PR# 14460 Possible race condition calling sc_stop (malloc.c)
Problem Report Summary
Submitter: prestoat2000
Category: Runtime
Priority: Medium
Date: 2008/06/10
Class: Bug
Severity: Serious
Number: 14460
Release: 6.2.73753
Confidential: No
Status: Open
Responsible:
Environment: Mozilla/5.0 (X11; U; SunOS i86pc; en-US; rv:1.8.1.14) Gecko/20080421 Firefox/2.0.0.14
OpenSolaris 2008.05 snv_90
Synopsis: Possible race condition calling sc_stop (malloc.c)
Description
Based on code inspection only, it looks like there might be a race condition involving sc_stop in malloc.c. If two different threads both call `emalloc_size', it appears that they might both wind up calling `sc_stop' at about the same time. The first thread could synchronize GC, set gen_scavenge to GS_OFF, free the "to" arena, explode the scavenge zone and zero the "to" and "from" zones. When it releases eif_gc_mutex, the second thread, which was blocked on GC synchronization, would wake up and proceed to do what the first thread did, without checking whether generation scavenging was still off. Since `sc_to.sc_arena' was previously zeroed, 0 will be passed to `eif_rt_xfree'. Looking at that routine, it doesn't look like the consequences will be good. This might be related to bug 14452. If this analysis is incorrect, you can just close this report, though a brief indication of why I'm wrong would be appreciated.
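The interleaving described above is a classic check-then-act race: the decision to stop scavenging is taken before the mutex is held and is never repeated once the lock is acquired. The following C model replays that interleaving deterministically and contrasts it with the shape that re-checks the state under the lock. It is an added illustration, not code from the report or from the EiffelStudio runtime: the names gen_scavenge, GS_OFF, sc_to, sc_from and eif_gc_mutex are modelled on the report, rt_xfree stands in for eif_rt_xfree, and the zone sizes, counters and replay functions are constructed here.

```c
#include <pthread.h>
#include <stdio.h>
#include <stdlib.h>
#include <string.h>

/* Constructed model of the race in the report. Names are modelled on the
 * report's description, but none of this is the real runtime's code. */
#define GS_ON  1
#define GS_OFF 0

struct sc_zone { char *sc_arena; size_t sc_size; };

static struct sc_zone sc_from, sc_to;
static int gen_scavenge = GS_ON;
static pthread_mutex_t eif_gc_mutex = PTHREAD_MUTEX_INITIALIZER;

static int null_frees;   /* how many times a NULL arena reached the free routine */
static int real_frees;   /* how many times the live "to" arena was freed */

/* Stand-in for eif_rt_xfree. The real routine does not expect NULL, so a
 * NULL here corresponds to the bad call at the top of the report's trace. */
static void rt_xfree(void *p) {
    if (p == NULL) { null_frees++; return; }
    real_frees++;
    free(p);
}

/* Fresh arenas and a clean state for each replay (sizes are constructed). */
static void reset_zones(void) {
    sc_to.sc_size = sc_from.sc_size = 4096;
    sc_to.sc_arena = malloc(sc_to.sc_size);
    sc_from.sc_arena = malloc(sc_from.sc_size);
    gen_scavenge = GS_ON;
    null_frees = real_frees = 0;
}

/* Shared tail of sc_stop: scavenging off, "to" arena released, both zones
 * zeroed. free() on sc_from stands in for exploding the "from" zone. */
static void stop_scavenging_locked(void) {
    gen_scavenge = GS_OFF;
    rt_xfree(sc_to.sc_arena);
    free(sc_from.sc_arena);
    memset(&sc_to, 0, sizeof sc_to);
    memset(&sc_from, 0, sizeof sc_from);
}

/* Unsafe shape: the gen_scavenge test happens before eif_gc_mutex is taken
 * and is not repeated afterwards. It is split at the lock boundary so the
 * two-thread interleaving can be replayed in a single thread. */
static int unsafe_precheck(void) { return gen_scavenge == GS_ON; }
static void unsafe_body(void) {
    pthread_mutex_lock(&eif_gc_mutex);
    stop_scavenging_locked();
    pthread_mutex_unlock(&eif_gc_mutex);
}

/* Safe shape: decide under the lock, so a thread that waited for the mutex
 * sees the state the first thread left behind and does nothing. */
static void sc_stop_safe(void) {
    pthread_mutex_lock(&eif_gc_mutex);
    if (gen_scavenge == GS_ON)
        stop_scavenging_locked();
    pthread_mutex_unlock(&eif_gc_mutex);
}

/* Replay of the report: T1 and T2 both pass the pre-lock test while
 * scavenging is still on; T1 runs the body; T2, which had been blocked on
 * the mutex, runs it again against zeroed zones. Returns the NULL-free count. */
int replay_unsafe(void) {
    reset_zones();
    int t1_go = unsafe_precheck();
    int t2_go = unsafe_precheck();   /* still GS_ON: T1 has not locked yet */
    if (t1_go) unsafe_body();
    if (t2_go) unsafe_body();        /* sc_to.sc_arena is NULL by now */
    return null_frees;
}

/* Same two callers with the re-check under the lock. */
int replay_safe(void) {
    reset_zones();
    sc_stop_safe();
    sc_stop_safe();                  /* second caller sees GS_OFF and skips */
    return null_frees;
}

/* The live arena must be released exactly once in either replay. */
int arena_freed_once(void) { return real_frees == 1; }

int main(void) {
    printf("unsafe: NULL frees = %d, arena freed once = %d\n", replay_unsafe(), arena_freed_once());
    printf("safe:   NULL frees = %d, arena freed once = %d\n", replay_safe(), arena_freed_once());
    return 0;
}
```

The replay shows why the second thread's wake-up is the dangerous moment: whatever it observed before blocking on eif_gc_mutex is stale once it gets the lock, so the state test has to live inside the critical section (or the caller has to re-test after acquiring it). A real stress test with several threads would hit the same path non-deterministically, which is what the "10 10000" reproduction later in the report does.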
To Reproduce
Problem Report Interactions
My analysis seems to be correct. Here is a reproducible test case that can be turned into an eweasel test. Freeze with attached classes and config file. Execute system with arguments "10 10000" (10 worker threads, 10000 iterations each). System crashes with run-time panic. Stack trace is:

(dbx) bt
current thread: t@3
=>[1] eif_rt_xfree(0x0, 0x80000000, 0x14b87c8, 0x2768af8, 0xfffffff8, 0x0), at 0x145cd68
  [2] sc_stop(0x2768af8, 0x66c00, 0x1, 0x14b87c8, 0xfffffff8, 0x0), at 0x145e798
  [3] eif_mem_tiny(0xa, 0x2, 0x151f604, 0x14b87c8, 0x66e3c, 0x66c00), at 0x14832f0
  [4] F129_3598(0x1676628, 0x1bbdc8, 0x246, 0x1f35b78, 0x14b87c8, 0x14e836c), at 0x11b87f8
  [5] F583_6149(0x1676628, 0x1bbdc8, 0x246, 0x1f35b78, 0x14b87c8, 0x14e836c), at 0x7179c
  [6] F582_6146(0x1676628, 0x1e4c, 0x12d, 0x1bbc00, 0x2769298, 0x14b87c8), at 0x6f27c
  [7] A582_46(0x1676628, 0x2769298, 0x1, 0x14b87c8, 0xfffffffc, 0x0), at 0xacd34
  [8] eif_thr_entry(0x1674e78, 0x2769298, 0xaccf0, 0x1f7ea4c, 0x1674e78, 0x2768 ....

(Output truncated.)