Assertion failure: CurrentThreadCanAccessRuntime(rt), at /js/src/jsgc.cpp:2141

RESOLVED FIXED in Firefox 33

Status

Core
JavaScript: GC
RESOLVED FIXED
4 years ago
3 years ago

People

(Reporter: schien, Unassigned)

Tracking

({regression})

unspecified
mozilla33
x86
Mac OS X
regression

Firefox Tracking Flags

(firefox32 unaffected, firefox33 fixed, firefox-esr24 unaffected, firefox-esr31 unaffected)

Details

(Whiteboard: [adv-main33+])

Attachments

(1 attachment)

Encountered this while executing mochitest on a b2g-desktop debug build.

https://tbpl.mozilla.org/php/getParsedLog.php?id=41355834&tree=Try&full=1#error2

06:54:12     INFO -   0  libxul.so!js::gc::GCRuntime::triggerGC(JS::gcreason::Reason) [jsgc.cpp:7e27d78d3629 : 2141 + 0x18]
06:54:12     INFO -      eip = 0xb55fed91   esp = 0xb11cf1b0   ebp = 0xb11cf1d8   ebx = 0xb6bd4ca4
06:54:12     INFO -      esi = 0x00000000   edi = 0xafec71c0   eax = 0x00000000   ecx = 0xb759d8ac
06:54:12     INFO -      edx = 0x00000000   efl = 0x00210282
06:54:12     INFO -      Found by: given as instruction pointer in context
06:54:12     INFO -   1  libxul.so!js::gc::GCRuntime::onTooMuchMalloc() [jsgc.cpp:7e27d78d3629 : 1514 + 0xc]
06:54:12     INFO -      eip = 0xb56075ca   esp = 0xb11cf1e0   ebp = 0xb11cf1f8   ebx = 0xb6bd4ca4
06:54:12     INFO -      esi = 0xafec7c60   edi = 0x0004d316
06:54:12     INFO -      Found by: call frame info
06:54:12     INFO -   2  libxul.so!js::ScriptSource::ensureOwnsSource(js::ExclusiveContext*) [jscntxt.h:7e27d78d3629 : 274 + 0x14]
06:54:12     INFO -      eip = 0xb56b9c22   esp = 0xb11cf200   ebp = 0xb11cf238   ebx = 0xb6bd4ca4
06:54:12     INFO -      esi = 0x9c4693a0   edi = 0x0004d316
06:54:12     INFO -      Found by: call frame info
06:54:12     INFO -   3  libxul.so!js::frontend::CompileScript(js::ExclusiveContext*, js::LifoAlloc*, JS::Handle<JSObject*>, JS::Handle<JSScript*>, JS::ReadOnlyCompileOptions const&, JS::SourceBufferHolder&, JSString*, unsigned int, js::SourceCompressionTask*) [BytecodeCompiler.cpp:7e27d78d3629 : 256 + 0x30]
06:54:12     INFO -      eip = 0xb5884181   esp = 0xb11cf240   ebp = 0xb11d0228   ebx = 0xb6bd4ca4
06:54:12     INFO -      esi = 0x9c4693a0   edi = 0xa72c3a00
06:54:12     INFO -      Found by: call frame info
06:54:12     INFO -   4  libxul.so!js::HelperThread::handleParseWorkload() [HelperThreads.cpp:7e27d78d3629 : 907 + 0x41]
06:54:12     INFO -      eip = 0xb5759d68   esp = 0xb11d0230   ebp = 0xb11d0298   ebx = 0xb6bd4ca4
06:54:12     INFO -      esi = 0xb71b9540   edi = 0x9cbf9200
06:54:12     INFO -      Found by: call frame info
06:54:12     INFO -   5  libxul.so!js::HelperThread::threadLoop() [HelperThreads.cpp:7e27d78d3629 : 1089 + 0xa]
06:54:12     INFO -      eip = 0xb575a300   esp = 0xb11d02a0   ebp = 0xb11d02e8   ebx = 0xb6bd4ca4
06:54:12     INFO -      esi = 0xb105be00   edi = 0x00000000
06:54:12     INFO -      Found by: call frame info
Making this s-s as a precaution.
Group: core-security
Flags: needinfo?(bhackett1024)
Created attachment 8438435 [details] [diff] [review]
patch

I think this is a regression from bug 988486, rev 18eea9cb1c46.  JSRuntime::onTooMuchMalloc checks it is on the main thread before triggering a GC, but GCRuntime::onTooMuchMalloc doesn't.  This fix puts the thread check in a better place.
Attachment #8438435 - Flags: review?(wmccloskey)
Flags: needinfo?(bhackett1024)
Oh, and there isn't anything obviously dangerous here we could be racing on (mainly scheduling GCs in each zone) but I don't know for sure.
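
The change described in the two comments above, as an added toy model (not SpiderMonkey code; ToyGC, runScenario and the counters are hypothetical names): a thread check in an outer wrapper does not cover a helper thread that calls the inner entry point, while a check inside triggerGC covers every caller.

```cpp
#include <atomic>
#include <cstdio>
#include <thread>

// Toy model with hypothetical names; not SpiderMonkey code.
struct ToyGC {
    const std::thread::id owner = std::this_thread::get_id();
    const bool patched;               // true: thread check lives in triggerGC
    std::atomic<int> collections{0};  // GCs started on the owning thread
    std::atomic<int> violations{0};   // times the debug assertion would fire
    std::atomic<int> declined{0};     // off-thread requests turned away

    explicit ToyGC(bool p) : patched(p) {}

    bool onOwnerThread() const { return std::this_thread::get_id() == owner; }

    bool triggerGC() {
        if (patched && !onOwnerThread()) { ++declined; return false; }
        if (!onOwnerThread()) { ++violations; return false; }  // stands in for the assert
        ++collections;
        return true;
    }

    // Inner entry point, reachable from helper threads, with no check of its own.
    void onTooMuchMalloc() { triggerGC(); }

    // Outer wrapper with its own check; it only covers callers that use it.
    void onTooMuchMallocChecked() { if (onOwnerThread()) onTooMuchMalloc(); }
};

struct Outcome { int collections, violations, declined; };

// A helper thread hits the inner entry point, then the owner uses the wrapper.
Outcome runScenario(bool patched) {
    ToyGC gc(patched);
    std::thread helper([&gc] { gc.onTooMuchMalloc(); });
    helper.join();
    gc.onTooMuchMallocChecked();
    return {gc.collections.load(), gc.violations.load(), gc.declined.load()};
}

int main() {
    Outcome before = runScenario(false), after = runScenario(true);
    std::printf("unpatched: violations=%d declined=%d\n", before.violations, before.declined);
    std::printf("patched:   violations=%d declined=%d\n", after.violations, after.declined);
}
```
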
Comment on attachment 8438435 [details] [diff] [review]
patch

Review of attachment 8438435 [details] [diff] [review]:
-----------------------------------------------------------------

::: js/src/jsgc.cpp
@@ +2144,5 @@
>          ForkJoinContext::current()->requestGC(reason);
>          return true;
>      }
>  
> +    /* Don't trigger GCs from off the main thread. */
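Review bot: the comment added after the ForkJoinContext branch says GCs are not triggered off the main thread, but not what happens to the request. The branch just above hands the request to requestGC(reason) and returns true, so the comment should state what an off-main-thread caller gets back and whether the request is dropped or picked up later on the main thread.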

Please say in the comment that this should only happen through onTooMuchMalloc.
Attachment #8438435 - Flags: review?(wmccloskey) → review+
https://hg.mozilla.org/integration/mozilla-inbound/rev/000b317ce64f
https://hg.mozilla.org/mozilla-central/rev/000b317ce64f
Status: NEW → RESOLVED
Last Resolved: 4 years ago
status-firefox32: --- → ?
status-firefox33: --- → fixed
Resolution: --- → FIXED
Target Milestone: --- → mozilla33
status-firefox-esr24: --- → wontfix
Whiteboard: [adv-main33+]
Blocks: 988486
Group: core-security
status-firefox32: ? → unaffected
status-firefox-esr24: wontfix → unaffected
status-firefox-esr31: --- → unaffected
Keywords: regression