Closed Bug 1240532 Opened 8 years ago Closed 8 years ago

Crash [@ ??] with evalInWorker and newGlobal

Categories

(Core :: JavaScript Engine, defect)

Product:
Core
Component:
JavaScript Engine
Platform:
x86_64
Linux
Type:
defect
Priority:
Not set
Severity:
critical

Tracking

()

Status:
RESOLVED FIXED
Milestone:
mozilla47
Tracking Flags:
Tracking Status
firefox46 --- wontfix
firefox47 --- fixed

People

(Reporter: decoder, Assigned: terrence)

Details

(Keywords: crash, regression, testcase, Whiteboard: [jsbugmon:update])

Crash Data

Attachments

(1 file)

init_principals_destroyer_in_shell_worker-v0.diff
1.94 KB, patch
bbouvier
: review+
Details | Diff | Splinter Review 
The following testcase crashes on mozilla-central revision 8cb42e7a16b4 (build with --enable-optimize --enable-posix-nspr-emulation --enable-valgrind --enable-gczeal --disable-tests --enable-debug, run with --fuzzing-safe --ion-offthread-compile=off):

evalInWorker("try { newGlobal({principal : 5}); } catch (e) {}");



Backtrace:

Program received signal SIGSEGV, Segmentation fault.
[Switching to Thread 0x7ffff30ff700 (LWP 63896)]
0x0000000000000000 in ?? ()
#0  0x0000000000000000 in ?? ()
#1  0x0000000000911a87 in sweepCompartments (keepAtleastOne=false, destroyingRuntime=true, fop=0x7ffff30fe8d0, this=0x7ffff328f000) at js/src/jsgc.cpp:3763
#2  js::gc::GCRuntime::sweepZones (this=0x7ffff69b5420, fop=0x7ffff30fe8d0, destroyingRuntime=true) at js/src/jsgc.cpp:3805
#3  0x0000000000923f17 in js::gc::GCRuntime::endSweepPhase (this=this@entry=0x7ffff69b5420, destroyingRuntime=destroyingRuntime@entry=true) at js/src/jsgc.cpp:5644
#4  0x0000000000925aa7 in js::gc::GCRuntime::incrementalCollectSlice (this=this@entry=0x7ffff69b5420, budget=..., reason=reason@entry=JS::gcreason::DESTROY_RUNTIME) at js/src/jsgc.cpp:6151
#5  0x0000000000926890 in js::gc::GCRuntime::gcCycle (this=this@entry=0x7ffff69b5420, nonincrementalByAPI=nonincrementalByAPI@entry=true, budget=..., reason=reason@entry=JS::gcreason::DESTROY_RUNTIME) at js/src/jsgc.cpp:6342
#6  0x0000000000926dc1 in js::gc::GCRuntime::collect (this=this@entry=0x7ffff69b5420, nonincrementalByAPI=nonincrementalByAPI@entry=true, budget=..., reason=reason@entry=JS::gcreason::DESTROY_RUNTIME) at js/src/jsgc.cpp:6448
#7  0x0000000000926ff3 in js::gc::GCRuntime::gc (this=this@entry=0x7ffff69b5420, gckind=gckind@entry=GC_NORMAL, reason=reason@entry=JS::gcreason::DESTROY_RUNTIME) at js/src/jsgc.cpp:6506
#8  0x0000000000adb42f in JSRuntime::~JSRuntime (this=0x7ffff69b5000, __in_chrg=<optimized out>) at js/src/vm/Runtime.cpp:416
#9  0x00000000008bfcb6 in js_delete<JSRuntime> (p=0x7ffff69b5000) at js/src/debug64/dist/include/js/Utility.h:370
#10 JS_DestroyRuntime (rt=0x7ffff69b5000) at js/src/jsapi.cpp:481
#11 0x000000000048e1c1 in WorkerMain (arg=0x7ffff699d860) at js/src/shell/js.cpp:2812
#12 0x0000000000aac5f1 in nspr::Thread::ThreadRoutine (arg=0x7ffff699d880) at js/src/vm/PosixNSPR.cpp:45
#13 0x00007ffff7bc4182 in start_thread (arg=0x7ffff30ff700) at pthread_create.c:312
#14 0x00007ffff6cb3fbd in clone () at ../sysdeps/unix/sysv/linux/x86_64/clone.S:111
rax	0x0	0
rbx	0x7ffff328f000	140737272934400
rcx	0x7ffff328f708	140737272936200
rdx	0x7ffff30ffa40	140737271298624
rsi	0x7ffff328de20	140737272929824
rdi	0x7ffff328de20	140737272929824
rbp	0x7ffff30fe7e0	140737271293920
rsp	0x7ffff30fe708	140737271293704
r8	0x0	0
r9	0x11000	69632
r10	0x7ffff3200f08	140737272352520
r11	0x7ffff6a00121	140737331069217
r12	0x7ffff328f710	140737272936208
r13	0x7ffff69b5000	140737330761728
r14	0x7ffff328f710	140737272936208
r15	0x7ffff693f800	140737330280448
rip	0x0	0
=> 0x0:
runtime->destroyPrincipals is nullptr here.
Quite right! I think this is what's called for?
Assignee: nobody → terrence
Status: NEW → ASSIGNED
Attachment #8710771 - Flags: review?(bbouvier)
Comment on attachment 8710771 [details] [diff] [review]
init_principals_destroyer_in_shell_worker-v0.diff

Review of attachment 8710771 [details] [diff] [review]:
-----------------------------------------------------------------

Yes, seems legit, thank you.
Attachment #8710771 - Flags: review?(bbouvier) → review+
Whiteboard: [jsbugmon:update,bisect] → [jsbugmon:update]
https://hg.mozilla.org/integration/mozilla-inbound/rev/18d66f1eb5cdef3833b62efb0c5b62d5b2917079
Bug 1240532 - Init the principals destroyer in the shell's WorkerMain; r=bbouvier
https://hg.mozilla.org/mozilla-central/rev/18d66f1eb5cd
Status: ASSIGNED → RESOLVED
Closed: 8 years ago
status-firefox47: --- → fixed
Resolution: --- → FIXED
Target Milestone: --- → mozilla47
Too late to uplift to beta 46. But it is fixed in 47.
status-firefox46: affectedwontfix
You need to log in before you can comment on or make changes to this bug.

Attachment

General

Creator:
Created:
Updated:
Size: