Crash [@ js::gc::Cell::address] or Assertion failure: !waitingOnGC[i]->runtimeMatches(rt), at js/src/vm/HelperThreads.cpp:437

RESOLVED FIXED in Firefox 54

Status


defect
--
critical
RESOLVED FIXED
3 years ago
2 years ago

People

(Reporter: gkw, Assigned: jonco)

Tracking

(Blocks 2 bugs, 4 keywords)

Trunk
mozilla54
x86_64
macOS

Firefox Tracking Flags

(firefox52 unaffected, firefox53 unaffected, firefox54 fixed)

Details

(Whiteboard: [jsbugmon:], crash signature)

Attachments

(3 attachments)

The following testcase crashes on mozilla-central revision 0a7831d838f7 (build with --enable-debug --enable-more-deterministic, run with --fuzzing-safe --ion-offthread-compile=off --ion-eager):

See attachment.

Backtrace:

0   js-dbg-64-dm-clang-darwin-0a7831d838f7	0x00000001039d240d js::CancelOffThreadParses(JSRuntime*) + 845 (HelperThreads.cpp:437)
1   js-dbg-64-dm-clang-darwin-0a7831d838f7	0x0000000103a21938 JSRuntime::destroyRuntime() + 232 (Runtime.cpp:286)
2   js-dbg-64-dm-clang-darwin-0a7831d838f7	0x00000001037ba536 js::DestroyContext(JSContext*) + 294 (atomic:848)
/snip

For detailed crash information, see attachment.

Setting s-s as a start because this is a gc assert; however, it might just be related to the off-thread parsing stuff.
Posted file Testcase
There are crashes [@ js::gc::Cell::address] on opt builds that eventually reduce to this assert for debug builds.
Crash Signature: [@ js::gc::Cell::address]
Summary: Assertion failure: !waitingOnGC[i]->runtimeMatches(rt), at js/src/vm/HelperThreads.cpp:437 → Crash [@ js::gc::Cell::address] or Assertion failure: !waitingOnGC[i]->runtimeMatches(rt), at js/src/vm/HelperThreads.cpp:437
Whiteboard: [jsbugmon:update] → [jsbugmon:]
JSBugMon: Cannot process bug: Unable to automatically reproduce, please track manually.
autoBisect shows this is probably related to the following changeset:

The first bad revision is:
changeset:   https://hg.mozilla.org/mozilla-central/rev/67160e6118d1
user:        Jon Coppeard
date:        Wed Feb 08 13:35:49 2017 +0000
summary:     Bug 1337450 - Simplify GC resets and aborts r=sfink

Jon, is bug 1337450 a likely regressor?
Blocks: 1337450
Flags: needinfo?(jcoppeard)
Keywords: sec-high
Component: JavaScript Engine → JavaScript: GC
Yes, bug 1337450 caused this because IsDeterministicGCReason() doesn't recognise the ABORT_GC reason I added.

This bug is only present when the engine is built with --enable-more-deterministic so it's not a security issue.
Group: javascript-core-security
Flags: needinfo?(jcoppeard)
Keywords: sec-high
Patch to add ABORT_GC to the list of deterministic GC reasons, otherwise GCRuntime::checkIfGCAllowedInCurrentState() won't allow abort GCs to happen if deterministicgc(true) is called.

I tidied this up to make it clearer what is and is not considered deterministic.
Assignee: nobody → jcoppeard
Attachment #8838634 - Flags: review?(sphink)
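A simplified C++ model of the gate described in the comment above, added here as an illustration and not code from this bug's patch or from SpiderMonkey itself; the enum values, the `fixed` toggle and the `destroyRuntime` sketch are assumptions about how the deterministic-reason allowlist interacts with the off-thread parse tasks that the helper-thread assertion checks at teardown.

```cpp
// Simplified model (assumed, not SpiderMonkey's own code) of the
// IsDeterministicGCReason() allowlist consulted by
// GCRuntime::checkIfGCAllowedInCurrentState() when deterministicgc(true)
// is in effect, and of why omitting ABORT_GC breaks runtime teardown.
#include <vector>

// Subset of GC reasons; names follow the bug report, values are ours.
enum class Reason { API, DESTROY_RUNTIME, ABORT_GC, ALLOC_TRIGGER, MAYBEGC };

// Allowlist of reasons permitted in deterministic mode.
// `fixed` selects the pre-fix (false) or post-fix (true) list.
bool isDeterministicGCReason(Reason reason, bool fixed) {
    switch (reason) {
        case Reason::API:
        case Reason::DESTROY_RUNTIME:
            return true;
        case Reason::ABORT_GC:
            return fixed;   // the case bug 1337450 left out
        default:
            return false;   // allocation-driven GCs are non-deterministic
    }
}

// Model of checkIfGCAllowedInCurrentState(): in deterministic-only mode a
// GC is refused unless its reason is on the allowlist.
bool checkIfGCAllowedInCurrentState(Reason reason, bool deterministicOnly, bool fixed) {
    if (deterministicOnly && !isDeterministicGCReason(reason, fixed))
        return false;
    return true;
}

// Model of teardown: an off-thread parse task blocked on an in-progress GC
// is released by an ABORT_GC. If that GC is refused, the task is still
// waiting when the runtime goes away, which is the assertion in the report.
struct ParseTask { bool waitingOnGC; };

// Returns true when teardown succeeds (no task still waits on GC).
bool destroyRuntime(bool deterministicOnly, bool fixed) {
    std::vector<ParseTask> waitingOnGC{{true}};   // constructed: one blocked task
    if (checkIfGCAllowedInCurrentState(Reason::ABORT_GC, deterministicOnly, fixed)) {
        for (auto& t : waitingOnGC) t.waitingOnGC = false;   // abort GC ran, task released
    }
    for (const auto& t : waitingOnGC)
        if (t.waitingOnGC) return false;   // !waitingOnGC[i]->runtimeMatches(rt) would fail
    return true;
}
```

With deterministic mode off the abort GC is always allowed, so the assertion only reproduces under --enable-more-deterministic builds that call deterministicgc(true), matching the comment that this is not a security issue.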
Attachment #8838634 - Flags: review?(sphink) → review+
Pushed by jcoppeard@mozilla.com:
https://hg.mozilla.org/integration/mozilla-inbound/rev/58594006a6fa
Make ABORT_GC a deterministic GC reason r=sfink
https://hg.mozilla.org/mozilla-central/rev/58594006a6fa
https://hg.mozilla.org/mozilla-central/rev/9c5f58a4c7dd
Status: NEW → RESOLVED
Closed: 2 years ago
Resolution: --- → FIXED
Target Milestone: --- → mozilla54