Closed
Bug 1414310
Opened 7 years ago
Closed 7 years ago
js::Thread is used after engine shutdown
Categories
(Core :: JavaScript Engine, defect, P1)
Core
JavaScript Engine
Tracking
()
RESOLVED
FIXED
mozilla58
| Tracking | Status | |
|---|---|---|
| firefox58 | --- | fixed |
People
(Reporter: jonco, Assigned: jonco)
Details
Attachments
(4 files)
|
6.68 KB,
patch
|
luke
:
review+
|
Details | Diff | Splinter Review |
|
7.36 KB,
patch
|
jandem
:
review+
|
Details | Diff | Splinter Review |
|
7.56 KB,
patch
|
sfink
:
review+
|
Details | Diff | Splinter Review |
|
4.81 KB,
patch
|
sfink
:
review+
|
Details | Diff | Splinter Review |
I found in bug 1410132 that we have some use of js::Thread after JS_Shutdown() has been called. We should fix this and assert that no one is calling these APIs before initialisation or after shutdown of the JS engine.
|
||
Comment 1•7 years ago
|
||
Jon, can you take this?
|
Assignee | |
Comment 3•7 years ago
|
||
Add an internal version of JS_IsInitialized that we can use to check threading APIs are not used before initialization or after shutdown. This returns false after shutdown (unlike JS_IsInitialized) and also returns true during initialization. Add assertions in mutex and threading code.
Attachment #8926467 -
Flags: review?(luke)
|
|
Assignee | |
Comment 4•7 years ago
|
||
Patch to destroy the mach exception handing thread during shutdown rather than when global data is destroyed.
Attachment #8926470 -
Flags: review?(jdemooij)
|
|
Assignee | |
Comment 5•7 years ago
|
||
Patch to destroy shell off thread compilation state (which includes a mutex in js::Monitor) before shutdown.
Attachment #8926473 -
Flags: review?(sphink)
|
|
Assignee | |
Comment 6•7 years ago
|
||
Patch to destroy shell buffer stream state before shutdown.
Attachment #8926474 -
Flags: review?(sphink)
|
||
Comment 7•7 years ago
|
||
Comment on attachment 8926470 [details] [diff] [review] bug1414310-mach-exception-handler Ah, I had no idea that js::Thread has this requirement/limitation.
|
||
Comment 8•7 years ago
|
||
Comment on attachment 8926473 [details] [diff] [review] bug1414310-shell-off-thread-state Review of attachment 8926473 [details] [diff] [review]: ----------------------------------------------------------------- I am starting to wonder if it would be better to replace all of these ScopeExit things with runtimeMain(), contextMain(), etc. main() { create runtime; status = runtimeMain(rt); destroy runtime; } runtimeMain() { create context and associated things status = contextMain(cx); destroy cx; } But it's not a big deal, we may as well continue on for now.
Attachment #8926473 -
Flags: review?(sphink) → review+
|
|
||
Comment 9•7 years ago
|
||
Comment on attachment 8926474 [details] [diff] [review] bug1414310-shell-buffer-stream-state Review of attachment 8926474 [details] [diff] [review]: ----------------------------------------------------------------- ::: js/src/shell/js.cpp @@ +8935,5 @@ > + return 1; > + auto shutdownBufferStreams = MakeScopeExit([] { > + ShutdownBufferStreams(); > + js_delete(bufferStreamState); > + }); Oh. The previous thing didn't work? Or it interacted badly with your changes? r=me regardless. Whatever works.
Attachment #8926474 -
Flags: review?(sphink) → review+
|
||
Comment 10•7 years ago
|
||
Comment on attachment 8926467 [details] [diff] [review] bug1414310-init-assertions Review of attachment 8926467 [details] [diff] [review]: ----------------------------------------------------------------- Good idea
Attachment #8926467 -
Flags: review?(luke) → review+
|
||
Comment 11•7 years ago
|
||
Comment on attachment 8926470 [details] [diff] [review] bug1414310-mach-exception-handler Review of attachment 8926470 [details] [diff] [review]: ----------------------------------------------------------------- ::: js/src/vm/Initialization.cpp @@ +109,5 @@ > js::gc::InitMemorySubsystem(); // Ensure gc::SystemPageSize() works. > > RETURN_IF_FAIL(js::jit::InitProcessExecutableMemory()); > > + RETURN_IF_FAIL(js::MemoryProtectionExceptionHandler::install()); Good catch.
Attachment #8926470 -
Flags: review?(jdemooij) → review+
|
||
Comment 12•7 years ago
|
||
Pushed by jcoppeard@mozilla.com: https://hg.mozilla.org/integration/mozilla-inbound/rev/b86c252b68fa Assert that JS threading APIs are only used between JS_Initialize and JS_Shutdown r=luke https://hg.mozilla.org/integration/mozilla-inbound/rev/d41ed6f635b6 Destroy mach exception handler thread on JS_ShutDown r=jandem https://hg.mozilla.org/integration/mozilla-inbound/rev/7b993d1dbe5f Destroy shell off thread state before calling JS_ShutDown r=sfink https://hg.mozilla.org/integration/mozilla-inbound/rev/94d45591fe60 Destroy shell buffer stream state before calling JS_ShutDown r=sfink
|
||
Comment 13•7 years ago
|
||
| bugherder | ||
https://hg.mozilla.org/mozilla-central/rev/b86c252b68fa https://hg.mozilla.org/mozilla-central/rev/d41ed6f635b6 https://hg.mozilla.org/mozilla-central/rev/7b993d1dbe5f https://hg.mozilla.org/mozilla-central/rev/94d45591fe60
Status: NEW → RESOLVED
Closed: 7 years ago
Resolution: --- → FIXED
Target Milestone: --- → mozilla58
You need to log in
before you can comment on or make changes to this bug.
Description
•