Closed
Bug 1433013
Opened 6 years ago
Closed 6 years ago
Hit MOZ_CRASH(Invalid ParseTask token) at js/src/vm/HelperThreads.cpp:1557
Categories
(Core :: JavaScript Engine, defect)
Tracking
()
RESOLVED
FIXED
mozilla60
| Tracking | Status | |
|---|---|---|
| firefox-esr52 | --- | unaffected |
| firefox58 | --- | unaffected |
| firefox59 | --- | unaffected |
| firefox60 | --- | fixed |
People
(Reporter: gkw, Assigned: jonco)
References
Details
(Keywords: bugmon, crash, testcase, Whiteboard: [jsbugmon:update])
Attachments
(2 files)
|
28.12 KB,
text/plain
|
Details | |
|
2.57 KB,
patch
|
luke
:
review+
|
Details | Diff | Splinter Review |
The following testcase crashes on mozilla-central revision 32b850fa28ae (build with --enable-debug, run with --fuzzing-safe --ion-offthread-compile=off --ion-eager):
// jsfunfuzz-generated
offThreadCompileScript("");
// Adapted from randomly chosen test: js/src/jit-test/tests/basic/cooperative-threading-interrupt.js
evalInCooperativeThread("");
// jsfunfuzz-generated
runOffThreadScript();
This seemingly crashes opt shells as well, but likely merely at null.
Backtrace:
#0 0x000055ec4ef98e4b in js::GlobalHelperThreadState::removeFinishedParseTask (this=this@entry=0x7f1e38606400, kind=kind@entry=js::ParseTaskKind::Script, token=0x7f1e369ea800, token@entry=0x0) at js/src/vm/HelperThreads.cpp:1557
#1 0x000055ec4efa50ab in js::GlobalHelperThreadState::finishParseTask<js::GlobalHelperThreadState::finishParseTask(JSContext*, js::ParseTaskKind, void*)::<lambda(js::ParseTask*)> > (finishCallback=..., token=0x0, kind=js::ParseTaskKind::Script, cx=0x7f1e38616000, this=0x7f1e38606400) at js/src/vm/HelperThreads.cpp:1566
#2 js::GlobalHelperThreadState::finishParseTask (this=0x7f1e38606400, cx=0x7f1e38616000, kind=kind@entry=js::ParseTaskKind::Script, token=<optimized out>) at js/src/vm/HelperThreads.cpp:1616
#3 0x000055ec4efa55c3 in js::GlobalHelperThreadState::finishScriptParseTask (this=<optimized out>, cx=<optimized out>, token=<optimized out>) at js/src/vm/HelperThreads.cpp:1676
#4 0x000055ec4e8116c3 in runOffThreadScript (cx=0x7f1e38616000, argc=<optimized out>, vp=<optimized out>) at js/src/shell/js.cpp:4761
#5 0x000055ec4e93d8dd in js::CallJSNative (cx=0x7f1e38616000, native=0x55ec4e811630 <runOffThreadScript(JSContext*, unsigned int, JS::Value*)>, args=...) at js/src/jscntxtinlines.h:291
/snip
For detailed crash information, see attachment.
|
Reporter | |
Comment 1•6 years ago
|
||
|
|
Reporter | |
Comment 2•6 years ago
|
||
autoBisect shows this is probably related to the following changeset: The first bad revision is: changeset: https://hg.mozilla.org/mozilla-central/rev/467d285e001c user: Jon Coppeard date: Tue Jan 23 10:36:35 2018 +0000 summary: Bug 1431353 - Regoranise the shell interface to off-thread parsing to allow concurrent off-thread parse jobs r=luke Jon, is bug 1431353 a likely regressor?
Flags: needinfo?(jcoppeard)
|
Assignee | |
Updated•6 years ago
|
Assignee: nobody → jcoppeard
Flags: needinfo?(jcoppeard)
|
|
Assignee | |
Comment 3•6 years ago
|
||
The problem here is that I was cancelling all parse tasks for the runtime when a worker thread terminates. This changes it to just wait for the takes associated with the current context (there's not API to specifically cancel jobs per context).
Attachment #8945397 -
Flags: review?(luke)
|
|
||
Updated•6 years ago
|
Attachment #8945397 -
Flags: review?(luke) → review+
Pushed by jcoppeard@mozilla.com: https://hg.mozilla.org/integration/mozilla-inbound/rev/df2586dc442d Only cancel off-thread jobs for the current context when a worker thread exits r=luke
|
||
Comment 5•6 years ago
|
||
| bugherder | ||
https://hg.mozilla.org/mozilla-central/rev/df2586dc442d
Status: NEW → RESOLVED
Closed: 6 years ago
Resolution: --- → FIXED
Target Milestone: --- → mozilla60
|
||
Updated•6 years ago
|
status-firefox58:
--- → unaffected
status-firefox59:
--- → unaffected
status-firefox-esr52:
--- → unaffected
You need to log in
before you can comment on or make changes to this bug.
Description
•