Bug 1341321 (Closed)
Opened 7 years ago
Closed 7 years ago
Assertion failure: ownerContext().context() == nullptr, at js/src/gc/ZoneGroup.cpp:64 or Crash [@ js::AutoGeckoProfilerEntry::AutoGeckoProfilerEntry] with evalInCooperativeThread and Debugger
Categories: Core :: JavaScript Engine, defect
Status: RESOLVED FIXED
Target Milestone: mozilla54
Tracking
Release | Tracking | Status
---|---|---
firefox51 | --- | unaffected
firefox52 | --- | unaffected
firefox53 | --- | unaffected
firefox54 | --- | fixed
People: Reporter decoder, Assignee bhackett1024
Details: 4 keywords, Whiteboard: [jsbugmon:update,bisect]
Attachments (1 file): patch, 21.34 KB, jandem: review+
The following testcase crashes on mozilla-central revision d84beb192e57 (build with --enable-posix-nspr-emulation --enable-valgrind --enable-gczeal --disable-tests --enable-stdcxx-compat --disable-profiling --enable-debug --without-intl-api --enable-optimize --target=i686-pc-linux-gnu, run with --fuzzing-safe --ion-offthread-compile=off):

var dbg = new Debugger;
dbg.onNewGlobalObject = function(global) {};
evalInCooperativeThread("var x = 3");

Backtrace:

received signal SIGSEGV, Segmentation fault.
#0 0x089f1736 in js::ZoneGroup::enter (this=0xf7983000) at js/src/gc/ZoneGroup.cpp:64
#1 0x0855b1e1 in JSContext::enterZoneGroup (group=0xf7983000, this=0xf7953000) at js/src/jscntxtinlines.h:518
#2 JSContext::enterCompartment (this=0xf7953000, c=0xf7946000, maybeLock=0x0) at js/src/jscntxtinlines.h:447
#3 0x08659478 in JSContext::enterCompartmentOf<JSObject*> (this=0xf7953000, target=@0xf795280c: 0xf16710d0) at js/src/jscntxtinlines.h:458
#4 0x086d359a in js::AutoCompartment::AutoCompartment<JSObject*> (target=@0xf795280c: 0xf16710d0, cx=<optimized out>, this=0xf11fefb0) at js/src/jscompartmentinlines.h:43
#5 mozilla::Maybe<js::AutoCompartment>::emplace<JSContext*&, JSObject*>(JSContext*&, JSObject*&&) (this=this@entry=0xf11fefac) at /srv/jenkins/jobs/mozilla-central-build-jsshell/workspace/arch/32/compiler/gcc/sanitizer/none/type/debug/dist/include/mozilla/Maybe.h:461
#6 0x086f6cdf in js::Debugger::fireNewGlobalObject (this=0xf7952800, cx=0xf7953000, global=..., vp=...) at js/src/vm/Debugger.cpp:2165
#7 0x086f72c5 in js::Debugger::slowPathOnNewGlobalObject (cx=0xf7953000, global=...) at js/src/vm/Debugger.cpp:2239
#8 0x0854123f in js::Debugger::onNewGlobalObject (global=..., cx=0xf7953000) at js/src/vm/Debugger.h:1767
#9 JS_FireOnNewGlobalObject (cx=0xf7953000, global=...) at js/src/jsapi.cpp:1897
#10 0x08096091 in NewGlobalObject (cx=0xf7953000, options=..., principals=principals@entry=0x0) at js/src/shell/js.cpp:7455
#11 0x0809c99b in WorkerMain (arg=0xf1237790) at js/src/shell/js.cpp:3527
[...]
#15 0xf7cd94ce in clone () from /lib32/libc.so.6

eax 0x0 0
ebx 0x8cf7ff4 147816436
ecx 0xf7da4864 -136689564
edx 0x0 0
esi 0xf7983000 -141021184
edi 0xf7953000 -141217792
ebp 0xf11feea8 4045401768
esp 0xf11fee90 4045401744
eip 0x89f1736 <js::ZoneGroup::enter()+326>
=> 0x89f1736 <js::ZoneGroup::enter()+326>: movl $0x0,0x0
0x89f1740 <js::ZoneGroup::enter()+336>: ud2
Updated 7 years ago
status-firefox51: --- → unaffected
status-firefox52: --- → unaffected
status-firefox53: --- → unaffected
Comment 1 • 7 years ago (Reporter)
Still crashes, NI from bhackett.
Crash Signature: [@ js::AutoGeckoProfilerEntry::AutoGeckoProfilerEntry]
Flags: needinfo?(bhackett1024)
Summary: Assertion failure: ownerContext().context() == nullptr, at js/src/gc/ZoneGroup.cpp:64 with evalInCooperativeThread and Debugger → Assertion failure: ownerContext().context() == nullptr, at js/src/gc/ZoneGroup.cpp:64 or Crash [@ js::AutoGeckoProfilerEntry::AutoGeckoProfilerEntry] with evalInCooperativeThread and Debugger
Comment 2 • 7 years ago (Assignee)
Bug 1335095 added some checks that debuggers can only debug things in their own zone group, but we don't have ways to ensure that is the case and the API has multiple ways of permitting debuggers to observe behavior / debug content anywhere in the runtime. Fixing this will require API changes and it seems best for now (and maybe for good) to ensure that only one thread is operating at a time while debuggers are in use. This allows the debugger to have arbitrary cross zone group edges and to enter whatever groups it wants without fear of conflicts with another thread. I talked to Bill and an API like this shouldn't cause problems for Quantum DOM, which will have facilities for ensuring single threaded execution anyways when executing unlabeled runnables.
Assignee: nobody → bhackett1024
Flags: needinfo?(bhackett1024)
Attachment #8841220 - Flags: review?(jdemooij)
Comment 4 • 7 years ago
Comment on attachment 8841220 [details] [diff] [review]
patch

Review of attachment 8841220 [details] [diff] [review]:
-----------------------------------------------------------------

::: js/src/vm/Runtime.cpp @@ +406,5 @@ > + > +void > +JSRuntime::endSingleThreadedExecution(JSContext* cx) > +{ > + if (--singleThreadedExecutionRequired_ == 0) {

MOZ_ASSERT(singleThreadedExecutionRequired_ > 0); before this. Also please assert singleThreadedExecutionRequired_ == 0 and !startingSingleThreadedExecution_ when we destroy the runtime? These asserts are great to catch unbalanced calls.
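Review bot: the decrement in "if (--singleThreadedExecutionRequired_ == 0)" is a plain, unsynchronized update of runtime-wide state; it is race-free only because once the counter is nonzero single-threaded execution is already in force, so no other cooperative thread can reach endSingleThreadedExecution at the same time, and a comment on the member stating that invariant (next to the "> 0" assertion requested above) would record what the counter depends on. The cx parameter is also unused in the lines shown; if the rest of the body does not use it either, either drop it or assert that cx is the context currently holding the runtime, which gives the unbalanced-call asserts a second check for free.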
Attachment #8841220 - Flags: review?(jdemooij) → review+
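The scheme bhackett describes in comment 2 (force single-threaded execution while any Debugger exists, so the debugger may enter zone groups across cooperative threads), together with the balanced begin/end counter that the review above asks to assert on, as an added model in C++. This is not the patch's code and not SpiderMonkey's API: RuntimeModel, ContextModel, ZoneGroupModel, resume(), yield(), the borrow-and-restore ownership handling and the replayed testcase are all hypothetical, written to show why the worker's entry into the debugger's zone group is refused without the rule and permitted with it.

```cpp
#include <cassert>

// Hypothetical model (not SpiderMonkey's code) of the rule from comment 2: while
// any Debugger is alive the runtime requires single-threaded execution, so the
// one running context may enter a zone group that a yielded context still owns.
struct RuntimeModel {
    // Live-debugger count. begin/end must balance; the asserts mirror the review
    // request (assert > 0 before decrementing, assert == 0 at destruction).
    unsigned singleThreadedExecutionRequired_ = 0;
    unsigned runningContexts_ = 0;  // contexts currently executing JS

    ~RuntimeModel() { assert(singleThreadedExecutionRequired_ == 0); }
    bool singleThreaded() const { return singleThreadedExecutionRequired_ > 0; }
    void beginSingleThreadedExecution() { ++singleThreadedExecutionRequired_; }
    void endSingleThreadedExecution() {
        assert(singleThreadedExecutionRequired_ > 0);  // catches an unbalanced end
        --singleThreadedExecutionRequired_;
    }
};

struct ContextModel {
    RuntimeModel* rt;
    bool running = false;
    explicit ContextModel(RuntimeModel* r) : rt(r) {}
    // Cooperative scheduling: a context may start running unless single-threaded
    // mode is in effect and another context is already running.
    bool resume() {
        if (running) return true;
        if (rt->singleThreaded() && rt->runningContexts_ > 0) return false;
        running = true;
        ++rt->runningContexts_;
        return true;
    }
    void yield() {
        if (!running) return;
        running = false;
        --rt->runningContexts_;
    }
};

struct ZoneGroupModel {
    RuntimeModel* rt;
    ContextModel* owner = nullptr;       // context that currently owns the group
    unsigned enterCount = 0;
    ContextModel* savedOwner = nullptr;  // owner displaced by a single-threaded takeover
    unsigned savedCount = 0;
    explicit ZoneGroupModel(RuntimeModel* r) : rt(r) {}

    // Returns false where the real code asserts ownerContext().context() == nullptr:
    // another context owns the group and nothing rules out a race with it.
    bool enter(ContextModel* cx) {
        assert(cx->running);
        if (owner == cx) { ++enterCount; return true; }
        if (owner == nullptr) { owner = cx; enterCount = 1; return true; }
        if (rt->singleThreaded() && !owner->running) {
            // The owner has yielded and cannot resume while cx runs, so cx may
            // borrow the group; the owner's entry is restored when cx leaves.
            savedOwner = owner; savedCount = enterCount;
            owner = cx; enterCount = 1;
            return true;
        }
        return false;
    }
    void leave(ContextModel* cx) {
        assert(owner == cx && enterCount > 0);
        if (--enterCount == 0) {
            owner = savedOwner; enterCount = savedCount;
            savedOwner = nullptr; savedCount = 0;
        }
    }
};

// Replays the bug's testcase: the main context creates a Debugger while inside its
// own zone group, then yields to a cooperative worker whose new global fires
// onNewGlobalObject; the hook must enter the debugger's group from the worker.
// Returns whether that entry is permitted.
bool debuggerHookCrossesGroup(bool requireSingleThreaded) {
    RuntimeModel rt;
    ContextModel mainCx(&rt), workerCx(&rt);
    ZoneGroupModel debuggerGroup(&rt);

    mainCx.resume();
    debuggerGroup.enter(&mainCx);                                  // main stays in its compartment
    if (requireSingleThreaded) rt.beginSingleThreadedExecution();  // new Debugger
    mainCx.yield();                                                // evalInCooperativeThread hands off
    bool workerRuns = workerCx.resume();
    assert(workerRuns);
    bool hookOk = debuggerGroup.enter(&workerCx);                  // Debugger::fireNewGlobalObject
    if (hookOk) debuggerGroup.leave(&workerCx);
    workerCx.yield();
    mainCx.resume();
    debuggerGroup.leave(&mainCx);
    if (requireSingleThreaded) rt.endSingleThreadedExecution();    // Debugger collected
    return hookOk;
}

// With a Debugger alive, a second context cannot run until the first yields.
bool secondContextBlockedWhileDebugging() {
    RuntimeModel rt;
    ContextModel mainCx(&rt), workerCx(&rt);
    mainCx.resume();
    rt.beginSingleThreadedExecution();
    bool blocked = !workerCx.resume();
    mainCx.yield();
    bool runsAfterYield = workerCx.resume();
    workerCx.yield();
    rt.endSingleThreadedExecution();
    return blocked && runsAfterYield;
}
```

enter() returns false where the engine asserts, so the model stays testable: debuggerHookCrossesGroup(false) reproduces the refused cross-thread entry behind this bug, debuggerHookCrossesGroup(true) shows the same hook succeeding once the runtime is held single-threaded, and the destructor assert on the counter is what turns a missing endSingleThreadedExecution() into an immediate failure rather than a runtime that silently stays single-threaded.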
Comment 5 • 7 years ago (Reporter)
NI on bhackett to land this; this and other bugs with evalInCooperativeThread are causing major problems in fuzzing.
Flags: needinfo?(bhackett1024)
Pushed by bhackett@mozilla.com:
https://hg.mozilla.org/integration/mozilla-inbound/rev/e297bafab4ae
Require runtimes to be single threaded when using a Debugger, r=jandem.
Comment 7 • 7 years ago (bugherder)
https://hg.mozilla.org/mozilla-central/rev/e297bafab4ae
Status: NEW → RESOLVED
Closed: 7 years ago
Resolution: --- → FIXED
Target Milestone: --- → mozilla54
Updated 7 years ago (Assignee)
Flags: needinfo?(bhackett1024)