The following testcase crashes on mozilla-central revision 368ae05266bd (build with --enable-posix-nspr-emulation --enable-valgrind --enable-gczeal --disable-tests --disable-profiling --enable-debug --enable-optimize, run with --fuzzing-safe --cpu-count=2 --ion-eager): while(true) { evalInWorker(` setJitCompilerOption("baseline.warmup.trigger", 10); `); let m = parseModule(""); m.declarationInstantiation(); } Backtrace: received signal SIGSEGV, Segmentation fault. #0 mozilla::LinkedListElement<js::jit::IonBuilder>::setNextUnsafe (aElem=0x7ffff5381270, this=0x7ffff5f072b0) at dist/include/mozilla/LinkedList.h:336 #1 mozilla::LinkedList<js::jit::IonBuilder>::insertFront (aElem=0x7ffff5381270, this=<optimized out>) at dist/include/mozilla/LinkedList.h:465 #2 js::jit::JitRuntime::ionLazyLinkListAdd (this=0x7ffff5f07000, rt=0x7ffff5f19000, builder=0x7ffff5381270) at js/src/jit/Ion.cpp:375 #3 0x00000000007a47d4 in js::jit::MoveFinshedBuildersToLazyLinkList (lock=..., rt=0x7ffff5f19000) at js/src/jit/Ion.cpp:1929 #4 js::jit::AttachFinishedCompilations (cx=cx@entry=0x7ffff5f17000) at js/src/jit/Ion.cpp:1961 #5 0x0000000000c6f70c in HandleInterrupt (cx=0x7ffff5f17000, invokeCallback=false) at js/src/vm/Runtime.cpp:431 #6 0x00001d6be56d3a16 in ?? () #7 0x0000000000000000 in ?? () rax 0x7ffff5381388 140737307480968 rbx 0x7ffff5381270 140737307480688 rcx 0x7ffff5381201 140737307480577 rdx 0x7ffff55452d8 140737309332184 rsi 0x7ffff5f19001 140737319636993 rdi 0x7ffff5f072b0 140737319563952 rbp 0x7fffffffc350 140737488339792 rsp 0x7fffffffc330 140737488339760 r8 0x7ffff5f17118 140737319629080 r9 0x7ffff5f17030 140737319628848 r10 0x7fffffffc3d0 140737488339920 r11 0x7ffff5564400 140737309459456 r12 0x7ffff5f07000 140737319563264 r13 0x7ffff5f19000 140737319636992 r14 0x7ffff5f19000 140737319636992 r15 0x7fffffffc3c0 140737488339904 rip 0x739d3b <js::jit::JitRuntime::ionLazyLinkListAdd(JSRuntime*, js::jit::IonBuilder*)+187> => 0x739d3b <js::jit::JitRuntime::ionLazyLinkListAdd(JSRuntime*, js::jit::IonBuilder*)+187>: mov %rdi,0x120(%rbx) 0x739d42 <js::jit::JitRuntime::ionLazyLinkListAdd(JSRuntime*, js::jit::IonBuilder*)+194>: mov %rdx,0x118(%rbx) This is a critical fuzzblocker, disabling all evalInWorker testing until resolved.

JSBugMon: The testcase found in this bug no longer reproduces (tried revision 5dc06b87c88e).

Thanks, I will investigate …

This is only a lack of instrumentation in case of cancelled compilations, which causes the Off-threads compilations to be moved from the pending list to the finished list. Once in the finished list, they are then moved to a Link listed used for removing IonBuilder instances quickly when Lazy-linking. When moving from the pending list to the finished list, when cancelled, we should remove the memory protection on the LifoAlloc chunks.

When we register Ion compilations to be resumed on another thread, we add them to the list of pending compilations. The memory is protected in order to prevent bad things to happen to our memory. This patch undo the memory protection and re-protect after, in order to let the GC mutate the GC roots of the Ion compilation.

Comment on attachment 8987543 [details] [diff] [review] Unprotect memory before moving to the list of finished/cancelled compilations. Review of attachment 8987543 [details] [diff] [review]: ----------------------------------------------------------------- Makes sense

Pushed by npierron@mozilla.com: https://hg.mozilla.org/integration/mozilla-inbound/rev/0eded40b1124 Unprotect memory before moving to the list of finished/cancelled compilations. r=tcampbell https://hg.mozilla.org/integration/mozilla-inbound/rev/4a596e6a7ccb Reprotect memory of pending Ion compilations in case of moving GCs. r=jonco

Backed out for bustages on bug1470732.js There were also Jittest failures on the same file. Backout : https://hg.mozilla.org/integration/mozilla-inbound/rev/c72e4e49fd83c9ab946b29e64e8a5b65005a253b Push: https://treeherder.mozilla.org/#/jobs?repo=mozilla-inbound&revision=4a596e6a7ccbaabeec685b7b37720349452f9da6 Bustage log link: https://treeherder.mozilla.org/logviewer.html#?job_id=184944616&repo=mozilla-inbound&lineNumber=15892 Failure link: https://treeherder.mozilla.org/logviewer.html#?job_id=184948660&repo=mozilla-inbound&lineNumber=15379

Pushed by npierron@mozilla.com: https://hg.mozilla.org/integration/mozilla-inbound/rev/4c11981dd15d Unprotect memory before moving to the list of finished/cancelled compilations. r=tcampbell https://hg.mozilla.org/integration/mozilla-inbound/rev/fae4bcc8883f Reprotect memory of pending Ion compilations in case of moving GCs. r=jonco

This was a test failure caused by the fact that evalInWorker only works when we enable multiple threads.

Backout by shindli@mozilla.com: https://hg.mozilla.org/integration/mozilla-inbound/rev/d0354475453f Backed out 2 changesets for tsan bustages in race /builds/worker/workspace/build/src/js/src/jit/BaselineJIT.cpp on a CLOSED TREE

Backed out 2 changesets (bug 1470732) for tsan bustages in race /builds/worker/workspace/build/src/js/src/jit/BaselineJIT.cpp on a CLOSED TREE Failure: https://treeherder.mozilla.org/#/jobs?repo=mozilla-inbound&filter-resultStatus=testfailed&filter-resultStatus=busted&filter-resultStatus=exception&fromchange=43040128202efc47d4249e623e6d3ffd1a5d9588&selectedJob=184994122 Problematic push: https://treeherder.mozilla.org/#/jobs?repo=mozilla-inbound&revision=fae4bcc8883f22dc6410153cead403585c7d46e1&filter-resultStatus=testfailed&filter-resultStatus=busted&filter-resultStatus=exception Log: https://treeherder.mozilla.org/logviewer.html#?job_id=184994122&repo=mozilla-inbound&lineNumber=11116 Backout: https://treeherder.mozilla.org/#/jobs?repo=mozilla-inbound&revision=d0354475453fa31cbe93f7eb447e1f9a5ef5880f&filter-resultStatus=testfailed&filter-resultStatus=busted&filter-resultStatus=exception [task 2018-06-26T18:10:53.754Z] SUMMARY: ThreadSanitizer: data race /builds/worker/workspace/build/src/js/src/jsapi.cpp:7151:49 in JS_SetGlobalJitCompilerOption(JSContext*, JSJitCompilerOption, unsigned int)

(In reply to Stefan Hindli [:stefan_hindli] from comment #13) > [task 2018-06-26T18:10:53.754Z] SUMMARY: ThreadSanitizer: data race > /builds/worker/workspace/build/src/js/src/jsapi.cpp:7151:49 in > JS_SetGlobalJitCompilerOption(JSContext*, JSJitCompilerOption, unsigned int) I thought we had whitelisted this TSan failure ?! As the test case is causing so much trouble I will land it in a separate commit …

Pushed by npierron@mozilla.com: https://hg.mozilla.org/integration/mozilla-inbound/rev/30d18b71facc Unprotect memory before moving to the list of finished/cancelled compilations. r=tcampbell https://hg.mozilla.org/integration/mozilla-inbound/rev/918a0ac3a5d0 Reprotect memory of pending Ion compilations in case of moving GCs. r=jonco

Pushed by npierron@mozilla.com: https://hg.mozilla.org/integration/mozilla-inbound/rev/aa82f0ed1043 Add test case. r=tcampbell

https://hg.mozilla.org/mozilla-central/rev/30d18b71facc https://hg.mozilla.org/mozilla-central/rev/918a0ac3a5d0 https://hg.mozilla.org/mozilla-central/rev/aa82f0ed1043

Nicolas, is that safe to uplift to beta or should we let it ride the trains?

Yes, it should be safe to upload to beta. This should be no-op on beta, but not on dev-edition. (DIAGNOSTIC_ASSERT)

(In reply to Nicolas B. Pierron [:nbp] {backlog: 39} from comment #19) > Yes, it should be safe to upload to beta. > This should be no-op on beta, but not on dev-edition. (DIAGNOSTIC_ASSERT) Can you request the uplift? Thanks

Comment on attachment 8987547 [details] [diff] [review] Reprotect memory of pending Ion compilations in case of moving GCs. Approval Request Comment [Feature/Bug causing the regression]: Bug 1437600 [User impact if declined]: false positif crashes on dev-edition. [Is this code covered by automated tests?]: It is covered by fuzzers. [Has the fix been verified in Nightly?]: yes. [Needs manual test from QE? If yes, steps to reproduce]: no [List of other uplifts needed for the feature/fix]: all 3 patches listed in comment 17. [Is the change risky?]: no (no-op on beta) [Why is the change risky/not risky?]: no-op on non diagnostic builds. [String changes made/needed]: N/A

Comment on attachment 8987547 [details] [diff] [review] Reprotect memory of pending Ion compilations in case of moving GCs. Fix for false positive results on dev edition, sounds good to uplift.

https://hg.mozilla.org/releases/mozilla-beta/rev/5d3dcb2922cb https://hg.mozilla.org/releases/mozilla-beta/rev/75dd2f223571 https://hg.mozilla.org/releases/mozilla-beta/rev/94d94a0e3473