TSan: data race js/src/../../js/src/jsinferinlines.h:601 BytecodeTypes<js::types::StackTypeSet>

RESOLVED FIXED in mozilla30

Status

Core
JavaScript Engine
--
critical
RESOLVED FIXED
4 years ago
4 years ago

People

(Reporter: decoder, Assigned: jandem)

Tracking

(Blocks: 1 bug)

Trunk
mozilla30
x86_64
Linux

Firefox Tracking Flags

(Not tracked)

Details

(Whiteboard: [tsan])

Attachments

(2 attachments)

(Reporter)

Description

4 years ago
Created attachment 8370001 [details]
Logfile with TSan trace

The attached logfile shows a thread/data race (mozilla-central revision tsan-trace1.txt) detected by TSan (ThreadSanitizer).

Typically, races reported by TSan are not false positives, but it is possible that the race is benign. Even in this case though, we should try to come up with a fix unless this would cause unacceptable performance issues. Also note that seemingly benign races can possibly be harmful (also depending on the compiler and the architecture) [1].

If the bug cannot be fixed, then this bug should be used to either make a compile-time annotation for blacklisting or add an entry to the runtime blacklist.

[1] http://software.intel.com/en-us/blogs/2013/01/06/benign-data-races-what-could-possibly-go-wrong
(Reporter)

Comment 1

4 years ago
m-c revision for the trace is 44ba69cacd7e, my script messed that up somehow.
(Assignee)

Comment 2

4 years ago
Created attachment 8370041 [details] [diff] [review]
Patch

The problem is here:

    if (bytecodeMap[*hint + 1] == offset && (*hint + 1) < script->nTypeSets()) {

When this runs off-thread, bytecodeMap[*hint + 1] can read the hint field that's stored at the end of the bytecodeMap and used by the main thread. It's not a real bug because (*hint + 1) < script->nTypeSets() will always be false in this case.

This patch just swaps the LHS and RHS of the && expression to fix the TSan failure.
Assignee: general → jdemooij
Status: NEW → ASSIGNED
Attachment #8370041 - Flags: review?(bhackett1024)
Attachment #8370041 - Flags: review?(bhackett1024) → review+
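
The operand-order point from comment 2, as an added example that is not Mozilla's code: a single-threaded C++ model that records when a lookup reads the slot past nTypeSets, where the comment says the main thread's hint is stored. The struct, the function names and the sample offsets are constructed for illustration.

```cpp
#include <cstdint>
#include <cstdio>
#include <vector>

// Constructed model of the layout described in comment 2: nTypeSets bytecode
// offsets, then one trailing slot where the main thread keeps its hint.
struct BytecodeMapModel {
    std::vector<uint32_t> slots;           // slots[nTypeSets] is the hint slot
    uint32_t nTypeSets;
    mutable bool touchedHintSlot = false;  // set when a lookup reads that slot

    explicit BytecodeMapModel(const std::vector<uint32_t>& offsets)
        : slots(offsets), nTypeSets(static_cast<uint32_t>(offsets.size())) {
        slots.push_back(0);                // stand-in for the main thread's hint
    }
    uint32_t read(uint32_t i) const {
        if (i >= nTypeSets) touchedHintSlot = true;
        return slots.at(i);
    }
};

// Operand order from the line quoted in comment 2: index, then bounds check.
bool hintHitBefore(const BytecodeMapModel& m, uint32_t hint, uint32_t offset) {
    return m.read(hint + 1) == offset && (hint + 1) < m.nTypeSets;
}

// Swapped order: && short-circuits, so the read only happens in range.
bool hintHitAfter(const BytecodeMapModel& m, uint32_t hint, uint32_t offset) {
    return (hint + 1) < m.nTypeSets && m.read(hint + 1) == offset;
}

// Runs one lookup on a fresh model and reports whether the hint slot was read.
bool readsHintSlot(bool swapped, uint32_t hint, uint32_t offset) {
    const std::vector<uint32_t> sample = {3, 7, 12, 20};  // constructed offsets
    BytecodeMapModel m(sample);
    bool hit = swapped ? hintHitAfter(m, hint, offset) : hintHitBefore(m, hint, offset);
    (void)hit;  // the result is the same either way; only the access differs
    return m.touchedHintSlot;
}

int main() {
    // hint == nTypeSets - 1 is the case where hint + 1 indexes the hint slot.
    std::printf("before reads hint slot: %d, after: %d\n",
                readsHintSlot(false, 3, 0), readsHintSlot(true, 3, 0));
    return 0;
}
```

Both orders return the same result for every input, which matches the comment's point that the original was not a functional bug; only the swapped order avoids the access that TSan flagged.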
(Assignee)

Comment 3

4 years ago
https://hg.mozilla.org/integration/mozilla-inbound/rev/335f59774b9f
https://hg.mozilla.org/mozilla-central/rev/335f59774b9f
Status: ASSIGNED → RESOLVED
Last Resolved: 4 years ago
Resolution: --- → FIXED
Target Milestone: --- → mozilla30