Issue 24724: Data race on reference counter in workers
 
Reported by timur...@chromium.org, Oct 13, 2009
This data race was found using ThreadSanitizer ( http://dev.chromium.org/developers/how-tos/using-valgrind/threadsanitizer ).
Please note that the previous data race found on ref. counter was the cause of a top crasher (see http://crbug.com/18488).

This data race can be proved using RaceChecker class (see
http://code.google.com/p/data-race-test/wiki/RaceCheckerClass )

What steps will reproduce the problem?
1. Apply the attached patch
   * adds RaceChecker class files into third_party/WebKit/...,
   * adds dependencies for these files
   * puts RaceChecker calls into JavaScriptCore/wtf/RefCounted.h
     under m_racecheck condition (set to "true" if "do_racecheck()" is called)
   * adds do_racecheck() call to WebKit::WorkerRunLoop::Task
2. gclient runhooks --force && hammer -C build ui_tests
3. RACECHECKER=2 RACECHECKER_SLEEP_MS=50 ./sconsbuild/Debug/ui_tests --gtest_filter="*WorkerTest.SingleWorker*"

The RaceChecker report looks like the following:
Race found between these points
=== writer: 
chrome(_ZN3WTF14RefCountedBase9derefBaseEv+0x3a)[0xa1d5236]
chrome(_ZN3WTF10RefCountedIN7WebCore13WorkerRunLoop4TaskEE5derefEv+0x11)[0xa9ef4ff]
chrome(_ZN3WTF6RefPtrIN7WebCore13WorkerRunLoop4TaskEED1Ev+0x1f)[0xa9ef541]
chrome(_ZN7WebCore13WorkerRunLoop15postTaskForModeEN3WTF10PassRefPtrINS_22ScriptExecutionContext4TaskEEERKNS_6StringE+0x78)[0xa9edd1c]
chrome(_ZN7WebCore13WorkerRunLoop8postTaskEN3WTF10PassRefPtrINS_22ScriptExecutionContext4TaskEEE+0x3f)[0xa9edd7f]
chrome(_ZN13WebWorkerImpl26postMessageToWorkerContextERKN6WebKit9WebStringERKNS0_9WebVectorIPNS0_21WebMessagePortChannelEEE+0x20e)[0xaaf466a]
chrome(_ZN20WebWorkerClientProxy13OnPostMessageERKSbItN4base20string16_char_traitsESaItEERKSt6vectorIiSaIiEESA_+0xe1)[0x9a5fee9]
chrome(_Z16DispatchToMethodI20WebWorkerClientProxyMS0_FvRKSbItN4base20string16_char_traitsESaItEERKSt6vectorIiSaIiEESB_ES4_S9_S9_EvPT_T0_RK6Tuple3IT1_T2_T3_E+0x56)[0x9a610b2]
chrome(_ZN3IPC16MessageWithTupleI6Tuple3ISbItN4base20string16_char_traitsESaItEESt6vectorIiSaIiEES8_EE8DispatchI20WebWorkerClientProxyMSC_FvRKS5_RKS8_SG_EEEbPKNS_7MessageEPT_T0_+0x47)[0x9a6155b]
chrome(_ZN20WebWorkerClientProxy17OnMessageReceivedERKN3IPC7MessageE+0x145)[0x9a602d9]
chrome(_ZN13MessageRouter12RouteMessageERKN3IPC7MessageE+0x4e)[0xabfddba]
chrome(_ZN13MessageRouter17OnMessageReceivedERKN3IPC7MessageE+0x51)[0xabfde17]
chrome(_ZN11ChildThread17OnMessageReceivedERKN3IPC7MessageE+0x190)[0xabee900]
chrome(_ZN3IPC12ChannelProxy7Context17OnDispatchMessageERKNS_7MessageE+0x91)[0xa0a4953]
chrome(_Z16DispatchToMethodIN3IPC12ChannelProxy7ContextEMS2_FvRKNS0_7MessageEES3_EvPT_T0_RK6Tuple1IT1_E+0x41)[0xa0a57ff]
chrome(_ZN14RunnableMethodIN3IPC12ChannelProxy7ContextEMS2_FvRKNS0_7MessageEE6Tuple1IS3_EE3RunEv+0x39)[0xa0a583b]
chrome(_ZN11MessageLoop7RunTaskEP4Task+0xce)[0x9aa29f6]
chrome(_ZN11MessageLoop21DeferOrRunPendingTaskERKNS_11PendingTaskE+0x35)[0x9aa30c1]
=== writer: 
chrome(_ZN3WTF14RefCountedBase3refEv+0x3a)[0xa1d5144]
chrome(_ZN3WTF10PassRefPtrIN7WebCore13WorkerRunLoop4TaskEEC1IS3_EERKNS_6RefPtrIT_EE+0x31)[0xa9ef401]
chrome(_ZN3WTF5DequeINS_6RefPtrIN7WebCore13WorkerRunLoop4TaskEEEE6findIfIKNS2_13ModePredicateEEENS_13DequeIteratorIS5_EERT_+0x4d)[0xa9ef813]
chrome(_ZN3WTF12MessageQueueINS_6RefPtrIN7WebCore13WorkerRunLoop4TaskEEEE33waitForMessageFilteredWithTimeoutIKNS2_13ModePredicateEEENS_22MessageQueueWaitResultERS5_RT_d+0x123)[0xa9efbe9]
chrome(_ZN7WebCore13WorkerRunLoop9runInModeEPNS_13WorkerContextERKNS_13ModePredicateE+0x16f)[0xa9edf1b]
chrome(_ZN7WebCore13WorkerRunLoop3runEPNS_13WorkerContextE+0x5c)[0xa9ee05a]
chrome(_ZN7WebCore12WorkerThread12runEventLoopEv+0x28)[0xac96abe]
chrome(_ZN7WebCore21DedicatedWorkerThread12runEventLoopEv+0x4a)[0xac936b2]
chrome(_ZN7WebCore12WorkerThread12workerThreadEv+0x175)[0xac96c35]
chrome(_ZN7WebCore12WorkerThread17workerThreadStartEPv+0x11)[0xac96d07]
chrome[0xaa57c34]
/lib32/libpthread.so.0[0xf76b94fb]
/lib32/libc.so.6(clone+0x5e)[0xf739009e]

Sample ThreadSanitizer report is also attached.
Attachments: WebKit ref counter race ThreadSanitizer report.txt (16.7 KB), WebKit ref counter race.patch (12.8 KB)
Comment 1 by laforge@chromium.org, Oct 14, 2009
(No comment was entered for this change.)
Labels: -Area-Misc Area-WebKit
Comment 2 by karen@chromium.org, Oct 14, 2009
(No comment was entered for this change.)
Labels: Mstone-X
Comment 3 by bugdroid1@chromium.org, Oct 14, 2009
The following revision refers to this bug:
    http://src.chromium.org/viewvc/chrome?view=rev&revision=28953 

------------------------------------------------------------------------
r28953 | timurrrr@chromium.org | 2009-10-14 02:18:37 -0700 (Wed, 14 Oct 2009) | 5 lines
Changed paths:
   M http://src.chromium.org/viewvc/chrome/trunk/src/tools/valgrind/tsan/suppressions.txt?r1=28953&r2=28952

Added suppressions for two real races and one benign
Also fixed indentations for the last two suppressions
TBR=dank,stuartmorgan
BUG=24715,24724
Review URL: http://codereview.chromium.org/269073
------------------------------------------------------------------------

Comment 4 by timur...@chromium.org, Oct 15, 2009
(No comment was entered for this change.)
Labels: -Valgrind-Tsan ThreadSanitizer
Comment 5 by evan@chromium.org, Oct 20, 2009
dimich, you're the worker expert, right?

Here's a deobfuscated backtrace.
chrome(WTF::RefCounted<WebCore::WorkerRunLoop::Task>::deref()+0x11)[0xa9ef4ff]
chrome(WTF::RefPtr<WebCore::WorkerRunLoop::Task>::~RefPtr()+0x1f)[0xa9ef541]
chrome(WebCore::WorkerRunLoop::postTaskForMode(WTF::PassRefPtr<WebCore::ScriptExecutionContext::Task>, WebCore::String const&)+0x78)[0xa9edd1c]
chrome(WebCore::WorkerRunLoop::postTask(WTF::PassRefPtr<WebCore::ScriptExecutionContext::Task>)+0x3f)[0xa9edd7f]
chrome(WebWorkerImpl::postMessageToWorkerContext(WebKit::WebString const&, WebKit::WebVector<WebKit::WebMessagePortChannel*> const&)+0x20e)[0xaaf466a]
chrome(WebWorkerClientProxy::OnPostMessage(std::basic_string<unsigned short, base::string16_char_traits, std::allocator<unsigned short> > const&, std::vector<int, std::allocator<int> > const&, std::vector<int, std::allocator<int> > const&)+0xe1)[0x9a5fee9]
chrome(void DispatchToMethod<WebWorkerClientProxy, void (WebWorkerClientProxy::*)(std::basic_string<unsigned short, base::string16_char_traits, std::allocator<unsigned short> > const&, std::vector<int, std::allocator<int> > const&, std::vector<int, std::allocator<int> > const&), std::basic_string<unsigned short, base::string16_char_traits, std::allocator<unsigned short> >, std::vector<int, std::allocator<int> >, std::vector<int, std::allocator<int> > >(WebWorkerClientProxy*, void (WebWorkerClientProxy::*)(std::basic_string<unsigned short, base::string16_char_traits, std::allocator<unsigned short> > const&, std::vector<int, std::allocator<int> > const&, std::vector<int, std::allocator<int> > const&), Tuple3<std::basic_string<unsigned short, base::string16_char_traits, std::allocator<unsigned short> >, std::vector<int, std::allocator<int> >, std::vector<int, std::allocator<int> > > const&)+0x56)[0x9a610b2]
chrome(_ZN3IPC16MessageWithTupleI6Tuple3ISbItN4base20string16_char_traitsESaItEESt6vectorIiSaIiEES8_EE8DispatchI20WebWorkerClientProxyMSC_FvRKS5_RKS8_SG_EEEbPKNS_7MessageEPT_T0_+0x47)[0x9a6155b]
chrome(WebWorkerClientProxy::OnMessageReceived(IPC::Message const&)+0x145)[0x9a602d9]
chrome(MessageRouter::RouteMessage(IPC::Message const&)+0x4e)[0xabfddba]
chrome(MessageRouter::OnMessageReceived(IPC::Message const&)+0x51)[0xabfde17]
chrome(ChildThread::OnMessageReceived(IPC::Message const&)+0x190)[0xabee900]
chrome(IPC::ChannelProxy::Context::OnDispatchMessage(IPC::Message const&)+0x91)[0xa0a4953]
chrome(void DispatchToMethod<IPC::ChannelProxy::Context, void (IPC::ChannelProxy::Context::*)(IPC::Message const&), IPC::Message>(IPC::ChannelProxy::Context*, void (IPC::ChannelProxy::Context::*)(IPC::Message const&), Tuple1<IPC::Message> const&)+0x41)[0xa0a57ff]
chrome(RunnableMethod<IPC::ChannelProxy::Context, void (IPC::ChannelProxy::Context::*)(IPC::Message const&), Tuple1<IPC::Message> >::Run()+0x39)[0xa0a583b]
chrome(MessageLoop::RunTask(Task*)+0xce)[0x9aa29f6]
chrome(MessageLoop::DeferOrRunPendingTask(MessageLoop::PendingTask const&)+0x35)[0x9aa30c1]
=== writer: 
chrome(WTF::RefCountedBase::ref()+0x3a)[0xa1d5144]
chrome(WTF::PassRefPtr<WebCore::WorkerRunLoop::Task>::PassRefPtr<WebCore::WorkerRunLoop::Task>(WTF::RefPtr<WebCore::WorkerRunLoop::Task> const&)+0x31)[0xa9ef401]
chrome(WTF::DequeIterator<WTF::RefPtr<WebCore::WorkerRunLoop::Task> > WTF::Deque<WTF::RefPtr<WebCore::WorkerRunLoop::Task> >::findIf<WebCore::ModePredicate const>(WebCore::ModePredicate const&)+0x4d)[0xa9ef813]
chrome(_ZN3WTF12MessageQueueINS_6RefPtrIN7WebCore13WorkerRunLoop4TaskEEEE33waitForMessageFilteredWithTimeoutIKNS2_13ModePredicateEEENS_22MessageQueueWaitResultERS5_RT_d+0x123)[0xa9efbe9]
chrome(WebCore::WorkerRunLoop::runInMode(WebCore::WorkerContext*, WebCore::ModePredicate const&)+0x16f)[0xa9edf1b]
chrome(WebCore::WorkerRunLoop::run(WebCore::WorkerContext*)+0x5c)[0xa9ee05a]
chrome(WebCore::WorkerThread::runEventLoop()+0x28)[0xac96abe]
chrome(WebCore::DedicatedWorkerThread::runEventLoop()+0x4a)[0xac936b2]
chrome(WebCore::WorkerThread::workerThread()+0x175)[0xac96c35]

This can cause hard-to-find crashes in workers, so it would be worth fixing if you get the chance.
Summary: Data race on reference counter in workers
Status: Assigned
Owner: dim...@chromium.org
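The shape of the race in the backtraces above, as an added example that is not Chromium or WebKit code: one thread posts a task and drops its reference after releasing the queue lock while the worker thread takes its own reference, so the counter itself has to be thread-safe even though the queue is locked. Task, TaskQueue and run_scenario are names assumed for this example; the counter type is the only difference between the racy and the fixed variant.

```cpp
// Added example, not Chromium/WebKit code: a cut-down model of the race reported
// above. A Task is posted by one thread and drained by a worker; the queue is
// mutex-protected, but the poster drops its reference outside the lock, so the
// counter itself must be thread-safe. Task/TaskQueue/run_scenario are assumed
// names; the counter type is the only difference between the two variants.
#include <atomic>
#include <deque>
#include <mutex>
#include <thread>
static std::atomic<int> g_destroyed{0};   // destructor runs: leak / double-free check

template <typename Counter>
struct Task {
    Counter refcount{1};                  // like WTF::RefCounted: creator holds one ref
    void ref()   { ++refcount; }
    void deref() { if (--refcount == 0) { ++g_destroyed; delete this; } }
};
using RacyTask = Task<int>;               // plain int: the ++/-- race TSan reports
using SafeTask = Task<std::atomic<int>>;  // atomic counter: the shape of the fix

template <typename T>
struct TaskQueue {
    std::mutex mu;
    std::deque<T*> q;
    void post(T* t) {                     // like postTaskForMode
        t->ref();                         // queue takes its own reference
        { std::lock_guard<std::mutex> g(mu); q.push_back(t); }
        t->deref();                       // poster's ref dropped after unlock (~PassRefPtr)
    }
    T* take() {                           // like the worker's findIf + dequeue
        std::lock_guard<std::mutex> g(mu);
        if (q.empty()) return nullptr;
        T* t = q.front(); q.pop_front();
        return t;                         // queue's reference is handed to the worker
    }
};

template <typename T>
int run_scenario(int n_tasks) {           // returns how many tasks were destroyed
    g_destroyed = 0;
    TaskQueue<T> queue;
    std::thread worker([&] {
        for (int got = 0; got < n_tasks;)
            if (T* t = queue.take()) { ++got; t->deref(); }   // "run" it, drop last ref
            else std::this_thread::yield();
    });
    for (int i = 0; i < n_tasks; ++i) queue.post(new T);
    worker.join();
    return g_destroyed.load();            // SafeTask: always n_tasks; RacyTask: undefined
}
```

Only the SafeTask variant is meant to be executed: with RacyTask the lost ++/-- update is undefined behaviour (leak or double delete), which is exactly what ThreadSanitizer flags before it turns into a crash.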
Comment 6 by dim...@chromium.org, Oct 20, 2009
Very cool bug, I'll take a look!
Comment 7 by dank@chromium.org, Oct 21, 2009
Let's triage race bugs to pri 1 initially unless we're sure they're benign.
Labels: -Pri-2 Pri-1
Comment 8 by dank@chromium.org, Oct 21, 2009
(No comment was entered for this change.)
Labels: -Mstone-X Mstone-5 ReleaseBlock-Beta
Comment 9 by dank@chromium.org, Oct 21, 2009
moving to mstone 4 after discussion with karen
Labels: -Mstone-5 Mstone-4
Comment 10 by dim...@chromium.org, Oct 27, 2009
Corresponding bug upstream: https://bugs.webkit.org/show_bug.cgi?id=30612
Status: Started
Comment 11 by dim...@chromium.org, Nov 02, 2009
Upstream bug landed.
Comment 12 by dim...@chromium.org, Nov 03, 2009
(No comment was entered for this change.)
Status: Fixed
Comment 13 by bugdroid1@chromium.org, Nov 05, 2009
The following revision refers to this bug:
    http://src.chromium.org/viewvc/chrome?view=rev&revision=31114 

------------------------------------------------------------------------
r31114 | timurrrr@chromium.org | 2009-11-05 11:00:41 -0800 (Thu, 05 Nov 2009) | 4 lines
Changed paths:
   M http://src.chromium.org/viewvc/chrome/trunk/src/tools/valgrind/tsan/suppressions.txt?r1=31114&r2=31113

Remove the suppression for bug_24724
BUG=24724
TEST=TSAN UI should remain green
Review URL: http://codereview.chromium.org/360010
------------------------------------------------------------------------
