Bug 1296016 (Closed)
Assertion failure: CurrentThreadCanAccessRuntime(this), at js/src/jscntxt.h:829
Opened 8 years ago, closed 8 years ago
Categories: Core :: JavaScript Engine, defect
Status: RESOLVED FIXED, mozilla51
Version | Tracking | Status |
---|---|---|
firefox48 | --- | unaffected |
firefox49 | --- | unaffected |
firefox50 | --- | unaffected |
firefox51 | --- | fixed |
People: Reporter: decoder, Assigned: jonco
Details: 4 keywords, Whiteboard: [jsbugmon:update,bisect]
Attachments: 1 file (9.24 KB, patch; jandem: review+)
The following testcase crashes on mozilla-central revision fe895421dfbe (build with --enable-posix-nspr-emulation --enable-valgrind --enable-gczeal --disable-tests --enable-debug --enable-optimize, run with --fuzzing-safe):
offThreadCompileScript(``);
evalInWorker(`
newGlobal[4]
| runOffThreadScript(true, true) ^ (this)
`);
Backtrace:
received signal SIGSEGV, Segmentation fault.
[Switching to Thread 0x7ffff01ff700 (LWP 8420)]
0x0000000000947300 in JSRuntime::contextFromMainThread (this=0x7ffff695f1e8) at js/src/jscntxt.h:829
#0 0x0000000000947300 in JSRuntime::contextFromMainThread (this=0x7ffff695f1e8) at js/src/jscntxt.h:829
#1 0x000000000093b062 in JSCompartment::contextFromMainThread (this=0x7ffff6939800) at js/src/jscompartment.h:387
#2 js::gc::MergeCompartments (source=0x7ffff6939800, target=target@entry=0x7ffff693d800) at js/src/jsgc.cpp:6600
#3 0x0000000000a8d609 in js::GlobalHelperThreadState::mergeParseTaskCompartment (this=this@entry=0x7ffff694f800, cx=cx@entry=0x7ffff69c4000, parseTask=0x7ffff0224730, global=..., global@entry=..., dest=0x7ffff693d800) at js/src/vm/HelperThreads.cpp:1276
#4 0x0000000000a98c7a in js::GlobalHelperThreadState::finishParseTask (this=0x7ffff694f800, cx=cx@entry=0x7ffff69c4000, kind=kind@entry=js::ParseTaskKind::Script, token=<optimized out>) at js/src/vm/HelperThreads.cpp:1140
#5 0x0000000000a98fde in js::GlobalHelperThreadState::finishScriptParseTask (this=<optimized out>, cx=cx@entry=0x7ffff69c4000, token=<optimized out>) at js/src/vm/HelperThreads.cpp:1179
#6 0x00000000008c02dd in JS::FinishOffThreadScript (cx=cx@entry=0x7ffff69c4000, token=<optimized out>) at js/src/jsapi.cpp:4075
#7 0x0000000000452ea6 in runOffThreadScript (cx=cx@entry=0x7ffff69c4000, argc=<optimized out>, vp=0x7ffff0290098) at js/src/shell/js.cpp:3957
#8 0x0000000000ae1d19 in js::CallJSNative (cx=cx@entry=0x7ffff69c4000, native=0x452da0 <runOffThreadScript(JSContext*, unsigned int, JS::Value*)>, args=...) at js/src/jscntxtinlines.h:235
[...]
#21 0x00007ffff6c38b5d in clone () at ../sysdeps/unix/sysv/linux/x86_64/clone.S:109
Updated • 8 years ago
status-firefox48: --- → unaffected
status-firefox49: --- → unaffected
status-firefox50: --- → unaffected
Comment 1 (Assignee) • 8 years ago
The off thread compilation state is currently stored in a global variable so it is shared between the main context and worker contexts. The patch moves it to the shell context instead.
Assignee: nobody → jcoppeard
Attachment #8783959 - Flags: review?(jdemooij)
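A simplified model of the root cause described in comment 1, added here as an illustration; it is not taken from the attached patch or from SpiderMonkey. All types and functions are stand-ins, and the runtime-identity check substitutes for the engine's thread-access assertion.

```cpp
// Simplified model with stand-in names; this is not SpiderMonkey code.
#include <cstdio>

struct Runtime { int id; };  // one JS runtime, owned by exactly one thread

// One pending off-thread compile; remembers the runtime that requested it.
struct OffThreadState {
    const Runtime* requester = nullptr;
    bool start(const Runtime& rt) {
        if (requester) return false;  // a job is already outstanding
        requester = &rt;
        return true;
    }
    const Runtime* take() { const Runtime* r = requester; requester = nullptr; return r; }
};

struct ShellContext {
    Runtime rt;
    OffThreadState* offThread;  // where this context looks for its pending job
};

enum class Finish { Ok, NoJob, WrongRuntime };
// Models runOffThreadScript(): finish whatever job this context can see.
Finish runOffThread(ShellContext& cx) {
    const Runtime* requester = cx.offThread->take();
    if (!requester) return Finish::NoJob;  // nothing to finish in this context
    // Stand-in for the engine's thread-access assertion on the job's runtime.
    return requester == &cx.rt ? Finish::Ok : Finish::WrongRuntime;
}

// Before the fix: one global slot shared by the main and worker contexts.
Finish sharedGlobalState() {
    OffThreadState global;
    ShellContext mainCx{{1}, &global}, workerCx{{2}, &global};
    mainCx.offThread->start(mainCx.rt);  // offThreadCompileScript() on main
    return runOffThread(workerCx);       // worker finishes main's job
}

// After the fix: each context owns its slot.
Finish perContextState(bool finishOnWorker) {
    OffThreadState mainState, workerState;
    ShellContext mainCx{{1}, &mainState}, workerCx{{2}, &workerState};
    mainCx.offThread->start(mainCx.rt);
    return runOffThread(finishOnWorker ? workerCx : mainCx);
}

int main() {
    std::printf("%d %d %d\n", (int)sharedGlobalState(), (int)perContextState(true), (int)perContextState(false));
}
```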
Comment 2 • 8 years ago
Comment on attachment 8783959
bug1296016-shell-off-thread-state
Review of attachment 8783959:
-----------------------------------------------------------------
Nice!
Attachment #8783959 - Flags: review?(jdemooij) → review+
Pushed by jcoppeard@mozilla.com:
https://hg.mozilla.org/integration/mozilla-inbound/rev/4ae164556a2d
Store shell off thread compilation state in ShellContext r=jandem
Comment 4 • 8 years ago
bugherder
Status: NEW → RESOLVED
Closed: 8 years ago
Flags: in-testsuite+
Resolution: --- → FIXED
Target Milestone: --- → mozilla51