noted in bug 429978: we walk the context list here without holding the GC lock: http://mxr.mozilla.org/seamonkey/source/js/src/jsgc.c#3179
Nobody's saying it doesn't need fixing (that would be WONTFIX or INVALID), just that it would not keep us from shipping if this bug were the last one left. JS is only run on one thread in FF3 outside of extensions, and even with (unknown) extensions the specific race is a) rare, and b) harmless unless scripts run during GC, which they very much should not.
MikeM: we'll fix before the 1.8 source release (which should happen pretty soon, first half of this year or bust). Shaver, please set blocking js1.8src for such bugs you may mark 1.9-. /be
Blocks: js1.8src
Roger, wilco. Thanks.
Brendan, Any news? A forthcoming patch would be nice... I'm still running into this on a regular basis..
I've hit this assert frequently with the DOM worker threads and I don't think we could try shipping the feature with this bug.
Attached patch v1 - the "don't do that" fix (obsolete) — Splinter Review
This fixes the bug by not disabling the property cache during GC. (This is just what bsmedberg did in bug 429978 comment 4.) bent and Mike, give this a shot. brendan may minus this one, as it removes some paranoia. Thinking it over, I'm not sure that particular bit of paranoia is worth keeping, though.
Attachment #325825 - Flags: review?(brendan)
Comment on attachment 325825 [details] [diff] [review] v1 - the "don't do that" fix This seems to prevent the asserts in my threading tests. Thanks!
Take my bug... please! (Who remembers Henny Youngman?) /be
Assignee: brendan → jorendorff
Status: ASSIGNED → NEW
Should go into hg.m.o/m-c for 1.9.1, for sure. bent, want to make this block your workerpool bug for compleatness? /be
Target Milestone: mozilla1.9 → mozilla1.9.1a1
Comment on attachment 325825 [details] [diff] [review] v1 - the "don't do that" fix >- /* >- * Clear property cache weak references and disable the cache so nothing >- * can fill it during GC (this is paranoia, since scripts should not run >- * during GC). >- */ >- js_DisablePropertyCache(cx); Agree on taking this out, at this place in jsgc.cpp -- but we should JS_ASSERT(!cx->runtime->gcRunning) in js_FillPropertyCache to cover the bet. >- if (!(rt->shapeGen & SHAPE_OVERFLOW_BIT)) { >- js_EnablePropertyCache(cx); >-#ifdef JS_THREADSAFE >- iter = NULL; >- while ((acx = js_ContextIterator(rt, JS_FALSE, &iter)) != NULL) { >- if (!acx->thread || acx->thread == cx->thread) >- continue; >- js_EnablePropertyCache(acx); >- } >-#endif >- } >- This isn't right, if we manage to overflow the shape identifier space then we should disable here (rather than decide not to re-enable), and run without the property cache until such time as shapes are GC'd to reduce the total number of shapes to less 2**24. /be
Indeed, blocks bug 437152.
Blocks: workerthreads
Target Milestone: mozilla1.9.1a1 → mozilla1.9
(In reply to comment #17) Sorry for missing that, my spider-sense tingled but I ignored it. :-P I'm scratching my head over something though. I don't see what implements the "until such time as..." part currently; instead it looks like the property cache would remain disabled forever, and GC would start happening very frequently (from js_GenerateShape). If that's right, it would be a separate bug; for now I'll just retain the current behavior by flipping that if-block (rather than deleting it).
Status: NEW → ASSIGNED
Attached patch v2Splinter Review
This update addresses comment 17, but see comment 19.
Attachment #325825 - Attachment is obsolete: true
Attachment #326015 - Flags: review?(brendan)
Attachment #325825 - Flags: review?(brendan)
Comment on attachment 326015 [details] [diff] [review] v2 You're right, I dreamt about healing (and avoiding fruitless mega-GC-run attempts to reduce shape population) but never implemented. (Too many late nights were required to get the shape-based stuff done and right for Fx3.) Could you please file a bug on that and cite it in a FIXME: comment for the overflow paragraph in js_GC? Thanks, r=me with that. /be
Attachment #326015 - Flags: review?(brendan) → review+
Filed bug 440834.
No longer blocks: js1.8src
Blocks: js1.8
No longer blocks: js1.8
We'll do a mini-branch in cvs.mozilla.org for js1.8, and back-port what lands here. Should be easy. If you happen to have a cvs tree around and want to do the patch, we'll be grateful. /be
Pushed (with FIXME comment): http://hg.mozilla.org/mozilla-central/index.cgi/rev/d971499d7eda Should this bug remain open for tracking js1.8? I'm marking it FIXED for now.
Status: ASSIGNED → RESOLVED
Closed: 17 years ago
Resolution: --- → FIXED
It blocks js1.8src even thought it is resolved, so it will be tracked. /be
Keywords: testcase
/cvsroot/mozilla/js/tests/js1_8/extensions/regress-419091.js,v <-- regress-419091.js initial revision: 1.1 http://hg.mozilla.org/mozilla-central/rev/f0e9fd501e63
Flags: in-testsuite+
Flags: in-litmus-
Attached patch v2 CVS (obsolete) — Splinter Review
Patch v2 updated to apply to CVS for RC2.
Attached patch v2 CVS-2Splinter Review
Fix broken logic inversion around rt->shapeGen
Attachment #401670 - Attachment is obsolete: true
Blocks: 472619
No longer blocks: 472619
You need to log in before you can comment on or make changes to this bug.

Attachment

General

Creator:
Created:
Updated:
Size: