Closed Bug 1340010 Opened 4 years ago Closed 4 years ago
Crash [@ js::gc::Cell::address] or Assertion failure: !waiting
On GC[i]->runtime Matches(rt), at js/src/vm/Helper Threads .cpp:437
The following testcase crashes on mozilla-central revision 0a7831d838f7 (build with --enable-debug --enable-more-deterministic, run with --fuzzing-safe --ion-offthread-compile=off --ion-eager): See attachment. Backtrace: 0 js-dbg-64-dm-clang-darwin-0a7831d838f7 0x00000001039d240d js::CancelOffThreadParses(JSRuntime*) + 845 (HelperThreads.cpp:437) 1 js-dbg-64-dm-clang-darwin-0a7831d838f7 0x0000000103a21938 JSRuntime::destroyRuntime() + 232 (Runtime.cpp:286) 2 js-dbg-64-dm-clang-darwin-0a7831d838f7 0x00000001037ba536 js::DestroyContext(JSContext*) + 294 (atomic:848) /snip For detailed crash information, see attachment. Setting s-s as a start because this is a gc assert, however it might just be related to the off thread parsing stuff.
There are crashes [@ js::gc::Cell::address] on opt builds that eventually reduce to this assert for debug builds.
Crash Signature: [@ js::gc::Cell::address]
Summary: Assertion failure: !waitingOnGC[i]->runtimeMatches(rt), at js/src/vm/HelperThreads.cpp:437 → Crash [@ js::gc::Cell::address] or Assertion failure: !waitingOnGC[i]->runtimeMatches(rt), at js/src/vm/HelperThreads.cpp:437
JSBugMon: Cannot process bug: Unable to automatically reproduce, please track manually.
autoBisect shows this is probably related to the following changeset: The first bad revision is: changeset: https://hg.mozilla.org/mozilla-central/rev/67160e6118d1 user: Jon Coppeard date: Wed Feb 08 13:35:49 2017 +0000 summary: Bug 1337450 - Simplify GC resets and aborts r=sfink Jon, is bug 1337450 a likely regressor?
Yes, bug 1337450 caused this because IsDeterministicGCReason() doesn't recognise the ABORT_GC reason I added. This bug is only present when the engine is built with --enable-more-deterministic so it's not a security issue.
Patch to add ABORT_GC to the list of deterministic GC reasons, otherwise GCRuntime::checkIfGCAllowedInCurrentState() won't allow abort GCs to happen if deterministicgc(true) is called. I tidied this up to make it clearer what is and is not considered deterministic.
Assignee: nobody → jcoppeard
Attachment #8838634 - Flags: review?(sphink)
Attachment #8838634 - Flags: review?(sphink) → review+
Pushed by firstname.lastname@example.org: https://hg.mozilla.org/integration/mozilla-inbound/rev/58594006a6fa Make ABORT_GC a deterministic GC reason r=sfink
Pushed by email@example.com: https://hg.mozilla.org/integration/mozilla-inbound/rev/9c5f58a4c7dd Fix test bustage r=me
You need to log in before you can comment on or make changes to this bug.