
"Assertion failure: thing->compartment()->rt == trc->runtime," with Worker

RESOLVED FIXED

Status

Product: Core
Component: JavaScript Engine
Priority: --
Severity: critical
Status: RESOLVED FIXED
Reported: 5 years ago
Modified: 5 years ago

People

(Reporter: gkw, Unassigned)

Tracking

(Blocks: 1 bug, {assertion, testcase})

Version: Trunk
Hardware: x86
OS: Mac OS X
Keywords: assertion, testcase
Points: ---

Firefox Tracking Flags

(Not tracked)

Details

(Whiteboard: [fuzzblocker:shell-worker])

Description (Reporter), 5 years ago

Worker()
gc()

asserts js debug shell on m-c changeset c61e7c3a232a without any CLI arguments at Assertion failure: thing->compartment()->rt == trc->runtime,

I used https://ftp.mozilla.org/pub/mozilla.org/firefox/tinderbox-builds/mozilla-central-macosx-debug/1334608993/jsshell-mac.zip

(I couldn't seem to reproduce with a shell compiled locally)

s-s because gc is involved. I'm not sure if the Worker() function is shell-only. If it is, this bug can be opened.

Comment 1 (Reporter), 5 years ago

Steve mentions that the Worker() function is enabled with --enable-threadsafe. I don't compile my shells with --enable-threadsafe by default.

Should the tinderboxen js shells be compiled with --enable-threadsafe by default?

Updated (Reporter), 5 years ago

Summary: "Assertion failure: thing->compartment()->rt == trc->runtime," → "Assertion failure: thing->compartment()->rt == trc->runtime," with Worker

Comment 2 (Reporter), 5 years ago

See bug 731448 comment 4. jorendorff mentions that probably "jsworkers.cpp is just completely broken and nobody noticed".
Worker() exists in Gecko ("Error: Constructor requires at least one argument") but I don't know if it's the same underlying worker or not. Should try this using the fuzzing add-on that enables gc() in Firefox.

Comment 4, 5 years ago

This does not crash the browser:

new Worker("data:text/javascript,3");
fuzzPriv.GC();

It's not the same Worker implementation at all. This is a bug in code that is not linked into Gecko at all.
Unhiding per comment 5.
Group: core-security
Whiteboard: js-triage-needed

Comment 7 (Reporter), 5 years ago

jsfunfuzz is now running on releng hardware; this assert is clouding results, as creating an exception for this assert also ignores other, non-Worker-triggered testcases for this assert.
Whiteboard: [fuzzblocker]

Comment 8, 5 years ago

I turned off fuzzing of shell Worker, so now we're back where we were before.
Whiteboard: [fuzzblocker] → [fuzzblocker:shell-worker]

Comment 9 (Reporter), 5 years ago

(actually, FIXED by the removal of Worker, a known patch in bug 771281 - hurray!)
Status: NEW → RESOLVED
Last Resolved: 5 years ago
Resolution: --- → FIXED