Closed
Bug 547703
Opened 15 years ago
Closed 7 years ago
IPDL: Two self-loop messages can't race
Categories
(Core :: IPC, defect)
Tracking
()
RESOLVED
INCOMPLETE
People
(Reporter: benjamin, Assigned: cjones)
Details
Attachments
(3 files, 1 obsolete file)
(deleted),
patch
|
Details | Diff | Splinter Review | |
(deleted),
patch
|
benjamin
:
review+
|
Details | Diff | Splinter Review |
(deleted),
text/plain
|
Details |
I tried to create an async stateful protocol for streams, and got a very strange IPDL error message.
Parsing specification ../../../src/dom/plugins/PBrowserStream.ipdl
/builds/mozilla-central/src/dom/plugins/PBrowserStream.ipdl:78: error: in protocol `PBrowserStream', the sequence of events
parent: +--`send Write'-->( state `ALIVE' )
/
( state `ALIVE' )
\
child: +--`send NPN_RequestRead'-->( state `ALIVE' )
lead to parent/child states in which parent/child state can become more than one step out of sync (though this divergence might not lead to error conditions)
Specification is not well typed.
I don't see how this is out of sync at all?
Assignee | ||
Comment 1•15 years ago
|
||
As we briefly discussed today, this error message is just the IPDL type checker saying "I refuse to check transitions for more than one 'step' (pair of potentially racy messages)". To get an alpha out the door, I think we should implement this protocol in C++ but comment it out in the IPDL.
There's a bigger question of whether the one-'step' rule needs to be tweaked, but we can deal with that later.
Assignee | ||
Comment 2•15 years ago
|
||
Oops, there *is* an IPDL type checker bug here: if two "racing" messages are both self-loops (from state S to state S), then by definition they can't race. Turns out that with this type checker bug fixed, the protocol is indeed non-racy by current standards. Apologies for overlooking this earlier.
The rule I thought this protocol violated was two messages that both transition (S --M1--> T), (S --M2--> T), where T has racy messages, are "unchecked" by IPDL; it would need to look more than one "step" ahead to check. In that case it errors out with a message similar to the above.
Summary: Non-race can race? → IPDL: Two self-loop messages can't race
Assignee | ||
Comment 3•15 years ago
|
||
The above protocol passes the type checker with this patch applied.
Assignee: nobody → jones.chris.g
Attachment #428380 -
Flags: review?
Assignee | ||
Updated•15 years ago
|
Attachment #428380 -
Flags: review? → review?(benjamin)
Assignee | ||
Comment 4•15 years ago
|
||
Comment on attachment 428380 [details] [diff] [review]
Self-loop messages don't race
Struck me just before bed that this isn't quite right. Will fix tomorrow.
Attachment #428380 -
Attachment is obsolete: true
Attachment #428380 -
Flags: review?(benjamin)
Assignee | ||
Comment 5•15 years ago
|
||
With a fixed-up patch, there's still a race reported:
/home/cjones/mozilla/electrolysis/dom/plugins/PBrowserStream.ipdl:78: error: in protocol `PBrowserStream', the sequence of events
parent: +--`send Write'-->( state `ALIVE' )--`recv NPN_DestroyStream'-->( state [error] )
/
( state `ALIVE' )
\
child: +--`send NPN_DestroyStream'-->( state `DYING' )--`recv Write'-->( state [error] )
results in error(s) or leaves parent/child state out of sync for more than one step and is thus a race hazard; i.e., triggers `Write' and `NPN_DestroyStream' fail to commute in state `ALIVE'
Specification is not well typed.
|discard| is probably the easiest way to resolve this, and we can fake it in the mean time.
Assignee | ||
Comment 6•15 years ago
|
||
I didn't find a way to write a test for this fix that didn't hit bug 548069. That said, I still think the implemented-in-C++-but-commented-out-in-IPDL protocol should go into the alpha.
Attachment #428501 -
Flags: review?(benjamin)
Reporter | ||
Updated•15 years ago
|
Attachment #428501 -
Flags: review?(benjamin) → review+
Here's another protocol that I think should work but doesn't with this patch applied.
Assignee | ||
Comment 8•12 years ago
|
||
I turned this into an IPDL test. It's actually not a protocol error per se, in the sense of violating a safety property. Rather, the type checker refuses to explore more than one transition step to see if there is a safety error.
The real fix for this is bug 548705.
Updated•7 years ago
|
Status: NEW → RESOLVED
Closed: 7 years ago
Resolution: --- → INCOMPLETE
You need to log in
before you can comment on or make changes to this bug.
Description
•