Closed Bug 1412298 Opened 2 years ago Closed 2 years ago

Crash [@ JS_NewGlobalObject] or Crash [@ JSRuntime::isSelfHostingCompartment] Assertion failure: childRuntimeCount == 0, at vm/Runtime.cpp:277

Categories

(Core :: JavaScript Engine, defect, P1, critical)

x86_64
Linux
defect

Tracking


RESOLVED FIXED
mozilla58
Tracking Status
firefox-esr52 --- unaffected
firefox56 --- wontfix
firefox57 --- wontfix
firefox58 --- fixed

People

(Reporter: decoder, Assigned: bhackett)

References

(Blocks 1 open bug)

Details

(5 keywords, Whiteboard: [fuzzblocker] [jsbugmon:update])

Crash Data

Attachments

(1 file)

The following testcase crashes on mozilla-central revision d734e6acf777 (build with --enable-posix-nspr-emulation --enable-valgrind --enable-gczeal --disable-tests --enable-stdcxx-compat --disable-profiling --disable-debug --enable-optimize, run with --fuzzing-safe --cpu-count=2 --disable-oom-functions --ion-extra-checks --ion-eager):

evalInCooperativeThread(`
      const dbg = new Debugger();
      evalInWorker("");
`);


Backtrace:

Program terminated with signal SIGSEGV, Segmentation fault.

#0  JS_NewGlobalObject (cx=cx@entry=0x7f6a5624a000, clasp=clasp@entry=0x1af58e0 <global_class>, principals=principals@entry=0x0, hookOption=hookOption@entry=JS::DontFireOnNewGlobalHook, options=...) at js/src/jsapi.cpp:1968
#1  0x000000000045e80f in NewGlobalObject (cx=cx@entry=0x7f6a5624a000, options=..., principals=principals@entry=0x0) at js/src/shell/js.cpp:7938
#2  0x000000000045f81f in WorkerMain (arg=0x7f6a5601b6a0) at js/src/shell/js.cpp:3597
#3  0x0000000000464e1a in js::detail::ThreadTrampoline<void (&)(void*), WorkerInput*&>::callMain<0ul> (this=0x7f6a57a1e1f0) at js/src/threading/Thread.h:239
#4  js::detail::ThreadTrampoline<void (&)(void*), WorkerInput*&>::Start (aPack=0x7f6a57a1e1f0) at js/src/threading/Thread.h:232
#5  0x00007f6a58d0c6fa in start_thread (arg=0x7f6a55dde700) at pthread_create.c:333
#6  0x00007f6a57d83b5d in clone () at ../sysdeps/unix/sysv/linux/x86_64/clone.S:109
rax	0x1b6bb40	28752704
rbx	0x7f6a5624a000	140094688501760
rcx	0x1	1
rdx	0xe2b628	14857768
rsi	0x1af58e0	28268768
rdi	0x7f6a5624a000	140094688501760
rbp	0x7f6a5624a020	140094688501792
rsp	0x7f6a55dddc08	140094683864072
r8	0x7f6a55ddddc0	140094683864512
r9	0x7f6a57a25000	140094713516032
r10	0x1	1
r11	0x206	518
r12	0x7f6a55ddddc0	140094683864512
r13	0x7f6a5601b6a0	140094686213792
r14	0xf	15
r15	0x33	51
rip	0x8008b1 <JS_NewGlobalObject(JSContext*, JSClass const*, JSPrincipals*, JS::OnNewGlobalHookOption, JS::CompartmentOptions const&)+49>
=> 0x8008b1 <JS_NewGlobalObject(JSContext*, JSClass const*, JSPrincipals*, JS::OnNewGlobalHookOption, JS::CompartmentOptions const&)+49>:	movl   $0x0,0x0
   0x8008bc <JS_NewGlobalObject(JSContext*, JSClass const*, JSPrincipals*, JS::OnNewGlobalHookOption, JS::CompartmentOptions const&)+60>:	ud2
Whiteboard: [jsbugmon:update,bisect][fuzzblocker] → [fuzzblocker] [jsbugmon:update]
JSBugMon: Bisection requested, result:
autoBisect shows this is probably related to the following changeset:

The first bad revision is:
changeset:   https://hg.mozilla.org/mozilla-central/rev/e297bafab4ae
user:        Brian Hackett
date:        Wed Mar 01 07:15:50 2017 -0700
summary:     Bug 1341321 - Require runtimes to be single threaded when using a Debugger, r=jandem.

This iteration took 219.639 seconds to run.
Brian, is bug 1341321 a likely regressor?
Blocks: 1341321
Flags: needinfo?(bhackett1024)
Attached patch: patch
When shutting down, the shell's main thread waits for worker threads to exit, then yields until all other cooperative threads exit.  Since cooperative threads can spawn worker threads --- but not the other way around --- the order of these should be reversed.
Assignee: nobody → bhackett1024
Flags: needinfo?(bhackett1024)
Attachment #8923356 - Flags: review?(jdemooij)
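The shutdown-ordering problem described in the patch comment above, as an added example that is not SpiderMonkey's or the JS shell's code: a hypothetical C++ model in which cooperative threads only run while the main thread yields to them and may spawn worker threads (as evalInWorker does inside evalInCooperativeThread), while workers never spawn cooperative threads. shutdownLeaks(false) performs the original order, joining workers before yielding, and reports a worker that was spawned after the join and would therefore run against a runtime already being torn down; shutdownLeaks(true) performs the patched order and reports none. ShellModel, spawnWorker, cooperativeBody, joinWorkers, yieldUntilCooperativeDone and unjoinedWorkers are assumed names for this model, not shell APIs.

```cpp
// Hypothetical model of the JS shell's shutdown ordering (added example, not
// SpiderMonkey code).  Cooperative threads run only while the main thread
// yields; a cooperative thread may spawn a worker, but a worker never spawns a
// cooperative thread.
#include <condition_variable>
#include <cstdio>
#include <mutex>
#include <thread>
#include <vector>

struct ShellModel {
    std::mutex m;
    std::condition_variable cv;
    std::vector<std::thread> workers;   // spawned but not yet joined
    int cooperativeAlive = 0;           // cooperative threads still running
    bool mainYielded = false;           // main thread has yielded to them

    // Models evalInWorker(): callable from a cooperative thread.
    void spawnWorker() {
        std::lock_guard<std::mutex> lk(m);
        workers.emplace_back([] { /* worker would create a global and run */ });
    }

    // Models the cooperative thread: it runs only after main yields and spawns
    // a worker just before exiting, like the reporter's testcase.
    void cooperativeBody() {
        {
            std::unique_lock<std::mutex> lk(m);
            cv.wait(lk, [this] { return mainYielded; });
        }
        spawnWorker();
        {
            std::lock_guard<std::mutex> lk(m);
            --cooperativeAlive;
        }
        cv.notify_all();
    }

    // Main thread: join every worker registered so far (never holds the lock
    // while joining, since workers may need it).
    void joinWorkers() {
        for (;;) {
            std::vector<std::thread> batch;
            {
                std::lock_guard<std::mutex> lk(m);
                batch.swap(workers);
            }
            if (batch.empty()) return;
            for (auto& t : batch) t.join();
        }
    }

    // Main thread: yield until no cooperative thread remains.
    void yieldUntilCooperativeDone() {
        std::unique_lock<std::mutex> lk(m);
        mainYielded = true;
        cv.notify_all();
        cv.wait(lk, [this] { return cooperativeAlive == 0; });
    }

    // Workers that would still exist when the runtime is torn down.
    int unjoinedWorkers() {
        std::lock_guard<std::mutex> lk(m);
        return static_cast<int>(workers.size());
    }
};

// Returns how many workers outlive the point where the runtime would be destroyed.
int shutdownLeaks(bool cooperativeFirst) {
    ShellModel s;
    s.cooperativeAlive = 1;
    std::thread coop(&ShellModel::cooperativeBody, &s);

    int leaked;
    if (cooperativeFirst) {              // patched order
        s.yieldUntilCooperativeDone();   // cooperative thread runs, spawns, exits
        s.joinWorkers();                 // the late worker is joined here
        leaked = s.unjoinedWorkers();
    } else {                             // original order
        s.joinWorkers();                 // nothing registered yet
        s.yieldUntilCooperativeDone();   // cooperative thread spawns a worker now
        leaked = s.unjoinedWorkers();    // that worker is still running
        s.joinWorkers();                 // clean up so the model terminates
    }
    coop.join();
    return leaked;
}

int main() {
    std::printf("workers first (original): %d worker(s) outlive teardown\n", shutdownLeaks(false));
    std::printf("cooperative first (patched): %d worker(s) outlive teardown\n", shutdownLeaks(true));
    return 0;
}
```

The model is deterministic because the cooperative thread cannot spawn anything until the main thread sets mainYielded, which is exactly the "yield" step the patch moves ahead of the worker join; the leaked worker in the original order corresponds to WorkerMain reaching JS_NewGlobalObject in the backtrace above after the main thread has already passed its worker-join step.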
Priority: -- → P3
Priority: P3 → P1
Attachment #8923356 - Flags: review?(jdemooij) → review+
Pushed by bhackett@mozilla.com:
https://hg.mozilla.org/integration/mozilla-inbound/rev/33134954c638
Wait for cooperative threads before worker threads when shutting down the JS shell, r=jandem.
https://hg.mozilla.org/mozilla-central/rev/33134954c638
Status: NEW → RESOLVED
Closed: 2 years ago
Resolution: --- → FIXED
Target Milestone: --- → mozilla58