Closed
Bug 1287395
Opened 9 years ago
Closed 9 years ago
Assertion failure: js::CurrentThreadCanAccessRuntime(runtime_), at dist/include/js/HeapAPI.h:145 with asm.js in off-thread script
Categories
(Core :: JavaScript Engine, defect)
Tracking
RESOLVED
DUPLICATE
of bug 1287399
People
(Reporter: decoder, Unassigned)
References
Details
(Keywords: assertion, regression, testcase, Whiteboard: [jsbugmon:update,ignore])
The following testcase crashes on mozilla-central revision 711963e8daa3 (build with --enable-posix-nspr-emulation --enable-valgrind --enable-gczeal --disable-tests --enable-debug --enable-optimize, run with --fuzzing-safe --ion-eager):
gczeal(4);
var lfGlobal = newGlobal();
for (lfLocal in this) {}
lfGlobal.offThreadCompileScript(`
function AsmModule(stdlib, foreign, heap) {
"use asm";
function doTest() {}
function test() {}
}
`);
Backtrace:
received signal SIGSEGV, Segmentation fault.
#0 0x0000000000cd1ad8 in JS::shadow::Zone::runtimeFromMainThread (this=0x7ffff6988000, this@entry=0x0) at dist/include/js/HeapAPI.h:145
#1 js::RuntimeFromMainThreadIsHeapMajorCollecting (shadowZone=shadowZone@entry=0x7ffff6988000) at js/src/gc/Barrier.cpp:46
#2 0x00000000005598a0 in js::gc::TenuredCell::writeBarrierPre (thing=<optimized out>) at js/src/gc/Heap.h:1317
#3 JSString::writeBarrierPre (thing=<optimized out>) at js/src/vm/String.h:526
#4 js::InternalBarrierMethods<JSAtom*>::preBarrier (v=<optimized out>) at js/src/gc/Barrier.h:268
#5 js::WriteBarrieredBase<JSAtom*>::pre (this=<optimized out>) at js/src/gc/Barrier.h:379
#6 js::GCPtr<JSAtom*>::set (v=<synthetic pointer>, this=<optimized out>) at js/src/gc/Barrier.h:464
#7 js::GCPtr<JSAtom*>::operator= (p=<synthetic pointer>, this=<optimized out>) at js/src/gc/Barrier.h:456
#8 JSFunction::setAtom (atom=0x7ffff7e1ce50, this=<optimized out>) at js/src/jsfun.h:327
#9 ParseFunction (m=..., fnOut=fnOut@entry=0x7ffff4a97bf0, line=line@entry=0x7ffff4a97bdc) at js/src/asmjs/AsmJS.cpp:6942
#10 0x0000000000559f6c in CheckFunction (m=...) at js/src/asmjs/AsmJS.cpp:6981
#11 0x000000000055d601 in CheckFunctions (m=...) at js/src/asmjs/AsmJS.cpp:7053
#12 CheckModule (cx=cx@entry=0x7ffff303a730, parser=..., stmtList=stmtList@entry=0x7ffff32f67f8, time=time@entry=0x7ffff4a99c20) at js/src/asmjs/AsmJS.cpp:7262
#13 0x000000000055f759 in js::CompileAsmJS (cx=0x7ffff303a730, parser=..., stmtList=stmtList@entry=0x7ffff32f67f8, validated=validated@entry=0x7ffff4a99d97) at js/src/asmjs/AsmJS.cpp:8527
#14 0x0000000000498d13 in js::frontend::Parser<js::frontend::FullParseHandler>::asmJS (this=this@entry=0x7ffff4a9b3c0, list=list@entry=0x7ffff32f67f8) at js/src/frontend/Parser.cpp:3450
#15 0x00000000004abc40 in js::frontend::Parser<js::frontend::FullParseHandler>::maybeParseDirective (this=this@entry=0x7ffff4a9b3c0, list=list@entry=0x7ffff32f67f8, pn=pn@entry=0x7ffff32f6868, cont=cont@entry=0x7ffff4a99e0b) at js/src/frontend/Parser.cpp:3524
#16 0x00000000004d7b08 in js::frontend::Parser<js::frontend::FullParseHandler>::statements (this=this@entry=0x7ffff4a9b3c0, yieldHandling=yieldHandling@entry=js::frontend::YieldIsName) at js/src/frontend/Parser.cpp:3590
#17 0x00000000004da953 in js::frontend::Parser<js::frontend::FullParseHandler>::functionBody (this=this@entry=0x7ffff4a9b3c0, inHandling=inHandling@entry=js::frontend::InAllowed, yieldHandling=yieldHandling@entry=js::frontend::YieldIsName, kind=kind@entry=js::frontend::Statement, type=type@entry=js::frontend::Parser<js::frontend::FullParseHandler>::StatementListBody) at js/src/frontend/Parser.cpp:1371
#18 0x00000000004dacf9 in js::frontend::Parser<js::frontend::FullParseHandler>::functionArgsAndBodyGeneric (this=this@entry=0x7ffff4a9b3c0, inHandling=inHandling@entry=js::frontend::InAllowed, yieldHandling=yieldHandling@entry=js::frontend::YieldIsName, pn=pn@entry=0x7ffff32f6258, fun=fun@entry=..., kind=kind@entry=js::frontend::Statement) at js/src/frontend/Parser.cpp:3218
#19 0x00000000004a3a65 in js::frontend::Parser<js::frontend::FullParseHandler>::functionArgsAndBody (this=this@entry=0x7ffff4a9b3c0, inHandling=inHandling@entry=js::frontend::InAllowed, pn=0x7ffff32f6258, fun=..., kind=kind@entry=js::frontend::Statement, generatorKind=generatorKind@entry=js::NotGenerator, inheritedDirectives=..., newDirectives=0x7ffff4a9a4a0) at js/src/frontend/Parser.cpp:3022
#20 0x00000000004ce138 in js::frontend::Parser<js::frontend::FullParseHandler>::functionDef (this=this@entry=0x7ffff4a9b3c0, inHandling=inHandling@entry=js::frontend::InAllowed, yieldHandling=yieldHandling@entry=js::frontend::YieldIsName, funName=..., funName@entry=..., kind=kind@entry=js::frontend::Statement, generatorKind=<optimized out>, invoked=js::frontend::Parser<js::frontend::FullParseHandler>::PredictUninvoked, assignmentForAnnexBOut=0x7ffff4a9a628) at js/src/frontend/Parser.cpp:2850
#21 0x00000000004ce4ed in js::frontend::Parser<js::frontend::FullParseHandler>::functionStmt (this=this@entry=0x7ffff4a9b3c0, yieldHandling=yieldHandling@entry=js::frontend::YieldIsName, defaultHandling=defaultHandling@entry=js::frontend::NameRequired) at js/src/frontend/Parser.cpp:3319
#22 0x00000000004d77dd in js::frontend::Parser<js::frontend::FullParseHandler>::statement (this=this@entry=0x7ffff4a9b3c0, yieldHandling=yieldHandling@entry=js::frontend::YieldIsName, canHaveDirectives=<optimized out>) at js/src/frontend/Parser.cpp:7549
#23 0x00000000004d7a9c in js::frontend::Parser<js::frontend::FullParseHandler>::statements (this=this@entry=0x7ffff4a9b3c0, yieldHandling=yieldHandling@entry=js::frontend::YieldIsName) at js/src/frontend/Parser.cpp:3568
#24 0x00000000004a60e0 in js::frontend::Parser<js::frontend::FullParseHandler>::globalBody (this=0x7ffff4a9b3c0) at js/src/frontend/Parser.cpp:1113
#25 0x0000000000cb345b in BytecodeCompiler::compileScript (this=this@entry=0x7ffff4a9ad50, scopeChain=..., scopeChain@entry=..., evalCaller=..., evalCaller@entry=...) at js/src/frontend/BytecodeCompiler.cpp:531
#26 0x0000000000cb3b17 in js::frontend::CompileScript (cx=<optimized out>, alloc=alloc@entry=0x7ffff69f3248, scopeChain=scopeChain@entry=..., enclosingStaticScope=..., enclosingStaticScope@entry=..., evalCaller=evalCaller@entry=..., options=..., srcBuf=..., source_=0x0, extraSct=0x0, sourceObjectOut=0x7ffff69f32f0) at js/src/frontend/BytecodeCompiler.cpp:742
#27 0x0000000000a84f7e in js::ScriptParseTask::parse (this=0x7ffff69f3160) at js/src/vm/HelperThreads.cpp:277
#28 0x0000000000a8aa51 in js::HelperThread::handleParseWorkload (this=this@entry=0x7ffff696fa00, locked=...) at js/src/vm/HelperThreads.cpp:1527
#29 0x0000000000a8d281 in js::HelperThread::threadLoop (this=0x7ffff696fa00) at js/src/vm/HelperThreads.cpp:1717
#30 0x0000000000ab9ab1 in nspr::Thread::ThreadRoutine (arg=0x7ffff6941280) at js/src/vm/PosixNSPR.cpp:45
#31 0x00007ffff7bc16fa in start_thread (arg=0x7ffff4a9c700) at pthread_create.c:333
#32 0x00007ffff6c38b5d in clone () at ../sysdeps/unix/sysv/linux/x86_64/clone.S:109
rax 0x0 0
rbx 0x7ffff6988000 140737330577408
rcx 0x7ffff6c28a2d 140737333332525
rdx 0x0 0
rsi 0x7ffff6ef7770 140737336276848
rdi 0x7ffff6ef6540 140737336272192
rbp 0x7ffff4a97650 140737298134608
rsp 0x7ffff4a97640 140737298134592
r8 0x7ffff6ef7770 140737336276848
r9 0x7ffff4a9c700 140737298155264
r10 0x58 88
r11 0x7ffff6b9f750 140737332770640
r12 0x7ffff4a98150 140737298137424
r13 0x7ffff4a976d0 140737298134736
r14 0x0 0
r15 0x7ffff7e1ce50 140737352158800
rip 0xcd1ad8 <js::RuntimeFromMainThreadIsHeapMajorCollecting(JS::shadow::Zone*)+72>
=> 0xcd1ad8 <js::RuntimeFromMainThreadIsHeapMajorCollecting(JS::shadow::Zone*)+72>: movl $0x0,0x0
0xcd1ae3 <js::RuntimeFromMainThreadIsHeapMajorCollecting(JS::shadow::Zone*)+83>: ud2
Not sure if this only affects the shell, marking s-s for now to be safe.
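Added illustration, not code from this bug or from SpiderMonkey: a small C model of what the failed assertion js::CurrentThreadCanAccessRuntime(runtime_) is guarding. In the backtrace, the pre-write barrier (frame #2, RuntimeFromMainThreadIsHeapMajorCollecting) reaches the runtime through JS::shadow::Zone::runtimeFromMainThread, an accessor that is only valid on the thread owning the runtime, yet it is reached from a helper thread (frames #27-#30) because asm.js validation of the off-thread script stores a function name atom through a barriered GCPtr. The Runtime and Zone structs, their field names and the helper-thread function below are assumptions for the model; the model returns -1 where the real code asserts and aborts, so the two outcomes can be compared.

```c
#include <pthread.h>
#include <stdbool.h>
#include <stdint.h>
#include <stdio.h>

/* Assumption (model only): a runtime remembers the thread that created it,
 * and some of its state, here "is a major GC in progress", may only be read
 * from that thread. Names mirror the backtrace, not SpiderMonkey's layout. */
typedef struct {
    pthread_t owner_thread;
    int heap_major_collecting;   /* main-thread-only state read by the pre-barrier */
} Runtime;

typedef struct {
    Runtime *runtime_;
} Zone;

static bool current_thread_can_access_runtime(const Runtime *rt) {
    return pthread_equal(pthread_self(), rt->owner_thread) != 0;
}

/* Returns 0 and sets *out on the owner thread; returns -1 from any other
 * thread. The real accessor asserts here; this model reports instead. */
static int runtime_from_main_thread(Zone *zone, Runtime **out) {
    if (!current_thread_can_access_runtime(zone->runtime_))
        return -1;
    *out = zone->runtime_;
    return 0;
}

/* Pre-write barrier: decides whether a GC-pointer store must be recorded.
 * Returns the barrier's verdict (0 or 1), or -1 if run from the wrong thread. */
static int write_barrier_pre(Zone *zone) {
    Runtime *rt;
    if (runtime_from_main_thread(zone, &rt) != 0)
        return -1;
    return rt->heap_major_collecting;
}

static void *helper_thread_main(void *arg) {
    /* Off-thread parse path: storing a function's name atom runs the barrier here. */
    return (void *)(intptr_t)write_barrier_pre((Zone *)arg);
}

/* Barrier executed on the thread that owns the runtime: permitted, returns 0. */
int barrier_on_main_thread(void) {
    Runtime rt = { .owner_thread = pthread_self(), .heap_major_collecting = 0 };
    Zone zone = { .runtime_ = &rt };
    return write_barrier_pre(&zone);
}

/* Same barrier executed on a helper thread: the ownership check trips (-1).
 * Returns -2 if the helper thread could not be created. */
int barrier_on_helper_thread(void) {
    Runtime rt = { .owner_thread = pthread_self(), .heap_major_collecting = 0 };
    Zone zone = { .runtime_ = &rt };
    pthread_t helper;
    void *result;
    if (pthread_create(&helper, NULL, helper_thread_main, &zone) != 0)
        return -2;
    pthread_join(helper, &result);
    return (int)(intptr_t)result;
}

int main(void) {
    printf("barrier on owning thread: %d\n", barrier_on_main_thread());
    printf("barrier on helper thread: %d\n", barrier_on_helper_thread());
    return 0;
}
```

The point of the check is what happens without it: the assertion only exists in debug builds, so in a release build the helper thread would read the owning thread's GC state with no synchronisation, a data race inside the GC rather than a clean abort. That is why a report like this is kept security-sensitive until it is understood, as the reporter did above.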
Updated•9 years ago
Whiteboard: [jsbugmon:update,bisect] → [jsbugmon:update]
Comment 1•9 years ago
JSBugMon: Bisection requested, result:
autoBisect shows this is probably related to the following changeset:
The first bad revision is:
changeset: https://hg.mozilla.org/mozilla-central/rev/0ca871e39a20
user: Jan de Mooij
date: Wed Jun 22 09:47:52 2016 +0200
summary: Bug 1279295 - Create the runtime's JSContext when we create the runtime. r=luke
This iteration took 0.766 seconds to run.
Jan, is bug 1279295 a likely regressor?
Blocks: 1279295
Flags: needinfo?(jdemooij)
Updated•9 years ago
Whiteboard: [jsbugmon:update] → [jsbugmon:update,ignore]
Comment 3•9 years ago
JSBugMon: The testcase found in this bug no longer reproduces (tried revision ed8e23b5e0c7).
Terrence, is the patch in bug 1287399 a possible fix for this too? (or is this a dupe?)
Flags: needinfo?(terrence)
Comment 5•9 years ago
(In reply to Gary Kwong [:gkw] [:nth10sd] from comment #4)
> Terrence, is the patch in bug 1287399 a possible fix for this too? (or is
> this a dupe?)
It is a dupe.
Group: javascript-core-security
Status: NEW → RESOLVED
Closed: 9 years ago
Flags: needinfo?(terrence)
Flags: needinfo?(jdemooij)
Resolution: --- → DUPLICATE
Updated•9 years ago
|
status-firefox50:
affected → ---