Closed
Bug 1191635
Opened 9 years ago
Closed 9 years ago
Crash [@ js::CurrentThreadCanAccessRuntime] or Crash [@ arena_run_split] with Worker
Categories
(Core :: JavaScript Engine, defect)
Tracking
Status: RESOLVED FIXED
Target Milestone: mozilla44
People
(Reporter: decoder, Assigned: jandem)
Details
(Keywords: crash, regression, testcase, Whiteboard: [jsbugmon:update])
Attachments (1 file)
Patch (1.96 KB, patch) - bhackett1024: review+
The following testcase crashes on mozilla-central revision f3b757156f69 (build with --enable-optimize --enable-posix-nspr-emulation --enable-valgrind --enable-gczeal --disable-tests --enable-debug, run with --fuzzing-safe --thread-count=2 --baseline-eager):

evalInWorker(`
  function dprint(s) { dprint(); }
  dprint("Hello! Hello! Hello!");
`);

Backtrace:

Program received signal SIGSEGV, Segmentation fault.
[Switching to Thread 0x7ffff45ff700 (LWP 48924)]
0x000000000070bbb0 in js::CurrentThreadCanAccessRuntime (rt=rt@entry=0x7ffff69a8000) at js/src/vm/Runtime.cpp:813
#0  0x000000000070bbb0 in js::CurrentThreadCanAccessRuntime (rt=rt@entry=0x7ffff69a8000) at js/src/vm/Runtime.cpp:813
#1  0x0000000000a7bf57 in runtimeFromMainThread (this=0x7ffff3a1d480) at js/src/gc/Heap.h:1272
#2  js::jit::AssertValidObjectPtr (cx=0x7ffff6998000, obj=0x7ffff3a1d480) at js/src/jit/VMFunctions.cpp:1130
#3  0x00007ffff7fdba51 in ?? ()
[...]
#10 0x0000000000000000 in ?? ()
rax 0x7ffff695d800 140737330403328
rbx 0x7ffff47c5da0 140737295179168
rcx 0x7ffff6998000 140737330642944
rdx 0x7ffff69a8000 140737330708480
rsi 0x7ffff3a1d480 140737280857216
rdi 0x7ffff69a8000 140737330708480
rbp 0x7ffff3e00010 140737284931600
rsp 0x7ffff3e00000 140737284931584
r8  0x0 0
r9  0x205 517
r10 0xfff9000000000000 -1970324836974592
r11 0x7ffff69a81e8 140737330708968
r12 0x7ffff6998000 140737330642944
r13 0x7ffff69a8000 140737330708480
r14 0x7ffff3a00000 140737280737280
r15 0x7ffff45fca70 140737293306480
rip 0x70bbb0 <js::CurrentThreadCanAccessRuntime(JSRuntime*)+16>
=> 0x70bbb0 <js::CurrentThreadCanAccessRuntime(JSRuntime*)+16>: callq 0x708c30 <PR_GetCurrentThread()>
   0x70bbb5 <js::CurrentThreadCanAccessRuntime(JSRuntime*)+21>: cmp %rax,%rbx

Marking s-s due to possibly invalid/racy object pointer.
Comment 1 • 9 years ago
I think the test case is infinite recursion, so maybe we're triggering stack overflow code?
Updated • 9 years ago
Group: core-security → javascript-core-security
Comment 2 • 9 years ago
Jandem, could you triage this or find somebody to triage it? Thanks.
Flags: needinfo?(jdemooij)
Comment 3 • 9 years ago (Assignee)
This is a problem with the shell's evalInWorker function.
Group: javascript-core-security
Comment 4 • 9 years ago (Assignee)
The test is running out of stack space. This patch calls JS_SetNativeStackQuota for the evalInWorker runtime and passes a stack limit to PR_CreateThread; doing both is necessary to fix this bug.
Assignee: nobody → jdemooij
Status: NEW → ASSIGNED
Flags: needinfo?(jdemooij)
Attachment #8666096 - Flags: review?(bhackett1024)
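As an added illustration (constructed for this page, not SpiderMonkey or NSPR code) of why the fix needs both halves: a stack quota in the spirit of JS_SetNativeStackQuota only turns runaway recursion into a catchable error when the worker thread really has at least that much stack, which is what passing a stack size to PR_CreateThread guarantees. The `engine` struct, `stack_has_room`, `recurse` and `run_in_worker` are hypothetical names, and POSIX threads stand in for NSPR.

```c
#include <pthread.h>
#include <stddef.h>
#include <stdint.h>
/* Constructed example, not SpiderMonkey code: a native-stack quota check in the
 * spirit of JS_SetNativeStackQuota, on a thread given an explicit stack size
 * (the PR_CreateThread stack-size argument the fix adds for evalInWorker). */
#define THREAD_STACK_SIZE (512 * 1024)  /* stack the thread is really given */
#define STACK_QUOTA       (256 * 1024)  /* engine quota; must fit inside it  */

struct engine {
    uintptr_t stack_base;  /* address of a local in the thread's entry frame */
    size_t quota;          /* bytes of native stack the engine may consume  */
    unsigned depth;        /* recursion depth reached before the quota hit  */
};

/* Stacks grow downward (x86-64/ARM): usage is base minus the current frame. If
 * quota exceeded the thread's real stack, the guard page would SIGSEGV before
 * this ever returned 0; that mismatch is the crash reported in this bug. */
static int stack_has_room(const struct engine *e) {
    char marker;
    return (e->stack_base - (uintptr_t)&marker) < e->quota;
}
/* Unbounded recursion like the testcase's dprint(), but every frame consults
 * the quota first and returns -1 ("too much recursion") instead of faulting. */
static int recurse(struct engine *e) {
    volatile char pad[1024];  /* give each frame a known minimum cost */
    pad[0] = 0;
    if (!stack_has_room(e)) return -1;
    e->depth++;
    int r = recurse(e);
    pad[1] = (char)r;         /* touch pad after the call: no tail-call merge */
    return r;
}
static void *worker_main(void *arg) {
    struct engine *e = arg;
    char base;                /* entry frame marks the top of usable stack */
    e->stack_base = (uintptr_t)&base;
    return (void *)(intptr_t)recurse(e);
}
/* Run the recursion on a worker thread with an explicit stack size. Returns -1
 * when the quota caught the overflow cleanly, -2 if the thread setup failed. */
int run_in_worker(struct engine *e, size_t stack_size) {
    pthread_attr_t attr; pthread_t tid; void *ret;
    e->quota = STACK_QUOTA; e->depth = 0;
    if (pthread_attr_init(&attr) != 0) return -2;
    if (pthread_attr_setstacksize(&attr, stack_size) != 0) return -2;
    if (pthread_create(&tid, &attr, worker_main, e) != 0) return -2;
    pthread_join(tid, &ret); pthread_attr_destroy(&attr);
    return (int)(intptr_t)ret;
}
```

With the thread stack larger than the quota the recursion stops at a few hundred frames with -1; shrink the thread stack below the quota and the same code would fault on the guard page instead, which is the failure mode the testcase hit.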
Comment 6 • 9 years ago (Assignee)
Comment on attachment 8666096 [details] [diff] [review] Patch Review of attachment 8666096 [details] [diff] [review]: ----------------------------------------------------------------- ::: js/src/jit-test/tests/basic/evalInWorker-stack-limit.js @@ +3,5 @@ > + function f() { f(); } > + try { f(); } catch(e) {} > + `); > +} catch(e) { > + assertEq(e.toString().contains("--no-threads"), true); I did s/contains/includes/ as |contains| is deprecated.
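Review bot: the last line of the hunk, `> +     assertEq(e.toString().contains("--no-threads"), true);`, asserts with String.prototype.contains, which is the deprecated name for includes; the landed version should read `e.toString().includes("--no-threads")`, as the comment below the hunk says was done. Note also that the inner `> +     try { f(); } catch(e) {}` swallows the worker's own recursion error, so the only exception meant to reach the outer catch is the one evalInWorker throws under --no-threads; a stack-quota regression in the worker would show up as a crash of the shell process, not as a failed assertEq, which is what makes this test a regression test for the crash rather than for the error message.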
Updated • 9 years ago
Whiteboard: [jsbugmon:update,bisect] → [jsbugmon:update]
Comment 7 • 9 years ago
JSBugMon: Bisection requested, result: autoBisect shows this is probably related to the following changeset:

The first bad revision is:
changeset: https://hg.mozilla.org/mozilla-central/rev/75c2c9a3e09d
user: Lars T Hansen
date: Wed Feb 25 18:43:51 2015 +0100
summary: Bug 1136584 - Copy JIT options from global settings. r=bhackett

This iteration took 193.919 seconds to run.
Updated • 9 years ago
Attachment #8666096 - Flags: review?(bhackett1024) → review+
https://hg.mozilla.org/mozilla-central/rev/137ce8c2f14c
Status: ASSIGNED → RESOLVED
Closed: 9 years ago
status-firefox44: --- → fixed
Resolution: --- → FIXED
Target Milestone: --- → mozilla44