Closed
Bug 1456494
Opened 6 years ago
Closed 6 years ago
Start-up assertion: zone->ownedByCurrentHelperThread(), while creating a HelperThread global.
Categories
(Core :: JavaScript Engine, defect, P1)
Tracking
Status: RESOLVED FIXED
Target Milestone: mozilla61
Release | Tracking | Status |
---|---|---|
firefox61 | --- | fixed |
People
(Reporter: nbp, Assigned: jandem)
Attachments
(1 file)
patch, 5.93 KB, jonco: review+
I reproduced this bug under rr, in this case it failed during the parent process creation, before rendering any window.

Thread 1 received signal SIGSEGV, Segmentation fault.
0x00007f332d3532ab in js::CheckZone<(js::AllowedHelperThread)0>::check (this=0x3240538) at /home/nicolas/mozilla/wksp-5/js/src/threading/ProtectedData.cpp:74
74 MOZ_ASSERT(zone->ownedByCurrentHelperThread());
(rr) bt
#0 0x00007f332d3532ab in js::CheckZone<(js::AllowedHelperThread)0>::check (this=0x3240538) at /home/nicolas/mozilla/wksp-5/js/src/threading/ProtectedData.cpp:74
#1 0x00007f332d91bf7c in js::ProtectedData<js::CheckZone<(js::AllowedHelperThread)0>, mozilla::EnumeratedArray<js::gc::AllocKind, (js::gc::AllocKind)29, js::gc::FreeSpan*> >::ref (this=0x3240450) at /home/nicolas/mozilla/wksp-5/js/src/threading/ProtectedData.h:103
#2 0x00007f332d900d22 in js::gc::ArenaLists::freeLists (this=0x3240448) at /home/nicolas/mozilla/wksp-5/js/src/gc/ArenaList.h:226
#3 0x00007f332d8e17bf in js::gc::ArenaLists::ArenaLists (this=0x3240448, rt=0x12447a0, zone=0x32403a0) at /home/nicolas/mozilla/wksp-5/js/src/gc/GC.cpp:3083
#4 0x00007f332d9ab6a3 in JS::Zone::Zone (this=0x32403a0, rt=0x12447a0) at /home/nicolas/mozilla/wksp-5/js/src/gc/Zone.cpp:67
#5 0x00007f332d928267 in js::MallocProvider<JSContext>::new_<JS::Zone, JSRuntime*> (this=0x1249eb0, args#0=@0x7ffd98676508: 0x12447a0) at /home/nicolas/mozilla/wksp-5/js/src/vm/MallocProvider.h:187
#6 0x00007f332d8f193f in js::NewCompartment (cx=0x1249eb0, principals=0x0, options=...) at /home/nicolas/mozilla/wksp-5/js/src/gc/GC.cpp:7936
#7 0x00007f332d45dc47 in js::GlobalObject::new_ (cx=0x1249eb0, clasp=0x7f3333db3c80 <parseTaskGlobalClass>, principals=0x0, hookOption=JS::DontFireOnNewGlobalHook, options=...) at /home/nicolas/mozilla/wksp-5/js/src/vm/GlobalObject.cpp:500
#8 0x00007f332d2ecf44 in JS_NewGlobalObject (cx=0x1249eb0, clasp=0x7f3333db3c80 <parseTaskGlobalClass>, principals=0x0, hookOption=JS::DontFireOnNewGlobalHook, options=...) at /home/nicolas/mozilla/wksp-5/js/src/jsapi.cpp:1943
#9 0x00007f332d462660 in CreateGlobalForOffThreadParse (cx=0x1249eb0, nogc=...) at /home/nicolas/mozilla/wksp-5/js/src/vm/HelperThreads.cpp:714
#10 0x00007f332d46286c in StartOffThreadParseTask (cx=0x1249eb0, task=0x1ce5040, options=...) at /home/nicolas/mozilla/wksp-5/js/src/vm/HelperThreads.cpp:756
#11 0x00007f332d4629dc in js::StartOffThreadParseScript (cx=0x1249eb0, options=..., chars=0x3250860 u"/* -*- Mode: indent-tabs-mode: nil; js-indent-level: 2 -*- */\n/* vim: set sts=2 sw=2 et tw=80: */\n/* This Source Code Form is subject to the terms of the Mozilla Public\n * License, v. 2.0. If a copy o"..., length=60188, callback=0x7f332773b357 <OffThreadScriptLoaderCallback(void*, void*)>, callbackData=0x308be40) at /home/nicolas/mozilla/wksp-5/js/src/vm/HelperThreads.cpp:783
#12 0x00007f332d2f63d6 in JS::CompileOffThread (cx=0x1249eb0, options=..., chars=0x3250860 u"/* -*- Mode: indent-tabs-mode: nil; js-indent-level: 2 -*- */\n/* vim: set sts=2 sw=2 et tw=80: */\n/* This Source Code Form is subject to the terms of the Mozilla Public\n * License, v. 2.0. If a copy o"..., length=60188, callback=0x7f332773b357 <OffThreadScriptLoaderCallback(void*, void*)>, callbackData=0x308be40) at /home/nicolas/mozilla/wksp-5/js/src/jsapi.cpp:4271
#13 0x00007f332773b4d1 in AsyncScriptCompiler::StartCompile (this=0x308be40, aCx=0x1249eb0) at /home/nicolas/mozilla/wksp-5/js/xpconnect/loader/ChromeScriptLoader.cpp:132
#14 0x00007f332773bbd1 in AsyncScriptCompiler::OnStreamComplete (this=0x308be40, aLoader=0x308cdb0, aContext=0x0, aStatus=nsresult::NS_OK, aLength=60188, aBuf=0x3241d30 "/* -*- Mode: indent-tabs-mode: nil; js-indent-level: 2 -*- */\n/* vim: set sts=2 sw=2 et tw=80: */\n/* This Source Code Form is subject to the terms of the Mozilla Public\n * License, v. 2.0. If a copy o"...) at /home/nicolas/mozilla/wksp-5/js/xpconnect/loader/ChromeScriptLoader.cpp:250
#15 0x00007f33269d5dc9 in nsIncrementalStreamLoader::OnStopRequest (this=0x308cdb0, request=0x308c648, ctxt=0x0, aStatus=nsresult::NS_OK) at /home/nicolas/mozilla/wksp-5/netwerk/base/nsIncrementalStreamLoader.cpp:103
#16 0x00007f33269ab238 in nsBaseChannel::OnStopRequest (this=0x308c600, request=0x308ce70, ctxt=0x0, status=nsresult::NS_OK) at /home/nicolas/mozilla/wksp-5/netwerk/base/nsBaseChannel.cpp:878
#17 0x00007f33269d946a in nsInputStreamPump::OnStateStop (this=0x308ce70) at /home/nicolas/mozilla/wksp-5/netwerk/base/nsInputStreamPump.cpp:708
#18 0x00007f33269d83ff in nsInputStreamPump::OnInputStreamReady (this=0x308ce70, stream=0x308ca80) at /home/nicolas/mozilla/wksp-5/netwerk/base/nsInputStreamPump.cpp:436
#19 0x00007f332686504d in nsInputStreamReadyEvent::Run (this=0x308c040) at /home/nicolas/mozilla/wksp-5/xpcom/io/nsStreamUtils.cpp:102
#20 0x00007f33268b08a7 in nsThread::ProcessNextEvent (this=0x1179450, aMayWait=false, aResult=0x7ffd9867725f) at /home/nicolas/mozilla/wksp-5/xpcom/threads/nsThread.cpp:1096
#21 0x00007f33268d0ef0 in NS_ProcessNextEvent (aThread=0x1179450, aMayWait=false) at /home/nicolas/mozilla/wksp-5/xpcom/threads/nsThreadUtils.cpp:519
#22 0x00007f3327146199 in mozilla::ipc::MessagePump::Run (this=0x11573d0, aDelegate=0x1126400) at /home/nicolas/mozilla/wksp-5/ipc/glue/MessagePump.cpp:97
#23 0x00007f332709ea07 in MessageLoop::RunInternal (this=0x1126400) at /home/nicolas/mozilla/wksp-5/ipc/chromium/src/base/message_loop.cc:326
#24 0x00007f332709e99a in MessageLoop::RunHandler (this=0x1126400) at /home/nicolas/mozilla/wksp-5/ipc/chromium/src/base/message_loop.cc:319
#25 0x00007f332709e973 in MessageLoop::Run (this=0x1126400) at /home/nicolas/mozilla/wksp-5/ipc/chromium/src/base/message_loop.cc:299
#26 0x00007f332a555840 in nsBaseAppShell::Run (this=0x1580cb0) at /home/nicolas/mozilla/wksp-5/widget/nsBaseAppShell.cpp:157
#27 0x00007f332ca62fdf in nsAppStartup::Run (this=0x1580c00) at /home/nicolas/mozilla/wksp-5/toolkit/components/startup/nsAppStartup.cpp:290
#28 0x00007f332cba2ac2 in XREMain::XRE_mainRun (this=0x7ffd98677990) at /home/nicolas/mozilla/wksp-5/toolkit/xre/nsAppRunner.cpp:4834
#29 0x00007f332cba372b in XREMain::XRE_main (this=0x7ffd98677990, argc=4, argv=0x7ffd98678d18, aConfig=...) at /home/nicolas/mozilla/wksp-5/toolkit/xre/nsAppRunner.cpp:4979
#30 0x00007f332cba3a20 in XRE_main (argc=4, argv=0x7ffd98678d18, aConfig=...) at /home/nicolas/mozilla/wksp-5/toolkit/xre/nsAppRunner.cpp:5071
#31 0x00007f332cbb61f6 in mozilla::BootstrapImpl::XRE_main (this=0x10a6180, argc=4, argv=0x7ffd98678d18, aConfig=...) at /home/nicolas/mozilla/wksp-5/toolkit/xre/Bootstrap.cpp:49
#32 0x0000000000405f8f in do_main (argc=4, argv=0x7ffd98678d18, envp=0x7ffd98678d40) at /home/nicolas/mozilla/wksp-5/browser/app/nsBrowserApp.cpp:231
#33 0x00000000004061b7 in main (argc=4, argv=0x7ffd98678d18, envp=0x7ffd98678d40) at /home/nicolas/mozilla/wksp-5/browser/app/nsBrowserApp.cpp:304
(rr) p TlsContext.get()
$3 = (JSContext *) 0x1249eb0
(rr) p helperThreadOwnerContext_
$5 = {<js::ProtectedData<js::CheckUnprotected, JSContext*>> = {value = 0x0, check = {<No data fields>}}, <No data fields>}
(rr) p Zone::helperThreadUse.mValue._M_i
$9 = (JS::Zone::HelperThreadUse::Pending | unknown: 629328)

This might be a regression from Bug 1452982.
Updated • 6 years ago (Reporter)
status-firefox61: --- → affected
Priority: -- → P1
Comment 1 • 6 years ago (Assignee)
helperThreadUse may be uninitialized at this point because it's set after we initialize the other fields.
Flags: needinfo?(jdemooij)
Comment 2 • 6 years ago (Assignee)
Fix Zone constructor to initialize helperThreadUse_ first. (I could repro the assertion failure with a local hack: malloc + initialize memory with int32_t(2) + calling the constructor.)
Assignee: nobody → jdemooij
Status: NEW → ASSIGNED
Flags: needinfo?(jdemooij)
Attachment #8970839 - Flags: review?(jcoppeard)
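The initialization-order problem described in comments 1 and 2, as an added example that is not part of this bug or of the SpiderMonkey sources: a constructed model in which `Slot::cell` stands in for the memory that holds the flag and is pre-filled the way the local hack fills it. `Slot`, `FlagInit`, `ArenaListsModel`, `BuggyZone`, `FixedZone`, `kNone` and `valueSeenByCheck` are hypothetical names, and reordering the member declarations is one way to make the flag initialize first, not necessarily what the attached patch does.

```cpp
#include <cstdint>
#include <iostream>

// Constructed model, not SpiderMonkey code. `cell` stands in for the bytes
// that will hold the flag; it is pre-filled before construction, like the
// "malloc + fill with int32_t(2)" hack in comment 2.
struct Slot {
    int32_t cell;
    int32_t seenByCheck;
    explicit Slot(int32_t prefill) : cell(prefill), seenByCheck(-1) {}
};

constexpr int32_t kNone = 0;  // assumed "not used by a helper thread" value

// Plays the role of the flag's initializer.
struct FlagInit {
    explicit FlagInit(Slot& s) { s.cell = kNone; }
};

// Plays the role of a member whose constructor runs the debug-only check
// that reads the owner's flag.
struct ArenaListsModel {
    explicit ArenaListsModel(Slot& s) { s.seenByCheck = s.cell; }
};

// Members are constructed in declaration order, whatever order the
// constructor's initializer list is written in.
struct BuggyZone {
    ArenaListsModel arenas;    // constructed first: check runs too early
    FlagInit helperThreadUse;  // flag only becomes valid here
    explicit BuggyZone(Slot& s) : arenas(s), helperThreadUse(s) {}
};
struct FixedZone {
    FlagInit helperThreadUse;  // flag is valid before anything reads it
    ArenaListsModel arenas;
    explicit FixedZone(Slot& s) : helperThreadUse(s), arenas(s) {}
};

// Returns the flag value the check observed while Zone was being built.
template <class Zone>
int32_t valueSeenByCheck(int32_t prefill) {
    Slot s(prefill);
    Zone z(s);
    return s.seenByCheck;
}

int main() {
    std::cout << "buggy, prefill 2: " << valueSeenByCheck<BuggyZone>(2) << "\n"
              << "fixed, prefill 2: " << valueSeenByCheck<FixedZone>(2) << "\n";
}
```

With a prefill of 0 the buggy layout happens to observe a valid value, which is why a failure of this kind depends on what the allocator hands back.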
Comment 3 • 6 years ago
Comment on attachment 8970839: Patch

Review of attachment 8970839:

Nice, thanks for fixing this.
Attachment #8970839 - Flags: review?(jcoppeard) → review+
Pushed by jandemooij@gmail.com:
https://hg.mozilla.org/integration/mozilla-inbound/rev/cecfe0621cfb
Initialize Zone::helperThreadUse_ first to avoid accessing uninitialized memory in debug builds. r=jonco
Comment 5 • 6 years ago (bugherder)
https://hg.mozilla.org/mozilla-central/rev/cecfe0621cfb
Status: ASSIGNED → RESOLVED
Closed: 6 years ago
Resolution: --- → FIXED
Target Milestone: --- → mozilla61