Bug 746006 - "Assertion failure: thing->compartment()->rt == trc->runtime," with Worker
Status: RESOLVED FIXED
Whiteboard: [fuzzblocker:shell-worker]
Keywords: assertion, testcase
Product: Core
Classification: Components
Component: JavaScript Engine
Version: Trunk
Platform: x86 Mac OS X
Importance: -- critical
Assigned To: general
Blocks: jsfunfuzz
Reported: 2012-04-16 16:32 PDT by Gary Kwong [:gkw] [:nth10sd]
Modified: 2012-07-05 19:37 PDT

Description Gary Kwong [:gkw] [:nth10sd] 2012-04-16 16:32:33 PDT
Worker()
gc()

asserts js debug shell on m-c changeset c61e7c3a232a without any CLI arguments at Assertion failure: thing->compartment()->rt == trc->runtime,

I used https://ftp.mozilla.org/pub/mozilla.org/firefox/tinderbox-builds/mozilla-central-macosx-debug/1334608993/jsshell-mac.zip

(I couldn't seem to reproduce with a shell compiled locally)

s-s because gc is involved. I'm not sure if the Worker() function is shell-only. If it is, this bug can be opened.
Comment 1 Gary Kwong [:gkw] [:nth10sd] 2012-04-17 16:42:58 PDT
Steve mentions that the Worker() function is enabled with --enable-threadsafe. I don't compile my shells with --enable-threadsafe by default.

Should the tinderboxen js shells be compiled with --enable-threadsafe by default?
Comment 2 Gary Kwong [:gkw] [:nth10sd] 2012-04-17 17:03:46 PDT
See bug 731448 comment 4. jorendorff mentions that probably "jsworkers.cpp is just completely broken and nobody noticed".
Comment 3 Daniel Veditz [:dveditz] 2012-04-18 10:43:25 PDT
Worker() exists in Gecko ("Error: Constructor requires at least one argument") but I don't know if it's the same underlying worker or not. Should try this using the fuzzing add-on that enables gc() in Firefox.
Comment 4 Jesse Ruderman 2012-04-18 14:24:15 PDT
This does not crash the browser:

new Worker("data:text/javascript,3");
fuzzPriv.GC();
Comment 5 Jason Orendorff [:jorendorff] 2012-04-20 07:06:09 PDT
It's not the same Worker implementation at all. This is a bug in code that is not linked into Gecko at all.
Comment 6 David Mandelin [:dmandelin] 2012-04-26 19:02:40 PDT
Unhiding per comment 5.
Comment 7 Gary Kwong [:gkw] [:nth10sd] 2012-06-24 23:40:52 PDT
jsfunfuzz is now running on releng hardware; this assert is clouding results, as creating an exception for this assert also ignores other non-Worker-triggered testcases for this assert.
Comment 8 Jesse Ruderman 2012-06-25 13:04:36 PDT
I turned off fuzzing of shell Worker, so now we're back where we were before.
Comment 9 Gary Kwong [:gkw] [:nth10sd] 2012-07-05 19:37:14 PDT
(actually, FIXED by the removal of Worker, a known patch in bug 771281 - hurray!)
