Bug 1336893 (Closed)
Opened 9 years ago, closed 9 years ago
Assertion failure: ++nwrites <= 2, at js/src/threading/ProtectedData.h:318
Categories: Core :: JavaScript Engine, defect
Status: RESOLVED FIXED
Target Milestone: mozilla54
| Release | Tracking | Status |
|---|---|---|
| firefox52 | --- | unaffected |
| firefox53 | --- | unaffected |
| firefox54 | --- | fixed |
People: Reporter: gkw, Assigned: bhackett1024
Keywords: assertion, bugmon, testcase
Whiteboard: [jsbugmon:update]
Attachments (2 files):
- 32.20 KB, text/plain
- 831 bytes, patch (jandem: review+)
The following testcase crashes on mozilla-central revision f8d696a34c17 (build with --32 --enable-debug --enable-simulator=arm, run with --fuzzing-safe --no-threads --no-ion):

```js
// jsfunfuzz-generated
for (var i = 0; i < 9; ++i) {
    Object.getOwnPropertyNames(this);
}
// Adapted from randomly chosen test: js/src/jit-test/tests/debug/bug1219905.js
var g = newGlobal();
g.parent = function(){};
g.eval("new Debugger(parent).onExceptionUnwind = function() {}");
oomTest(() => l);
```

Backtrace:

```
0 js-dbg-32-clang-armSim-darwin-f8d696a34c17 0x00275626 js::jit::JitRuntime::debugTrapHandler(JSContext*) + 406 (ProtectedData.h:318)
1 js-dbg-32-clang-armSim-darwin-f8d696a34c17 0x00adc2b7 js::jit::BaselineCompiler::emitDebugTrap() + 231 (BaselineCompiler.cpp:823)
2 js-dbg-32-clang-armSim-darwin-f8d696a34c17 0x00ad7d7a js::jit::BaselineCompiler::emitBody() + 954 (BaselineCompiler.cpp:1013)
3 js-dbg-32-clang-armSim-darwin-f8d696a34c17 0x00ad660d js::jit::BaselineCompiler::compile() + 509 (BaselineCompiler.cpp:119)
4 js-dbg-32-clang-armSim-darwin-f8d696a34c17 0x001d98b6 js::jit::BaselineCompile(JSContext*, JSScript*, bool) + 342 (BaselineJIT.cpp:298)
/snip
```

For detailed crash information, see attachment.
Comment 1 • 9 years ago (Reporter)

Comment 2 • 9 years ago (Reporter)
autoBisect shows this is probably related to the following changeset:
The first bad revision is:
changeset: https://hg.mozilla.org/mozilla-central/rev/d2758f635f72
user: Brian Hackett
date: Thu Feb 02 12:12:43 2017 -0700
summary: Bug 1325050 - Structure reorganization for multithreaded runtimes, r=jandem,jonco,h4writer,luke,lhansen,nbp.
Brian, is bug 1325050 a likely regressor?
Blocks: 1325050
Flags: needinfo?(bhackett1024)
Comment 3 • 9 years ago (Assignee)
Relax write-once protected data checks to ignore assignments that do not change a location's value (e.g. overwriting null with null). I didn't add the test because it is crashing without --fuzzing-safe at a cx->isExceptionPending() assert in OOMTest (this seems to be an expected behavior).
Assignee: nobody → bhackett1024
Flags: needinfo?(bhackett1024)
Attachment #8834375 - Flags: review?(jdemooij)
Updated • 9 years ago
Attachment #8834375 - Flags: review?(jdemooij) → review+
Pushed by bhackett@mozilla.com:
https://hg.mozilla.org/integration/mozilla-inbound/rev/d6c7252fb769
Tolerate redundant writes in WriteOnceData checks, r=jandem.
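
The relaxed check described in comment 3, as an added example that is neither the attached patch nor SpiderMonkey's code: a simplified model of a write-once debug counter that skips assignments leaving the value unchanged. `WriteOnceModel`, `replayRetries` and `thirdRealWriteRejected` are hypothetical names, the write sequence is constructed, and only the budget of 2 comes from the assertion text on this page.

```cpp
#include <cstddef>

// Hypothetical model of a write-once debug check; not SpiderMonkey's class.
template <typename T>
class WriteOnceModel {
    T value_{};
    std::size_t nwrites_ = 0;
    bool tolerateRedundant_;

  public:
    // Budget taken from the assertion text on this page: ++nwrites <= 2.
    static constexpr std::size_t kMaxWrites = 2;

    explicit WriteOnceModel(bool tolerateRedundant)
        : tolerateRedundant_(tolerateRedundant) {}

    // Returns false where a debug build would fail the assertion.
    bool set(const T& v) {
        if (tolerateRedundant_ && v == value_)
            return true;  // value unchanged: does not count as a write
        if (++nwrites_ > kMaxWrites)
            return false;
        value_ = v;
        return true;
    }

    std::size_t writes() const { return nwrites_; }
};

// Constructed sequence: three failed lazy initialisations that store null
// over null, then one successful initialisation and a teardown clear.
bool replayRetries(bool tolerateRedundant) {
    static int handler;  // stand-in for the lazily created object
    WriteOnceModel<int*> slot(tolerateRedundant);
    bool ok = true;
    for (int i = 0; i < 3; ++i)
        ok = slot.set(nullptr) && ok;
    ok = slot.set(&handler) && ok;
    ok = slot.set(nullptr) && ok;
    return ok;
}

// The relaxed check still rejects a third write that changes the value.
bool thirdRealWriteRejected() {
    static int a, b;
    WriteOnceModel<int*> slot(true);
    return slot.set(&a) && slot.set(&b) && slot.writes() == 2 && !slot.set(&a);
}
```

With the strict counter the third null-over-null store exhausts the budget; with redundant writes ignored, only stores that change the value are counted, so a genuine third write is still caught.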
Comment 5 • 9 years ago (bugherder)
Status: NEW → RESOLVED
Closed: 9 years ago
Resolution: --- → FIXED
Target Milestone: --- → mozilla54
Updated • 9 years ago
status-firefox52: --- → unaffected
status-firefox53: --- → unaffected