1411947 - Crash [@ mozilla::detail::MutexImpl::lock] with evalInCooperativeThread and offThreadCompileScript

Status: RESOLVED FIXED

(Core :: JavaScript Engine, defect, P1)

Description

[Christian Holler (:decoder)]

The following testcase crashes on mozilla-central revision e56ae7213756 (build with --enable-posix-nspr-emulation --enable-valgrind --enable-gczeal --disable-tests --enable-stdcxx-compat --disable-profiling --disable-debug --without-intl-api --enable-optimize --target=i686-pc-linux-gnu --enable-simulator=arm, run with --fuzzing-safe):

evalInCooperativeThread(`
startgc(9469, "shrinking");
offThreadCompileScript("");
`);


Backtrace:

received signal SIGSEGV, Segmentation fault.
[Switching to Thread 0xf6360b40 (LWP 12077)]
mozilla::detail::MutexImpl::lock (this=0xf79771f4) at mozglue/misc/Mutex_posix.cpp:74
#0  mozilla::detail::MutexImpl::lock (this=0xf79771f4) at mozglue/misc/Mutex_posix.cpp:74
#1  0x08088317 in js::LockGuard<js::Mutex>::LockGuard (aLock=..., this=<synthetic pointer>) at js/src/threading/LockGuard.h:25
#2  js::AutoLockMonitor::AutoLockMonitor (monitor=..., this=<synthetic pointer>) at js/src/vm/Monitor.h:47
#3  js::shell::OffThreadState::markDone (newToken=0xf51fb890, this=0xf79771f4) at js/src/shell/js.cpp:253
#4  OffThreadCompileScriptCallback (token=0xf51fb890, callbackData=0xf79770b0) at js/src/shell/js.cpp:4460
#5  0x08596dc3 in js::HelperThread::handleParseWorkload (this=0xf795f550, locked=...) at js/src/vm/HelperThreads.cpp:2010
#6  0x08597875 in js::HelperThread::threadLoop (this=0xf795f550) at js/src/vm/HelperThreads.cpp:2304
#7  0x0859a7c9 in js::detail::ThreadTrampoline<void (&)(void*), js::HelperThread*>::callMain<0u> (this=0xf791e088) at js/src/threading/Thread.h:239
#8  js::detail::ThreadTrampoline<void (&)(void*), js::HelperThread*>::Start (aPack=0xf791e088) at js/src/threading/Thread.h:232
#9  0xf7fb228a in start_thread (arg=0xf6360b40) at pthread_create.c:333
#10 0xf7cd94ce in clone () from /lib32/libc.so.6
eax	0x8ae06d4	145622740
ebx	0x8adeff4	145616884
ecx	0x0	0
edx	0x87eef04	142536452
esi	0x16	22
edi	0xf79771f4	-141069836
ebp	0xf6360184	4130734468
esp	0xf635fdf0	4130733552
eip	0x80b032c <mozilla::detail::MutexImpl::lock()+76>
=> 0x80b032c <mozilla::detail::MutexImpl::lock()+76>:	movl   $0x0,0x0
   0x80b0336 <mozilla::detail::MutexImpl::lock()+86>:	ud2

Comment 1

[Christian Holler (:decoder)]

Fuzzblocker, this blocks testing evalInCooperativeThread.

Comment 2

[Christian Holler (:decoder)]

See comment 1.

Comment 3

[Jan de Mooij [:jandem]]

The problem seems to be that we create a ShellContext for a cooperative thread, trigger an off-thread parse, then we destroy the ShellContext before the parsing is done. Then we call OffThreadState::markDone and crash.

It seems that maybe OffThreadState shouldn't be in ShellContext but in a new ShellRuntime or something. Or maybe we can pass the context of the first thread?

Comment 4

[Brian Hackett [Laid off!]]

Attachment: patch

There isn't a notion of per-runtime private data AFAICT, and rather than making this code even more complicated it seems better to just back out bug 1296016 and add a filter to OffThreadState so that parses can only be finished on threads associated with the runtime which started them.

Comment 5

[Jan de Mooij [:jandem]]

Comment on attachment 8923423 [details] [diff] [review]
patch

Review of attachment 8923423 [details] [diff] [review]:
-----------------------------------------------------------------

::: js/src/shell/js.cpp
@@ +208,5 @@
> +
> +  public:
> +    OffThreadState()
> +      : monitor(mutexid::ShellOffThreadState),
> +        state(IDLE),

Please add |runtime(nullptr),| here

Comment 6

[Pulsebot]

Pushed by bhackett@mozilla.com:
https://hg.mozilla.org/integration/mozilla-inbound/rev/cc4275f8755c
Move OffThreadState from per-context to global JS shell state, r=jandem.

Comment 7

[Sebastian Hengst [:aryx] (needinfo me if it's about an intermittent or backout)]

https://hg.mozilla.org/mozilla-central/rev/cc4275f8755c