
Issue 831072 link


Issue metadata

Status: Fixed
Closed: Apr 2018
Pri: 1
Type: Bug

Blocking: issue 831318




TSAN race in v8::internal::Heap::UnprotectAndRegisterMemoryChunk(v8::internal::MemoryChunk*)

Reported by hpayer@chromium.org (Project Member), Apr 10 2018

Issue description

https://logs.chromium.org/v/?s=chromium%2Fbb%2Fclient.v8.clusterfuzz%2FV8_NumFuzz_-_TSAN%2F999%2F%2B%2Frecipes%2Fsteps%2FNum_Fuzz_-_combined%2F0%2Flogs%2Funicode-case-overopti..%2F0

Example:
Test: mjsunit/unicode-case-overoptimization
Flags: --test /b/s/w/ir/test/mjsunit/mjsunit.js /b/s/w/ir/test/mjsunit/unicode-case-overoptimization.js --random-seed=-997786335 --stress-scavenge=100 --stress-compaction-random --random-gc-interval=53282 --deopt-every-n-times=11283 --fuzzer-random-seed=712276409 --nohard-abort
Command: out/Release/d8 --test test/mjsunit/mjsunit.js test/mjsunit/unicode-case-overoptimization.js --random-seed=-997786335 --stress-scavenge=100 --stress-compaction-random --random-gc-interval=53282 --deopt-every-n-times=11283 --fuzzer-random-seed=712276409 --nohard-abort
Build environment:
 gn_args: is_component_build = false is_debug = false is_tsan = true target_cpu = "x64" use_goma = true v8_enable_test_features = true
Run #1
Exit code: 66
Result: FAIL
Expected outcomes: PASS, TIMEOUT
Duration: 00:31:008
Stderr:
==================
WARNING: ThreadSanitizer: data race (pid=4747)
  Read of size 8 at 0x7b0c00000b60 by thread T6:
    #0 __emplace_unique_key_args<v8::internal::MemoryChunk *, v8::internal::MemoryChunk *const &> buildtools/third_party/libc++/trunk/include/__hash_table:2007:16 (d8+0x93d262)
    #1 __insert_unique buildtools/third_party/libc++/trunk/include/__hash_table:1157 (d8+0x93d262)
    #2 insert buildtools/third_party/libc++/trunk/include/unordered_set:515 (d8+0x93d262)
    #3 v8::internal::Heap::UnprotectAndRegisterMemoryChunk(v8::internal::MemoryChunk*) src/heap/heap.cc:2239 (d8+0x93d262)
    #4 v8::internal::PagedSpace::FreeLinearAllocationArea() src/heap/spaces.cc:1796:12 (d8+0x9cc5b3)
    #5 v8::internal::PagedSpace::RefillLinearAllocationAreaFromFreeList(unsigned long) src/heap/spaces.cc:1861:3 (d8+0x9cdfc7)
    #6 v8::internal::PagedSpace::RawSlowRefillLinearAllocationArea(int) src/heap/spaces.cc:3123:7 (d8+0x9d39fd)
    #7 v8::internal::CompactionSpace::SlowRefillLinearAllocationArea(int) src/heap/spaces.cc:3115:10 (d8+0x9d3c40)
    #8 EnsureLinearAllocationArea src/heap/spaces-inl.h:287:10 (d8+0x9205e3)
    #9 AllocateRawUnaligned src/heap/spaces-inl.h:318 (d8+0x9205e3)
    #10 v8::internal::PagedSpace::AllocateRaw(int, v8::internal::AllocationAlignment) src/heap/spaces-inl.h:374 (d8+0x9205e3)
    #11 v8::internal::LocalAllocator::Allocate(v8::internal::AllocationSpace, int, v8::internal::AllocationAlignment) src/heap/local-allocator.h (d8+0x9947ad)
    #12 TryEvacuateObject src/heap/mark-compact.cc:1262:27 (d8+0x97943d)
    #13 Visit src/heap/mark-compact.cc:1453 (d8+0x97943d)
    #14 bool v8::internal::LiveObjectVisitor::VisitBlackObjects<v8::internal::EvacuateOldSpaceVisitor, v8::internal::MajorNonAtomicMarkingState>(v8::internal::MemoryChunk*, v8::internal::MajorNonAtomicMarkingState*, v8::internal::EvacuateOldSpaceVisitor*, v8::internal::LiveObjectVisitor::IterationMode, v8::internal::HeapObject**) src/heap/mark-compact.cc:2577 (d8+0x97943d)
    #15 v8::internal::FullEvacuator::RawEvacuatePage(v8::internal::Page*, long*) src/heap/mark-compact.cc:2402:28 (d8+0x976746)
    #16 v8::internal::Evacuator::EvacuatePage(v8::internal::Page*) src/heap/mark-compact.cc:2319:5 (d8+0x976227)
    #17 v8::internal::PageEvacuationTask::RunInParallel() src/heap/mark-compact.cc:2438:19 (d8+0x99c37c)
    #18 v8::internal::ItemParallelJob::Task::RunInternal() src/heap/item-parallel-job.cc:44:3 (d8+0x968db2)
    #19 Run src/cancelable-task.h:148:7 (d8+0x4bf5b3)
    #20 non-virtual thunk to v8::internal::CancelableTask::Run() src/cancelable-task.h (d8+0x4bf5b3)
    #21 v8::platform::WorkerThread::Run() src/libplatform/worker-thread.cc:26:11 (d8+0xfdad20)
    #22 NotifyStartedAndRun src/base/platform/platform.h:386:5 (d8+0xfc9122)
    #23 v8::base::ThreadEntry(void*) src/base/platform/platform-posix.cc:726 (d8+0xfc9122)
  Previous write of size 8 at 0x7b0c00000b60 by thread T2:
    #0 __emplace_unique_key_args<v8::internal::MemoryChunk *, v8::internal::MemoryChunk *const &> buildtools/third_party/libc++/trunk/include/memory (d8+0x93d533)
    #1 __insert_unique buildtools/third_party/libc++/trunk/include/__hash_table:1157 (d8+0x93d533)
    #2 insert buildtools/third_party/libc++/trunk/include/unordered_set:515 (d8+0x93d533)
    #3 v8::internal::Heap::UnprotectAndRegisterMemoryChunk(v8::internal::MemoryChunk*) src/heap/heap.cc:2239 (d8+0x93d533)
    #4 v8::internal::PagedSpace::FreeLinearAllocationArea() src/heap/spaces.cc:1796:12 (d8+0x9cc5b3)
    #5 v8::internal::PagedSpace::RefillLinearAllocationAreaFromFreeList(unsigned long) src/heap/spaces.cc:1861:3 (d8+0x9cdfc7)
    #6 v8::internal::PagedSpace::RawSlowRefillLinearAllocationArea(int) src/heap/spaces.cc:3123:7 (d8+0x9d39fd)
    #7 v8::internal::CompactionSpace::SlowRefillLinearAllocationArea(int) src/heap/spaces.cc:3115:10 (d8+0x9d3c40)
    #8 EnsureLinearAllocationArea src/heap/spaces-inl.h:287:10 (d8+0x9205e3)
    #9 AllocateRawUnaligned src/heap/spaces-inl.h:318 (d8+0x9205e3)
    #10 v8::internal::PagedSpace::AllocateRaw(int, v8::internal::AllocationAlignment) src/heap/spaces-inl.h:374 (d8+0x9205e3)
    #11 v8::internal::LocalAllocator::Allocate(v8::internal::AllocationSpace, int, v8::internal::AllocationAlignment) src/heap/local-allocator.h (d8+0x9947ad)
    #12 TryEvacuateObject src/heap/mark-compact.cc:1262:27 (d8+0x97943d)
    #13 Visit src/heap/mark-compact.cc:1453 (d8+0x97943d)
    #14 bool v8::internal::LiveObjectVisitor::VisitBlackObjects<v8::internal::EvacuateOldSpaceVisitor, v8::internal::MajorNonAtomicMarkingState>(v8::internal::MemoryChunk*, v8::internal::MajorNonAtomicMarkingState*, v8::internal::EvacuateOldSpaceVisitor*, v8::internal::LiveObjectVisitor::IterationMode, v8::internal::HeapObject**) src/heap/mark-compact.cc:2577 (d8+0x97943d)
    #15 v8::internal::FullEvacuator::RawEvacuatePage(v8::internal::Page*, long*) src/heap/mark-compact.cc:2402:28 (d8+0x976746)
    #16 v8::internal::Evacuator::EvacuatePage(v8::internal::Page*) src/heap/mark-compact.cc:2319:5 (d8+0x976227)
    #17 v8::internal::PageEvacuationTask::RunInParallel() src/heap/mark-compact.cc:2438:19 (d8+0x99c37c)
    #18 v8::internal::ItemParallelJob::Task::RunInternal() src/heap/item-parallel-job.cc:44:3 (d8+0x968db2)
    #19 Run src/cancelable-task.h:148:7 (d8+0x4bf5b3)
    #20 non-virtual thunk to v8::internal::CancelableTask::Run() src/cancelable-task.h (d8+0x4bf5b3)
    #21 v8::platform::WorkerThread::Run() src/libplatform/worker-thread.cc:26:11 (d8+0xfdad20)
    #22 NotifyStartedAndRun src/base/platform/platform.h:386:5 (d8+0xfc9122)
    #23 v8::base::ThreadEntry(void*) src/base/platform/platform-posix.cc:726 (d8+0xfc9122)
  Location is heap block of size 40 at 0x7b0c00000b40 allocated by main thread:
    #0 operator new(unsigned long) /b/build/slave/linux_upload_clang/build/src/third_party/llvm/compiler-rt/lib/tsan/rtl/tsan_new_delete.cc:57:3 (d8+0x374549)
    #1 __allocate buildtools/third_party/libc++/trunk/include/new:228:10 (d8+0x95239a)
    #2 allocate buildtools/third_party/libc++/trunk/include/memory:1793 (d8+0x95239a)
    #3 allocate buildtools/third_party/libc++/trunk/include/memory:1547 (d8+0x95239a)
    #4 std::__1::__hash_table<v8::internal::MemoryChunk*, std::__1::hash<v8::internal::MemoryChunk*>, std::__1::equal_to<v8::internal::MemoryChunk*>, std::__1::allocator<v8::internal::MemoryChunk*> >::__rehash(unsigned long) buildtools/third_party/libc++/trunk/include/__hash_table:2168 (d8+0x95239a)
    #5 std::__1::__hash_table<v8::internal::MemoryChunk*, std::__1::hash<v8::internal::MemoryChunk*>, std::__1::equal_to<v8::internal::MemoryChunk*>, std::__1::allocator<v8::internal::MemoryChunk*> >::rehash(unsigned long) buildtools/third_party/libc++/trunk/include/__hash_table (d8+0x95225b)
    #6 __emplace_unique_key_args<v8::internal::MemoryChunk *, v8::internal::MemoryChunk *const &> buildtools/third_party/libc++/trunk/include/__hash_table:2027:13 (d8+0x93d414)
    #7 __insert_unique buildtools/third_party/libc++/trunk/include/__hash_table:1157 (d8+0x93d414)
    #8 insert buildtools/third_party/libc++/trunk/include/unordered_set:515 (d8+0x93d414)
    #9 v8::internal::Heap::UnprotectAndRegisterMemoryChunk(v8::internal::MemoryChunk*) src/heap/heap.cc:2239 (d8+0x93d414)
    #10 v8::internal::Heap::UnprotectAndRegisterMemoryChunk(v8::internal::HeapObject*) src/heap/heap.cc:2245:3 (d8+0x93d59b)
    #11 v8::internal::Factory::NewCode(v8::internal::CodeDesc const&, v8::internal::Code::Kind, v8::internal::Handle<v8::internal::Object>, int, v8::internal::MaybeHandle<v8::internal::ByteArray>, v8::internal::MaybeHandle<v8::internal::DeoptimizationData>, v8::internal::Movability, unsigned int, bool, int, int, int) src/heap/factory.cc:2338:15 (d8+0x911c5a)
    #12 v8::internal::Deoptimizer::EnsureCodeForDeoptimizationEntry(v8::internal::Isolate*, v8::internal::Deoptimizer::BailoutType) src/deoptimizer.cc:1958:43 (d8+0x8151f1)
    #13 v8::internal::Deoptimizer::EnsureCodeForMaxDeoptimizationEntries(v8::internal::Isolate*) src/deoptimizer.cc:1970:3 (d8+0x8152d5)
    #14 v8::internal::compiler::PipelineCompilationJob::PrepareJobImpl(v8::internal::Isolate*) src/compiler/pipeline.cc:833:3 (d8+0x6d4ab8)
    #15 v8::internal::OptimizedCompilationJob::PrepareJob(v8::internal::Isolate*) src/compiler.cc:210:22 (d8+0x4e3131)
    #16 GetOptimizedCodeNow src/compiler.cc:572:12 (d8+0x4e53ea)
    #17 v8::internal::(anonymous namespace)::GetOptimizedCode(v8::internal::Handle<v8::internal::JSFunction>, v8::internal::ConcurrencyMode, v8::internal::BailoutId, v8::internal::JavaScriptFrame*) src/compiler.cc:731 (d8+0x4e53ea)
    #18 v8::internal::Compiler::GetOptimizedCodeForOSR(v8::internal::Handle<v8::internal::JSFunction>, v8::internal::BailoutId, v8::internal::JavaScriptFrame*) src/compiler.cc:1892:10 (d8+0x4ea29b)
    #19 __RT_impl_Runtime_CompileForOnStackReplacement src/runtime/runtime-compiler.cc:255:20 (d8+0xca499f)
    #20 v8::internal::Runtime_CompileForOnStackReplacement(int, v8::internal::Object**, v8::internal::Isolate*) src/runtime/runtime-compiler.cc:229 (d8+0xca499f)
    #21 <null> <null> (0x7eb191c041bd)
    #22 CallInternal src/execution.cc:191:10 (d8+0x8acb13)
    #23 v8::internal::Execution::Call(v8::internal::Isolate*, v8::internal::Handle<v8::internal::Object>, v8::internal::Handle<v8::internal::Object>, int, v8::internal::Handle<v8::internal::Object>*) src/execution.cc:202 (d8+0x8acb13)
    #24 v8::Script::Run(v8::Local<v8::Context>) src/api.cc:2154:7 (d8+0x3adf35)
    #25 v8::Shell::ExecuteString(v8::Isolate*, v8::Local<v8::String>, v8::Local<v8::Value>, v8::Shell::PrintResult, v8::Shell::ReportExceptions, v8::Shell::ProcessMessageQueue) src/d8.cc:643:28 (d8+0x377a0a)
    #26 v8::SourceGroup::Execute(v8::Isolate*) src/d8.cc:2469:10 (d8+0x3827e6)
    #27 v8::Shell::RunMain(v8::Isolate*, int, char**, bool) src/d8.cc:2939:34 (d8+0x3852bd)
    #28 v8::Shell::Main(int, char**) src/d8.cc:3430:16 (d8+0x387204)
    #29 main src/d8.cc:3465:10 (d8+0x38731e)
  Thread T6 'V8 WorkerThread' (tid=4760, running) created by main thread at:
    #0 pthread_create /b/build/slave/linux_upload_clang/build/src/third_party/llvm/compiler-rt/lib/tsan/rtl/tsan_interceptors.cc:965:3 (d8+0x30a8f5)
    #1 v8::base::Thread::Start() src/base/platform/platform-posix.cc:759:14 (d8+0xfc9079)
    #2 v8::platform::WorkerThread::WorkerThread(v8::platform::TaskQueue*) src/libplatform/worker-thread.cc:15:3 (d8+0xfdac00)
    #3 make_unique<v8::platform::WorkerThread, v8::platform::TaskQueue *> src/base/template-utils.h:56:33 (d8+0xfd3e78)
    #4 v8::platform::DefaultWorkerThreadsTaskRunner::DefaultWorkerThreadsTaskRunner(unsigned int) src/libplatform/default-worker-threads-task-runner.cc:16 (d8+0xfd3e78)
    #5 __compressed_pair_elem<int &, 0> buildtools/third_party/libc++/trunk/include/memory:2104:9 (d8+0xfc9dc8)
    #6 __compressed_pair<std::__1::allocator<v8::platform::DefaultWorkerThreadsTaskRunner> &, int &> buildtools/third_party/libc++/trunk/include/memory:2206 (d8+0xfc9dc8)
    #7 __shared_ptr_emplace<int &> buildtools/third_party/libc++/trunk/include/memory:3619 (d8+0xfc9dc8)
    #8 make_shared<int &> buildtools/third_party/libc++/trunk/include/memory:4278 (d8+0xfc9dc8)
    #9 make_shared<v8::platform::DefaultWorkerThreadsTaskRunner, int &> buildtools/third_party/libc++/trunk/include/memory:4657 (d8+0xfc9dc8)
    #10 v8::platform::DefaultPlatform::EnsureBackgroundTaskRunnerInitialized() src/libplatform/default-platform.cc:119 (d8+0xfc9dc8)
    #11 v8::platform::NewDefaultPlatform(int, v8::platform::IdleTaskSupport, v8::platform::InProcessStackDumping, std::__1::unique_ptr<v8::TracingController, std::__1::default_delete<v8::TracingController> >) src/libplatform/default-platform.cc:44:13 (d8+0xfc9cf4)
    #12 v8::Shell::Main(int, char**) src/d8.cc:3297:16 (d8+0x3862f1)
    #13 main src/d8.cc:3465:10 (d8+0x38731e)
  Thread T2 'V8 WorkerThread' (tid=4756, running) created by main thread at:
    #0 pthread_create /b/build/slave/linux_upload_clang/build/src/third_party/llvm/compiler-rt/lib/tsan/rtl/tsan_interceptors.cc:965:3 (d8+0x30a8f5)
    #1 v8::base::Thread::Start() src/base/platform/platform-posix.cc:759:14 (d8+0xfc9079)
    #2 v8::platform::WorkerThread::WorkerThread(v8::platform::TaskQueue*) src/libplatform/worker-thread.cc:15:3 (d8+0xfdac00)
    #3 make_unique<v8::platform::WorkerThread, v8::platform::TaskQueue *> src/base/template-utils.h:56:33 (d8+0xfd3e78)
    #4 v8::platform::DefaultWorkerThreadsTaskRunner::DefaultWorkerThreadsTaskRunner(unsigned int) src/libplatform/default-worker-threads-task-runner.cc:16 (d8+0xfd3e78)
    #5 __compressed_pair_elem<int &, 0> buildtools/third_party/libc++/trunk/include/memory:2104:9 (d8+0xfc9dc8)
    #6 __compressed_pair<std::__1::allocator<v8::platform::DefaultWorkerThreadsTaskRunner> &, int &> buildtools/third_party/libc++/trunk/include/memory:2206 (d8+0xfc9dc8)
    #7 __shared_ptr_emplace<int &> buildtools/third_party/libc++/trunk/include/memory:3619 (d8+0xfc9dc8)
    #8 make_shared<int &> buildtools/third_party/libc++/trunk/include/memory:4278 (d8+0xfc9dc8)
    #9 make_shared<v8::platform::DefaultWorkerThreadsTaskRunner, int &> buildtools/third_party/libc++/trunk/include/memory:4657 (d8+0xfc9dc8)
    #10 v8::platform::DefaultPlatform::EnsureBackgroundTaskRunnerInitialized() src/libplatform/default-platform.cc:119 (d8+0xfc9dc8)
    #11 v8::platform::NewDefaultPlatform(int, v8::platform::IdleTaskSupport, v8::platform::InProcessStackDumping, std::__1::unique_ptr<v8::TracingController, std::__1::default_delete<v8::TracingController> >) src/libplatform/default-platform.cc:44:13 (d8+0xfc9cf4)
    #12 v8::Shell::Main(int, char**) src/d8.cc:3297:16 (d8+0x3862f1)
    #13 main src/d8.cc:3465:10 (d8+0x38731e)
SUMMARY: ThreadSanitizer: data race buildtools/third_party/libc++/trunk/include/__hash_table:2007:16 in __emplace_unique_key_args<v8::internal::MemoryChunk *, v8::internal::MemoryChunk *const &>
==================

Comment 1 by bugdroid1@chromium.org, Apr 10 2018

The following revision refers to this bug:
  https://chromium.googlesource.com/v8/v8.git/+/042d5f68e061d23be47702c7cf7b890d5cc74541

commit 042d5f68e061d23be47702c7cf7b890d5cc74541
Author: Hannes Payer <hpayer@chromium.org>
Date: Tue Apr 10 08:19:07 2018

[heap] Synchronize registration of unprotected MemoryChunks.

Bug:  chromium:831072 
Change-Id: I17c7174d2910d329a4567a4e0b9b84f3e94802f9
Reviewed-on: https://chromium-review.googlesource.com/1004576
Reviewed-by: Michael Lippautz <mlippautz@chromium.org>
Commit-Queue: Hannes Payer <hpayer@chromium.org>
Cr-Commit-Position: refs/heads/master@{#52504}
[modify] https://crrev.com/042d5f68e061d23be47702c7cf7b890d5cc74541/src/heap/heap.cc
[modify] https://crrev.com/042d5f68e061d23be47702c7cf7b890d5cc74541/src/heap/heap.h
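The report above shows two "V8 WorkerThread" evacuators (T2 and T6) both calling std::unordered_set::insert on the same Heap member from Heap::UnprotectAndRegisterMemoryChunk with no synchronization, and the commit in comment 1 fixes it by synchronizing that registration. The following is an added example, not V8 code and not the contents of that commit: it models a shared chunk registry with and without a mutex so the failure and the fix can be reproduced outside V8. MemoryChunk, UnsyncedChunkRegistry, SyncedChunkRegistry and RegisterFromWorkers are illustrative names, and the thread and chunk counts are constructed.

```cpp
// Added example (not V8 code): models the race in this bug. Several worker
// threads register MemoryChunk pointers in one shared std::unordered_set.
// Concurrent insert() without a lock is a data race (undefined behaviour;
// TSAN reports it as a read/write pair inside __hash_table, as above).
// Guarding every access with a mutex makes the registry safe.
#include <cstddef>
#include <cstdint>
#include <mutex>
#include <thread>
#include <unordered_set>
#include <vector>

// Stand-in for v8::internal::MemoryChunk: only its address matters here.
struct MemoryChunk {
  std::uintptr_t id;
};

// Racy registry, the shape the report shows: many writers, no lock.
// Kept only for contrast; never use it from more than one thread.
class UnsyncedChunkRegistry {
 public:
  void Register(MemoryChunk* chunk) { chunks_.insert(chunk); }  // data race
  std::size_t Size() const { return chunks_.size(); }

 private:
  std::unordered_set<MemoryChunk*> chunks_;
};

// Synchronized registry: every access to the set, reads included, takes
// the same mutex, so no two threads ever touch the hash table at once.
class SyncedChunkRegistry {
 public:
  void Register(MemoryChunk* chunk) {
    std::lock_guard<std::mutex> guard(mutex_);
    chunks_.insert(chunk);
  }
  bool Contains(MemoryChunk* chunk) const {
    std::lock_guard<std::mutex> guard(mutex_);
    return chunks_.count(chunk) != 0;
  }
  std::size_t Size() const {
    std::lock_guard<std::mutex> guard(mutex_);
    return chunks_.size();
  }

 private:
  mutable std::mutex mutex_;
  std::unordered_set<MemoryChunk*> chunks_;
};

// Simulates `threads` evacuators, each registering `per_thread` distinct
// chunks and then re-registering its first one (a duplicate insert is a
// no-op for a set). Returns the final number of registered chunks.
template <class Registry>
std::size_t RegisterFromWorkers(std::size_t threads, std::size_t per_thread) {
  std::vector<MemoryChunk> chunks(threads * per_thread);
  for (std::size_t i = 0; i < chunks.size(); ++i) chunks[i].id = i;

  Registry registry;
  std::vector<std::thread> workers;
  for (std::size_t t = 0; t < threads; ++t) {
    workers.emplace_back([&registry, &chunks, t, per_thread] {
      for (std::size_t i = 0; i < per_thread; ++i) {
        registry.Register(&chunks[t * per_thread + i]);
      }
      registry.Register(&chunks[t * per_thread]);  // duplicate, no-op
    });
  }
  for (auto& w : workers) w.join();
  return registry.Size();
}

int main() {
  // Constructed scenario: 4 worker threads, 1000 chunks each.
  std::size_t n = RegisterFromWorkers<SyncedChunkRegistry>(4, 1000);
  return n == 4000 ? 0 : 1;
}
```

Building this with -fsanitize=thread and calling RegisterFromWorkers<UnsyncedChunkRegistry> instead gives a ThreadSanitizer report of the same shape as the one in the description (a read and a previous write inside __hash_table from two different worker threads), while the synchronized registry is silent. One caveat for anyone checking a fix like the one in comment 1: TSAN only reports the access pairs that actually raced during that run, so the review has to confirm that every other access to the set (lookups, and clearing it after the GC cycle) takes the same lock, not just the insert the fuzzer happened to hit.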

Comment 2 by hpayer@chromium.org, Apr 10 2018

Status: Fixed (was: Started)

Comment 3 by kbr@chromium.org, Apr 10 2018

Blocking: 831318
