PR# 14460 Possible race condition calling sc_stop (malloc.c)

Problem Report Summary
Submitter: prestoat2000
Category: Runtime
Priority: Medium
Date: 2008/06/10
Class: Bug
Severity: Serious
Number: 14460
Release: 6.2.73753
Confidential: No
Status: Open
Responsible:
Environment: Mozilla/5.0 (X11; U; SunOS i86pc; en-US; rv:1.8.1.14) Gecko/20080421 Firefox/2.0.0.14 OpenSolaris 2008.05 snv_90
Synopsis: Possible race condition calling sc_stop (malloc.c)

Description
Based on code inspection only, it looks like there might be a race condition
involving sc_stop in malloc.c.  If two different threads both call
`emalloc_size', it appears that they might both wind up calling `sc_stop'
at about the same time.  The first thread could synchronize GC, set
gen_scavenge to GS_OFF, free the "to" arena, explode the scavenge zone
and zero the "to" and "from" zones.  When it releases eif_gc_mutex,
the second thread, which was blocked on GC synchronization, would wake
up and proceed to do what the first thread did, without checking whether
generation scavenging was still off.  Since `sc_to.sc_arena' was previously
zeroed, 0 will be passed to `eif_rt_xfree'.  Looking at that routine,
it doesn't look like the consequences will be good.

This might be related to bug 14452.

If this analysis is incorrect, you can just close this report, though a brief
indication of why I'm wrong would be appreciated.

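The interleaving described above, as an added example that is not code from the EiffelStudio run-time or from the submitter: a two-thread C model in which both threads observe `gen_scavenge == GS_ON` outside the lock (the caller's test in `emalloc_size`), and both then enter the stop routine. `sc_stop_racy` performs the first thread's steps unconditionally, so the loser of the race hands 0 to the free routine; `sc_stop_checked` re-checks `gen_scavenge` after taking `eif_gc_mutex` and leaves if scavenging is already off. That re-check is the usual remedy for this pattern and is an assumption here, since the report contains no fix. The names `gen_scavenge`, `GS_ON`/`GS_OFF`, `sc_to.sc_arena` and `eif_gc_mutex` come from the report; `model_xfree`, the barrier, the counters and `run_scenario` are invented for the model, and the real free routine's fault on 0 is replaced by a counter so the program survives to report it.

```c
/* Two-thread model of the sc_stop race from the report.  Added example:
 * not the EiffelStudio run-time's code.  Names borrowed from the report:
 * gen_scavenge, GS_ON/GS_OFF, sc_to.sc_arena, eif_gc_mutex.  Assumed for
 * the model: model_xfree, the barrier, the counters, run_scenario. */
#include <pthread.h>
#include <stdio.h>
#include <stdlib.h>

enum { GS_OFF = 0, GS_ON = 1 };
struct zone { char *sc_arena; };

static int gen_scavenge;
static struct zone sc_to;
static pthread_mutex_t eif_gc_mutex = PTHREAD_MUTEX_INITIALIZER;

struct result { int real_frees; int null_frees; };
static struct result counts;

/* Stand-in for eif_rt_xfree.  A real allocator reads the block header in
 * front of the pointer, which is what would fault on 0; here it is counted. */
static void model_xfree(char *p) {
    if (p == NULL) { counts.null_frees++; return; }
    counts.real_frees++;
    free(p);
}

/* As described in the report: synchronize GC, turn scavenging off, free
 * the "to" arena, zero the zone, all without re-checking gen_scavenge. */
static void sc_stop_racy(void) {
    pthread_mutex_lock(&eif_gc_mutex);
    gen_scavenge = GS_OFF;
    model_xfree(sc_to.sc_arena);
    sc_to.sc_arena = NULL;
    pthread_mutex_unlock(&eif_gc_mutex);
}

/* Assumed remedy: the thread that lost the race sees GS_OFF under the
 * lock and leaves, so the already-zeroed arena is never freed again. */
static void sc_stop_checked(void) {
    pthread_mutex_lock(&eif_gc_mutex);
    if (gen_scavenge == GS_ON) {
        gen_scavenge = GS_OFF;
        model_xfree(sc_to.sc_arena);
        sc_to.sc_arena = NULL;
    }
    pthread_mutex_unlock(&eif_gc_mutex);
}

/* Minimal barrier (mutex + condvar) so the model does not depend on
 * pthread_barrier_t being available. */
struct barrier { pthread_mutex_t m; pthread_cond_t c; int waiting, total; };
static void barrier_wait(struct barrier *b) {
    pthread_mutex_lock(&b->m);
    if (++b->waiting == b->total) pthread_cond_broadcast(&b->c);
    else while (b->waiting < b->total) pthread_cond_wait(&b->c, &b->m);
    pthread_mutex_unlock(&b->m);
}

struct worker_arg { struct barrier *b; int checked; };
static void *worker(void *arg) {
    struct worker_arg *w = arg;
    /* The caller's unlocked test (emalloc_size in the report). */
    int saw_on = (gen_scavenge == GS_ON);
    barrier_wait(w->b);             /* both threads pass the test first */
    if (saw_on) (w->checked ? sc_stop_checked : sc_stop_racy)();
    return NULL;
}

/* Run the interleaving once and report how the two frees went. */
static struct result run_scenario(int checked) {
    struct barrier b = { PTHREAD_MUTEX_INITIALIZER, PTHREAD_COND_INITIALIZER, 0, 2 };
    struct worker_arg args[2] = { { &b, checked }, { &b, checked } };
    pthread_t t[2];
    counts.real_frees = counts.null_frees = 0;
    sc_to.sc_arena = malloc(64);    /* the "to" arena */
    gen_scavenge = GS_ON;
    for (int i = 0; i < 2; i++) pthread_create(&t[i], NULL, worker, &args[i]);
    for (int i = 0; i < 2; i++) pthread_join(t[i], NULL);
    return counts;
}

int main(void) {
    struct result r = run_scenario(0);
    printf("racy:    real frees %d, frees of 0 %d\n", r.real_frees, r.null_frees);
    r = run_scenario(1);
    printf("checked: real frees %d, frees of 0 %d\n", r.real_frees, r.null_frees);
    return 0;
}
```

The barrier makes the window deterministic: both workers have already passed the unlocked test before either takes the mutex, which is the state the report's second thread is in when it wakes up. With the racy routine the second thread always frees 0 once; with the re-check it never does, and the arena is still freed exactly once.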
To Reproduce

Problem Report Interactions
From: prestoat2000    Date: 2008/06/11
My analysis seems to be correct.  Here is a reproducible test case that can be
turned into an eweasel test.

Freeze with attached classes and config file.
Execute system with arguments "10 10000" (10 worker threads, 10000 iterations
   each).
System crashes with run-time panic.

Stack trace is:

(dbx) bt
current thread: t@3
=>[1] eif_rt_xfree(0x0, 0x80000000, 0x14b87c8, 0x2768af8, 0xfffffff8, 0x0), at 0x145cd68
  [2] sc_stop(0x2768af8, 0x66c00, 0x1, 0x14b87c8, 0xfffffff8, 0x0), at 0x145e798
  [3] eif_mem_tiny(0xa, 0x2, 0x151f604, 0x14b87c8, 0x66e3c, 0x66c00), at 0x14832f0
  [4] F129_3598(0x1676628, 0x1bbdc8, 0x246, 0x1f35b78, 0x14b87c8, 0x14e836c), at 0x11b87f8
  [5] F583_6149(0x1676628, 0x1bbdc8, 0x246, 0x1f35b78, 0x14b87c8, 0x14e836c), at 0x7179c
  [6] F582_6146(0x1676628, 0x1e4c, 0x12d, 0x1bbc00, 0x2769298, 0x14b87c8), at 0x6f27c
  [7] A582_46(0x1676628, 0x2769298, 0x1, 0x14b87c8, 0xfffffffc, 0x0), at 0xacd34
  [8] eif_thr_entry(0x1674e78, 0x2769298, 0xaccf0, 0x1f7ea4c, 0x1674e78, 0x2768
....

Attachment: test.e     Size:596
Attachment: worker.e     Size:630
Attachment: Ace     Size:1422