Bug 746006 - "Assertion failure: thing->compartment()->rt == trc->runtime," with Worker
: assertion, testcase
Product: Core
Classification: Components
Component: JavaScript Engine
: Trunk
: x86 Mac OS X
-- critical
: ---
Assigned To: general
: Jason Orendorff [:jorendorff]
Depends on:
Blocks: jsfunfuzz
Reported: 2012-04-16 16:32 PDT by Gary Kwong [:gkw] [:nth10sd]
Modified: 2012-07-05 19:37 PDT
Description Gary Kwong [:gkw] [:nth10sd] 2012-04-16 16:32:33 PDT

asserts js debug shell on m-c changeset c61e7c3a232a without any CLI arguments at Assertion failure: thing->compartment()->rt == trc->runtime,

I used

(I couldn't seem to reproduce with a shell compiled locally)

s-s because gc is involved. I'm not sure if the Worker() function is shell-only. If it is, this bug can be opened.
Comment 1 Gary Kwong [:gkw] [:nth10sd] 2012-04-17 16:42:58 PDT
Steve mentions that the Worker() function is enabled with --enable-threadsafe. I don't compile my shells with --enable-threadsafe by default.

Should the tinderboxen js shells be compiled with --enable-threadsafe by default?
Comment 2 Gary Kwong [:gkw] [:nth10sd] 2012-04-17 17:03:46 PDT
See bug 731448 comment 4. jorendorff mentions that probably "jsworkers.cpp is just completely broken and nobody noticed".
Comment 3 Daniel Veditz [:dveditz] 2012-04-18 10:43:25 PDT
Worker() exists in Gecko ("Error: Constructor requires at least one argument") but I don't know if it's the same underlying worker or not. Should try this using the fuzzing add-on that enables gc() in Firefox.
Comment 4 Jesse Ruderman 2012-04-18 14:24:15 PDT
This does not crash the browser:

new Worker("data:text/javascript,3");
Comment 5 Jason Orendorff [:jorendorff] 2012-04-20 07:06:09 PDT
It's not the same Worker implementation at all. This is a bug in code that is not linked into Gecko at all.
Comment 6 David Mandelin [:dmandelin] 2012-04-26 19:02:40 PDT
Unhiding per comment 5.
Comment 7 Gary Kwong [:gkw] [:nth10sd] 2012-06-24 23:40:52 PDT
jsfunfuzz is now running on releng hardware; this assert is clouding results, as creating an exception for this assert also ignores other non-Worker triggered testcases for this assert.
Comment 8 Jesse Ruderman 2012-06-25 13:04:36 PDT
I turned off fuzzing of shell Worker, so now we're back where we were before.
Comment 9 Gary Kwong [:gkw] [:nth10sd] 2012-07-05 19:37:14 PDT
(actually, FIXED by the removal of Worker, a known patch in bug 771281 - hurray!)