887921 - Assertion failure: InSequentialOrExclusiveParallelSection(), at gc/Heap.h

Status: RESOLVED FIXED

(Core :: JavaScript Engine, defect)

Description

[Gary Kwong [:gkw] [:nth10sd] (NOT official MoCo now)]

Attachment: stack

gc();
m0 = new WeakMap;
m0.toSource = (function() {
    p1 = new ParallelArray([16289], function() {});
});
uneval(this);
Object.defineProperty(this, "o0.v1", {
    configurable: gcPreserveCode(),
});
function f0() {
    return ''
};
gcslice(182);
p1.reduce(f0);

asserts js debug shell on m-c changeset 3b955f306226 without any CLI arguments at Assertion failure: InSequentialOrExclusiveParallelSection(), at gc/Heap.h

s-s because this involves gc and bug 857094 was previously s-s. Tested with a 64-bit threadsafe js debug shell.

autoBisect shows this is probably related to the following changeset:

The first bad revision is:
changeset:   http://hg.mozilla.org/mozilla-central/rev/1aa1dc84a1a4
user:        Shu-yu Guo
date:        Thu Apr 04 08:13:22 2013 -0700
summary:     Bug 857094. (r=sstangl)

Comment 1

[Shu-yu Guo [:shu]]

Attachment: fix

Don't toggle pre barriers for parallel execution, as IGC doesn't run anyways during it.

Comment 2

[Shu-yu Guo [:shu]]

https://hg.mozilla.org/integration/mozilla-inbound/rev/870d2959d44d

try: https://tbpl.mozilla.org/?tree=Try&rev=dcc924a0d06e

Comment 3

[Phil Ringnalda (:philor)]

https://hg.mozilla.org/mozilla-central/rev/870d2959d44d

Comment 4

[Al Billings [:abillings - ex-MoCo]]

This should have gone through a security rating and sec approval since it crosses multiple branches. Now we need to decide whether we need it for ESR24 or not. 

Can someone please think about a security rating for this?

Comment 5

[Al Billings [:abillings - ex-MoCo]]

This needs a security rating and may need an ESR patch for 24 ESR depending on severity. We're running out of time to take ESR patches as well.

Comment 6

[Shu-yu Guo [:shu]]

This is a PJS bug, and PJS is ifdef'd out in all branches except Nightly.