Closed Bug 905396 Opened 7 years ago Closed 7 years ago

Crash [@ js::EncapsulatedPtr] or Assertion failure: js::CurrentThreadCanAccessRuntime(runtime_), at vm/Runtime.h with ParallelArray

Categories

(Core :: JavaScript Engine, defect, critical)

x86_64
macOS
defect
Not set
critical

Tracking

()

RESOLVED FIXED
mozilla26

People

(Reporter: gkw, Assigned: h4writer)

References

(Blocks 1 open bug)

Details

(Keywords: crash, regression, testcase, Whiteboard: [fuzzblocker])

Crash Data

Attachments

(2 files)

Attached file stack
x = Proxy.createFunction((function() {
    return {
        r: function() {},
        r: function() {},
        y: function() {},
        s: function() {},
        e: function() {},
        x: function() {},
        s: function() {},
        n: function() {},
        t: function() {},
        t: function() {},
        e: function() {},
        e: function() {},
        s: function() {}
    }
})(), Function)
ParallelArray([88], x)

crashes js debug (64-bit threadsafe deterministic) shell on m-c changeset 4930fdea3efa without any CLI arguments at js::EncapsulatedPtr
Whiteboard: [jsbugmon:update,bisect] → [jsbugmon:bisect]
JSBugMon: Cannot process bug: Unable to automatically reproduce, please track manually.
This definitely reproduces for me, at least with a threadsafe shell on Mac OS X 10.8. Will run autoBisect first.
Summary: Crash [@ js::EncapsulatedPtr] → Crash [@ js::EncapsulatedPtr] with ParallelArray
Whiteboard: [jsbugmon:bisect]
autoBisect shows this is probably related to the following changeset:

The first bad revision is:
changeset:   http://hg.mozilla.org/mozilla-central/rev/9179e5001bb4
user:        Hannes Verschore
date:        Tue Aug 13 22:46:27 2013 +0200
summary:     Bug 891910 - IonMonkey: In a generic call handle all cases without need for bailout, r=sstangl
Blocks: 891910
Crash Signature: [@ js::EncapsulatedPtr] → [@ js::EncapsulatedPtr<JSObject, unsigned long>::operator->()]
Hannes, this is happening fairly often - is it possible to take a look?
Flags: needinfo?(hv1989)
Whiteboard: [fuzzblocker]
(In reply to Gary Kwong [:gkw] [:nth10sd] from comment #4)
> Hannes, this is happening fairly often - is it possible to take a look?

Sure
Assignee: general → hv1989
Flags: needinfo?(hv1989)
This seems to cause Assertion failure: js::CurrentThreadCanAccessRuntime(runtime_), at vm/Runtime.h as well.
Summary: Crash [@ js::EncapsulatedPtr] with ParallelArray → Crash [@ js::EncapsulatedPtr] or Assertion failure: js::CurrentThreadCanAccessRuntime(runtime_), at vm/Runtime.h with ParallelArray
Duplicate of this bug: 906016
We now also take the parallel bailout path (instead of the previous snapshot bailout path) for non JSFunctions. So adjust spewing, so we don't crash there.
Attachment #791863 - Flags: review?(sstangl)
Attachment #791863 - Flags: review?(sstangl) → review+
https://hg.mozilla.org/mozilla-central/rev/9586120a2290
Status: NEW → RESOLVED
Closed: 7 years ago
Resolution: --- → FIXED
Target Milestone: --- → mozilla26
You need to log in before you can comment on or make changes to this bug.