Closed Bug 1336893 Opened 9 years ago Closed 9 years ago

Assertion failure: ++nwrites <= 2, at js/src/threading/ProtectedData.h:318

Categories

(Core :: JavaScript Engine, defect)

x86
macOS
defect
Not set
critical

Tracking

()

RESOLVED FIXED
mozilla54
Tracking Status
firefox52 --- unaffected
firefox53 --- unaffected
firefox54 --- fixed

People

(Reporter: gkw, Assigned: bhackett1024)

References

Details

(Keywords: assertion, bugmon, testcase, Whiteboard: [jsbugmon:update])

Attachments

(2 files)

The following testcase crashes on mozilla-central revision f8d696a34c17 (build with --32 --enable-debug --enable-simulator=arm, run with --fuzzing-safe --no-threads --no-ion):

// jsfunfuzz-generated
for (var i = 0; i < 9; ++i) {
    Object.getOwnPropertyNames(this);
}
// Adapted from randomly chosen test: js/src/jit-test/tests/debug/bug1219905.js
var g = newGlobal();
g.parent = function(){};
g.eval("new Debugger(parent).onExceptionUnwind = function() {}");
oomTest(() => l);

Backtrace:

0 js-dbg-32-clang-armSim-darwin-f8d696a34c17 0x00275626 js::jit::JitRuntime::debugTrapHandler(JSContext*) + 406 (ProtectedData.h:318)
1 js-dbg-32-clang-armSim-darwin-f8d696a34c17 0x00adc2b7 js::jit::BaselineCompiler::emitDebugTrap() + 231 (BaselineCompiler.cpp:823)
2 js-dbg-32-clang-armSim-darwin-f8d696a34c17 0x00ad7d7a js::jit::BaselineCompiler::emitBody() + 954 (BaselineCompiler.cpp:1013)
3 js-dbg-32-clang-armSim-darwin-f8d696a34c17 0x00ad660d js::jit::BaselineCompiler::compile() + 509 (BaselineCompiler.cpp:119)
4 js-dbg-32-clang-armSim-darwin-f8d696a34c17 0x001d98b6 js::jit::BaselineCompile(JSContext*, JSScript*, bool) + 342 (BaselineJIT.cpp:298)
/snip

For detailed crash information, see attachment.

autoBisect shows this is probably related to the following changeset:

The first bad revision is:
changeset: https://hg.mozilla.org/mozilla-central/rev/d2758f635f72
user: Brian Hackett
date: Thu Feb 02 12:12:43 2017 -0700
summary: Bug 1325050 - Structure reorganization for multithreaded runtimes, r=jandem,jonco,h4writer,luke,lhansen,nbp.

Brian, is bug 1325050 a likely regressor?
Blocks: 1325050
Flags: needinfo?(bhackett1024)
Attached patch: patch
Relax write-once protected data checks to ignore assignments that do not change a location's value (e.g. overwriting null with null). I didn't add the test because it is crashing without --fuzzing-safe at a cx->isExceptionPending() assert in OOMTest (this seems to be an expected behavior).
Assignee: nobody → bhackett1024
Flags: needinfo?(bhackett1024)
Attachment #8834375 - Flags: review?(jdemooij)
Attachment #8834375 - Flags: review?(jdemooij) → review+
Pushed by bhackett@mozilla.com:
https://hg.mozilla.org/integration/mozilla-inbound/rev/d6c7252fb769
Tolerate redundant writes in WriteOnceData checks, r=jandem.
Status: NEW → RESOLVED
Closed: 9 years ago
Resolution: --- → FIXED
Target Milestone: --- → mozilla54
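
The relaxation described in the patch comment above, as an added example that is not the attached patch and not SpiderMonkey code: a hypothetical `WriteOnceCell` counts writes against the limit shown in the assertion text (2), and the relaxed policy skips stores that leave the value unchanged. All names here are assumptions, and the repeated null-over-null store is a constructed scenario.

```cpp
#include <cstdio>

// Hypothetical write-once cell; not SpiderMonkey's ProtectedData.h.
enum class Policy { CountEveryWrite, IgnoreRedundantWrites };

template <typename T>
class WriteOnceCell {
  public:
    // Limit taken from the assertion text in this bug (++nwrites <= 2).
    static constexpr int kMaxWrites = 2;
    WriteOnceCell(Policy policy, T initial) : policy_(policy), value_(initial) {}

    // Returns false where a debug build would hit the assertion.
    bool set(const T& v) {
        if (policy_ == Policy::IgnoreRedundantWrites && v == value_)
            return true;  // value unchanged: not counted as a write
        if (++nwrites_ > kMaxWrites)
            return false;
        value_ = v;
        return true;
    }
  private:
    Policy policy_;
    T value_;
    int nwrites_ = 0;
};

// Constructed scenario: lazy initialization keeps failing, so null is stored
// over null each time. Returns the 1-based attempt that trips the check, or 0.
int firstRejectedNullStore(Policy policy, int attempts) {
    WriteOnceCell<const char*> cell(policy, nullptr);
    for (int i = 1; i <= attempts; ++i)
        if (!cell.set(nullptr)) return i;
    return 0;
}

// Stores three distinct pointers; returns how many the cell accepts.
int acceptedDistinctStores(Policy policy) {
    static const char a[] = "a", b[] = "b", c[] = "c";
    const char* values[] = {a, b, c};
    WriteOnceCell<const char*> cell(policy, nullptr);
    int accepted = 0;
    for (const char* p : values) accepted += cell.set(p) ? 1 : 0;
    return accepted;
}

int main() {
    std::printf("strict: %d, relaxed: %d\n", firstRejectedNullStore(Policy::CountEveryWrite, 9),
                firstRejectedNullStore(Policy::IgnoreRedundantWrites, 9));
}
```

Under either policy a third store of a new value is still rejected, so the relaxed check keeps catching real overwrites.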