Closed Bug 1336866 Opened 7 years ago Closed 7 years ago

Assertion failure: TlsContext.get()->runtime()->gc.currentThreadHasLockedGC(), at js/src/threading/ProtectedData.cpp:70

Categories

(Core :: JavaScript Engine, defect)

Product:
Core
Component:
JavaScript Engine
Platform:
x86_64
macOS
Type:
defect
Priority:
Not set
Severity:
critical

Tracking

()

Status:
RESOLVED FIXED
Milestone:
mozilla54
Tracking Flags:
Tracking Status
firefox52 --- unaffected
firefox53 --- unaffected
firefox54 --- fixed

People

(Reporter: gkw, Assigned: bhackett1024)

References

Details

(Keywords: assertion, bugmon, testcase, Whiteboard: [fuzzblocker][jsbugmon:update])

Attachments

(2 files)

Detailed Crash Information
43.89 KB, text/plain
Details
patch
843 bytes, patch
jonco
: review+
Details | Diff | Splinter Review 
The following testcase crashes on mozilla-central revision f8d696a34c17 (build with --enable-debug, run with --fuzzing-safe --ion-offthread-compile=off):

JSON.stringify(this);

Backtrace:

0   js-dbg-64-clang-darwin-f8d696a34c17	0x00000001010e3606 js::CheckGlobalLock<(js::GlobalLock)0, (js::AllowedBackgroundThread)0>::check() const + 102 (ProtectedData.cpp:70)
1   js-dbg-64-clang-darwin-f8d696a34c17	0x0000000101022874 js::gc::MemInfo::ZoneGCHeapGrowthFactorGetter(JSContext*, unsigned int, JS::Value*) + 276 (ProtectedData.h:108)
2   js-dbg-64-clang-darwin-f8d696a34c17	0x0000000100b4c859 js::CallJSNative(JSContext*, bool (*)(JSContext*, unsigned int, JS::Value*), JS::CallArgs const&) + 201 (jscntxtinlines.h:282)
3   js-dbg-64-clang-darwin-f8d696a34c17	0x0000000100b4c513 js::InternalCallOrConstruct(JSContext*, JS::CallArgs const&, js::MaybeConstruct) + 611 (Interpreter.cpp:460)
4   js-dbg-64-clang-darwin-f8d696a34c17	0x0000000100b4d4fa js::CallGetter(JSContext*, JS::Handle<JS::Value>, JS::Handle<JS::Value>, JS::MutableHandle<JS::Value>) + 154 (Interpreter.cpp:524)
/snip

For detailed crash information, see attachment.

This happens quite often, setting [fuzzblocker].
autoBisect shows this is probably related to the following changeset:

The first bad revision is:
changeset:   https://hg.mozilla.org/mozilla-central/rev/d2758f635f72
user:        Brian Hackett
date:        Thu Feb 02 12:12:43 2017 -0700
summary:     Bug 1325050 - Structure reorganization for multithreaded runtimes, r=jandem,jonco,h4writer,luke,lhansen,nbp.

Brian, is bug 1325050 a likely regressor?
Blocks: 1325050
Flags: needinfo?(bhackett1024)
Attached patch patchSplinter Review 
Assignee: nobody → bhackett1024
Flags: needinfo?(bhackett1024)

        Attachment #8834373 -
        Flags: review?(jcoppeard)

        Attachment #8834373 -
        Flags: review?(jcoppeard) → review+

    
    

    
  
Pushed by bhackett@mozilla.com:
https://hg.mozilla.org/integration/mozilla-inbound/rev/b37fc0d40d06
Lock GC while getting heap growth factor in testing function, r=jonco.

    
    

    
  
https://hg.mozilla.org/mozilla-central/rev/b37fc0d40d06
Status: NEW → RESOLVED
Closed: 7 years ago

          status-firefox54:
          affectedfixed
Resolution: --- → FIXED
Target Milestone: --- → mozilla54

          You need to log in
          before you can comment on or make changes to this bug.
        






  

    
  







  

    

      
Attachment

      

      
      
      
      
    

    

      

        

          

            
General

            

              Creator: 



            

            
Created: 

            
Updated: 

            
Size: