Closed Bug 1456518 Opened 6 years ago Closed 6 years ago

Assertion failure: isEmpty() (failing this assertion means this LinkedList's creator is buggy: it should have removed all this list's elements before the list's destruction) with grayRoot

Categories

(Core :: JavaScript Engine, defect, P1)

Product:
Core
Component:
JavaScript Engine
Platform:
x86_64
Linux
Type:
defect

Tracking

()

Status:
RESOLVED FIXED
Milestone:
mozilla62
Tracking Flags:
Tracking Status
firefox-esr52 --- unaffected
firefox-esr60 --- wontfix
firefox59 --- wontfix
firefox60 --- wontfix
firefox61 --- wontfix
firefox62 --- fixed

People

(Reporter: decoder, Assigned: sfink)

Details

(4 keywords, Whiteboard: [jsbugmon:update])

Attachments

(1 file)

Shut down the gray mark observers on worker threads
1.25 KB, patch
jonco
: review+
Details | Diff | Splinter Review 
The following testcase crashes on mozilla-central revision 26e53729a109 (build with --enable-posix-nspr-emulation --enable-valgrind --enable-gczeal --disable-tests --disable-profiling --enable-debug --enable-optimize, run with --fuzzing-safe):

evalInWorker(`
  addMarkObservers([grayRoot(), grayRoot().x, this, Object.create(null)]);
`);


Backtrace:

received signal SIGSEGV, Segmentation fault.
#0  0x0000000000c41bcb in mozilla::LinkedList<JS::PersistentRooted<void*> >::~LinkedList (this=<optimized out>, __in_chrg=<optimized out>) at dist/include/mozilla/LinkedList.h:452
#1  mozilla::Array<mozilla::LinkedList<JS::PersistentRooted<void*> >, 14ul>::~Array (this=<optimized out>, __in_chrg=<optimized out>) at dist/include/mozilla/Array.h:22
#2  mozilla::EnumeratedArray<JS::RootKind, (JS::RootKind)14, mozilla::LinkedList<JS::PersistentRooted<void*> > >::~EnumeratedArray (this=<optimized out>, __in_chrg=<optimized out>) at dist/include/mozilla/EnumeratedArray.h:44
#3  js::ProtectedData<js::CheckMainThread<(js::AllowedHelperThread)0>, mozilla::EnumeratedArray<JS::RootKind, (JS::RootKind)14, mozilla::LinkedList<JS::PersistentRooted<void*> > > >::~ProtectedData (this=<optimized out>, __in_chrg=<optimized out>) at js/src/threading/ProtectedData.h:68
#4  js::ProtectedDataNoCheckArgs<js::CheckMainThread<(js::AllowedHelperThread)0>, mozilla::EnumeratedArray<JS::RootKind, (JS::RootKind)14, mozilla::LinkedList<JS::PersistentRooted<void*> > > >::~ProtectedDataNoCheckArgs (this=<optimized out>, __in_chrg=<optimized out>) at js/src/threading/ProtectedData.h:132
#5  JSRuntime::~JSRuntime (this=0x7ffff495a000, __in_chrg=<optimized out>) at js/src/vm/Runtime.cpp:188
#6  0x0000000000b8bc8c in js_delete<JSRuntime> (p=<optimized out>) at dist/include/js/Utility.h:541
#7  js::DestroyContext (cx=0x7ffff4947000) at js/src/vm/JSContext.cpp:202
#8  0x0000000000a0ab8a in JS_DestroyContext (cx=<optimized out>) at js/src/jsapi.cpp:496
#9  0x000000000046ec1a in <lambda()>::operator() (__closure=<optimized out>) at js/src/shell/js.cpp:3546
#10 mozilla::ScopeExit<WorkerMain(void*)::<lambda()> >::~ScopeExit (this=<optimized out>, __in_chrg=<optimized out>) at dist/include/mozilla/ScopeExit.h:113
#11 WorkerMain (arg=<optimized out>) at js/src/shell/js.cpp:3564
#12 0x0000000000475c52 in js::detail::ThreadTrampoline<void (&)(void*), WorkerInput*&>::callMain<0ul> (this=0x7ffff5f18110) at js/src/threading/Thread.h:242
#13 js::detail::ThreadTrampoline<void (&)(void*), WorkerInput*&>::Start (aPack=0x7ffff5f18110) at js/src/threading/Thread.h:235
#14 0x00007ffff7bc16ba in start_thread (arg=0x7ffff68ff700) at pthread_create.c:333
#15 0x00007ffff6c383dd in clone () at ../sysdeps/unix/sysv/linux/x86_64/clone.S:109
rax	0x0	0
rbx	0x7ffff495a000	140737296834560
rcx	0x7ffff6c282ad	140737333330605
rdx	0x0	0
rsi	0x7ffff6ef7770	140737336276848
rdi	0x7ffff6ef6540	140737336272192
rbp	0x7ffff68febd0	140737330015184
rsp	0x7ffff68feb00	140737330014976
r8	0x7ffff6ef7770	140737336276848
r9	0x7ffff68ff700	140737330018048
r10	0x0	0
r11	0x0	0
r12	0x7ffff495d9f8	140737296849400
r13	0x7ffff68feb20	140737330015008
r14	0x7ffff495d9f8	140737296849400
r15	0x7ffff495d9f8	140737296849400
rip	0xc41bcb <JSRuntime::~JSRuntime()+1819>
=> 0xc41bcb <JSRuntime::~JSRuntime()+1819>:	movl   $0x0,0x0
   0xc41bd6 <JSRuntime::~JSRuntime()+1830>:	ud2
Whiteboard: [jsbugmon:update,bisect] → [jsbugmon:update]
JSBugMon: Bisection requested, result:
autoBisect shows this is probably related to the following changeset:

The first bad revision is:
changeset:   https://hg.mozilla.org/mozilla-central/rev/369de2fe16f5
user:        Steve Fink
date:        Sat May 27 12:55:55 2017 -0700
summary:     Bug 1366925 - Nest ShellContext lifetime within JSContext, r=jonco

This iteration took 259.390 seconds to run.
Flags: needinfo?(sphink)
Priority: -- → P1
Very probably test-only; will look soon.
This has run into many ordering issues in the past, but in this case, it seems simple enough -- the shutdown was simply missing in the worker runtime.
Attachment #8976741 - Flags: review?(jcoppeard)
Assignee: nobody → sphink
Status: NEW → ASSIGNED
Attachment #8976741 - Flags: review?(jcoppeard) → review+
Pushed by sfink@mozilla.com:
https://hg.mozilla.org/integration/mozilla-inbound/rev/dc793fbd9e1a
Shut down the gray mark observers on worker threads, r=jonco
https://hg.mozilla.org/mozilla-central/rev/dc793fbd9e1a
Status: ASSIGNED → RESOLVED
Closed: 6 years ago
status-firefox62: --- → fixed
Resolution: --- → FIXED
Target Milestone: --- → mozilla62
Flags: needinfo?(sphink)
You need to log in before you can comment on or make changes to this bug.

Attachment

General

Creator:
Created:
Updated:
Size: