Closed
Bug 1340010
Opened 7 years ago
Closed 7 years ago
Crash [@ js::gc::Cell::address] or Assertion failure: !waitingOnGC[i]->runtimeMatches(rt), at js/src/vm/HelperThreads.cpp:437
Categories
(Core :: JavaScript: GC, defect)
Tracking
RESOLVED
FIXED
mozilla54
Release | Tracking | Status |
---|---|---|
firefox52 | --- | unaffected |
firefox53 | --- | unaffected |
firefox54 | --- | fixed |
People
(Reporter: gkw, Assigned: jonco)
References
Details
(4 keywords, Whiteboard: [jsbugmon:])
Crash Data
Attachments
(3 files)
The following testcase crashes on mozilla-central revision 0a7831d838f7 (build with --enable-debug --enable-more-deterministic, run with --fuzzing-safe --ion-offthread-compile=off --ion-eager):
See attachment.
Backtrace:
0 js-dbg-64-dm-clang-darwin-0a7831d838f7 0x00000001039d240d js::CancelOffThreadParses(JSRuntime*) + 845 (HelperThreads.cpp:437)
1 js-dbg-64-dm-clang-darwin-0a7831d838f7 0x0000000103a21938 JSRuntime::destroyRuntime() + 232 (Runtime.cpp:286)
2 js-dbg-64-dm-clang-darwin-0a7831d838f7 0x00000001037ba536 js::DestroyContext(JSContext*) + 294 (atomic:848)
/snip
For detailed crash information, see attachment.
Setting s-s as a start because this is a gc assert, however it might just be related to the off thread parsing stuff.
Reporter
Comment 1•7 years ago
Reporter
Comment 2•7 years ago
Reporter
Comment 3•7 years ago
There are crashes [@ js::gc::Cell::address] on opt builds that eventually reduce to this assert for debug builds.
Crash Signature: [@ js::gc::Cell::address]
Summary: Assertion failure: !waitingOnGC[i]->runtimeMatches(rt), at js/src/vm/HelperThreads.cpp:437 → Crash [@ js::gc::Cell::address] or Assertion failure: !waitingOnGC[i]->runtimeMatches(rt), at js/src/vm/HelperThreads.cpp:437
Updated•7 years ago
Whiteboard: [jsbugmon:update] → [jsbugmon:]
Comment 4•7 years ago
JSBugMon: Cannot process bug: Unable to automatically reproduce, please track manually.
Reporter
Comment 5•7 years ago
autoBisect shows this is probably related to the following changeset:
The first bad revision is:
changeset: https://hg.mozilla.org/mozilla-central/rev/67160e6118d1
user: Jon Coppeard
date: Wed Feb 08 13:35:49 2017 +0000
summary: Bug 1337450 - Simplify GC resets and aborts r=sfink
Jon, is bug 1337450 a likely regressor?
Blocks: 1337450
Flags: needinfo?(jcoppeard)
Updated•7 years ago
Component: JavaScript Engine → JavaScript: GC
Assignee
Comment 6•7 years ago
Yes, bug 1337450 caused this because IsDeterministicGCReason() doesn't recognise the ABORT_GC reason I added. This bug is only present when the engine is built with --enable-more-deterministic so it's not a security issue.
Group: javascript-core-security
Flags: needinfo?(jcoppeard)
Assignee
Comment 7•7 years ago
Patch to add ABORT_GC to the list of deterministic GC reasons, otherwise GCRuntime::checkIfGCAllowedInCurrentState() won't allow abort GCs to happen if deterministicgc(true) is called. I tidied this up to make it clearer what is and is not considered deterministic.
Assignee: nobody → jcoppeard
Attachment #8838634 - Flags: review?(sphink)
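A simplified model of the failure described in comments 6 and 7, as an added example that is not SpiderMonkey source or part of the original bug: an allow-list written before ABORT_GC existed refuses the abort request once deterministic-only mode is on, while an exhaustive switch classifies it and lets the compiler flag unclassified reasons. Only ABORT_GC, IsDeterministicGCReason and checkIfGCAllowedInCurrentState are names from the bug; the other reasons, the GCModel struct and its fields are assumptions made for illustration.

```cpp
// Simplified model, not SpiderMonkey source. Names other than ABORT_GC and
// the two functions mentioned in the bug are constructed for illustration.
enum class Reason { API, DEBUG_GC, ALLOC_TRIGGER, ABORT_GC };

// Before: allow-list written before ABORT_GC was added to the enum, so the
// new reason silently falls through to "not deterministic".
bool IsDeterministicGCReasonBefore(Reason r) {
    return r == Reason::API || r == Reason::DEBUG_GC;
}

// After: every reason is classified explicitly. With no default label,
// -Wswitch reports any enumerator added later without a case here.
bool IsDeterministicGCReasonAfter(Reason r) {
    switch (r) {
      case Reason::API:
      case Reason::DEBUG_GC:
      case Reason::ABORT_GC:
        return true;
      case Reason::ALLOC_TRIGGER:
        return false;
    }
    return false;  // not reached for valid enumerators
}

struct GCModel {
    bool (*isDeterministic)(Reason);  // classifier under test
    bool deterministicOnly;           // models deterministicgc(true)
    bool incrementalInProgress;       // a collection has been started

    bool checkIfGCAllowedInCurrentState(Reason r) const {
        return !deterministicOnly || isDeterministic(r);
    }
    // Returns true only if the in-progress collection was really aborted.
    bool abortGC() {
        if (!checkIfGCAllowedInCurrentState(Reason::ABORT_GC))
            return false;             // request dropped, state left behind
        incrementalInProgress = false;
        return true;
    }
};

// Start a collection in deterministic-only mode, request an abort, and
// report whether the collection is still in progress afterwards.
bool collectionLeftAfterAbort(bool (*classifier)(Reason)) {
    GCModel gc{classifier, true, true};
    gc.abortGC();
    return gc.incrementalInProgress;
}
```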
Updated•7 years ago
Attachment #8838634 - Flags: review?(sphink) → review+
Pushed by jcoppeard@mozilla.com:
https://hg.mozilla.org/integration/mozilla-inbound/rev/58594006a6fa
Make ABORT_GC a deterministic GC reason r=sfink
Pushed by jcoppeard@mozilla.com:
https://hg.mozilla.org/integration/mozilla-inbound/rev/9c5f58a4c7dd
Fix test bustage r=me
Comment 10•7 years ago
bugherder
https://hg.mozilla.org/mozilla-central/rev/58594006a6fa
https://hg.mozilla.org/mozilla-central/rev/9c5f58a4c7dd
Status: NEW → RESOLVED
Closed: 7 years ago
Resolution: --- → FIXED
Target Milestone: --- → mozilla54
Updated•7 years ago
status-firefox52: --- → unaffected
status-firefox53: --- → unaffected