Closed Bug 1456494 Opened 2 years ago Closed 2 years ago

Start-up assertion: zone->ownedByCurrentHelperThread(), while creating a HelperThread global.

Categories: Core :: JavaScript Engine, defect, P1
Status: RESOLVED FIXED (target milestone: mozilla61; tracking status: firefox61 fixed)
People: Reporter: nbp, Assigned: jandem
Attachments: 1 file

I reproduced this bug under rr; in this case it failed during parent process creation, before rendering any window.

Thread 1 received signal SIGSEGV, Segmentation fault.
0x00007f332d3532ab in js::CheckZone<(js::AllowedHelperThread)0>::check (this=0x3240538) at /home/nicolas/mozilla/wksp-5/js/src/threading/ProtectedData.cpp:74
74              MOZ_ASSERT(zone->ownedByCurrentHelperThread());
(rr) bt
#0  0x00007f332d3532ab in js::CheckZone<(js::AllowedHelperThread)0>::check (this=0x3240538) at /home/nicolas/mozilla/wksp-5/js/src/threading/ProtectedData.cpp:74
#1  0x00007f332d91bf7c in js::ProtectedData<js::CheckZone<(js::AllowedHelperThread)0>, mozilla::EnumeratedArray<js::gc::AllocKind, (js::gc::AllocKind)29, js::gc::FreeSpan*> >::ref
 (this=0x3240450) at /home/nicolas/mozilla/wksp-5/js/src/threading/ProtectedData.h:103
#2  0x00007f332d900d22 in js::gc::ArenaLists::freeLists (this=0x3240448) at /home/nicolas/mozilla/wksp-5/js/src/gc/ArenaList.h:226
#3  0x00007f332d8e17bf in js::gc::ArenaLists::ArenaLists (this=0x3240448, rt=0x12447a0, zone=0x32403a0) at /home/nicolas/mozilla/wksp-5/js/src/gc/GC.cpp:3083
#4  0x00007f332d9ab6a3 in JS::Zone::Zone (this=0x32403a0, rt=0x12447a0) at /home/nicolas/mozilla/wksp-5/js/src/gc/Zone.cpp:67
#5  0x00007f332d928267 in js::MallocProvider<JSContext>::new_<JS::Zone, JSRuntime*> (this=0x1249eb0, args#0=@0x7ffd98676508: 0x12447a0)
    at /home/nicolas/mozilla/wksp-5/js/src/vm/MallocProvider.h:187
#6  0x00007f332d8f193f in js::NewCompartment (cx=0x1249eb0, principals=0x0, options=...) at /home/nicolas/mozilla/wksp-5/js/src/gc/GC.cpp:7936
#7  0x00007f332d45dc47 in js::GlobalObject::new_ (cx=0x1249eb0, clasp=0x7f3333db3c80 <parseTaskGlobalClass>, principals=0x0, hookOption=JS::DontFireOnNewGlobalHook, options=...)
    at /home/nicolas/mozilla/wksp-5/js/src/vm/GlobalObject.cpp:500
#8  0x00007f332d2ecf44 in JS_NewGlobalObject (cx=0x1249eb0, clasp=0x7f3333db3c80 <parseTaskGlobalClass>, principals=0x0, hookOption=JS::DontFireOnNewGlobalHook, options=...)
    at /home/nicolas/mozilla/wksp-5/js/src/jsapi.cpp:1943
#9  0x00007f332d462660 in CreateGlobalForOffThreadParse (cx=0x1249eb0, nogc=...) at /home/nicolas/mozilla/wksp-5/js/src/vm/HelperThreads.cpp:714
#10 0x00007f332d46286c in StartOffThreadParseTask (cx=0x1249eb0, task=0x1ce5040, options=...) at /home/nicolas/mozilla/wksp-5/js/src/vm/HelperThreads.cpp:756
#11 0x00007f332d4629dc in js::StartOffThreadParseScript (cx=0x1249eb0, options=...,
    chars=0x3250860 u"/* -*- Mode: indent-tabs-mode: nil; js-indent-level: 2 -*- */\n/* vim: set sts=2 sw=2 et tw=80: */\n/* This Source Code Form is subject to the terms of the Mozilla Public\n * License, v. 2.0. If a copy o"..., length=60188, callback=0x7f332773b357 <OffThreadScriptLoaderCallback(void*, void*)>, callbackData=0x308be40)
    at /home/nicolas/mozilla/wksp-5/js/src/vm/HelperThreads.cpp:783
#12 0x00007f332d2f63d6 in JS::CompileOffThread (cx=0x1249eb0, options=...,
    chars=0x3250860 u"/* -*- Mode: indent-tabs-mode: nil; js-indent-level: 2 -*- */\n/* vim: set sts=2 sw=2 et tw=80: */\n/* This Source Code Form is subject to the terms of the Mozilla Public\n * License, v. 2.0. If a copy o"..., length=60188, callback=0x7f332773b357 <OffThreadScriptLoaderCallback(void*, void*)>, callbackData=0x308be40)
    at /home/nicolas/mozilla/wksp-5/js/src/jsapi.cpp:4271
#13 0x00007f332773b4d1 in AsyncScriptCompiler::StartCompile (this=0x308be40, aCx=0x1249eb0) at /home/nicolas/mozilla/wksp-5/js/xpconnect/loader/ChromeScriptLoader.cpp:132
#14 0x00007f332773bbd1 in AsyncScriptCompiler::OnStreamComplete (this=0x308be40, aLoader=0x308cdb0, aContext=0x0, aStatus=nsresult::NS_OK, aLength=60188,
    aBuf=0x3241d30 "/* -*- Mode: indent-tabs-mode: nil; js-indent-level: 2 -*- */\n/* vim: set sts=2 sw=2 et tw=80: */\n/* This Source Code Form is subject to the terms of the Mozilla Public\n * License, v. 2.0. If a copy o"...) at /home/nicolas/mozilla/wksp-5/js/xpconnect/loader/ChromeScriptLoader.cpp:250
#15 0x00007f33269d5dc9 in nsIncrementalStreamLoader::OnStopRequest (this=0x308cdb0, request=0x308c648, ctxt=0x0, aStatus=nsresult::NS_OK)
    at /home/nicolas/mozilla/wksp-5/netwerk/base/nsIncrementalStreamLoader.cpp:103
#16 0x00007f33269ab238 in nsBaseChannel::OnStopRequest (this=0x308c600, request=0x308ce70, ctxt=0x0, status=nsresult::NS_OK)
    at /home/nicolas/mozilla/wksp-5/netwerk/base/nsBaseChannel.cpp:878
#17 0x00007f33269d946a in nsInputStreamPump::OnStateStop (this=0x308ce70) at /home/nicolas/mozilla/wksp-5/netwerk/base/nsInputStreamPump.cpp:708
#18 0x00007f33269d83ff in nsInputStreamPump::OnInputStreamReady (this=0x308ce70, stream=0x308ca80) at /home/nicolas/mozilla/wksp-5/netwerk/base/nsInputStreamPump.cpp:436
#19 0x00007f332686504d in nsInputStreamReadyEvent::Run (this=0x308c040) at /home/nicolas/mozilla/wksp-5/xpcom/io/nsStreamUtils.cpp:102
#20 0x00007f33268b08a7 in nsThread::ProcessNextEvent (this=0x1179450, aMayWait=false, aResult=0x7ffd9867725f) at /home/nicolas/mozilla/wksp-5/xpcom/threads/nsThread.cpp:1096
#21 0x00007f33268d0ef0 in NS_ProcessNextEvent (aThread=0x1179450, aMayWait=false) at /home/nicolas/mozilla/wksp-5/xpcom/threads/nsThreadUtils.cpp:519
#22 0x00007f3327146199 in mozilla::ipc::MessagePump::Run (this=0x11573d0, aDelegate=0x1126400) at /home/nicolas/mozilla/wksp-5/ipc/glue/MessagePump.cpp:97
#23 0x00007f332709ea07 in MessageLoop::RunInternal (this=0x1126400) at /home/nicolas/mozilla/wksp-5/ipc/chromium/src/base/message_loop.cc:326
#24 0x00007f332709e99a in MessageLoop::RunHandler (this=0x1126400) at /home/nicolas/mozilla/wksp-5/ipc/chromium/src/base/message_loop.cc:319
#25 0x00007f332709e973 in MessageLoop::Run (this=0x1126400) at /home/nicolas/mozilla/wksp-5/ipc/chromium/src/base/message_loop.cc:299
#26 0x00007f332a555840 in nsBaseAppShell::Run (this=0x1580cb0) at /home/nicolas/mozilla/wksp-5/widget/nsBaseAppShell.cpp:157
#27 0x00007f332ca62fdf in nsAppStartup::Run (this=0x1580c00) at /home/nicolas/mozilla/wksp-5/toolkit/components/startup/nsAppStartup.cpp:290
#28 0x00007f332cba2ac2 in XREMain::XRE_mainRun (this=0x7ffd98677990) at /home/nicolas/mozilla/wksp-5/toolkit/xre/nsAppRunner.cpp:4834
#29 0x00007f332cba372b in XREMain::XRE_main (this=0x7ffd98677990, argc=4, argv=0x7ffd98678d18, aConfig=...) at /home/nicolas/mozilla/wksp-5/toolkit/xre/nsAppRunner.cpp:4979
#30 0x00007f332cba3a20 in XRE_main (argc=4, argv=0x7ffd98678d18, aConfig=...) at /home/nicolas/mozilla/wksp-5/toolkit/xre/nsAppRunner.cpp:5071
#31 0x00007f332cbb61f6 in mozilla::BootstrapImpl::XRE_main (this=0x10a6180, argc=4, argv=0x7ffd98678d18, aConfig=...) at /home/nicolas/mozilla/wksp-5/toolkit/xre/Bootstrap.cpp:49
#32 0x0000000000405f8f in do_main (argc=4, argv=0x7ffd98678d18, envp=0x7ffd98678d40) at /home/nicolas/mozilla/wksp-5/browser/app/nsBrowserApp.cpp:231
#33 0x00000000004061b7 in main (argc=4, argv=0x7ffd98678d18, envp=0x7ffd98678d40) at /home/nicolas/mozilla/wksp-5/browser/app/nsBrowserApp.cpp:304

(rr) p TlsContext.get()
$3 = (JSContext *) 0x1249eb0
(rr) p helperThreadOwnerContext_
$5 = {<js::ProtectedData<js::CheckUnprotected, JSContext*>> = {value = 0x0, check = {<No data fields>}}, <No data fields>}
(rr) p Zone::helperThreadUse.mValue._M_i
$9 = (JS::Zone::HelperThreadUse::Pending | unknown: 629328)

This might be a regression from Bug 1452982.
Priority: -- → P1
helperThreadUse may be uninitialized at this point because it's set after we initialize the other fields.
Flags: needinfo?(jdemooij)
Attached patch: Patch
Fix Zone constructor to initialize helperThreadUse_ first.

(I could repro the assertion failure with a local hack: malloc + initialize memory with int32_t(2) + calling the constructor.)
Assignee: nobody → jdemooij
Status: NEW → ASSIGNED
Flags: needinfo?(jdemooij)
Attachment #8970839 - Flags: review?(jcoppeard)
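The initialization-order defect and its fix, as an added example that is not SpiderMonkey's code: a stand-in Zone whose ArenaLists member runs the helper-thread ownership check while the Zone is still being constructed, built on memory pre-filled with int32_t(2) as in the local hack described above. Every type and function name here is a hypothetical stand-in for the real JS::Zone, ArenaLists and CheckZone.

```cpp
#include <cstdint>
#include <cstdlib>
#include <new>

// Hypothetical stand-in for JS::Zone::HelperThreadUse (constructed for this example).
enum class HelperThreadUse : std::uint32_t { None = 0, Pending = 1, Active = 2 };

// Stands in for CheckZone<AllowedHelperThread::None>::check: a zone in use by a helper
// thread must be owned by the current one. Returns the verdict instead of asserting.
template <typename Zone>
bool checkZoneAccess(const Zone* zone, std::uintptr_t currentThread) {
  return zone->helperThreadUse == HelperThreadUse::None ||
         (zone->helperThreadUse == HelperThreadUse::Active && zone->ownerThread == currentThread);
}

// Stands in for ArenaLists: constructing it runs the check on the enclosing Zone,
// which at that moment is itself still under construction.
template <typename Zone>
struct ArenaLists {
  bool checkPassed;
  explicit ArenaLists(const Zone* zone) : checkPassed(checkZoneAccess(zone, 0)) {}
};

// Before the fix: members initialize in declaration order, so the check runs before
// helperThreadUse is set and reads whatever bytes the allocator left behind.
struct BuggyZone {
  ArenaLists<BuggyZone> arenas;
  std::uintptr_t ownerThread;
  HelperThreadUse helperThreadUse;
  BuggyZone() : arenas(this), ownerThread(0), helperThreadUse(HelperThreadUse::None) {}
};

// After the fix: helperThreadUse and the owner are initialized first, so the check sees None.
struct FixedZone {
  HelperThreadUse helperThreadUse;
  std::uintptr_t ownerThread;
  ArenaLists<FixedZone> arenas;
  FixedZone() : helperThreadUse(HelperThreadUse::None), ownerThread(0), arenas(this) {}
};

// The local hack from the bug: malloc, fill every int32_t with 2 (== Active), then run
// the constructor via placement new. Returns whether the in-constructor check passed.
template <typename Zone>
bool constructOnPoisonedMemory() {
  void* mem = std::malloc(sizeof(Zone));
  auto* words = static_cast<std::int32_t*>(mem);
  for (std::size_t i = 0; i < sizeof(Zone) / sizeof(std::int32_t); ++i) words[i] = 2;
  Zone* zone = new (mem) Zone();
  bool ok = zone->arenas.checkPassed;
  zone->~Zone();
  std::free(mem);
  return ok;
}
```

The buggy layout fails the check because the poisoned bytes read as Active with a foreign owner, which is the same shape as the rr output above (usedByHelperThread true, ownedByCurrentHelperThread false); the fixed layout passes.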
Comment on attachment 8970839 [details] [diff] [review]
Patch

Review of attachment 8970839 [details] [diff] [review]:
-----------------------------------------------------------------

Nice, thanks for fixing this.
Attachment #8970839 - Flags: review?(jcoppeard) → review+
Pushed by jandemooij@gmail.com:
https://hg.mozilla.org/integration/mozilla-inbound/rev/cecfe0621cfb
Initialize Zone::helperThreadUse_ first to avoid accessing uninitialized memory in debug builds. r=jonco
https://hg.mozilla.org/mozilla-central/rev/cecfe0621cfb
Status: ASSIGNED → RESOLVED
Closed: 2 years ago
Resolution: --- → FIXED
Target Milestone: --- → mozilla61
Duplicate of this bug: 1457232