Assertion failure: state != RUNNING, at js/src/shell/js.cpp:400

RESOLVED FIXED in Firefox 60

Status


defect
--
critical
RESOLVED FIXED
2 years ago
2 years ago

People

(Reporter: gkw, Assigned: jonco)

Tracking

(Blocks 2 bugs, {assertion, jsbugmon, testcase})

Trunk
mozilla60
x86_64
Linux
Points:
---

Firefox Tracking Flags

(firefox-esr52 unaffected, firefox58 unaffected, firefox59 unaffected, firefox60 fixed)

Details

(Whiteboard: [jsbugmon:update])

Attachments

(2 attachments)

The following testcase crashes on mozilla-central revision 32b850fa28ae (build with --enable-debug, run with --fuzzing-safe --no-baseline --no-ion):

// jsfunfuzz-generated
with(options('strict')) {}
// Adapted from randomly chosen test: js/src/jit-test/tests/gc/oomInOffTheadCompile.js
evaluate(`
    oomTest(() => {
        offThreadCompileScript("");
    });`, {
    compileAndGo: true
})

Backtrace:

#0  js::shell::OffThreadJob::~OffThreadJob (this=0x7ffffb68c3d0, __in_chrg=<optimized out>) at /home/winworklin/trees/mozilla-central/js/src/shell/js.cpp:400
#1  js_delete<js::shell::OffThreadJob> (p=0x7ffffb68c3d0)
    at /home/winworklin/shell-cache/js-dbg-64-linux-32b850fa28ae/objdir-js/dist/include/js/Utility.h:540
#2  JS::DeletePolicy<js::shell::OffThreadJob>::operator() (this=<optimized out>, ptr=0x7ffffb68c3d0)
    at /home/winworklin/shell-cache/js-dbg-64-linux-32b850fa28ae/objdir-js/dist/include/js/Utility.h:642
#3  mozilla::UniquePtr<js::shell::OffThreadJob, JS::DeletePolicy<js::shell::OffThreadJob> >::reset (aPtr=0x0, this=<synthetic pointer>)
    at /home/winworklin/shell-cache/js-dbg-64-linux-32b850fa28ae/objdir-js/dist/include/mozilla/UniquePtr.h:343
#4  mozilla::UniquePtr<js::shell::OffThreadJob, JS::DeletePolicy<js::shell::OffThreadJob> >::~UniquePtr (this=<synthetic pointer>, __in_chrg=<optimized out>)
    at /home/winworklin/shell-cache/js-dbg-64-linux-32b850fa28ae/objdir-js/dist/include/mozilla/UniquePtr.h:288
#5  NewOffThreadJob(JSContext *, js::shell::ScriptKind, <unknown type in /home/winworklin/shell-cache/js-dbg-64-linux-32b850fa28ae/js-dbg-64-linux-32b850fa28ae, CU 0x0, DIE 0x23b826>) (cx=0x7ffffd416000, kind=kind@entry=js::shell::ScriptKind::Script, 
    source=source@entry=<unknown type in /home/winworklin/shell-cache/js-dbg-64-linux-32b850fa28ae/js-dbg-64-linux-32b850fa28ae, CU 0x0, DIE 0x23b826>)
    at /home/winworklin/trees/mozilla-central/js/src/shell/js.cpp:269
/snip

For detailed crash information, see attachment.
autoBisect shows this is probably related to the following changeset:

The first bad revision is:
changeset:   https://hg.mozilla.org/mozilla-central/rev/467d285e001c
user:        Jon Coppeard
date:        Tue Jan 23 10:36:35 2018 +0000
summary:     Bug 1431353 - Regoranise the shell interface to off-thread parsing to allow concurrent off-thread parse jobs r=luke

Jon, is bug 1431353 a likely regressor?
Blocks: 1431353
Flags: needinfo?(jcoppeard)
Assignee: nobody → jcoppeard
Flags: needinfo?(jcoppeard)
We just need to cancel the job if we fail to add it to the context's job list so that the states are as expected.
Attachment #8945401 - Flags: review?(luke)
Attachment #8945401 - Flags: review?(luke) → review+
Pushed by jcoppeard@mozilla.com:
https://hg.mozilla.org/integration/mozilla-inbound/rev/dba07e79c9a9
Cancel off thread job if we fail to append it to job list r=luke
https://hg.mozilla.org/mozilla-central/rev/dba07e79c9a9
https://hg.mozilla.org/mozilla-central/rev/2115f173c005
Status: NEW → RESOLVED
Closed: 2 years ago
Resolution: --- → FIXED
Target Milestone: --- → mozilla60
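The fix comment above describes the defect in one line: if the freshly created job cannot be appended to the context's job list (the `oomTest` path in the testcase), the owning `UniquePtr` destroys it while it is still in its initial running state, and the destructor's `state != RUNNING` check fires. The following is an added C++ model of that state machine and of the "cancel on append failure" fix; it is not SpiderMonkey's own code, and the class, enum, `ShellContext` and function names are assumptions made for this example. The destructor records the violation in a counter rather than aborting so both variants can be run side by side.

```cpp
// Added illustration (not the SpiderMonkey shell's own code): a minimal model of
// an off-thread job whose destructor checks it is no longer running, and of the
// "append to job list failed" path that tripped the assertion in this bug.
// All names and states here are assumptions for the example.
#include <cassert>
#include <cstdio>
#include <memory>
#include <vector>

enum class JobState { RUNNING, DONE, CANCELLED };

// Counts destructor runs that would have hit "state != RUNNING" in the real
// shell; recorded instead of aborting so the model can be exercised in a test.
static int g_destroyedWhileRunning = 0;

class OffThreadJob {
public:
  OffThreadJob() : state_(JobState::RUNNING) {}
  ~OffThreadJob() {
    // The real shell asserts here; this model records the violation instead.
    if (state_ == JobState::RUNNING)
      ++g_destroyedWhileRunning;
  }
  void cancel() { state_ = JobState::CANCELLED; }
  void markDone() { state_ = JobState::DONE; }
  JobState state() const { return state_; }
private:
  JobState state_;
};

struct ShellContext {
  std::vector<OffThreadJob*> offThreadJobs;  // non-owning list, as in the shell
  bool simulateOOM = false;                  // stands in for oomTest() failures
  bool append(OffThreadJob* job) {
    if (simulateOOM) return false;           // allocation failure on push_back
    offThreadJobs.push_back(job);
    return true;
  }
};

// Before the fix: when append() fails, the unique_ptr goes out of scope while
// the job is still RUNNING, so the destructor's state check fires.
OffThreadJob* newOffThreadJobBuggy(ShellContext& sc) {
  std::unique_ptr<OffThreadJob> job(new OffThreadJob());
  if (!sc.append(job.get()))
    return nullptr;            // job destroyed here in RUNNING state
  return job.release();
}

// After the fix ("cancel the job if we fail to add it to the context's job
// list"): move the job to a terminal state before it is freed.
OffThreadJob* newOffThreadJobFixed(ShellContext& sc) {
  std::unique_ptr<OffThreadJob> job(new OffThreadJob());
  if (!sc.append(job.get())) {
    job->cancel();             // destructor now sees CANCELLED, not RUNNING
    return nullptr;
  }
  return job.release();
}

// Drives the append-failure path through one variant and returns how many
// destructor state violations it produced (1 for buggy, 0 for fixed).
int violationsOnAppendFailure(bool useFix) {
  g_destroyedWhileRunning = 0;
  ShellContext sc;
  sc.simulateOOM = true;
  OffThreadJob* job = useFix ? newOffThreadJobFixed(sc)
                             : newOffThreadJobBuggy(sc);
  assert(job == nullptr);
  return g_destroyedWhileRunning;
}

// The normal path: the job is appended, finished, and deleted by its owner
// without tripping the check.
int violationsOnSuccess() {
  g_destroyedWhileRunning = 0;
  ShellContext sc;
  OffThreadJob* job = newOffThreadJobFixed(sc);
  assert(job != nullptr && sc.offThreadJobs.size() == 1);
  job->markDone();
  delete job;
  sc.offThreadJobs.clear();    // drop the now-dangling non-owning pointer
  return g_destroyedWhileRunning;
}

int main() {
  std::printf("buggy, append fails:  %d violation(s)\n", violationsOnAppendFailure(false));
  std::printf("fixed, append fails:  %d violation(s)\n", violationsOnAppendFailure(true));
  std::printf("fixed, append works:  %d violation(s)\n", violationsOnSuccess());
  return 0;
}
```

The point the model makes is that RAII ownership and a lifecycle assertion interact: any early-return between construction and registration must leave the object in a state its destructor accepts, which is exactly what the one-line cancel in the landed patch does.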