Closed Bug 1206539 Opened 9 years ago Closed 9 years ago

Assertion failure: js::CurrentThreadCanAccessRuntime(runtime_), at ../../dist/include/js/HeapAPI.h:134

Categories

Product/Component: Core :: JavaScript Engine, defect
Platform: x86_64 Linux
Type: defect
Priority: Not set
Severity: critical

Tracking

Status: RESOLVED FIXED
Tracking Status: firefox43 --- affected

People

(Reporter: decoder, Assigned: lth)

References

(Blocks 1 open bug)

Details

(Keywords: assertion, regression, testcase, Whiteboard: [jsbugmon:update,ignore])

The following testcase crashes on mozilla-central revision ccd6b5f5e544 (build with --enable-optimize --enable-posix-nspr-emulation --enable-valgrind --enable-gczeal --disable-tests --enable-debug, run with --fuzzing-safe --thread-count=2 --ion-check-range-analysis --ion-extra-checks):

    var lfcode = new Array();
    // Replacing push() with loadFile makes each push below compile and run
    // its argument off-thread in a fresh global.
    lfcode.push = loadFile;
    lfcode.push("oomAfterAllocations(50, 4)");
    lfcode.push("var array = [4, 3, 2, 1];");
    lfcode.push("");
    lfcode.push("");
    function loadFile(lfVarx) {
      var lfGlobal = newGlobal();
      lfGlobal.offThreadCompileScript(lfVarx);
      lfGlobal.runOffThreadScript();
    }

Backtrace:

    Program received signal SIGSEGV, Segmentation fault.
    [Switching to Thread 0x7ffff60c5700 (LWP 4291)]
    0x000000000043d6ae in JS::shadow::Zone::runtimeFromMainThread (this=<optimized out>) at ../../dist/include/js/HeapAPI.h:134
    #0  0x000000000043d6ae in JS::shadow::Zone::runtimeFromMainThread (this=<optimized out>) at ../../dist/include/js/HeapAPI.h:134
    #1  0x0000000000635264 in runtimeFromMainThread (this=0x7ffff4703000, this@entry=0x0) at js/src/gc/Zone.h:137
    #2  JS::Zone::onOutOfMemory (this=this@entry=0x7ffff4703000, allocFunc=allocFunc@entry=js::Malloc, nbytes=nbytes@entry=2, reallocPtr=reallocPtr@entry=0x0) at js/src/gc/Zone.h:137
    #3  0x0000000000bb3dcd in pod_malloc<char16_t> (numElems=<optimized out>, this=0x7ffff4703000) at js/src/vm/MallocProvider.h:72
    #4  js::ScriptSource::ensureOwnsSource (this=0x7ffff6922b20, cx=<optimized out>) at js/src/jsscript.cpp:1861
    #5  0x0000000000bb3e99 in js::ScriptSource::setSourceCopy (this=<optimized out>, cx=<optimized out>, srcBuf=..., argumentsNotIncluded=<optimized out>, task=<optimized out>) at js/src/jsscript.cpp:1914
    #6  0x00000000005f3350 in BytecodeCompiler::maybeCompressSource (this=this@entry=0x7ffff60c3df0) at js/src/frontend/BytecodeCompiler.cpp:208
    #7  0x00000000005f8d4f in BytecodeCompiler::createSourceAndParser (this=0x7ffff60c3df0) at js/src/frontend/BytecodeCompiler.cpp:254
    #8  0x00000000006247b6 in BytecodeCompiler::compileScript (this=this@entry=0x7ffff60c3df0, scopeChain=..., scopeChain@entry=..., evalCaller=evalCaller@entry=...) at js/src/frontend/BytecodeCompiler.cpp:540
    #9  0x0000000000624fcb in js::frontend::CompileScript (cx=<optimized out>, alloc=alloc@entry=0x7ffff69e2958, scopeChain=scopeChain@entry=..., enclosingStaticScope=..., enclosingStaticScope@entry=..., evalCaller=evalCaller@entry=..., options=..., srcBuf=..., source_=source_@entry=0x0, extraSct=extraSct@entry=0x0, sourceObjectOut=sourceObjectOut@entry=0x7ffff69e29c8) at js/src/frontend/BytecodeCompiler.cpp:807
    #10 0x0000000000665563 in js::HelperThread::handleParseWorkload (this=this@entry=0x7ffff6933430) at js/src/vm/HelperThreads.cpp:1272
    #11 0x0000000000665ab0 in js::HelperThread::threadLoop (this=0x7ffff6933430) at js/src/vm/HelperThreads.cpp:1463
    #12 0x00000000006b7b31 in nspr::Thread::ThreadRoutine (arg=0x7ffff6931120) at js/src/vm/PosixNSPR.cpp:45
    #13 0x00007ffff7bc4182 in start_thread (arg=0x7ffff60c5700) at pthread_create.c:312
    #14 0x00007ffff6cb3fbd in clone () at ../sysdeps/unix/sysv/linux/x86_64/clone.S:111

Registers:

    rax 0x0                 0
    rbx 0x7ffff4703000      140737294381056
    rcx 0x7ffff6ca53cd      140737333842893
    rdx 0x0                 0
    rsi 0x7ffff6f7a9d0      140737336814032
    rdi 0x7ffff6f791c0      140737336807872
    rbp 0x7ffff60c3910      140737321384208
    rsp 0x7ffff60c3910      140737321384208
    r8  0x7ffff60c5700      140737321391872
    r9  0x656363416e614364  7305792153200968548
    r10 0x7ffff60c36d0      140737321383632
    r11 0x7ffff6c27960      140737333328224
    r12 0x0                 0
    r13 0x2                 2
    r14 0x0                 0
    r15 0x2                 2
    rip 0x43d6ae <JS::shadow::Zone::runtimeFromMainThread() const+28>
    => 0x43d6ae <JS::shadow::Zone::runtimeFromMainThread() const+28>:  movl   $0x86,0x0
       0x43d6b9 <JS::shadow::Zone::runtimeFromMainThread() const+39>:  callq  0x496780 <abort()>
Whiteboard: [jsbugmon:update,bisect] → [jsbugmon:update]
JSBugMon: Bisection requested, result:

=== Treeherder Build Bisection Results by autoBisect ===

The "good" changeset has the timestamp "20150911071052" and the hash "9394c5f63b56b784dcdb9f70fa0b7f428bdf4d8c".
The "bad" changeset has the timestamp "20150911071250" and the hash "9c1c2581ad6501c9a8a36920043856d46ec19c20".

Likely regression window: https://hg.mozilla.org/integration/mozilla-inbound/pushloghtml?fromchange=9394c5f63b56b784dcdb9f70fa0b7f428bdf4d8c&tochange=9c1c2581ad6501c9a8a36920043856d46ec19c20
Whiteboard: [jsbugmon:update] → [jsbugmon:update,ignore]
JSBugMon: The testcase found in this bug no longer reproduces (tried revision 031db40e2b55).
Assignee: nobody → lhansen
Does not repro locally on MBP, crashes reliably in off-thread parser in CrashAtUnhandlableOOM instead. Does not repro with --no-threads or without a thread count either.
The offending code has been fixed: it no longer calls runtimeFromMainThread, but runtimeFromAnyThread.
Status: NEW → RESOLVED
Closed: 9 years ago
Resolution: --- → FIXED
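The accessor pair the fix switches between, as an added illustration that is not SpiderMonkey's code: hypothetical Runtime and Zone types whose member names mirror the backtrace, an owning-thread comparison standing in for js::CurrentThreadCanAccessRuntime, and the OOM handler in its before and after shapes. The helper thread plays the role of the off-thread parse in frames #2 through #10, which reported OOM through the main-thread-only accessor. Two things worth keeping in mind when reading the report: the assertion in the title is a debug-build check (MOZ_ASSERT), so a release build has no such check on this path, and the faulting instruction `movl $0x86,0x0` in the register dump is the deliberate null store MOZ_CRASH performs with the source line as the value (0x86 is 134, the HeapAPI.h line from the title), so the SIGSEGV is the assertion firing, not a stray memory access.

```cpp
// Added example (hypothetical types, not SpiderMonkey code): thread-affinity
// accessors and why OOM reporting on a helper thread must use the unchecked one.
#include <atomic>
#include <cassert>
#include <cstdio>
#include <thread>

// Stand-in for JSRuntime: owned by the thread that created it.
struct Runtime {
    std::thread::id ownerThread;
    std::atomic<int> oomReports{0};  // how many OOM notifications reached the runtime
    Runtime() : ownerThread(std::this_thread::get_id()) {}
};

// Stand-in for js::CurrentThreadCanAccessRuntime(): true only on the owner.
static bool currentThreadCanAccessRuntime(const Runtime* rt) {
    return std::this_thread::get_id() == rt->ownerThread;
}

// Stand-in for JS::Zone. The two accessors return the same pointer; they differ
// only in whether the caller's thread is checked first.
struct Zone {
    Runtime* runtime_;
    explicit Zone(Runtime* rt) : runtime_(rt) {}

    // Main-thread-only: in a debug build of the real engine the failed check
    // becomes the MOZ_ASSERT crash quoted in this bug.
    Runtime* runtimeFromMainThread() const {
        assert(currentThreadCanAccessRuntime(runtime_));
        return runtime_;
    }
    // Safe from any thread: no ownership check.
    Runtime* runtimeFromAnyThread() const { return runtime_; }

    // OOM reporting as it was: silently assumes it runs on the owning thread.
    void onOutOfMemoryBefore() { runtimeFromMainThread()->oomReports++; }
    // OOM reporting after the fix: same work through the any-thread accessor.
    void onOutOfMemoryAfter() { runtimeFromAnyThread()->oomReports++; }
};

// Evaluates the assertion's own condition on a helper thread and returns it,
// so the "before" failure can be observed without aborting the process.
static bool helperThreadPassesMainThreadCheck(const Zone& zone) {
    bool ok = true;
    std::thread helper([&] { ok = currentThreadCanAccessRuntime(zone.runtime_); });
    helper.join();  // join orders the helper's write before our read of ok
    return ok;
}

// Simulates the off-thread parse hitting OOM and reporting it via the fixed
// path. Returns the total number of reports the runtime has seen.
static int reportOomFromHelperThread(Zone& zone) {
    std::thread helper([&] { zone.onOutOfMemoryAfter(); });
    helper.join();
    return zone.runtime_->oomReports.load();
}

int main() {
    Runtime rt;  // owned by this thread, like the shell's main thread
    Zone zone(&rt);
    std::printf("main thread passes check:   %d\n", currentThreadCanAccessRuntime(&rt));
    std::printf("helper thread passes check: %d\n", helperThreadPassesMainThreadCheck(zone));
    std::printf("reports after helper OOM:   %d\n", reportOomFromHelperThread(zone));
    zone.onOutOfMemoryBefore();  // fine here: we are the owning thread
    std::printf("reports after main OOM:     %d\n", rt.oomReports.load());
    return 0;
}
```

The testcase reaches this path only because oomAfterAllocations, a shell-only testing hook, forces the allocation in ScriptSource::ensureOwnsSource to fail on the helper thread; in ordinary operation the OOM branch of an off-thread parse is rarely taken, which is why a thread-affinity assertion can sit on it unnoticed until a fuzzer injects the failure.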