Assertion failure: ownerContext().context() == nullptr, at js/src/gc/ZoneGroup.cpp:64 or Crash [@ js::AutoGeckoProfilerEntry::AutoGeckoProfilerEntry] with evalInCooperativeThread and Debugger

RESOLVED FIXED in Firefox 54

Status: RESOLVED FIXED (defect, severity critical)
People: Reporter decoder, Assigned bhackett
Tracking: Blocks 1 bug, 4 keywords; Version Trunk; Target milestone mozilla54; Platform x86 Linux
Firefox tracking flags: firefox51 unaffected, firefox52 unaffected, firefox53 unaffected, firefox54 fixed
Whiteboard: [jsbugmon:update,bisect], crash signature
Attachments: 1 attachment

Description (Reporter, 2 years ago)
The following testcase crashes on mozilla-central revision d84beb192e57 (build with --enable-posix-nspr-emulation --enable-valgrind --enable-gczeal --disable-tests --enable-stdcxx-compat --disable-profiling --enable-debug --without-intl-api --enable-optimize --target=i686-pc-linux-gnu, run with --fuzzing-safe --ion-offthread-compile=off):

var dbg = new Debugger;
// Installing any hook makes the Debugger observe globals created anywhere in the runtime.
dbg.onNewGlobalObject = function(global) {};
// The cooperative thread creates its global in another zone group; firing the hook from there is what crashes below.
evalInCooperativeThread("var x = 3");


Backtrace:

 received signal SIGSEGV, Segmentation fault.
#0  0x089f1736 in js::ZoneGroup::enter (this=0xf7983000) at js/src/gc/ZoneGroup.cpp:64
#1  0x0855b1e1 in JSContext::enterZoneGroup (group=0xf7983000, this=0xf7953000) at js/src/jscntxtinlines.h:518
#2  JSContext::enterCompartment (this=0xf7953000, c=0xf7946000, maybeLock=0x0) at js/src/jscntxtinlines.h:447
#3  0x08659478 in JSContext::enterCompartmentOf<JSObject*> (this=0xf7953000, target=@0xf795280c: 0xf16710d0) at js/src/jscntxtinlines.h:458
#4  0x086d359a in js::AutoCompartment::AutoCompartment<JSObject*> (target=@0xf795280c: 0xf16710d0, cx=<optimized out>, this=0xf11fefb0) at js/src/jscompartmentinlines.h:43
#5  mozilla::Maybe<js::AutoCompartment>::emplace<JSContext*&, JSObject*>(JSContext*&, JSObject*&&) (this=this@entry=0xf11fefac) at /srv/jenkins/jobs/mozilla-central-build-jsshell/workspace/arch/32/compiler/gcc/sanitizer/none/type/debug/dist/include/mozilla/Maybe.h:461
#6  0x086f6cdf in js::Debugger::fireNewGlobalObject (this=0xf7952800, cx=0xf7953000, global=..., vp=...) at js/src/vm/Debugger.cpp:2165
#7  0x086f72c5 in js::Debugger::slowPathOnNewGlobalObject (cx=0xf7953000, global=...) at js/src/vm/Debugger.cpp:2239
#8  0x0854123f in js::Debugger::onNewGlobalObject (global=..., cx=0xf7953000) at js/src/vm/Debugger.h:1767
#9  JS_FireOnNewGlobalObject (cx=0xf7953000, global=...) at js/src/jsapi.cpp:1897
#10 0x08096091 in NewGlobalObject (cx=0xf7953000, options=..., principals=principals@entry=0x0) at js/src/shell/js.cpp:7455
#11 0x0809c99b in WorkerMain (arg=0xf1237790) at js/src/shell/js.cpp:3527
[...]
#15 0xf7cd94ce in clone () from /lib32/libc.so.6
eax	0x0	0
ebx	0x8cf7ff4	147816436
ecx	0xf7da4864	-136689564
edx	0x0	0
esi	0xf7983000	-141021184
edi	0xf7953000	-141217792
ebp	0xf11feea8	4045401768
esp	0xf11fee90	4045401744
eip	0x89f1736 <js::ZoneGroup::enter()+326>
=> 0x89f1736 <js::ZoneGroup::enter()+326>:	movl   $0x0,0x0
   0x89f1740 <js::ZoneGroup::enter()+336>:	ud2
Comment 1 (Reporter, 2 years ago)
Still crashes, NI from bhackett.
Crash Signature: [@ js::AutoGeckoProfilerEntry::AutoGeckoProfilerEntry]
Flags: needinfo?(bhackett1024)
Summary: Assertion failure: ownerContext().context() == nullptr, at js/src/gc/ZoneGroup.cpp:64 with evalInCooperativeThread and Debugger → Assertion failure: ownerContext().context() == nullptr, at js/src/gc/ZoneGroup.cpp:64 or Crash [@ js::AutoGeckoProfilerEntry::AutoGeckoProfilerEntry] with evalInCooperativeThread and Debugger
Comment 2 (Assignee, 2 years ago)
Posted patch: patch (Splinter Review)
Bug 1335095 added some checks that debuggers can only debug things in their own zone group, but we don't have ways to ensure that is the case and the API has multiple ways of permitting debuggers to observe behavior / debug content anywhere in the runtime.  Fixing this will require API changes and it seems best for now (and maybe for good) to ensure that only one thread is operating at a time while debuggers are in use.  This allows the debugger to have arbitrary cross zone group edges and to enter whatever groups it wants without fear of conflicts with another thread.  I talked to Bill and an API like this shouldn't cause problems for Quantum DOM, which will have facilities for ensuring single threaded execution anyways when executing unlabeled runnables.
Assignee: nobody → bhackett1024
Flags: needinfo?(bhackett1024)
Attachment #8841220 - Flags: review?(jdemooij)
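The mechanism comment 2 describes, as an added example that is not SpiderMonkey's code: a small C++ model of a runtime that requires single-threaded execution for as long as a Debugger is alive, with cooperative hand-off between threads and a zone-group entry check that refuses another thread's group unless the gate is held. Runtime, ZoneGroup, Context, beginSingleThreadedExecution, yieldTo, mayRun and the two scenario functions are assumed names (only endSingleThreadedExecution and the counter appear in the patch), and the main/worker scenarios are constructed to mirror the report.

```cpp
#include <cassert>
#include <cstddef>

struct Context;

// A zone group is entered by (owned by) at most one context at a time.
struct ZoneGroup {
    Context* owner = nullptr;
};

struct Runtime {
    // Balanced begin/end counter, > 0 for as long as any Debugger is alive
    // (stand-in for the patch's singleThreadedExecutionRequired_).
    size_t singleThreadedRequired = 0;
    // While the counter is > 0, the one context allowed to execute.
    Context* activeContext = nullptr;

    // Called when a Debugger is created. Returns false if another thread is
    // already the sole runner (a real implementation would block here).
    bool beginSingleThreadedExecution(Context* cx) {
        if (singleThreadedRequired > 0 && activeContext != cx)
            return false;
        if (singleThreadedRequired++ == 0)
            activeContext = cx;
        return true;
    }

    // Called when a Debugger is finalized; the first assert is the balance
    // check the reviewer asked for.
    void endSingleThreadedExecution(Context* cx) {
        assert(singleThreadedRequired > 0);
        assert(activeContext == cx);
        if (--singleThreadedRequired == 0)
            activeContext = nullptr;
    }

    // Cooperative hand-off (what evalInCooperativeThread does in the shell):
    // the running thread parks itself and `next` becomes the sole runner.
    void yieldTo(Context* from, Context* next) {
        if (singleThreadedRequired > 0) {
            assert(activeContext == from);
            activeContext = next;
        }
    }

    // Unmatched begin/end pairs are caught at teardown.
    ~Runtime() { assert(singleThreadedRequired == 0); }
};

struct Context {
    Runtime* rt;
    explicit Context(Runtime* r) : rt(r) {}

    // With a Debugger alive, only the active context may run at all.
    bool mayRun() const {
        return rt->singleThreadedRequired == 0 || rt->activeContext == this;
    }

    // Model of ZoneGroup::enter. Without the gate the group must be unowned or
    // already ours; "owned by another thread" is the assertion in the report.
    // With the gate held nothing else is running, so the active context may
    // also enter a group a parked thread owns (a Debugger's cross-group edge).
    bool enterZoneGroup(ZoneGroup& g) {
        if (!mayRun())
            return false;
        if (g.owner == nullptr || g.owner == this) {
            g.owner = this;
            return true;
        }
        return rt->singleThreadedRequired > 0;
    }

    void leaveZoneGroup(ZoneGroup& g) {
        if (g.owner == this)
            g.owner = nullptr;
    }
};

// The report's scenario without the gate: the worker's NewGlobalObject fires
// the Debugger hook, so the worker must enter the group holding the Debugger
// object, which the main context owns. Returns false: that entry is refused.
bool workerCanFireHookWithoutGate() {
    Runtime rt;
    Context mainCx(&rt), workerCx(&rt);
    ZoneGroup mainGroup, workerGroup;
    bool ok = mainCx.enterZoneGroup(mainGroup);
    ok = ok && workerCx.enterZoneGroup(workerGroup);
    bool fired = workerCx.enterZoneGroup(mainGroup);
    workerCx.leaveZoneGroup(workerGroup);
    mainCx.leaveZoneGroup(mainGroup);
    return ok && fired;
}

// Same scenario with the gate: creating the Debugger makes the runtime
// single-threaded, the hand-off parks main, and the worker, now the only
// running thread, is allowed into the main group. Returns true.
bool workerCanFireHookWithGate() {
    Runtime rt;
    Context mainCx(&rt), workerCx(&rt);
    ZoneGroup mainGroup, workerGroup;
    bool ok = mainCx.enterZoneGroup(mainGroup);
    ok = ok && rt.beginSingleThreadedExecution(&mainCx);  // new Debugger
    ok = ok && !workerCx.enterZoneGroup(workerGroup);     // worker is parked
    rt.yieldTo(&mainCx, &workerCx);                       // evalInCooperativeThread
    ok = ok && workerCx.enterZoneGroup(workerGroup);      // creates its global
    ok = ok && workerCx.enterZoneGroup(mainGroup);        // fireNewGlobalObject
    workerCx.leaveZoneGroup(mainGroup);
    workerCx.leaveZoneGroup(workerGroup);
    rt.yieldTo(&workerCx, &mainCx);
    rt.endSingleThreadedExecution(&mainCx);               // Debugger finalized
    mainCx.leaveZoneGroup(mainGroup);
    return ok;
}
```

The point of the model is the ordering: the gate is taken when the Debugger is created, before any cooperative thread can be started, so by the time the worker fires the hook it is provably the only thread executing and the cross-zone-group entry cannot race anyone. The asserts in endSingleThreadedExecution and the destructor are cheap and catch the unbalanced-call bugs that would otherwise leave the runtime permanently single-threaded or, worse, silently re-enable parallel execution while a Debugger is still alive.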
Updated (Assignee, 2 years ago)
Duplicate of this bug: 1342042
Updated (Assignee, 2 years ago)
Blocks: 1341317
Comment on attachment 8841220 [details] [diff] [review]
patch

Review of attachment 8841220 [details] [diff] [review]:
-----------------------------------------------------------------

::: js/src/vm/Runtime.cpp
@@ +406,5 @@
> +
> +void
> +JSRuntime::endSingleThreadedExecution(JSContext* cx)
> +{
> +    if (--singleThreadedExecutionRequired_ == 0) {
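Review bot: the decrement on the last line, `--singleThreadedExecutionRequired_`, runs with no check that the counter is non-zero, so an end call without a matching begin underflows the counter and the `== 0` branch that releases single-threaded execution is never reached again. Add `MOZ_ASSERT(singleThreadedExecutionRequired_ > 0);` before the `if`, and assert the counter is zero when the runtime is destroyed so that unmatched pairs are caught at teardown rather than going unnoticed.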

MOZ_ASSERT(singleThreadedExecutionRequired_ > 0); before this.

Also please assert singleThreadedExecutionRequired_ == 0 and !startingSingleThreadedExecution_ when we destroy the runtime? These asserts are great to catch unbalanced calls.
Attachment #8841220 - Flags: review?(jdemooij) → review+
Comment 5 (Reporter, 2 years ago)
NI on bhackett to land this; this and other bugs with evalInCooperativeThread are causing major problems in fuzzing.
Flags: needinfo?(bhackett1024)

Comment 6 (2 years ago)
Pushed by bhackett@mozilla.com:
https://hg.mozilla.org/integration/mozilla-inbound/rev/e297bafab4ae
Require runtimes to be single threaded when using a Debugger, r=jandem.

Comment 7 (2 years ago)
bugherder
https://hg.mozilla.org/mozilla-central/rev/e297bafab4ae
Status: NEW → RESOLVED
Closed: 2 years ago
Resolution: --- → FIXED
Target Milestone: --- → mozilla54
Updated (Assignee, 2 years ago)
Flags: needinfo?(bhackett1024)
Depends on: 1412298