Closed Bug 1414840 Opened 2 years ago Closed 2 years ago

Assertion failure: CurrentThreadCanAccessRuntime(cx->runtime()), at js/src/threading/ProtectedData.cpp:47 with evalInCooperativeThread

Categories

(Core :: JavaScript Engine, defect, P1, critical)

x86
Linux
defect

Tracking

RESOLVED FIXED
mozilla59
Tracking Status
firefox-esr52 --- unaffected
firefox57 --- wontfix
firefox58 --- wontfix
firefox59 --- fixed

People

(Reporter: decoder, Assigned: bhackett)

References

(Blocks 1 open bug)

Details

(4 keywords, Whiteboard: [jsbugmon:update,bisect])

Attachments

(1 file)

The following testcase crashes on mozilla-central revision 4e6df5159df3 (build with --enable-posix-nspr-emulation --enable-valgrind --enable-gczeal --disable-tests --enable-stdcxx-compat --disable-profiling --enable-debug --without-intl-api --enable-optimize --target=i686-pc-linux-gnu, run with --fuzzing-safe --cpu-count=2 --ion-check-range-analysis --ion-offthread-compile=off):

try {
    function enterFunc(funcName) {}
    test();
    function test()
    enterFunc(new ArrayBuffer(512 * 1024) << (this) < (this) == (this) == (1) & test());
} catch (exc) {}
evalInCooperativeThread("");


Backtrace:

received signal SIGSEGV, Segmentation fault.
0x086d1b0e in js::CheckThreadLocal::check (this=0xf791d074) at js/src/threading/ProtectedData.cpp:47
#0  0x086d1b0e in js::CheckThreadLocal::check (this=0xf791d074) at js/src/threading/ProtectedData.cpp:47
#1  0x085cba2a in js::ProtectedData<js::CheckThreadLocal, js::HelperThread*>::ref (this=0xf791d070) at js/src/threading/ProtectedData.h:109
#2  0x0807601b in js::ProtectedData<js::CheckThreadLocal, js::HelperThread*>::operator js::HelperThread* const& (this=0xf791d070) at js/src/threading/ProtectedData.h:81
#3  JSContext::helperThread (this=0xf791d000) at js/src/jscntxt.h:226
#4  js::ReportOutOfMemory (cx=0xf791d000) at js/src/jscntxt.cpp:367
#5  0x080ac950 in EvalInThread (cx=0xf791d000, argc=<optimized out>, vp=<optimized out>, cooperative=true) at js/src/shell/js.cpp:3752
#6  0x0818e579 in js::CallJSNative (cx=0xf791d000, native=0x80accb0 <EvalInCooperativeThread(JSContext*, unsigned int, JS::Value*)>, args=...) at js/src/jscntxtinlines.h:291
#7  0x0818355d in js::InternalCallOrConstruct (cx=0xf791d000, args=..., construct=js::NO_CONSTRUCT) at js/src/vm/Interpreter.cpp:472
#8  0x0818391f in InternalCall (cx=0xf791d000, args=...) at js/src/vm/Interpreter.cpp:521
#9  0x08177754 in js::CallFromStack (args=..., cx=<optimized out>) at js/src/vm/Interpreter.cpp:527
#10 Interpret (cx=0xf791d000, state=...) at js/src/vm/Interpreter.cpp:3061
[...]
#20 main (argc=6, argv=0xffffcda4, envp=0xffffcdc0) at js/src/shell/js.cpp:8962
eax	0x0	0
ebx	0x8db3ff4	148586484
ecx	0xf7da4864	-136689564
edx	0x0	0
esi	0x8db3ff4	148586484
edi	0x0	0
ebp	0xffffc088	4294951048
esp	0xffffc080	4294951040
eip	0x86d1b0e <js::CheckThreadLocal::check() const+190>
=> 0x86d1b0e <js::CheckThreadLocal::check() const+190>:	movl   $0x0,0x0
   0x86d1b18 <js::CheckThreadLocal::check() const+200>:	ud2
Flags: needinfo?(bhackett1024)
Priority: -- → P1
Attached patch: patch
This should fix the problem.  The shell harness tries to recover from OOM if spawning a new cooperative thread fails, but at this point the running thread has already yielded control of the runtime.  It seems better to just crash if this operation fails.
Assignee: nobody → bhackett1024
Flags: needinfo?(bhackett1024)
Attachment #8934168 - Flags: review?(jdemooij)
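The ownership rule behind the assertion, shown as an added C++ model that is not SpiderMonkey code: `Runtime`, `Outcome` and this `evalInCooperativeThread` are hypothetical stand-ins. The model follows the comment above: the calling thread yields the runtime before the cooperative thread exists, so an error path that then reports OOM touches state it no longer owns (the `CurrentThreadCanAccessRuntime` check fails), whereas the fixed path gives up without touching the runtime.

```cpp
#include <atomic>
#include <thread>

// Hypothetical stand-in for a JS runtime: its state may only be touched by
// the thread that currently holds it (the rule ProtectedData enforces).
class Runtime {
public:
    Runtime() : owner_(std::this_thread::get_id()) {}

    // Analogue of CurrentThreadCanAccessRuntime().
    bool currentThreadCanAccess() const {
        return owner_.load() == std::this_thread::get_id();
    }

    // Hand the runtime over; nobody owns it until another thread takes it.
    void yield() { owner_.store(std::thread::id()); }
    // Claim the runtime on the calling thread.
    void take() { owner_.store(std::this_thread::get_id()); }

    // Analogue of js::ReportOutOfMemory: writes protected runtime state.
    // Returns false where the real code would hit the assertion in
    // CheckThreadLocal::check(), so the violation can be observed in a test.
    bool reportOutOfMemory() {
        if (!currentThreadCanAccess()) return false;
        ++oomReports_;
        return true;
    }
    int oomReports() const { return oomReports_; }

private:
    std::atomic<std::thread::id> owner_;
    int oomReports_ = 0;
};

enum class Outcome { Ran, AccessViolation, FatalCrash };

// Models the shell's evalInCooperativeThread. `spawnFails` stands in for
// thread creation failing (e.g. out of memory); `recoverFromOOM` selects the
// original behaviour (report OOM and carry on) or the fixed one (crash).
Outcome evalInCooperativeThread(Runtime& rt, bool spawnFails, bool recoverFromOOM) {
    // The calling thread has already yielded the runtime by the time the
    // spawn result is known.
    rt.yield();

    if (spawnFails) {
        if (recoverFromOOM) {
            // Original path: ReportOutOfMemory touches runtime state that this
            // thread no longer owns, which is exactly the assertion failure.
            return rt.reportOutOfMemory() ? Outcome::Ran : Outcome::AccessViolation;
        }
        // Fixed path: nothing can be done safely from here, so the real code
        // crashes. Modelled as a return value instead of abort() for testing.
        return Outcome::FatalCrash;
    }

    std::thread worker([&rt] {
        rt.take();   // the cooperative thread now owns the runtime
        // ... script evaluation would happen here ...
        rt.yield();  // and hands it back when done
    });
    worker.join();
    rt.take();       // the original thread resumes ownership
    return Outcome::Ran;
}
```

Running the three paths makes the point concrete: a successful spawn transfers ownership and returns it, the recovery path trips the access check without ever recording the OOM, and the fixed path reaches the crash without touching the runtime at all.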
Attachment #8934168 - Flags: review?(jdemooij) → review+
Pushed by bhackett@mozilla.com:
https://hg.mozilla.org/integration/mozilla-inbound/rev/dccbf5550854
Don't try to recover from OOM when creating cooperative threads in the shell, r=jandem.
https://hg.mozilla.org/mozilla-central/rev/dccbf5550854
Status: NEW → RESOLVED
Closed: 2 years ago
Resolution: --- → FIXED
Target Milestone: --- → mozilla59