Issue 701732 link

Issue metadata

Status: Fixed
Owner:
Closed: Mar 2017
Cc:
Components:
EstimatedDays: ----
NextAction: ----
OS: ----
Pri: 2
Type: Bug



Data race in MigrateObject

Project Member Reported by maxmorin@chromium.org, Mar 15 2017

Issue description

Found running ToT Chromium. Mlippautz: You seem to have worked in this area, could you take a look? Please let me know if I can help out somehow.

Tsan output:
==================
WARNING: ThreadSanitizer: data race (pid=64504)
  Write of size 8 at 0x7f566b5bb3b8 by thread T19:
    #0 MigrateObject<v8::internal::MarkCompactCollector::EvacuateVisitorBase::MigrationMode::kFast> v8/src/heap/mark-compact.cc:1680 (chrome+0x1fcb398)
    #1 MigrateObject v8/src/heap/mark-compact.cc:1641 (chrome+0x1fcb398)
    #2 TryEvacuateObject v8/src/heap/mark-compact.cc:1630 (chrome+0x1fcb398)
    #3 Visit v8/src/heap/mark-compact.cc:1906 (chrome+0x1fddd6f)
    #4 VisitLiveObjects<v8::internal::MarkCompactCollector::EvacuateOldSpaceVisitor> v8/src/heap/mark-compact.cc:3482 (chrome+0x1fddd6f)
    #5 EvacuatePage v8/src/heap/mark-compact.cc:3095 (chrome+0x1fdd6f7)
    #6 ProcessPageInParallel v8/src/heap/mark-compact.cc:3191 (chrome+0x1fdd093)
    #7 RunInternal v8/src/heap/page-parallel-job.h:161 (chrome+0x1fdd093)
    #8 Run v8/src/cancelable-task.h:146 (chrome+0x1adc8d3)
    #9 <null> v8/src/cancelable-task.h:? (chrome+0x1adc8d3)
    #10 Invoke<v8::Task *> base/bind_internal.h:214 (chrome+0x53bdb85)
    #11 MakeItSo<void (v8::Task::*const &)(), v8::Task *> base/bind_internal.h:285 (chrome+0x53bdb85)
    #12 RunImpl<void (v8::Task::*const &)(), const std::__1::tuple<base::internal::OwnedWrapper<v8::Task> > &, 0> base/bind_internal.h:361 (chrome+0x53bdb85)
    #13 Run base/bind_internal.h:339 (chrome+0x53bdb85)
    #14 Run base/callback.h:68 (chrome+0x31ceadd)
    #15 ThreadMain base/threading/worker_pool_posix.cc:100 (chrome+0x31ceadd)
    #16 ThreadFunc base/threading/platform_thread_posix.cc:71 (chrome+0x31c325d)

  Previous atomic read of size 8 at 0x7f566b5bb3b8 by thread T15:
    #0 __tsan_atomic64_load ??:? (chrome+0xc1d3e4)
    #1 NoBarrier_Load v8/src/base/atomicops_internals_portable.h:161 (chrome+0x1fcd69c)
    #2 map_word v8/src/objects-inl.h:1508 (chrome+0x1fcd69c)
    #3 cast_gc_safe v8/src/layout-descriptor-inl.h:142 (chrome+0x1fcd69c)
    #4 layout_descriptor_gc_safe v8/src/objects-inl.h:5357 (chrome+0x1fcd69c)
    #5 LayoutDescriptorHelper v8/src/layout-descriptor-inl.h:230 (chrome+0x1fcd69c)
    #6 IterateBodyImpl<v8::internal::RecordMigratedSlotVisitor> v8/src/objects-body-descriptors-inl.h:44 (chrome+0x1fcd69c)
    #7 BodyDescriptorApply<v8::internal::CallIterateBody, void, v8::internal::HeapObject *, int, v8::internal::RecordMigratedSlotVisitor *> v8/src/objects-body-descriptors.h:? (chrome+0x1fcd3ac)
    #8 IterateBodyFast<v8::internal::RecordMigratedSlotVisitor> v8/src/objects-body-descriptors-inl.h:616 (chrome+0x1fcb2e3)
    #9 MigrateObject<v8::internal::MarkCompactCollector::EvacuateVisitorBase::MigrationMode::kFast> v8/src/heap/mark-compact.cc:1661 (chrome+0x1fcb2e3)
    #10 MigrateObject v8/src/heap/mark-compact.cc:1641 (chrome+0x1fcb2e3)
    #11 TryEvacuateObject v8/src/heap/mark-compact.cc:1630 (chrome+0x1fcb2e3)
    #12 Visit v8/src/heap/mark-compact.cc:1906 (chrome+0x1fddd6f)
    #13 VisitLiveObjects<v8::internal::MarkCompactCollector::EvacuateOldSpaceVisitor> v8/src/heap/mark-compact.cc:3482 (chrome+0x1fddd6f)
    #14 EvacuatePage v8/src/heap/mark-compact.cc:3095 (chrome+0x1fdd6f7)
    #15 ProcessPageInParallel v8/src/heap/mark-compact.cc:3191 (chrome+0x1fdd093)
    #16 RunInternal v8/src/heap/page-parallel-job.h:161 (chrome+0x1fdd093)
    #17 Run v8/src/cancelable-task.h:146 (chrome+0x1adc8d3)
    #18 <null> v8/src/cancelable-task.h:? (chrome+0x1adc8d3)
    #19 Invoke<v8::Task *> base/bind_internal.h:214 (chrome+0x53bdb85)
    #20 MakeItSo<void (v8::Task::*const &)(), v8::Task *> base/bind_internal.h:285 (chrome+0x53bdb85)
    #21 RunImpl<void (v8::Task::*const &)(), const std::__1::tuple<base::internal::OwnedWrapper<v8::Task> > &, 0> base/bind_internal.h:361 (chrome+0x53bdb85)
    #22 Run base/bind_internal.h:339 (chrome+0x53bdb85)
    #23 Run base/callback.h:68 (chrome+0x31ceadd)
    #24 ThreadMain base/threading/worker_pool_posix.cc:100 (chrome+0x31ceadd)
    #25 ThreadFunc base/threading/platform_thread_posix.cc:71 (chrome+0x31c325d)

  Thread T19 'WorkerPool/6452' (tid=64528, running) created by main thread at:
    #0 pthread_create ??:? (chrome+0xbe0985)
    #1 CreateThread base/threading/platform_thread_posix.cc:110 (chrome+0x31c2d57)
    #2 CreateNonJoinableWithPriority base/threading/platform_thread_posix.cc:207 (chrome+0x31c2e98)
    #3 CreateNonJoinable base/threading/platform_thread_posix.cc:197 (chrome+0x31c2e98)
    #4 AddTask base/threading/worker_pool_posix.cc:157 (chrome+0x31ce474)
    #5 PostTask base/threading/worker_pool_posix.cc:142 (chrome+0x31cdf43)
    #6 PostTask base/threading/worker_pool_posix.cc:64 (chrome+0x31cdf43)
    #7 PostTask base/threading/worker_pool_posix.cc:117 (chrome+0x31cdf43)
    #8 CallOnBackgroundThread gin/v8_platform.cc:70 (chrome+0x53bc18f)
    #9 Run<(lambda at ../../v8/src/heap/mark-compact.cc:3711:22)> v8/src/heap/page-parallel-job.h:95 (chrome+0x1fdefe3)
    #10 UpdatePointersInParallel<v8::internal::PointerDirection::OLD_TO_NEW> v8/src/heap/mark-compact.cc:3711 (chrome+0x1fc7a86)
    #11 UpdatePointersAfterEvacuation v8/src/heap/mark-compact.cc:3788 (chrome+0x1fc70ff)
    #12 EvacuateNewSpaceAndCandidates v8/src/heap/mark-compact.cc:3539 (chrome+0x1fbaa59)
    #13 v8::internal::MarkCompactCollector::CollectGarbage() v8/src/heap/mark-compact.cc:320 (chrome+0x1fb79e9)
    #14 MarkCompact v8/src/heap/heap.cc:1473 (chrome+0x1f83358)
    #15 PerformGarbageCollection v8/src/heap/heap.cc:1334 (chrome+0x1f80ebd)
    #16 CollectGarbage v8/src/heap/heap.cc:1014 (chrome+0x1f7fbf7)
    #17 CollectAllGarbage v8/src/heap/heap-inl.h:685 (chrome+0x1f7e2ea)
    #18 HandleGCRequest v8/src/heap/heap.cc:796 (chrome+0x1f7e2ea)
    #19 HandleInterrupts v8/src/execution.cc:470 (chrome+0x1f152d3)
    #20 __RT_impl_Runtime_StackGuard v8/src/runtime/runtime-internal.cc:307 (chrome+0x23458e2)
    #21 Runtime_StackGuard v8/src/runtime/runtime-internal.cc:297 (chrome+0x23458e2)
    #22 <null> <null> (0x7f56962843fd)
    #23 CallInternal v8/src/execution.cc:181 (chrome+0x1f13e9e)
    #24 Call v8/src/execution.cc:191 (chrome+0x1f13e9e)
    #25 Builtin_Impl_GlobalEval v8/src/builtins/builtins-global.cc:101 (chrome+0x1a69505)
    #26 Builtin_GlobalEval v8/src/builtins/builtins-global.cc:85 (chrome+0x1a68ffe)
    #27 <null> <null> (0x7f569628419d)
    #28 CallInternal v8/src/execution.cc:181 (chrome+0x1f13e9e)
    #29 Call v8/src/execution.cc:191 (chrome+0x1f13e9e)
    #30 Call v8/src/api.cc:5121 (chrome+0x196c6fa)
    #31 callFunction third_party/WebKit/Source/bindings/core/v8/V8ScriptRunner.cpp:656 (chrome+0x633e7a3)
    #32 callListenerFunction third_party/WebKit/Source/bindings/core/v8/V8EventListener.cpp:112 (chrome+0x635d6e9)
    #33 invokeEventHandler third_party/WebKit/Source/bindings/core/v8/V8AbstractEventListener.cpp:142 (chrome+0x635eccb)
    #34 handleEvent third_party/WebKit/Source/bindings/core/v8/V8AbstractEventListener.cpp:101 (chrome+0x635eaff)
    #35 handleEvent third_party/WebKit/Source/bindings/core/v8/V8AbstractEventListener.cpp:89 (chrome+0x635e992)
    #36 fireEventListeners third_party/WebKit/Source/core/events/EventTarget.cpp:712 (chrome+0x6a5cc29)
    #37 fireEventListeners third_party/WebKit/Source/core/events/EventTarget.cpp:576 (chrome+0x6a5c155)
    #38 dispatchEventInternal third_party/WebKit/Source/core/events/EventTarget.cpp:481 (chrome+0x6a5bfbd)
    #39 dispatchEvent third_party/WebKit/Source/core/events/EventTarget.cpp:474 (chrome+0x6a5bf57)
    #40 dispatchReadyStateChangeEvent third_party/WebKit/Source/core/xmlhttprequest/XMLHttpRequestProgressEventThrottle.cpp:136 (chrome+0x72d85d5)
    #41 dispatchReadyStateChangeEvent third_party/WebKit/Source/core/xmlhttprequest/XMLHttpRequest.cpp:545 (chrome+0x72cfbce)
    #42 changeState third_party/WebKit/Source/core/xmlhttprequest/XMLHttpRequest.cpp:524 (chrome+0x72d51bf)
    #43 endLoading third_party/WebKit/Source/core/xmlhttprequest/XMLHttpRequest.cpp:1664 (chrome+0x72d51bf)
    #44 didFinishLoadingInternal third_party/WebKit/Source/core/xmlhttprequest/XMLHttpRequest.cpp:1594 (chrome+0x72d507a)
    #45 didFinishLoading third_party/WebKit/Source/core/xmlhttprequest/XMLHttpRequest.cpp:1569 (chrome+0x72d4cb8)
    #46 non-virtual thunk to blink::XMLHttpRequest::didFinishLoading(unsigned long, double) third_party/WebKit/Source/core/xmlhttprequest/XMLHttpRequest.cpp:? (chrome+0x72d50ad)
    #47 handleSuccessfulFinish third_party/WebKit/Source/core/loader/DocumentThreadableLoader.cpp:917 (chrome+0x703b774)
    #48 notifyFinished third_party/WebKit/Source/core/loader/DocumentThreadableLoader.cpp:894 (chrome+0x703a03a)
    #49 non-virtual thunk to blink::DocumentThreadableLoader::notifyFinished(blink::Resource*) third_party/WebKit/Source/core/loader/DocumentThreadableLoader.cpp:? (chrome+0x703b824)
    #50 checkNotify third_party/WebKit/Source/platform/loader/fetch/Resource.cpp:367 (chrome+0x2a1e1f1)
    #51 finish third_party/WebKit/Source/platform/loader/fetch/Resource.cpp:432 (chrome+0x2a1edd5)
    #52 handleLoaderFinish third_party/WebKit/Source/platform/loader/fetch/ResourceFetcher.cpp:1201 (chrome+0x2a2d669)
    #53 didFinishLoading third_party/WebKit/Source/platform/loader/fetch/ResourceLoader.cpp:431 (chrome+0x2a39902)
    #54 OnCompletedRequest content/child/web_url_loader_impl.cc:870 (chrome+0x8f120c6)
    #55 OnCompletedRequest content/child/web_url_loader_impl.cc:1022 (chrome+0x8f125c6)
    #56 OnRequestComplete content/child/resource_dispatcher.cc:404 (chrome+0x601685b)
    #57 DispatchToMethodImpl<content::ResourceDispatcher *, void (content::ResourceDispatcher::*)(int, const content::ResourceRequestCompletionStatus &), const std::__1::tuple<int, content::ResourceRequestCompletionStatus> &, 0, 1> base/tuple.h:91 (chrome+0x6018994)
    #58 DispatchToMethod<content::ResourceDispatcher *, void (content::ResourceDispatcher::*)(int, const content::ResourceRequestCompletionStatus &), const std::__1::tuple<int, content::ResourceRequestCompletionStatus> &> base/tuple.h:98 (chrome+0x6018994)
    #59 DispatchToMethod<content::ResourceDispatcher, void (content::ResourceDispatcher::*)(int, const content::ResourceRequestCompletionStatus &), void, std::__1::tuple<int, content::ResourceRequestCompletionStatus> > ipc/ipc_message_templates.h:26 (chrome+0x6018994)
    #60 Dispatch<content::ResourceDispatcher, content::ResourceDispatcher, void, void (content::ResourceDispatcher::*)(int, const content::ResourceRequestCompletionStatus &)> ipc/ipc_message_templates.h:121 (chrome+0x6018994)
    #61 DispatchMessage content/child/resource_dispatcher.cc:566 (chrome+0x6013f64)
    #62 OnMessageReceived content/child/resource_dispatcher.cc:136 (chrome+0x6013489)
    #63 DispatchMessage content/child/resource_scheduling_filter.cc:74 (chrome+0x601a453)
    #64 Invoke<const base::WeakPtr<content::ResourceSchedulingFilter> &, const IPC::Message &> base/bind_internal.h:214 (chrome+0x601a732)
    #65 MakeItSo<void (content::ResourceSchedulingFilter::*const &)(const IPC::Message &), const base::WeakPtr<content::ResourceSchedulingFilter> &, const IPC::Message &> base/bind_internal.h:305 (chrome+0x601a732)
    #66 RunImpl<void (content::ResourceSchedulingFilter::*const &)(const IPC::Message &), const std::__1::tuple<base::WeakPtr<content::ResourceSchedulingFilter>, IPC::Message> &, 0, 1> base/bind_internal.h:361 (chrome+0x601a732)
    #67 Run base/bind_internal.h:339 (chrome+0x601a732)
    #68 Run base/callback.h:68 (chrome+0x3213c8a)
    #69 RunTask base/debug/task_annotator.cc:59 (chrome+0x3213c8a)
    #70 ProcessTaskFromWorkQueue third_party/WebKit/Source/platform/scheduler/base/task_queue_manager.cc:533 (chrome+0x61d6b3c)
    #71 DoWork third_party/WebKit/Source/platform/scheduler/base/task_queue_manager.cc:331 (chrome+0x61d47e3)
    #72 Invoke<const base::WeakPtr<blink::scheduler::TaskQueueManager> &, const bool &> base/bind_internal.h:214 (chrome+0x61d8dbf)
    #73 MakeItSo<void (blink::scheduler::TaskQueueManager::*const &)(bool), const base::WeakPtr<blink::scheduler::TaskQueueManager> &, const bool &> base/bind_internal.h:305 (chrome+0x61d8dbf)
    #74 RunImpl<void (blink::scheduler::TaskQueueManager::*const &)(bool), const std::__1::tuple<base::WeakPtr<blink::scheduler::TaskQueueManager>, bool> &, 0, 1> base/bind_internal.h:361 (chrome+0x61d8dbf)
    #75 Run base/bind_internal.h:339 (chrome+0x61d8dbf)
    #76 Run base/callback.h:68 (chrome+0x3213c8a)
    #77 RunTask base/debug/task_annotator.cc:59 (chrome+0x3213c8a)
    #78 RunTask base/message_loop/message_loop.cc:423 (chrome+0x315a8c2)
    #79 DeferOrRunPendingTask base/message_loop/message_loop.cc:434 (chrome+0x315ae8d)
    #80 DoWork base/message_loop/message_loop.cc:527 (chrome+0x315b664)
    #81 Run base/message_loop/message_pump_default.cc:33 (chrome+0x315f161)
    #82 RunHandler base/message_loop/message_loop.cc:387 (chrome+0x315a3ab)
    #83 Run base/run_loop.cc:37 (chrome+0x318fbe9)
    #84 RendererMain content/renderer/renderer_main.cc:200 (chrome+0x7bb4a6f)
    #85 RunZygote content/app/content_main_runner.cc:420 (chrome+0x2bf9afd)
    #86 RunNamedProcessTypeMain content/app/content_main_runner.cc:499 (chrome+0x2bfa657)
    #87 Run content/app/content_main_runner.cc:836 (chrome+0x2bfb1e4)
    #88 ContentMain content/app/content_main.cc:20 (chrome+0x2bf930e)
    #89 ChromeMain chrome/app/chrome_main.cc:121 (chrome+0xc3ebfb)
    #90 main chrome/app/chrome_exe_main_aura.cc:17 (chrome+0xc3eb4e)

  Thread T15 'WorkerPool/6452' (tid=64524, running) created by main thread at:
    #0 pthread_create ??:? (chrome+0xbe0985)
    #1 CreateThread base/threading/platform_thread_posix.cc:110 (chrome+0x31c2d57)
    #2 CreateNonJoinableWithPriority base/threading/platform_thread_posix.cc:207 (chrome+0x31c2e98)
    #3 CreateNonJoinable base/threading/platform_thread_posix.cc:197 (chrome+0x31c2e98)
    #4 AddTask base/threading/worker_pool_posix.cc:157 (chrome+0x31ce474)
    #5 PostTask base/threading/worker_pool_posix.cc:142 (chrome+0x31cdf43)
    #6 PostTask base/threading/worker_pool_posix.cc:64 (chrome+0x31cdf43)
    #7 PostTask base/threading/worker_pool_posix.cc:117 (chrome+0x31cdf43)
    #8 CallOnBackgroundThread gin/v8_platform.cc:70 (chrome+0x53bc18f)
    #9 Run<(lambda at ../../v8/src/heap/mark-compact.cc:3270:29)> v8/src/heap/page-parallel-job.h:95 (chrome+0x1fc4a33)
    #10 EvacuatePagesInParallel v8/src/heap/mark-compact.cc:3270 (chrome+0x1fc4a33)
    #11 EvacuateNewSpaceAndCandidates v8/src/heap/mark-compact.cc:3536 (chrome+0x1fba9f8)
    #12 v8::internal::MarkCompactCollector::CollectGarbage() v8/src/heap/mark-compact.cc:320 (chrome+0x1fb79e9)
    #13 MarkCompact v8/src/heap/heap.cc:1473 (chrome+0x1f83358)
    #14 PerformGarbageCollection v8/src/heap/heap.cc:1334 (chrome+0x1f80ebd)
    #15 CollectGarbage v8/src/heap/heap.cc:1014 (chrome+0x1f7fbf7)
    #16 CollectAllGarbage v8/src/heap/heap-inl.h:685 (chrome+0x1f7e2ea)
    #17 HandleGCRequest v8/src/heap/heap.cc:796 (chrome+0x1f7e2ea)
    #18 HandleInterrupts v8/src/execution.cc:470 (chrome+0x1f152d3)
    #19 __RT_impl_Runtime_StackGuard v8/src/runtime/runtime-internal.cc:307 (chrome+0x23458e2)
    #20 Runtime_StackGuard v8/src/runtime/runtime-internal.cc:297 (chrome+0x23458e2)
    #21 <null> <null> (0x7f56962843fd)
    #22 CallInternal v8/src/execution.cc:181 (chrome+0x1f13e9e)
    #23 Call v8/src/execution.cc:191 (chrome+0x1f13e9e)
    #24 Builtin_Impl_GlobalEval v8/src/builtins/builtins-global.cc:101 (chrome+0x1a69505)
    #25 Builtin_GlobalEval v8/src/builtins/builtins-global.cc:85 (chrome+0x1a68ffe)
    #26 <null> <null> (0x7f569628419d)
    #27 CallInternal v8/src/execution.cc:181 (chrome+0x1f13e9e)
    #28 Call v8/src/execution.cc:191 (chrome+0x1f13e9e)
    #29 Call v8/src/api.cc:5121 (chrome+0x196c6fa)
    #30 callFunction third_party/WebKit/Source/bindings/core/v8/V8ScriptRunner.cpp:656 (chrome+0x633e7a3)
    #31 callListenerFunction third_party/WebKit/Source/bindings/core/v8/V8EventListener.cpp:112 (chrome+0x635d6e9)
    #32 invokeEventHandler third_party/WebKit/Source/bindings/core/v8/V8AbstractEventListener.cpp:142 (chrome+0x635eccb)
    #33 handleEvent third_party/WebKit/Source/bindings/core/v8/V8AbstractEventListener.cpp:101 (chrome+0x635eaff)
    #34 handleEvent third_party/WebKit/Source/bindings/core/v8/V8AbstractEventListener.cpp:89 (chrome+0x635e992)
    #35 fireEventListeners third_party/WebKit/Source/core/events/EventTarget.cpp:712 (chrome+0x6a5cc29)
    #36 fireEventListeners third_party/WebKit/Source/core/events/EventTarget.cpp:576 (chrome+0x6a5c155)
    #37 dispatchEventInternal third_party/WebKit/Source/core/events/EventTarget.cpp:481 (chrome+0x6a5bfbd)
    #38 dispatchEvent third_party/WebKit/Source/core/events/EventTarget.cpp:474 (chrome+0x6a5bf57)
    #39 dispatchReadyStateChangeEvent third_party/WebKit/Source/core/xmlhttprequest/XMLHttpRequestProgressEventThrottle.cpp:136 (chrome+0x72d85d5)
    #40 dispatchReadyStateChangeEvent third_party/WebKit/Source/core/xmlhttprequest/XMLHttpRequest.cpp:545 (chrome+0x72cfbce)
    #41 changeState third_party/WebKit/Source/core/xmlhttprequest/XMLHttpRequest.cpp:524 (chrome+0x72d51bf)
    #42 endLoading third_party/WebKit/Source/core/xmlhttprequest/XMLHttpRequest.cpp:1664 (chrome+0x72d51bf)
    #43 didFinishLoadingInternal third_party/WebKit/Source/core/xmlhttprequest/XMLHttpRequest.cpp:1594 (chrome+0x72d507a)
    #44 didFinishLoading third_party/WebKit/Source/core/xmlhttprequest/XMLHttpRequest.cpp:1569 (chrome+0x72d4cb8)
    #45 non-virtual thunk to blink::XMLHttpRequest::didFinishLoading(unsigned long, double) third_party/WebKit/Source/core/xmlhttprequest/XMLHttpRequest.cpp:? (chrome+0x72d50ad)
    #46 handleSuccessfulFinish third_party/WebKit/Source/core/loader/DocumentThreadableLoader.cpp:917 (chrome+0x703b774)
    #47 notifyFinished third_party/WebKit/Source/core/loader/DocumentThreadableLoader.cpp:894 (chrome+0x703a03a)
    #48 non-virtual thunk to blink::DocumentThreadableLoader::notifyFinished(blink::Resource*) third_party/WebKit/Source/core/loader/DocumentThreadableLoader.cpp:? (chrome+0x703b824)
    #49 checkNotify third_party/WebKit/Source/platform/loader/fetch/Resource.cpp:367 (chrome+0x2a1e1f1)
    #50 finish third_party/WebKit/Source/platform/loader/fetch/Resource.cpp:432 (chrome+0x2a1edd5)
    #51 handleLoaderFinish third_party/WebKit/Source/platform/loader/fetch/ResourceFetcher.cpp:1201 (chrome+0x2a2d669)
    #52 didFinishLoading third_party/WebKit/Source/platform/loader/fetch/ResourceLoader.cpp:431 (chrome+0x2a39902)
    #53 OnCompletedRequest content/child/web_url_loader_impl.cc:870 (chrome+0x8f120c6)
    #54 OnCompletedRequest content/child/web_url_loader_impl.cc:1022 (chrome+0x8f125c6)
    #55 OnRequestComplete content/child/resource_dispatcher.cc:404 (chrome+0x601685b)
    #56 DispatchToMethodImpl<content::ResourceDispatcher *, void (content::ResourceDispatcher::*)(int, const content::ResourceRequestCompletionStatus &), const std::__1::tuple<int, content::ResourceRequestCompletionStatus> &, 0, 1> base/tuple.h:91 (chrome+0x6018994)
    #57 DispatchToMethod<content::ResourceDispatcher *, void (content::ResourceDispatcher::*)(int, const content::ResourceRequestCompletionStatus &), const std::__1::tuple<int, content::ResourceRequestCompletionStatus> &> base/tuple.h:98 (chrome+0x6018994)
    #58 DispatchToMethod<content::ResourceDispatcher, void (content::ResourceDispatcher::*)(int, const content::ResourceRequestCompletionStatus &), void, std::__1::tuple<int, content::ResourceRequestCompletionStatus> > ipc/ipc_message_templates.h:26 (chrome+0x6018994)
    #59 Dispatch<content::ResourceDispatcher, content::ResourceDispatcher, void, void (content::ResourceDispatcher::*)(int, const content::ResourceRequestCompletionStatus &)> ipc/ipc_message_templates.h:121 (chrome+0x6018994)
    #60 DispatchMessage content/child/resource_dispatcher.cc:566 (chrome+0x6013f64)
    #61 OnMessageReceived content/child/resource_dispatcher.cc:136 (chrome+0x6013489)
    #62 DispatchMessage content/child/resource_scheduling_filter.cc:74 (chrome+0x601a453)
    #63 Invoke<const base::WeakPtr<content::ResourceSchedulingFilter> &, const IPC::Message &> base/bind_internal.h:214 (chrome+0x601a732)
    #64 MakeItSo<void (content::ResourceSchedulingFilter::*const &)(const IPC::Message &), const base::WeakPtr<content::ResourceSchedulingFilter> &, const IPC::Message &> base/bind_internal.h:305 (chrome+0x601a732)
    #65 RunImpl<void (content::ResourceSchedulingFilter::*const &)(const IPC::Message &), const std::__1::tuple<base::WeakPtr<content::ResourceSchedulingFilter>, IPC::Message> &, 0, 1> base/bind_internal.h:361 (chrome+0x601a732)
    #66 Run base/bind_internal.h:339 (chrome+0x601a732)
    #67 Run base/callback.h:68 (chrome+0x3213c8a)
    #68 RunTask base/debug/task_annotator.cc:59 (chrome+0x3213c8a)
    #69 ProcessTaskFromWorkQueue third_party/WebKit/Source/platform/scheduler/base/task_queue_manager.cc:533 (chrome+0x61d6b3c)
    #70 DoWork third_party/WebKit/Source/platform/scheduler/base/task_queue_manager.cc:331 (chrome+0x61d47e3)
    #71 Invoke<const base::WeakPtr<blink::scheduler::TaskQueueManager> &, const bool &> base/bind_internal.h:214 (chrome+0x61d8dbf)
    #72 MakeItSo<void (blink::scheduler::TaskQueueManager::*const &)(bool), const base::WeakPtr<blink::scheduler::TaskQueueManager> &, const bool &> base/bind_internal.h:305 (chrome+0x61d8dbf)
    #73 RunImpl<void (blink::scheduler::TaskQueueManager::*const &)(bool), const std::__1::tuple<base::WeakPtr<blink::scheduler::TaskQueueManager>, bool> &, 0, 1> base/bind_internal.h:361 (chrome+0x61d8dbf)
    #74 Run base/bind_internal.h:339 (chrome+0x61d8dbf)
    #75 Run base/callback.h:68 (chrome+0x3213c8a)
    #76 RunTask base/debug/task_annotator.cc:59 (chrome+0x3213c8a)
    #77 RunTask base/message_loop/message_loop.cc:423 (chrome+0x315a8c2)
    #78 DeferOrRunPendingTask base/message_loop/message_loop.cc:434 (chrome+0x315ae8d)
    #79 DoWork base/message_loop/message_loop.cc:527 (chrome+0x315b664)
    #80 Run base/message_loop/message_pump_default.cc:33 (chrome+0x315f161)
    #81 RunHandler base/message_loop/message_loop.cc:387 (chrome+0x315a3ab)
    #82 Run base/run_loop.cc:37 (chrome+0x318fbe9)
    #83 RendererMain content/renderer/renderer_main.cc:200 (chrome+0x7bb4a6f)
    #84 RunZygote content/app/content_main_runner.cc:420 (chrome+0x2bf9afd)
    #85 RunNamedProcessTypeMain content/app/content_main_runner.cc:499 (chrome+0x2bfa657)
    #86 Run content/app/content_main_runner.cc:836 (chrome+0x2bfb1e4)
    #87 ContentMain content/app/content_main.cc:20 (chrome+0x2bf930e)
    #88 ChromeMain chrome/app/chrome_main.cc:121 (chrome+0xc3ebfb)
    #89 main chrome/app/chrome_exe_main_aura.cc:17 (chrome+0xc3eb4e)

SUMMARY: ThreadSanitizer: data race v8/src/heap/mark-compact.cc:1680 in MigrateObject<v8::internal::MarkCompactCollector::EvacuateVisitorBase::MigrationMode::kFast>
==================
 
My log contains many similar-looking tsan reports, so I'm attaching the entire thing.

Attachment: tsan-log3 (178 KB)
Cc: mlippautz@chromium.org u...@chromium.org
Owner: hpayer@chromium.org
Assigning to the current memory sheriff.
Cc: -mlippautz@chromium.org hpayer@chromium.org
Owner: mlippautz@chromium.org
Status: Started (was: Assigned)
We use a regular write where we should use a no barrier load at some point during evacuation. Will fix that.

Details: We write the forwarding pointer non-atomically when evacuating a layout descriptor in MigrateObject. This should be a non-barrier write.
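The race described in this comment, reduced to a toy model as an added example (this is not V8 code and is not taken from the fix). A "map word" is modelled as the first word of an object that holds either a map pointer or, once the object has been evacuated, a tagged forwarding pointer; the tag bit, the field names and the `evacuate_with_reader` helper are all assumptions of the model. The evacuator thread publishes the forwarding pointer while a second thread reads the same word with a relaxed atomic load, as V8's `NoBarrier_Load` does. With a plain store on the writer side the pair is a data race under the C11 memory model and ThreadSanitizer reports it; with a relaxed atomic store (V8's no-barrier store) both accesses are atomic and the report goes away. The racy variant usually still "works" on x86 because an aligned 8-byte store is not torn, which is exactly why this class of bug is found by TSAN rather than by tests.

```c
/* Added example, not V8 code: a plain store racing with a relaxed atomic load,
   next to the relaxed-atomic-store version that TSAN accepts. Build with
   -fsanitize=thread to see the report for evacuate_with_reader(false). */
#include <pthread.h>
#include <stdatomic.h>
#include <stdbool.h>
#include <stdint.h>
#include <stdio.h>

enum { kForwardingTag = 1 }; /* assumed tagging scheme for the model only */

typedef struct {
    _Atomic uintptr_t map_word; /* map pointer, or tagged forwarding pointer */
    uintptr_t payload;          /* stands in for the object body */
} toy_object_t;

static uintptr_t make_forwarding(uintptr_t target) { return target | kForwardingTag; }
static bool is_forwarding(uintptr_t w) { return (w & kForwardingTag) != 0; }
static uintptr_t forwarding_target(uintptr_t w) { return w & ~(uintptr_t)kForwardingTag; }

/* Buggy pattern: the forwarding word is written with a plain, non-atomic store.
   A concurrent atomic reader of the same word makes this a data race. */
static void publish_forwarding_racy(toy_object_t *obj, uintptr_t target) {
    *(uintptr_t *)&obj->map_word = make_forwarding(target);
}

/* Fixed pattern: a relaxed atomic store (what V8 calls a no-barrier store).
   No ordering is added, but the access is now atomic and race-free. */
static void publish_forwarding_atomic(toy_object_t *obj, uintptr_t target) {
    atomic_store_explicit(&obj->map_word, make_forwarding(target), memory_order_relaxed);
}

/* The concurrent layout reader: relaxed atomic load of the map word. */
static uintptr_t read_map_word(const toy_object_t *obj) {
    return atomic_load_explicit(&obj->map_word, memory_order_relaxed);
}

typedef struct { toy_object_t *obj; uintptr_t seen; } reader_arg_t;

/* Spins until the object has been forwarded, then records the target. */
static void *reader_thread(void *p) {
    reader_arg_t *arg = p;
    uintptr_t w;
    do { w = read_map_word(arg->obj); } while (!is_forwarding(w));
    arg->seen = forwarding_target(w);
    return NULL;
}

/* Evacuates one object while a reader thread polls its map word. Returns the
   payload found through the forwarding pointer the reader observed, or 0 on
   failure. use_atomic_store selects the fixed or the racy writer. */
uintptr_t evacuate_with_reader(bool use_atomic_store) {
    toy_object_t from = { .map_word = 0x1000, .payload = 42 }; /* fake map 0x1000 */
    toy_object_t to = { .map_word = 0x1000, .payload = 0 };
    reader_arg_t arg = { &from, 0 };
    pthread_t t;
    if (pthread_create(&t, NULL, reader_thread, &arg) != 0) return 0;
    to.payload = from.payload;            /* copy the body first ... */
    uintptr_t target = (uintptr_t)&to;    /* ... then publish the forwarding pointer */
    if (use_atomic_store) publish_forwarding_atomic(&from, target);
    else publish_forwarding_racy(&from, target); /* TSAN flags this variant */
    pthread_join(t, NULL);
    if (arg.seen != target) return 0;
    return ((toy_object_t *)arg.seen)->payload;
}

int main(void) {
    printf("atomic store: reader found payload %lu\n",
           (unsigned long)evacuate_with_reader(true));
    printf("plain store:  reader found payload %lu (race under TSAN)\n",
           (unsigned long)evacuate_with_reader(false));
    return 0;
}
```

The mitigation the fix applies is the second writer: every access to a word that another GC thread may read during evacuation goes through the atomic (no-barrier) accessors, so the reader and writer agree on the memory model even when no fence is wanted.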
Comment 4 by bugdroid1@chromium.org (Project Member), Mar 15 2017

The following revision refers to this bug:
  https://chromium.googlesource.com/v8/v8.git/+/387e2aca5e4da925f5d156315485ec27bb88c685

commit 387e2aca5e4da925f5d156315485ec27bb88c685
Author: Michael Lippautz <mlippautz@chromium.org>
Date: Wed Mar 15 13:05:16 2017

[heap] Use no barrier store forwarding objects during evacuation

This fixes a TSAN data race when writing the forwarding pointer in
MigrateObject and reading the object as a LayoutDescriptor when trying
to figure out the layout of another object in parallel.

BUG= chromium:701732 

Change-Id: I1e291fa1afb42771244e1346680164de71c3a838
Reviewed-on: https://chromium-review.googlesource.com/455817
Reviewed-by: Ulan Degenbaev <ulan@chromium.org>
Commit-Queue: Michael Lippautz <mlippautz@chromium.org>
Cr-Commit-Position: refs/heads/master@{#43826}
[modify] https://crrev.com/387e2aca5e4da925f5d156315485ec27bb88c685/src/heap/mark-compact.cc

Status: Fixed (was: Started)
Thanks for reporting. This should be fixed once the V8 commit rolls into Chromium.
