Closed Bug 561444 Opened 15 years ago Closed 15 years ago

"Assertion failure: title->ownercx == cx || title->ownercx->thread == cx->thread, at ../jslock.cpp:1414" with multiple threads

Categories

(Core :: JavaScript Engine, defect)

Product:
Core
Component:
JavaScript Engine
Version:
Other Branch
Type:
defect
Priority:
Not set
Severity:
normal

Tracking

()

Status:
RESOLVED FIXED

People

(Reporter: jorendorff, Assigned: jorendorff)

References

Details

(Whiteboard: fixed-in-tracemonkey)

Attachments

(1 file, 1 obsolete file)

v1 - remove the assertions
3.48 KB, patch
igor
: review+
Details | Diff | Splinter Review
A new object, created in thread 2, shares an empty scope that was created in thread 1. An assertion in js_IsTitleLocked claims this shouldn't happen. jsapi-test in the works.
Attached patch jsapi-test (obsolete) — Splinter Review
The test. I think the upshot of this is that the property tree must be per-compartment. This makes sense anyway since it must be GC'd and can contain references to objects (getters and setters). The trace-tree code cache will be per-compartment, too, for similar reasons but also because it's so dependent on the global object.
Two bugs here. 1. The assertion we're hitting, in jslock.cpp, seems bogus to me. My understanding of the request model is that the JSAPI imposes no such restriction. An application is allowed to create same-shaped objects in two different threads; it seems to me JS_THREADSAFE aims to support that sort of thing. 2. The particular function, js_IsTitleLocked, where the failing assertion appears is only ever called when we assert a particular scope or object is locked--an assertion within an assertion. Once I fix the inner assertion, the outer one fails. That assertion is in js_GetXMLObject, which claims that its caller should have locked xml->parent->object. There's a nice comment explaining why -- but js_GetXMLObject is called from 32 places, none of which lock anything. The assertion and the accompanying comment seem to be wishful thinking, or perhaps a design sketch for an XML thread safety scheme that was never implemented. So I propose deleting this assertion too. It would be better to weaken it; we would like to assert whenever the application actually shares XML objects among racing threads. I don't see a way to do that, though.
Assignee: general → jorendorff
Attachment #441147 - Attachment is obsolete: true
Attachment #441638 - Flags: review?(igor)
Comment on attachment 441638 [details] [diff] [review] v1 - remove the assertions >@@ -1402,23 +1402,21 @@ js_IsTitleLocked(JSContext *cx, JSTitle > /* >- * General case: the title is either exclusively owned (by cx), or it has >- * a thin or fat lock to cope with shared (concurrent) ownership. >+ * General case: the title is either exclusively owned by some context, or >+ * it has a thin or fat lock to cope with shared (concurrent) ownership. > */ >- if (title->ownercx) { >- JS_ASSERT(title->ownercx == cx || title->ownercx->thread == cx->thread); >- return JS_TRUE; >- } >+ if (title->ownercx) >+ return title->ownercx == cx; > return js_CurrentThreadId() == > ((JSThread *)Thin_RemoveWait(ReadWord(title->lock.owner)))->id; > } The assert is really bogus and the changes are right on the target. But we need comments that js_LockObj(cx, obj) must set ownercx to the cx if the current thread can own the object. >- /* >- * A JSXML cannot be shared among threads unless it has an object. >- * A JSXML cannot be given an object unless: >- * (a) it has no parent; or >- * (b) its parent has no object (therefore is thread-private); or >- * (c) its parent's object is locked. >- * >- * Once given an object, a JSXML is immutable. >- */ >- JS_ASSERT(!xml->parent || >- !xml->parent->object || >- JS_IS_OBJ_LOCKED(cx, xml->parent->object)); >- XML objects are not thread safe indeed.
Attachment #441638 - Flags: review?(igor) → review+
(In reply to comment #2) > Created an attachment (id=441638) [details] > That assertion is in js_GetXMLObject, which claims that its caller should have > locked xml->parent->object. There's a nice comment explaining why -- but > js_GetXMLObject is called from 32 places, none of which lock anything. The > assertion and the accompanying comment seem to be wishful thinking, or perhaps > a design sketch for an XML thread safety scheme that was never implemented. The latter, FWIW. That comment goes way back. > So I propose deleting this assertion too. It would be better to weaken it; we > would like to assert whenever the application actually shares XML objects among > racing threads. I don't see a way to do that, though. There's no good way, we should just delete as you propose. E4X is ST-only, too bad. The only bug here is lack of enforcement on MT embeddings. /be
http://hg.mozilla.org/tracemonkey/rev/394cdeb4fc38
Whiteboard: fixed-in-tracemonkey
Depends on: 562909
http://hg.mozilla.org/mozilla-central/rev/394cdeb4fc38
Status: NEW → RESOLVED
Closed: 15 years ago
Resolution: --- → FIXED
These follow-ups need to go in m-c as well. I apologize. http://hg.mozilla.org/tracemonkey/rev/f462a8e1fe38 http://hg.mozilla.org/tracemonkey/rev/633d4ea174a8
Status: RESOLVED → REOPENED
Resolution: FIXED → ---
Status: REOPENED → RESOLVED
Closed: 15 years ago15 years ago
Resolution: --- → FIXED
You need to log in before you can comment on or make changes to this bug.

Attachment

General

Creator:
Created:
Updated:
Size: