Bug 1285490
Opened 8 years ago
Closed 8 years ago
Crash [@ js::EnqueuePendingParseTasksAfterGC]
Categories
(Core :: JavaScript Engine, defect)
Tracking
RESOLVED
FIXED
mozilla50
Version | Tracking | Status
---|---|---
firefox50 | --- | fixed
People
(Reporter: decoder, Assigned: jandem)
Details
(Keywords: crash, regression, testcase, Whiteboard: [fuzzblocker] [jsbugmon:update])
Crash Data
Attachments
(1 file)
patch (1.21 KB), terrence: review+
The following testcase crashes on mozilla-central revision 4764b9f8e6d4 (build with --enable-posix-nspr-emulation --enable-valgrind --enable-gczeal --disable-tests --disable-debug --without-intl-api --enable-address-sanitizer --disable-jemalloc --enable-optimize=-O2 --target=i686-pc-linux-gnu, run with --fuzzing-safe --ion-offthread-compile=off):

gczeal(4);
offThreadCompileScript(` `);

Backtrace:

==23678==ERROR: AddressSanitizer: SEGV on unknown address 0x000ffffc (pc 0x097f43b2 bp 0xfff8bee8 sp 0xfff8bdc0 T0)
==23678==The signal is caused by a READ memory access.
    #0 0x97f43b1 in js::EnqueuePendingParseTasksAfterGC(JSRuntime*) js/src/gc/Heap.h:1147:34
    #1 0x92ac04c in js::AutoEnqueuePendingParseTasksAfterGC::~AutoEnqueuePendingParseTasksAfterGC() js/src/jsgc.cpp:6334:9
    #2 0x92ac04c in js::gc::GCRuntime::collect(bool, js::SliceBudget, JS::gcreason::Reason) js/src/jsgc.cpp:6329
    #3 0x9278fdc in js::gc::GCRuntime::gc(JSGCInvocationKind, JS::gcreason::Reason) js/src/jsgc.cpp:6356:5
    #4 0x99711e9 in JSRuntime::destroyRuntime() js/src/vm/Runtime.cpp:436:9
    #5 0x9181378 in JSContext::~JSContext() js/src/jscntxt.cpp:896:5
    #6 0x9178686 in void js_delete_poison<JSContext>(JSContext const*) dist/include/js/Utility.h:392:9
    #7 0x9178686 in js::DestroyContext(JSContext*) js/src/jscntxt.cpp:135
    #8 0x90fc5f0 in JS_DestroyRuntime(JSRuntime*) js/src/jsapi.cpp:464:5
    #9 0x81c8a34 in main js/src/shell/js.cpp:7459:5
    #10 0xf72fb636 in __libc_start_main (/lib32/libc.so.6+0x18636)
    #11 0x80abba8 in _start (/home/ubuntu/mozilla-central/js/src/dist/bin/js+0x80abba8)

AddressSanitizer can not provide additional info.
SUMMARY: AddressSanitizer: SEGV js/src/gc/Heap.h:1147:34 in js::EnqueuePendingParseTasksAfterGC(JSRuntime*)
==23678==ABORTING

I thought this bug was fixed but apparently it's not. Marking s-s and fuzzblocker because it involves GC and is highly frequent.
Updated•8 years ago
Whiteboard: [jsbugmon:update,bisect][fuzzblocker] → [fuzzblocker] [jsbugmon:update]
Comment 1•8 years ago
JSBugMon: Bisection requested, result:

autoBisect shows this is probably related to the following changeset:

The first bad revision is:
changeset: https://hg.mozilla.org/mozilla-central/rev/0ca871e39a20
user:      Jan de Mooij
date:      Wed Jun 22 09:47:52 2016 +0200
summary:   Bug 1279295 - Create the runtime's JSContext when we create the runtime. r=luke

This iteration took 177.249 seconds to run.
Updated•8 years ago
Flags: needinfo?(jdemooij)
Comment 2•8 years ago
Here's the patch, as discussed, to make off-thread parsing not be blocked on the pre-barrier verifier.
Assignee: nobody → jdemooij
Status: NEW → ASSIGNED
Flags: needinfo?(jdemooij)
Attachment #8769306 -
Flags: review?(terrence)
Updated•8 years ago
Group: javascript-core-security
Updated•8 years ago
Attachment #8769306 -
Flags: review?(terrence) → review+
Pushed by jandemooij@gmail.com:
https://hg.mozilla.org/integration/mozilla-inbound/rev/0dd733f54a0d
Fix activeGCInAtomsZone to handle the pre-barrier verifier correctly. r=terrence
Comment 4•8 years ago
bugherder
https://hg.mozilla.org/mozilla-central/rev/0dd733f54a0d
Status: ASSIGNED → RESOLVED
Closed: 8 years ago
Resolution: --- → FIXED
Target Milestone: --- → mozilla50
Comment 5•8 years ago
This is still reproducible in low volume on Fx50, based on the last 3 months of crash data.

SIGNATURE   | js::EnqueuePendingParseTasksAfterGC
-------------------------------------------------
CRASH STATS | http://tinyurl.com/jazmcxa
-------------------------------------------------
OVERVIEW    | 0 crashes on nightly 52
            | 0 crashes on nightly 51
            | 0 crashes on aurora 51
            | 0 crashes on nightly 50
            | 0 crashes on aurora 50
            | 3 crashes on beta 50
-------------------------------------------------
LAST CRASH  | 2016-09-24 (on 50.0b1)