Closed Bug 967930 Opened 10 years ago Closed 10 years ago

TSan: data race js/src/../../js/src/jit/JitCompartment.h:240 setFlusher

Categories

(Core :: JavaScript Engine, defect)

Product:
Core
Component:
JavaScript Engine
Platform:
x86_64
Linux
Type:
defect
Priority:
Not set
Severity:
critical

Tracking

()

Status:
RESOLVED FIXED
Milestone:
mozilla30

People

(Reporter: decoder, Assigned: shu)

References

(Blocks 1 open bug)

Details

(Whiteboard: [tsan])

Attachments

(2 files)

Logfile with TSan trace
20.29 KB, text/plain
Details
Move AutoFlushCache instances in parallel ICs under lock.
4.99 KB, patch
efaust
: review+
Details | Diff | Splinter Review 
The attached logfile shows a thread/data race (mozilla-central revision 44ba69cacd7e) detected by TSan (ThreadSanitizer).

Typically, races reported by TSan are not false positives, but it is possible that the race is benign. Even in this case though, we should try to come up with a fix unless this would cause inacceptable performance issues. Also note that seemingly benign races can possibly be harmful (also depending on the compiler and the architecture) [1].

If the bug cannot be fixed, then this bug should be used to either make a compile-time annotation for blacklisting or add an entry to the runtime blacklist.

[1] http://software.intel.com/en-us/blogs/2013/01/06/benign-data-races-what-could-possibly-go-wrong
This looks like a PJS race.
Flags: needinfo?(shu)
Assignee: general → shu
Status: NEW → ASSIGNED
Flags: needinfo?(shu)
Comment on attachment 8371997 [details] [diff] [review]
Move AutoFlushCache instances in parallel ICs under lock.

Review of attachment 8371997 [details] [diff] [review]:
-----------------------------------------------------------------

OK, so the changes made by this patch are fine, r=me, but I'm desperately curious why each of those locked sections has an |if (cache.canAttachStub())| after a previous |if (!cache.canAttachStub() return true;|. That seems a little strange.
Attachment #8371997 - Flags: review?(efaustbmo) → review+
(In reply to Eric Faust [:efaust] from comment #3)
> Comment on attachment 8371997 [details] [diff] [review]
> Move AutoFlushCache instances in parallel ICs under lock.
> 
> Review of attachment 8371997 [details] [diff] [review]:
> -----------------------------------------------------------------
> 
> OK, so the changes made by this patch are fine, r=me, but I'm desperately
> curious why each of those locked sections has an |if
> (cache.canAttachStub())| after a previous |if (!cache.canAttachStub() return
> true;|. That seems a little strange.

Because this is multithreaded code. :)

Before entering the critical (locked) section, we know that the cache can attach a stub, but another thread might have attached stubs in the meantime. We can have an interleaving like:

       T1                          |           T2
-----------------------------------+-------------------------------
 cache.canAttachStub() == true     |  cache.canAttachStub() == true
 acquires lock                     |
 attaches stub                     |
 releases lock                     |
                                   |  acquires lock
                                   |  cache.canAttachStub() == false
https://hg.mozilla.org/mozilla-central/rev/479ce9c26b7e
Status: ASSIGNED → RESOLVED
Closed: 10 years ago
Resolution: --- → FIXED
Target Milestone: --- → mozilla30
You need to log in before you can comment on or make changes to this bug.

Attachment

General

Creator:
Created:
Updated:
Size: