Closed Bug 1341283 Opened 7 years ago Closed 7 years ago

Assertion failure: !activeContext() || gc.canChangeActiveContext(activeContext()), at js/src/vm/Runtime.cpp:339 with evalInCooperativeThread and Interrupt

Categories

(Core :: JavaScript Engine, defect)

x86
Linux
defect
Not set
critical

Tracking


RESOLVED FIXED
mozilla54
Tracking Status
firefox52 --- unaffected
firefox53 --- unaffected
firefox54 --- fixed

People

(Reporter: decoder, Assigned: bhackett1024)

Details

(4 keywords, Whiteboard: [jsbugmon:update,bisect])

Attachments

(1 file)

The following testcase crashes on mozilla-central revision d84beb192e57 (build with --enable-posix-nspr-emulation --enable-valgrind --enable-gczeal --disable-tests --enable-stdcxx-compat --disable-profiling --enable-debug --without-intl-api --enable-optimize --target=i686-pc-linux-gnu, run with --fuzzing-safe):

gczeal(4);
evalInCooperativeThread('\
  for (var i = 0; i < 10; i++) {\
     interruptIf(true);\
  }\
');


Backtrace:

 received signal SIGSEGV, Segmentation fault.
0x0879e5b0 in JSRuntime::setActiveContext (this=0xf793d000, cx=0x0) at js/src/vm/Runtime.cpp:339
#0  0x0879e5b0 in JSRuntime::setActiveContext (this=0xf793d000, cx=0x0) at js/src/vm/Runtime.cpp:339
#1  0x08566bd8 in js::YieldCooperativeContext (cx=0xf7941800) at js/src/jscntxt.cpp:197
#2  0x0852a199 in JS_YieldCooperativeContext (cx=0xf7941800) at js/src/jsapi.cpp:486
#3  0x0809a693 in CooperativeBeginWait (cx=0xf7941800) at js/src/shell/js.cpp:3386
#4  EvalInThread (cx=0xf7941800, argc=<optimized out>, vp=<optimized out>, cooperative=true) at js/src/shell/js.cpp:3633
#5  0x0816ea10 in js::CallJSNative (cx=0xf7941800, native=0x809aa60 <EvalInCooperativeThread(JSContext*, unsigned int, JS::Value*)>, args=...) at js/src/jscntxtinlines.h:281
[...]
#19 0x08078203 in main (argc=3, argv=0xffffd8e4, envp=0xffffd8f4) at js/src/shell/js.cpp:8320
eax	0x0	0
ebx	0x0	0
ecx	0xf7da4864	-136689564
edx	0x0	0
esi	0xf793d000	-141307904
edi	0x8cf7ff4	147816436
ebp	0xffffcbf8	4294953976
esp	0xffffcbe0	4294953952
eip	0x879e5b0 <JSRuntime::setActiveContext(JSContext*)+192>
=> 0x879e5b0 <JSRuntime::setActiveContext(JSContext*)+192>:	movl   $0x0,0x0
   0x879e5ba <JSRuntime::setActiveContext(JSContext*)+202>:	ud2
Likely duplicate of bug 1339944.
Depends on: 1339944
No longer depends on: 1339944
Attached patch: patch
We don't want cooperative multithreading to conflict with GC settings that prevent changing the active context (this was, yeah, pretty foreseeable...).  I think the only GC setting that can change dynamically and prevent active context changes is the tracer used in the pre barrier verifier.
Assignee: nobody → bhackett1024
Attachment #8839705 - Flags: review?(jcoppeard)
Attachment #8839705 - Flags: review?(jcoppeard) → review+
Pushed by bhackett@mozilla.com:
https://hg.mozilla.org/integration/mozilla-inbound/rev/3c365d2e8202
Avoid conflicts between GC zeal behavior and cooperative multithreading context switches, r=jonco.
https://hg.mozilla.org/mozilla-central/rev/3c365d2e8202
Status: NEW → RESOLVED
Closed: 7 years ago
Resolution: --- → FIXED
Target Milestone: --- → mozilla54