Closed
Bug 1287399
Opened 9 years ago
Closed 9 years ago
Assertion failure: js::CurrentThreadCanAccessRuntime(runtime_), at dist/include/js/HeapAPI.h:145
Categories
(Core :: JavaScript Engine, defect)
Tracking
RESOLVED
FIXED
mozilla50
| Tracking | Status
---|---|---
firefox47 | --- | unaffected
firefox48 | --- | unaffected
firefox49 | --- | unaffected
firefox50 | --- | fixed
People
(Reporter: decoder, Assigned: terrence)
References
Details
(Keywords: assertion, regression, testcase, Whiteboard: [jsbugmon:update])
Attachments
(1 file)
3.55 KB, patch (jonco: review+)
The following testcase crashes on mozilla-central revision 711963e8daa3 (build with --enable-posix-nspr-emulation --enable-valgrind --enable-gczeal --disable-tests --enable-debug --enable-optimize, run with --fuzzing-safe):
var lfGlobal = newGlobal();
gczeal(4);
for (lfLocal in this) {}
lfGlobal.offThreadCompileScript(`
var desc = {
value: 'bar',
value: false,
};
`);
Backtrace:
received signal SIGSEGV, Segmentation fault.
#0 0x0000000000cd1ad8 in JS::shadow::Zone::runtimeFromMainThread (this=this@entry=0x7ffff6988000) at dist/include/js/HeapAPI.h:145
#1 js::RuntimeFromMainThreadIsHeapMajorCollecting (shadowZone=shadowZone@entry=0x7ffff6988000) at js/src/gc/Barrier.cpp:46
#2 0x00000000004a781a in js::gc::TenuredCell::writeBarrierPre (thing=0x7fffeee3f280) at js/src/gc/Heap.h:1317
#3 0x0000000000464561 in js::DispatchTyped<js::PreBarrierFunctor<JS::Value>>(js::PreBarrierFunctor<JS::Value>, JS::Value const&) (f=..., val=...) at /srv/jenkins/jobs/mozilla-central-build-jsshell/workspace/arch/64/compiler/gcc/sanitizer/none/type/debug/dist/include/js/Value.h:1912
#4 0x00000000004bf8ba in js::InternalBarrierMethods<JS::Value>::preBarrier (v=...) at js/src/gc/Barrier.h:290
#5 js::WriteBarrieredBase<JS::Value>::pre (this=<optimized out>) at js/src/gc/Barrier.h:379
#6 js::HeapSlot::set (v=..., slot=0, kind=js::HeapSlot::Slot, owner=0x7fffeee4c0d0, this=<optimized out>) at js/src/gc/Barrier.h:692
#7 js::NativeObject::setSlot (this=0x7fffeee4c0d0, slot=0, value=...) at js/src/vm/NativeObject.h:827
#8 0x0000000000ad4e45 in js::NativeObject::setSlotWithType (overwriting=false, value=..., shape=0x7fffeee58ad8, cx=0x7ffff303a730, this=0x7fffeee4c0d0) at js/src/vm/NativeObject-inl.h:281
#9 UpdateShapeTypeAndValue (cx=cx@entry=0x7ffff303a730, obj=obj@entry=..., shape=shape@entry=..., value=...) at js/src/vm/NativeObject.cpp:1050
#10 0x0000000000ad6916 in AddOrChangeProperty (cx=cx@entry=0x7ffff303a730, obj=obj@entry=..., id=id@entry=..., desc=...) at js/src/vm/NativeObject.cpp:1169
#11 0x0000000000ad8160 in js::NativeDefineProperty (cx=cx@entry=0x7ffff303a730, obj=..., id=..., desc_=..., result=...) at js/src/vm/NativeObject.cpp:1387
#12 0x0000000000ad8bdb in js::NativeDefineProperty (cx=cx@entry=0x7ffff303a730, obj=..., obj@entry=..., id=..., id@entry=..., value=..., value@entry=..., getter=getter@entry=0x0, setter=setter@entry=0x0, attrs=1, result=...) at js/src/vm/NativeObject.cpp:1550
#13 0x0000000000ad931e in js::NativeDefineProperty (getter=0x0, setter=0x0, attrs=1, value=..., id=..., obj=..., cx=0x7ffff303a730) at js/src/vm/NativeObject.cpp:1587
#14 AddPlainObjectProperties (cx=cx@entry=0x7ffff303a730, obj=..., obj@entry=..., properties=properties@entry=0x7ffff69b55c0, nproperties=nproperties@entry=2) at js/src/vm/ObjectGroup.cpp:1152
#15 0x0000000000ad94ec in js::NewPlainObjectWithProperties (cx=cx@entry=0x7ffff303a730, properties=0x7ffff69b55c0, nproperties=nproperties@entry=2, newKind=<optimized out>) at js/src/vm/ObjectGroup.cpp:1165
#16 0x0000000000ad998b in js::ObjectGroup::newPlainObject (cx=cx@entry=0x7ffff303a730, properties=0x7ffff69b55c0, nproperties=2, newKind=newKind@entry=js::SingletonObject) at js/src/vm/ObjectGroup.cpp:1176
#17 0x0000000000cae24c in js::frontend::ParseNode::getConstantValue (this=this@entry=0x7ffff69ad2c8, cx=0x7ffff303a730, allowObjects=allowObjects@entry=js::frontend::ParseNode::AllowObjects, vp=..., vp@entry=..., compare=compare@entry=0x0, ncompare=ncompare@entry=0, newKind=js::SingletonObject) at js/src/frontend/BytecodeEmitter.cpp:5045
#18 0x0000000000caeb41 in js::frontend::BytecodeEmitter::emitSingletonInitialiser (this=this@entry=0x7ffff58a2a00, pn=pn@entry=0x7ffff69ad2c8) at js/src/frontend/BytecodeEmitter.cpp:5067
#19 0x0000000000cc2c6b in js::frontend::BytecodeEmitter::emitObject (this=this@entry=0x7ffff58a2a00, pn=pn@entry=0x7ffff69ad2c8) at js/src/frontend/BytecodeEmitter.cpp:8199
#20 0x0000000000cb210b in js::frontend::BytecodeEmitter::emitTree (this=this@entry=0x7ffff58a2a00, pn=pn@entry=0x7ffff69ad2c8, emitLineNote=emitLineNote@entry=js::frontend::BytecodeEmitter::EMIT_LINENOTE) at js/src/frontend/BytecodeEmitter.cpp:9065
#21 0x0000000000cb7151 in js::frontend::BytecodeEmitter::emitSingleVariable (this=0x7ffff58a2a00, pn=<optimized out>, binding=0x7ffff69ad290, initializer=0x7ffff69ad2c8, emitOption=js::frontend::InitializeVars) at js/src/frontend/BytecodeEmitter.cpp:4670
#22 0x0000000000cbc101 in js::frontend::BytecodeEmitter::emitVariables (this=this@entry=0x7ffff58a2a00, pn=pn@entry=0x7ffff69ad258, emitOption=emitOption@entry=js::frontend::InitializeVars) at js/src/frontend/BytecodeEmitter.cpp:4620
#23 0x0000000000cb1ded in js::frontend::BytecodeEmitter::emitTree (this=this@entry=0x7ffff58a2a00, pn=pn@entry=0x7ffff69ad258, emitLineNote=emitLineNote@entry=js::frontend::BytecodeEmitter::EMIT_LINENOTE) at js/src/frontend/BytecodeEmitter.cpp:9002
#24 0x0000000000cc07be in js::frontend::BytecodeEmitter::emitStatementList (this=0x7ffff58a2a00, pn=<optimized out>) at js/src/frontend/BytecodeEmitter.cpp:7209
#25 0x0000000000cb214b in js::frontend::BytecodeEmitter::emitTree (this=0x7ffff58a2a00, pn=0x7ffff69ad220, emitLineNote=<optimized out>) at js/src/frontend/BytecodeEmitter.cpp:8836
#26 0x0000000000cb3705 in BytecodeCompiler::compileScript (this=this@entry=0x7ffff58a1d50, scopeChain=..., scopeChain@entry=..., evalCaller=evalCaller@entry=...) at js/src/frontend/BytecodeCompiler.cpp:539
#27 0x0000000000cb3b17 in js::frontend::CompileScript (cx=<optimized out>, alloc=alloc@entry=0x7ffff69f3248, scopeChain=scopeChain@entry=..., enclosingStaticScope=..., enclosingStaticScope@entry=..., evalCaller=evalCaller@entry=..., options=..., srcBuf=..., source_=0x0, extraSct=0x0, sourceObjectOut=0x7ffff69f32f0) at js/src/frontend/BytecodeCompiler.cpp:742
#28 0x0000000000a84f7e in js::ScriptParseTask::parse (this=0x7ffff69f3160) at js/src/vm/HelperThreads.cpp:277
#29 0x0000000000a8aa51 in js::HelperThread::handleParseWorkload (this=this@entry=0x7ffff696ec00, locked=...) at js/src/vm/HelperThreads.cpp:1527
#30 0x0000000000a8d281 in js::HelperThread::threadLoop (this=0x7ffff696ec00) at js/src/vm/HelperThreads.cpp:1717
#31 0x0000000000ab9ab1 in nspr::Thread::ThreadRoutine (arg=0x7ffff69411a0) at js/src/vm/PosixNSPR.cpp:45
#32 0x00007ffff7bc16fa in start_thread (arg=0x7ffff58a3700) at pthread_create.c:333
#33 0x00007ffff6c38b5d in clone () at ../sysdeps/unix/sysv/linux/x86_64/clone.S:109
rip 0xcd1ad8 <js::RuntimeFromMainThreadIsHeapMajorCollecting(JS::shadow::Zone*)+72>
=> 0xcd1ad8 <js::RuntimeFromMainThreadIsHeapMajorCollecting(JS::shadow::Zone*)+72>: movl $0x0,0x0
0xcd1ae3 <js::RuntimeFromMainThreadIsHeapMajorCollecting(JS::shadow::Zone*)+83>: ud2
Not sure if this is a shell-only thing, marking s-s to be safe. This could also be the same issue as bug 1287395 but stacks and test case differ slightly.
Updated•9 years ago
Whiteboard: [jsbugmon:update,bisect] → [jsbugmon:update]
Comment 1•9 years ago
JSBugMon: Bisection requested, result:
autoBisect shows this is probably related to the following changeset:
The first bad revision is:
changeset: https://hg.mozilla.org/mozilla-central/rev/0ca871e39a20
user: Jan de Mooij
date: Wed Jun 22 09:47:52 2016 +0200
summary: Bug 1279295 - Create the runtime's JSContext when we create the runtime. r=luke
This iteration took 2.373 seconds to run.
Jan, is bug 1279295 a likely regressor?
Blocks: 1279295
Flags: needinfo?(jdemooij)
Comment 3•9 years ago
Hm, Terrence this looks similar to the other bug you fixed in this area last week?
Flags: needinfo?(jdemooij) → needinfo?(terrence)
Assignee
Comment 4•9 years ago
Similar, but in the pre-barrier instead of in the read-barrier. I'll take it.
Assignee: nobody → terrence
Flags: needinfo?(terrence)
Assignee
Comment 5•9 years ago
This is not sec sensitive. The barriers are caused by having the pre-barrier verifier enabled and would not happen outside that configuration.
Group: javascript-core-security
Assignee
Comment 6•9 years ago
This is really ugly. The pre-barrier verifier captures a full-heap snapshot at the beginning, turns on all barriers and runs the mutator, then collects a second heap snapshot at the end and verifies that the barriers captured a superset of the new required edges. This process turns on barriers for all zones excluding OMT parse zones, but not excluding the atoms zone. Normally we just ensure that we never need barriers when running OMT parse tasks. We can't take that tack here because we verify at all times when we're not GCing, so we'd never be able to do OMT parsing. This would lose us our test coverage in this configuration and I think deadlock us as well -- I don't think that the system currently allows OMT parse tasks to be blocked forever. The only other option I see is to add a nasty check to the barrier itself. Note that the edges we're hitting here are just normal slots that happen to contain atoms, so I don't think blocking higher is going to work.
To summarize, we'd need to substantially re-architect the pre-barrier verifier, the OMT parse task handling, or hack yet one more test into the barrier. I've done the last for now.
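To make the snapshot-and-check logic of comment 6 and the OMT-parse corner case concrete, here is an added toy model in C++ (my own illustration, not SpiderMonkey's code): barrier enablement follows the overwritten target's zone, OMT parse zones are left out of the snapshot, and the thread check inside the barrier is an assumed shape of the fix, not the patch's actual code.

```cpp
#include <map>
#include <set>
#include <string>
#include <utility>
// Toy model (my assumption, not SpiderMonkey code) of the verifier described in comment 6.
enum class Zone { Main, Atoms, OffThreadParse };
using Edge = std::pair<std::string, std::string>;  // owner object -> target object
struct Heap {
    std::map<std::string, Zone> zoneOf;                        // object -> zone it lives in
    std::map<std::string, std::map<int, std::string>> slots;   // object -> slot -> target
};
struct PreBarrierVerifier {
    std::set<Edge> startEdges;              // full-heap snapshot taken when verification starts
    std::set<std::string> reported;         // old targets the pre-barriers recorded during the run
    bool barrierRanOnHelperThread = false;  // stands in for the CurrentThreadCanAccessRuntime assertion
    // Snapshot every edge the verifier can see; it does not walk OMT parse zones.
    static std::set<Edge> edges(const Heap& h) {
        std::set<Edge> out;
        for (const auto& o : h.slots)
            if (h.zoneOf.at(o.first) != Zone::OffThreadParse)
                for (const auto& kv : o.second) out.emplace(o.first, kv.second);
        return out;
    }
    void start(const Heap& h) { startEdges = edges(h); reported.clear(); }
    // Pre-barrier on the overwritten value. Enablement follows the target's zone, so an OMT-parse
    // slot holding an atom still fires: the atoms zone is never excluded (the bug in this report).
    void preBarrier(const Heap& h, const std::string& oldTarget, bool onHelperThread, bool checkThread) {
        if (h.zoneOf.at(oldTarget) == Zone::OffThreadParse) return;
        if (onHelperThread) {
            if (checkThread) return;           // extra test in the barrier (assumed shape of the fix)
            barrierRanOnHelperThread = true;   // the real barrier asserts here instead
        }
        reported.insert(oldTarget);
    }
    // End of run: every snapshot edge that disappeared must have been reported by a barrier.
    bool verify(const Heap& h) const {
        std::set<Edge> now = edges(h);
        for (const Edge& e : startEdges)
            if (!now.count(e) && !reported.count(e.second)) return false;
        return true;
    }
};
// A slot write as the mutator performs it: barrier the old value, then store the new one.
void setSlot(Heap& h, PreBarrierVerifier& v, const std::string& owner, int idx,
             const std::string& target, bool onHelperThread, bool checkThread = false) {
    auto it = h.slots[owner].find(idx);
    if (it != h.slots[owner].end()) v.preBarrier(h, it->second, onHelperThread, checkThread);
    h.slots[owner][idx] = target;
}
```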
Assignee
Comment 7•9 years ago
Attachment #8772158 -
Flags: review?(jcoppeard)
Assignee
Comment 8•9 years ago
Comment 9•9 years ago
Comment on attachment 8772158 [details] [diff] [review]
fuzz_1287399-v0.diff
Review of attachment 8772158 [details] [diff] [review]:
It's behind an ifdef so it's not too bad.
Attachment #8772158 -
Flags: review?(jcoppeard) → review+
Assignee
Comment 10•9 years ago
https://hg.mozilla.org/integration/mozilla-inbound/rev/41dafbfe894fceca7a2e464edced4d10e1bcdd77
Bug 1287399 - Allow the pre-barrier verifier to work in the presence of OMT parsing; r=jonco
Comment 11•9 years ago
bugherder
Status: NEW → RESOLVED
Closed: 9 years ago
Resolution: --- → FIXED
Target Milestone: --- → mozilla50
Updated•9 years ago
status-firefox47:
--- → unaffected
status-firefox48:
--- → unaffected
status-firefox49:
--- → unaffected
Version: Trunk → 50 Branch
Updated•9 years ago
Version: 50 Branch → Trunk