Closed Bug 1392427 Opened 7 years ago Closed 7 years ago

JS engine signal handler crashes when invoked on a thread that doesn't own its JSContext

Categories

(Core :: JavaScript Engine, enhancement)

Product:
Core
Component:
JavaScript Engine
Type:
enhancement
Priority:
Not set
Severity:
normal

Tracking

()

Status:
RESOLVED FIXED
Milestone:
mozilla57
Tracking Flags:
Tracking Status
firefox57 --- fixed

People

(Reporter: billm, Assigned: bhackett1024)

Details

Attachments

(1 file)

patch
1.81 KB, patch
luke
: review+
Details | Diff | Splinter Review 
It's possible that a thread that has called YieldCooperativeContext() might crash. In this case, we can end up here:
http://searchfox.org/mozilla-central/rev/b258e6864ee3e809d40982bc5d0d5aff66a20780/js/src/wasm/WasmSignalHandlers.cpp#1344

That accesses a ThreadLocal field on the JSContext (activation_), which calls CurrentThreadCanAccessRuntime, which asserts:
http://searchfox.org/mozilla-central/rev/b258e6864ee3e809d40982bc5d0d5aff66a20780/js/src/threading/ProtectedData.cpp#47

If we segfault on a thread that doesn't own the current JSContext, we probably should just leave the signal handler. Brian, can you take a look at this?
Flags: needinfo?(bhackett1024)
Attached patch patchSplinter Review 
Sorry for the delay.
Assignee: nobody → bhackett1024
Flags: needinfo?(bhackett1024)
Attachment #8901363 - Flags: review?(luke)
Attachment #8901363 - Flags: review?(luke) → review+
Pushed by bhackett@mozilla.com:
https://hg.mozilla.org/integration/mozilla-inbound/rev/8ee0053733f8
Don't try to handle wasm faults on threads that are not their runtime's active thread, r=luke.
https://hg.mozilla.org/mozilla-central/rev/8ee0053733f8
Status: NEW → RESOLVED
Closed: 7 years ago
status-firefox57: --- → fixed
Resolution: --- → FIXED
Target Milestone: --- → mozilla57
You need to log in before you can comment on or make changes to this bug.

Attachment

General

Creator:
Created:
Updated:
Size: