Closed Bug 1287063 Opened 3 years ago Closed 3 years ago

Crash [@ js::EnqueuePendingParseTasksAfterGC] or Assertion failure: !waitingOnGC[i]->runtimeMatches(rt), at js/src/vm/HelperThreads.cpp:313

Categories

(Core :: JavaScript Engine, defect, critical)

x86_64
macOS
defect
Not set
critical

Tracking


VERIFIED FIXED
mozilla50
Tracking Status
firefox49 --- unaffected
firefox-esr45 --- unaffected
firefox50 --- verified

People

(Reporter: gkw, Assigned: jandem)

References

(Blocks 1 open bug)

Details

(5 keywords, Whiteboard: [jsbugmon:update,ignore])

Attachments

(2 files)

The following testcase crashes on mozilla-central revision 08f8a5aacd83 (build with --enable-debug --enable-more-deterministic, run with --fuzzing-safe --ion-offthread-compile=off --ion-eager):

schedulegc("");
offThreadCompileScript("");


Backtrace:

0   js-dbg-64-dm-clang-darwin-08f8a5aacd83	0x000000010e95683b js::CancelOffThreadParses(JSRuntime*) + 1163 (HelperThreads.cpp:313)
1   js-dbg-64-dm-clang-darwin-08f8a5aacd83	0x000000010e9e1a7c JSRuntime::destroyRuntime() + 396 (GCRuntime.h:1380)
2   js-dbg-64-dm-clang-darwin-08f8a5aacd83	0x000000010e73aee0 JSContext::~JSContext() + 32 (jscntxt.cpp:886)
3   js-dbg-64-dm-clang-darwin-08f8a5aacd83	0x000000010e72344a js::DestroyContext(JSContext*) + 282 (Utility.h:256)
4   js-dbg-64-dm-clang-darwin-08f8a5aacd83	0x000000010e11e097 main + 13367 (js.cpp:7540)
/snip

For detailed crash information, see attachment.

Crashes [@ js::EnqueuePendingParseTasksAfterGC] on opt builds.

Setting s-s because this seems closely related to bug 1285186. I've tested that this still seems to occur on m-i rev 5a9c26f8bb9d, which seems to contain the fix in that bug, so this issue might not yet be fully resolved.
Assigning sec-high because bug 1285186 is sec-high.

Jan, you were fixing bug 1285186, do you mind looking at this too?
Flags: needinfo?(jdemooij)
Keywords: sec-high
Attached patch: Patch
As discussed, this removes the isGCScheduled check from activeGCInAtomsZone, as it will usually be false.
Assignee: nobody → jdemooij
Status: NEW → ASSIGNED
Flags: needinfo?(jdemooij)
Attachment #8771446 - Flags: review?(jcoppeard)
Attachment #8771446 - Flags: review?(jcoppeard) → review+
Whiteboard: [jsbugmon:update] → [jsbugmon:update,ignore]
JSBugMon: The testcase found in this bug no longer reproduces (tried revision ed8e23b5e0c7).
https://hg.mozilla.org/mozilla-central/rev/be09c9391d44
Status: ASSIGNED → RESOLVED
Closed: 3 years ago
Resolution: --- → FIXED
Target Milestone: --- → mozilla50
Status: RESOLVED → VERIFIED
JSBugMon: This bug has been automatically verified fixed.
Group: javascript-core-security → core-security-release
Blocks: 1283169
Group: core-security-release
Keywords: regression