Closed Bug 1296016 Opened 8 years ago Closed 8 years ago

Assertion failure: CurrentThreadCanAccessRuntime(this), at js/src/jscntxt.h:829

Categories

(Core :: JavaScript Engine, defect)

x86_64
Linux
defect
Not set
critical

Tracking

()

RESOLVED FIXED
mozilla51
Tracking Status
firefox48 --- unaffected
firefox49 --- unaffected
firefox50 --- unaffected
firefox51 --- fixed

People

(Reporter: decoder, Assigned: jonco)

References

Details

(4 keywords, Whiteboard: [jsbugmon:update,bisect])

Attachments

(1 file)

The following testcase crashes on mozilla-central revision fe895421dfbe (build with --enable-posix-nspr-emulation --enable-valgrind --enable-gczeal --disable-tests --enable-debug --enable-optimize, run with --fuzzing-safe):

offThreadCompileScript(``);
evalInWorker(`
  newGlobal[4] | runOffThreadScript(true, true) ^ (this)
`);

Backtrace:

received signal SIGSEGV, Segmentation fault.
[Switching to Thread 0x7ffff01ff700 (LWP 8420)]
0x0000000000947300 in JSRuntime::contextFromMainThread (this=0x7ffff695f1e8) at js/src/jscntxt.h:829
#0 0x0000000000947300 in JSRuntime::contextFromMainThread (this=0x7ffff695f1e8) at js/src/jscntxt.h:829
#1 0x000000000093b062 in JSCompartment::contextFromMainThread (this=0x7ffff6939800) at js/src/jscompartment.h:387
#2 js::gc::MergeCompartments (source=0x7ffff6939800, target=target@entry=0x7ffff693d800) at js/src/jsgc.cpp:6600
#3 0x0000000000a8d609 in js::GlobalHelperThreadState::mergeParseTaskCompartment (this=this@entry=0x7ffff694f800, cx=cx@entry=0x7ffff69c4000, parseTask=0x7ffff0224730, global=..., global@entry=..., dest=0x7ffff693d800) at js/src/vm/HelperThreads.cpp:1276
#4 0x0000000000a98c7a in js::GlobalHelperThreadState::finishParseTask (this=0x7ffff694f800, cx=cx@entry=0x7ffff69c4000, kind=kind@entry=js::ParseTaskKind::Script, token=<optimized out>) at js/src/vm/HelperThreads.cpp:1140
#5 0x0000000000a98fde in js::GlobalHelperThreadState::finishScriptParseTask (this=<optimized out>, cx=cx@entry=0x7ffff69c4000, token=<optimized out>) at js/src/vm/HelperThreads.cpp:1179
#6 0x00000000008c02dd in JS::FinishOffThreadScript (cx=cx@entry=0x7ffff69c4000, token=<optimized out>) at js/src/jsapi.cpp:4075
#7 0x0000000000452ea6 in runOffThreadScript (cx=cx@entry=0x7ffff69c4000, argc=<optimized out>, vp=0x7ffff0290098) at js/src/shell/js.cpp:3957
#8 0x0000000000ae1d19 in js::CallJSNative (cx=cx@entry=0x7ffff69c4000, native=0x452da0 <runOffThreadScript(JSContext*, unsigned int, JS::Value*)>, args=...) at js/src/jscntxtinlines.h:235
[...]
#21 0x00007ffff6c38b5d in clone () at ../sysdeps/unix/sysv/linux/x86_64/clone.S:109

The off thread compilation state is currently stored in a global variable so it is shared between the main context and worker contexts. The patch moves it to the shell context instead.
Assignee: nobody → jcoppeard
Attachment #8783959 - Flags: review?(jdemooij)
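
An added illustration of the root cause described in the comment above: a simplified model, not the attached patch and not SpiderMonkey code. `JobSlot`, `Finish`, `replay`, and this cut-down `ShellContext` are hypothetical names, and the `WrongOwner` result stands in for the engine's thread-ownership assertion.

```cpp
// Simplified model of the bug; all names are hypothetical, not SpiderMonkey code.
enum class Finish { Ok, NoJob, WrongOwner };

// One pending off-thread compile, tagged with the context that started it.
struct JobSlot {
    bool pending = false;
    int ownerId = 0;

    void start(int owner) { pending = true; ownerId = owner; }

    // WrongOwner stands in for the engine's thread-ownership assertion.
    Finish finish(int caller) {
        if (!pending) return Finish::NoJob;
        pending = false;
        return ownerId == caller ? Finish::Ok : Finish::WrongOwner;
    }
};

// Before: one process-wide slot, visible to the main context and every worker.
static JobSlot gSharedSlot;

// After: each shell context carries its own slot.
struct ShellContext {
    int id;
    JobSlot offThread;
    explicit ShellContext(int i) : id(i) {}
};

// Replays the testcase's order of events: the main context starts a compile,
// then a worker context tries to finish one.
Finish replay(bool perContext) {
    ShellContext mainCx(1), workerCx(2);
    if (perContext) {
        mainCx.offThread.start(mainCx.id);
        return workerCx.offThread.finish(workerCx.id);
    }
    gSharedSlot.start(mainCx.id);
    return gSharedSlot.finish(workerCx.id);
}

int main() {
    // Shared slot: the worker picks up the main context's job.
    // Per-context slot: the worker finds nothing to finish.
    bool ok = replay(false) == Finish::WrongOwner && replay(true) == Finish::NoJob;
    return ok ? 0 : 1;
}
```
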
Comment on attachment 8783959
bug1296016-shell-off-thread-state

Review of attachment 8783959:
-----------------------------------------------------------------

Nice!
Attachment #8783959 - Flags: review?(jdemooij) → review+
Pushed by jcoppeard@mozilla.com:
https://hg.mozilla.org/integration/mozilla-inbound/rev/4ae164556a2d
Store shell off thread compilation state in ShellContext r=jandem
Status: NEW → RESOLVED
Closed: 8 years ago
Flags: in-testsuite+
Resolution: --- → FIXED
Target Milestone: --- → mozilla51
Depends on: 1411947