Closed Bug 1339944 Opened 6 years ago Closed 6 years ago

Assertion failure: cx->runtime()->activeContextChangeProhibited() || !cx->runtime()->gc.canChangeActiveContext(cx), at js/src/vm/Stack.cpp:1731

Categories

(Core :: JavaScript Engine, defect)

Product:
Core
Component:
JavaScript Engine
Platform:
x86_64
Linux
Type:
defect
Priority:
Not set
Severity:
critical

Tracking

()

Status:
RESOLVED FIXED
Milestone:
mozilla54
Tracking Flags:
Tracking Status
firefox52 --- unaffected
firefox53 --- unaffected
firefox54 --- fixed

People

(Reporter: gkw, Assigned: bhackett1024)

References

Details

(Keywords: assertion, bugmon, testcase, Whiteboard: [jsbugmon:])

Attachments

(3 files)

Detailed Crash Information
16.06 KB, text/plain
Details
Testcase
2.60 MB, text/plain
Details
patch
724 bytes, patch
jandem
: review+
Details | Diff | Splinter Review 
The following testcase crashes on mozilla-central revision ec3ef9f77a52 (build with --enable-debug --enable-more-deterministic, run with --fuzzing-safe --no-threads --no-baseline --no-ion):

See attachment.

Backtrace:

#0  js::ActivationIterator::ActivationIterator (this=0x7ffe4670dcc0, cx=0x7f0c06b4b000, target=...) at js/src/vm/Stack.cpp:1730
#1  0x000000000069a9fb in js::jit::JitActivationIterator::JitActivationIterator (target=..., cx=<optimized out>, this=0x7ffe4670dcc0) at js/src/vm/Stack.h:1645
#2  js::jit::InvalidateAll (fop=fop@entry=0x7f0c06b271d0, zone=zone@entry=0x7f0c05c31000) at js/src/jit/Ion.cpp:3208
#3  0x0000000000de9ebb in JS::Zone::discardJitCode (this=0x7f0c05c31000, fop=0x7f0c06b271d0, discardBaselineCode=discardBaselineCode@entry=false) at js/src/gc/Zone.cpp:235
#4  0x0000000000c18a2a in js::AutoClearTypeInferenceStateOnOOM::~AutoClearTypeInferenceStateOnOOM (this=0x7ffe4670de88, __in_chrg=<optimized out>) at js/src/vm/TypeInference.cpp:4603
/snip

For detailed crash information, see attachment.

This testcase when reduced seems fragile, so filing this while it is fairly reproducible.
autoBisect shows this is probably related to the following changeset:

The first bad revision is:
changeset:   https://hg.mozilla.org/mozilla-central/rev/fe2fedb64403
user:        Brian Hackett
date:        Thu Feb 09 05:41:31 2017 -0700
summary:     Bug 1335095 - Allow cooperating JSContexts to iterate over each others' activations, r=jandem.

Brian, is bug 1335095 a likely regressor?
Blocks: 1335095
Flags: needinfo?(bhackett1024)
Whiteboard: [jsbugmon:update] → [jsbugmon:]
JSBugMon: Cannot process bug: Error: Failed to isolate test from comment
Attached patch patchSplinter Review 
Assignee: nobody → bhackett1024
Flags: needinfo?(bhackett1024)

        Attachment #8839116 -
        Flags: review?(jdemooij)

        Attachment #8839116 -
        Flags: review?(jdemooij) → review+

    
    

    
  
Pushed by bhackett@mozilla.com:
https://hg.mozilla.org/integration/mozilla-inbound/rev/3ebbc022b8f6
Prohibit context switches while handling OOM during type inference operations, r=jandem.

    
    

    
  
Probably the same as bug 1341283 but that bug has a simple test case.

    
    

    
  
Bug 1341283 is actually a separate issue.
No longer blocks: 1341283

    
    

    
  
https://hg.mozilla.org/mozilla-central/rev/3ebbc022b8f6
Status: NEW → RESOLVED
Closed: 6 years ago

          status-firefox54:
          affectedfixed
Resolution: --- → FIXED
Target Milestone: --- → mozilla54

          You need to log in
          before you can comment on or make changes to this bug.