PR# 14517 Possible execution of `eif_thr_exit' and call to eif_access while GC in progress
Problem Report Summary
Submitter: prestoat2000
Category: Runtime
Priority: Medium
Date: 2008/06/23
Class: Bug
Severity: Serious
Number: 14517
Release: 6.2.73753
Confidential: No
Status: Open
Responsible:
Environment: Mozilla/5.0 (X11; U; SunOS i86pc; en-US; rv:1.8.1.14) Gecko/20080421 Firefox/2.0.0.14
Solaris 10 on x86
Synopsis: Possible execution of `eif_thr_exit' and call to eif_access while GC in progress
Description
I'm tired today, so I might be wrong, but please consider the following scenario which may demonstrate a threading bug.

1. Main thread calls `reclaim'.
2. One of its child threads is in a blocking C external routine, so its status is EIF_THREAD_BLOCKED (it has called `eif_exit_eiffel_code').
3. A second child thread is executing in some Eiffel code.
4. Main thread in `reclaim' calls `eif_terminate_all_other_threads'. It synchronizes GC, locking eif_gc_mutex.
5. Second child thread tries to create an object, which calls `emalloc_size' and needs to trigger_smart_gc_cycle. It ends up waiting for eif_gc_mutex. Its status is EIF_THREAD_BLOCKED because it called EIF_ENTER_C in trigger_smart_gc_cycle.
6. Main thread finds both other threads are blocked, so the eif_synchronize_gc call completes. Main thread marks the two blocked threads as "gc stop requested", then calls eif_unsynchronize_gc, then calls EIF_ENTER_C, which sets its status to EIF_THREAD_BLOCKED.
7. Second child thread wakes up, acquires eif_gc_mutex and proceeds to start a GC cycle, since both other threads are marked "blocked".
8. First child thread returns from the blocking C external and calls `eif_enter_eiffel_code'. It sees that gc_stop_thread_request is set, so it calls eif_thr_exit. Now the first child thread's status is EIF_THREAD_RUNNING but a GC cycle is in progress.
9. It has a parent thread, so it calls `eif_access' on eif_thr_context->current to get the offset of the "terminated" attribute. First child thread evaluates `eif_access(eif_thr_context->current)', then the second child thread moves the object it refers to. First child thread stores into the old location of the object.
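The following is an added, constructed C illustration of the hazard in steps 8 and 9 above; it is not part of prestoat2000's report and not code from the EiffelStudio runtime. It models the runtime's indirection/moving-GC arrangement single-threaded so the outcome is deterministic: `sim_eif_access` stands in for `eif_access` (resolving an indirection cell to a raw object pointer), `gc_cycle_now` for the second child thread's moving GC cycle, and `gc_lock`/`gc_unlock` for holding eif_gc_mutex around the access. All names, the two-semispace heap and the "lock defers a requested cycle" behaviour are assumptions of this example. The buggy function evaluates the raw pointer, lets a cycle run, and then stores through the stale pointer, so the live copy never sees the write; the safe function keeps the GC excluded until the store is done.

```c
#include <stdio.h>
#include <string.h>

/* Simulated object: only the attribute the report's scenario writes. */
typedef struct { int terminated; } obj_t;

/* Indirection cell, standing in for the runtime's EIF_OBJECT handle:
 * a moving GC updates this cell, not raw pointers held elsewhere. */
typedef struct { obj_t *ref; } indirect_t;

static obj_t space_a, space_b;   /* two semispaces, one object each (constructed model) */
static indirect_t context;       /* stands in for eif_thr_context->current */
static int gc_lock_held, gc_pending;

/* Reset the simulated heap and hand out a fresh context handle. */
static indirect_t *new_context(void) {
    memset(&space_a, 0, sizeof space_a);
    memset(&space_b, 0, sizeof space_b);
    context.ref = &space_a;
    gc_lock_held = gc_pending = 0;
    return &context;
}

/* Stand-in for eif_access: the returned raw pointer is only valid while
 * no GC cycle can move the object. */
static obj_t *sim_eif_access(indirect_t *h) { return h->ref; }

/* Moving GC cycle: copy the live object to the other space and update the handle. */
static void gc_cycle_now(indirect_t *h) {
    obj_t *from = h->ref;
    obj_t *to = (from == &space_a) ? &space_b : &space_a;
    *to = *from;
    h->ref = to;
}

/* Another thread asks for a cycle; while the GC lock is held the request is deferred. */
static void gc_request(indirect_t *h) {
    if (gc_lock_held) { gc_pending = 1; return; }
    gc_cycle_now(h);
}

static void gc_lock(void) { gc_lock_held = 1; }
static void gc_unlock(indirect_t *h) {
    gc_lock_held = 0;
    if (gc_pending) { gc_pending = 0; gc_cycle_now(h); }
}

/* Pattern from the report: raw pointer evaluated, GC moves the object, store lands
 * in the old location. Returns the value the live object actually holds. */
static int exit_thread_buggy(indirect_t *ctx) {
    obj_t *raw = sim_eif_access(ctx);
    gc_request(ctx);            /* the other thread's cycle runs here and moves the object */
    raw->terminated = 1;        /* written into the stale copy */
    return sim_eif_access(ctx)->terminated;   /* 0: the write was lost */
}

/* Hardened pattern: exclude the GC for the whole access-and-store sequence. */
static int exit_thread_safe(indirect_t *ctx) {
    gc_lock();
    obj_t *raw = sim_eif_access(ctx);
    gc_request(ctx);            /* request arrives while locked: deferred */
    raw->terminated = 1;
    gc_unlock(ctx);             /* deferred cycle now copies the already-updated object */
    return sim_eif_access(ctx)->terminated;   /* 1 */
}

int main(void) {
    printf("buggy pattern, live 'terminated' after store: %d\n", exit_thread_buggy(new_context()));
    printf("safe pattern,  live 'terminated' after store: %d\n", exit_thread_safe(new_context()));
    return 0;
}
```

The check a reviewer would apply to the real code is the same as in the safe variant: no raw pointer obtained from eif_access may be held across any point where the thread's status allows a GC cycle to run, so either the access and the store happen under the GC lock, or the pointer is re-resolved from the handle after re-entering Eiffel code.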
To Reproduce
Problem Report Interactions