Hit MOZ_CRASH(Mutex ordering violation) at threading/Mutex.cpp:42
Categories
(Core :: JavaScript Engine, defect)
Tracking
()
| Tracking | Status | |
|---|---|---|
| firefox-esr140 | --- | unaffected |
| firefox148 | --- | unaffected |
| firefox149 | --- | wontfix |
| firefox150 | --- | fixed |
People
(Reporter: gkw, Assigned: iain)
References
(Blocks 1 open bug, Regression)
Details
(Keywords: regression, reporter-external, testcase)
Attachments
(2 files)
enableGeckoProfiling();
var g = newGlobal({ newCompartment: true });
var x = Debugger();
x.addDebuggee(g);
x.onEnterFrame = (function() {});
g.eval("function f() { oomTest(function(){}); }");
g.f();
(gdb) bt
#0 0x0000555558305ac6 in MOZ_CrashSequence (aAddress=0x0, aLine=42)
at /home/msf4/shell-cache/js-dbg-64-linux-x86_64-beb1b1bcb864-612222/objdir-js/dist/include/mozilla/Assertions.h:237
#1 js::Mutex::preLockChecks (this=<optimized out>) at /home/msf4/trees/firefox/js/src/threading/Mutex.cpp:42
#2 js::Mutex::lock (this=<optimized out>) at /home/msf4/trees/firefox/js/src/threading/Mutex.cpp:19
#3 0x0000555557c49176 in js::jit::AutoLockPerfSpewer::AutoLockPerfSpewer (this=<optimized out>) at /home/msf4/trees/firefox/js/src/jit/PerfSpewer.cpp:126
#4 DisablePerfSpewer () at /home/msf4/trees/firefox/js/src/jit/PerfSpewer.cpp:397
#5 js::jit::CollectPerfSpewerJitCodeProfile (code=code@entry=0xcd3673360d8, msg=msg@entry=0x55555592fcc7 "DebugTrapHandler")
at /home/msf4/trees/firefox/js/src/jit/PerfSpewer.cpp:1288
/snip
d4f86372aac9-606749
d4f86372aac96a2ef41688d050df330eeece6bf5 is the first interesting commit
commit d4f86372aac96a2ef41688d050df330eeece6bf5
Author: Nazım Can Altınova
Date: Wed Feb 4 14:05:50 2026 +0000
Bug 1441689 - Add some more allocation failure checks inside PerfSpewer r=denispal
I noticed that sometimes some jit-tests were failing in CI because we
weren't handling the OOM cases here. After these changes, jit-tests
pass as expected.
Differential Revision: https://phabricator.services.mozilla.com/D277420
Run with --fuzzing-safe --no-threads --baseline-warmup-threshold=1, compile with AR=ar sh ~/trees/firefox/js/src/configure --enable-debug --enable-debug-symbols --with-ccache --enable-nspr-build --enable-ctypes --enable-gczeal --enable-rust-simd --disable-tests, tested on gh rev beb1b1bcb86476660e4bb6c77114a6c86369f076.
Iain, is bug 1441689 a likely regressor? (Setting Iain as the needinfo, as he was the reviewer for other patches in that bug)
Updated•3 months ago
|
Comment 1•3 months ago
|
||
Set release status flags based on info from the regressing bug 1441689
| Assignee | ||
Comment 2•3 months ago
|
||
This is not security sensitive. We attempt to claim the same lock twice in the OOM failure path here: we already have the lock from AutoLockPerfSpewer, but then we call the version of DisablePerfSpewer that tries to claim the lock itself. The fix is simply to pass in the lock when disabling the perf spewer.
Comment 3•3 months ago
|
||
:canova, since you are the author of the regressor, bug 1441689, could you take a look? Also, could you set the severity field?
For more information, please visit BugBot documentation.
| Assignee | ||
Comment 4•3 months ago
|
||
Updated•3 months ago
|
| Assignee | ||
Updated•3 months ago
|
Comment 6•3 months ago
|
||
Oops, thanks for the fix Iain!
Comment 7•3 months ago
|
||
| bugherder | ||
Comment 8•3 months ago
|
||
The patch landed in nightly and beta is affected.
:iain, is this bug important enough to require an uplift?
- If yes, please nominate the patch for beta approval.
- See https://wiki.mozilla.org/Release_Management/Requesting_an_Uplift for documentation on how to request an uplift.
- If no, please set
status-firefox149towontfix.
For more information, please visit BugBot documentation.
| Assignee | ||
Updated•3 months ago
|
Updated•3 months ago
|
Updated•3 months ago
|
Description
•