Closed
Bug 1204866
Opened 9 years ago
Closed 9 years ago
Assertion failure: !numExclusiveThreads, at js/src/vm/Runtime.cpp:415 or Assertion failure: js::CurrentThreadCanAccessRuntime(runtime_), at js/HeapAPI.h:134 with OOM
Categories
(Core :: JavaScript Engine, defect)
Tracking
()
RESOLVED
FIXED
mozilla43
| Tracking | Status | |
|---|---|---|
| firefox43 | --- | fixed |
People
(Reporter: decoder, Assigned: h4writer)
References
(Blocks 1 open bug)
Details
(Keywords: assertion, regression, testcase, Whiteboard: [fuzzblocker] [jsbugmon:])
Attachments
(1 file)
|
952 bytes,
patch
|
bhackett1024
:
review+
|
Details | Diff | Splinter Review |
The following testcase crashes on mozilla-central revision 9ed17db42e3e (build with --enable-optimize --enable-posix-nspr-emulation --enable-valgrind --enable-gczeal --disable-tests --enable-debug, run with --fuzzing-safe --thread-count=2):
oomAfterAllocations(10, 4);
var lfGlobal = newGlobal();
lfGlobal.offThreadCompileScript("");
Backtrace:
Program received signal SIGSEGV, Segmentation fault.
0x0000000000720484 in JSRuntime::~JSRuntime (this=0x7ffff693c000, __in_chrg=<optimized out>) at js/src/vm/Runtime.cpp:415
#0 0x0000000000720484 in JSRuntime::~JSRuntime (this=0x7ffff693c000, __in_chrg=<optimized out>) at js/src/vm/Runtime.cpp:415
#1 0x0000000000aee806 in js_delete<JSRuntime> (p=0x7ffff693c000) at ../../dist/include/js/Utility.h:306
#2 JS_DestroyRuntime (rt=0x7ffff693c000) at js/src/jsapi.cpp:691
#3 0x000000000047a3d6 in main (argc=<optimized out>, argv=<optimized out>, envp=<optimized out>) at js/src/shell/js.cpp:6491
rax 0x0 0
rbx 0x7ffff693c000 140737330266112
rcx 0x7ffff6ca53cd 140737333842893
rdx 0x0 0
rsi 0x7ffff6f7a9d0 140737336814032
rdi 0x7ffff6f791c0 140737336807872
rbp 0x7fffffffd850 140737488345168
rsp 0x7fffffffd7a0 140737488344992
r8 0x7ffff7fe0780 140737354008448
r9 0x6372732f736a2f6c 7165916604736876396
r10 0x7fffffffd560 140737488344416
r11 0x7ffff6c27960 140737333328224
r12 0x7ffff693c408 140737330267144
r13 0x0 0
r14 0x7ffff693c000 140737330266112
r15 0x7ffff6930158 140737330217304
rip 0x720484 <JSRuntime::~JSRuntime()+1700>
=> 0x720484 <JSRuntime::~JSRuntime()+1700>: movl $0x19f,0x0
0x72048f <JSRuntime::~JSRuntime()+1711>: callq 0x49b340 <abort()>
The second assertion is an OOM that I have been seeing for a long time but I could never reproduce it properly. Not sure if this instance is the same issue but it happens fairly frequently (marking fuzzblocker). The issue is also still intermittent, you might need to run it multiple times.
|
Assignee | |
Updated•9 years ago
|
Assignee: nobody → hv1989
|
|
Assignee | |
Comment 1•9 years ago
|
||
Attachment #8661248 -
Flags: review?(bhackett1024)
|
||
Updated•9 years ago
|
Whiteboard: [jsbugmon:update,bisect][fuzzblocker] → [fuzzblocker] [jsbugmon:update]
|
|
||
Comment 3•9 years ago
|
||
JSBugMon: Bisection requested, result: === Treeherder Build Bisection Results by autoBisect === The "good" changeset has the timestamp "20150911071052" and the hash "9394c5f63b56b784dcdb9f70fa0b7f428bdf4d8c". The "bad" changeset has the timestamp "20150911071250" and the hash "9c1c2581ad6501c9a8a36920043856d46ec19c20". Likely regression window: https://hg.mozilla.org/integration/mozilla-inbound/pushloghtml?fromchange=9394c5f63b56b784dcdb9f70fa0b7f428bdf4d8c&tochange=9c1c2581ad6501c9a8a36920043856d46ec19c20
|
||
Updated•9 years ago
|
Attachment #8661248 -
Flags: review?(bhackett1024) → review+
|
|
||
Updated•9 years ago
|
Whiteboard: [fuzzblocker] [jsbugmon:update] → [fuzzblocker] [jsbugmon:]
|
|
||
Comment 4•9 years ago
|
||
JSBugMon: Cannot process bug: Unable to automatically reproduce, please track manually.
https://hg.mozilla.org/mozilla-central/rev/132419105b7d
Status: NEW → RESOLVED
Closed: 9 years ago
Resolution: --- → FIXED
Target Milestone: --- → mozilla43
You need to log in
before you can comment on or make changes to this bug.
Description
•