Closed Bug 1501157 Opened Last year Closed Last year

Assertion failure: CurrentThreadCanAccessRuntime(cx->runtime()), at js/src/threading/ProtectedData.cpp:59

Categories

(Core :: JavaScript Engine, defect, P1, critical)

x86_64
Linux
defect

Tracking

()

RESOLVED FIXED
mozilla65
Tracking Status
firefox-esr60 --- unaffected
firefox63 --- unaffected
firefox64 --- unaffected
firefox65 --- fixed

People

(Reporter: gkw, Assigned: jonco)

References

(Blocks 1 open bug)

Details

(4 keywords, Whiteboard: [jsbugmon:update])

Attachments

(2 files)

The following testcase crashes on mozilla-central revision 2872e7a3606d (build with --enable-debug, run with --fuzzing-safe --ion-offthread-compile=off --ion-eager):

// Adapted from randomly chosen test: js/src/tests/test262/language/module-code/dynamic-import/syntax/valid/nested-while-nested-imports.js
offThreadCompileScript('import("")', {});

Backtrace:

#0  0x0000564347fc0458 in js::CheckMainThread<(js::AllowedHelperThread)0>::check (this=<optimized out>) at js/src/threading/ProtectedData.cpp:59
#1  0x0000564347914a4c in js::ProtectedData<js::CheckMainThread<(js::AllowedHelperThread)0>, bool (*)(JSContext*, JS::Handle<JS::Value>, JS::Handle<JSString*>, JS::Handle<JSObject*>)>::ref (this=<optimized out>) at js/src/threading/ProtectedData.h:116
#2  js::ProtectedData<js::CheckMainThread<(js::AllowedHelperThread)0>, bool (*)(JSContext*, JS::Handle<JS::Value>, JS::Handle<JSString*>, JS::Handle<JSObject*>)>::operator bool (* const&)(JSContext*, JS::Handle<JS::Value>, JS::Handle<JSString*>, JS::Handle<JSObject*>) (this=<optimized out>) at js/src/threading/ProtectedData.h:84
#3  js::frontend::GeneralParser<js::frontend::FullParseHandler, char16_t>::importExpr (this=0x7fb5de4fd5a8, yieldHandling=(unknown: 3730481312)) at js/src/frontend/Parser.cpp:10916
#4  0x0000564347913452 in js::frontend::GeneralParser<js::frontend::FullParseHandler, char16_t>::memberExpr (this=0x7fb5de4fd5a8, yieldHandling=js::frontend::YieldIsName, tripledotHandling=js::frontend::TripledotProhibited, tt=js::frontend::TokenKind::Import, allowCallSyntax=true, possibleError=0x7fb5de4fc640, invoked=js::frontend::ParserBase::PredictUninvoked) at js/src/frontend/Parser.cpp:9581
#5  0x0000564347912f6d in js::frontend::GeneralParser<js::frontend::FullParseHandler, char16_t>::unaryExpr (this=<optimized out>, yieldHandling=js::frontend::YieldIsName, 
/snip

For detailed crash information, see attachment.
autobisectjs shows this is probably related to the following changeset:

The first bad revision is:
changeset:   https://hg.mozilla.org/mozilla-central/rev/430db29f4685
user:        Jon Coppeard
date:        Mon Oct 22 11:28:16 2018 +0100
summary:     Bug 1499140 - Implement support for dynamic module import in the interpreter r=jandem

Jon, is bug 1499140 a likely regressor?
Blocks: 1499140
Flags: needinfo?(jcoppeard)
Assignee: nobody → jcoppeard
Flags: needinfo?(jcoppeard)
Priority: -- → P1
The problem is that we are using the embedding dynamic import hook to test whether dynamic module import is enabled or not, and this is currently only accessible from the main thread.  We check this when emitting bytecode, which can happen off thread.

The patch fixes this by making this state atomic.  We also have to check when the dynamic import is started in case the state changed in the meantime.

It's possible that we should have a separate flag for enabling/disabling this feature, but this is simpler.  Let me know if you think that doing it that way would be preferable.
Attachment #9019408 - Flags: review?(jdemooij)
Attachment #9019408 - Flags: review?(jdemooij) → review+
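The approach described in the comment above, sketched as an added C++ example that is not taken from the attached patch or from SpiderMonkey: the hook pointer is held in an atomic so the "is dynamic import enabled" check can run on a helper thread, and the main thread checks it again when the import actually starts. All type and function names, and the "unsupported" compile result, are assumptions made for illustration.

```cpp
#include <atomic>
#include <string>
#include <thread>

// All names are hypothetical; this models the pattern, not SpiderMonkey's code.
using ImportHook = bool (*)(const std::string& specifier);

struct Runtime {
    // Atomic so helper threads can read it while the main thread writes it.
    std::atomic<ImportHook> importHook{nullptr};
    // Safe from any thread: answers only "is the feature enabled right now?".
    bool supportsDynamicImport() const {
        return importHook.load(std::memory_order_acquire) != nullptr;
    }
};

enum class Compile { Ok, ImportUnsupported };
enum class Import { Started, Rejected };

// May run on a helper thread: tests the flag, never calls the hook.
Compile compileScript(const Runtime& rt, const std::string& src) {
    bool usesImport = src.find("import(") != std::string::npos;
    if (usesImport && !rt.supportsDynamicImport())
        return Compile::ImportUnsupported;  // assumed outcome when disabled
    return Compile::Ok;
}

// Runs on the main thread when the compiled import() executes. The hook may
// have been cleared since compilation, so load it once and test that copy.
Import startDynamicImport(const Runtime& rt, const std::string& specifier) {
    ImportHook hook = rt.importHook.load(std::memory_order_acquire);
    if (!hook)
        return Import::Rejected;  // state changed after the compile-time check
    return hook(specifier) ? Import::Started : Import::Rejected;
}

bool sampleHook(const std::string&) { return true; }  // constructed stand-in

int main() {
    Runtime rt;
    rt.importHook.store(sampleHook, std::memory_order_release);
    Compile compiled = Compile::ImportUnsupported;
    std::thread helper([&] { compiled = compileScript(rt, "import(\"\")"); });
    helper.join();
    rt.importHook.store(nullptr, std::memory_order_release);  // embedder disables it
    bool ok = compiled == Compile::Ok &&
              startDynamicImport(rt, "") == Import::Rejected;
    return ok ? 0 : 1;
}
```

Loading the hook into a local before testing it matters: testing the atomic and then loading it again to call it would reopen the window in which the embedder can clear it.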
Pushed by jcoppeard@mozilla.com:
https://hg.mozilla.org/integration/mozilla-inbound/rev/8468729762b5
Allow checking whether dynamic module import is supported from helper threads r=jandem
https://hg.mozilla.org/mozilla-central/rev/8468729762b5
Status: NEW → RESOLVED
Closed: Last year
Resolution: --- → FIXED
Target Milestone: --- → mozilla65