Closed
Bug 920782
Opened 11 years ago
Closed 11 years ago
Assertion failure: js::CurrentThreadCanAccessRuntime(runtime_), at ./../../dist/include/js/HeapAPI.h:90
Categories: Core :: JavaScript Engine, defect
People: Reporter: gwagner, Assigned: bhackett1024
Whiteboard: [qa-]
Attachments (1 file): patch, 769 bytes, billm: review+
Description • 11 years ago
I see this pretty often with a b2g-desktop debug build. We should also make sure that we fix 1.2 if it's affected.

Assertion failure: js::CurrentThreadCanAccessRuntime(runtime_), at ./../../dist/include/js/HeapAPI.h:90
Program received signal EXC_BAD_ACCESS, Could not access memory.
Reason: KERN_INVALID_ADDRESS at address: 0x0000000000000000
[Switching to process 98570 thread 0x5303]
js::TriggerZoneGC (zone=<value temporarily unavailable, due to optimizations>, reason=<value temporarily unavailable, due to optimizations>) at HeapAPI.h:90
90        JS_ASSERT(js::CurrentThreadCanAccessRuntime(runtime_));
(gdb) bt
#0  js::TriggerZoneGC (zone=<value temporarily unavailable, due to optimizations>, reason=<value temporarily unavailable, due to optimizations>) at HeapAPI.h:90
#1  0x0000000103b96e87 in js::gc::Chunk::allocateArena (this=<value temporarily unavailable, due to optimizations>, zone=<value temporarily unavailable, due to optimizations>, thingKind=<value temporarily unavailable, due to optimizations>) at /Volumes/mac/code/src/js/src/jsgc.cpp:786
#2  0x0000000103ba560a in js::gc::ArenaLists::allocateFromArenaInline (this=0x107e64038, zone=0x107e64000, thingKind=js::gc::FINALIZE_STRING) at /Volumes/mac/code/src/js/src/jsgc.cpp:1292
#3  0x0000000103ba6058 in js::gc::ArenaLists::refillFreeList<(js::AllowGC)0> (cx=0x140cbeab0, thingKind=js::gc::FINALIZE_STRING) at /Volumes/mac/code/src/js/src/jsgc.cpp:1541
#4  0x0000000103c6ed1c in js::gc::NewGCThing<JSString, (js::AllowGC)0> (cx=0x140cbeab0, kind=js::gc::FINALIZE_STRING, thingSize=<value temporarily unavailable, due to optimizations>, heap=180868096) at jsgcinlines.h:426
#5  0x0000000103c668fd in JSInlineString::new_<(js::AllowGC)0> () at String-inl.h:254
#6  0x0000000103c668fd in js_NewGCString<(js::AllowGC)0> () at /Volumes/mac/code/src/js/src/jsgcinlines.h:76
#7  0x0000000103c668fd in js::NewShortString<(js::AllowGC)1> (cx=<value temporarily unavailable, due to optimizations>, chars={<mozilla::Range<unsigned short>> = {mStart = {ptr = 0x146790c00, rangeStart = 0x146790c00, rangeEnd = 0x146790c0c}, mEnd = {ptr = 0x146790c0c, rangeStart = 0x146790c00, rangeEnd = 0x146790c0c}}, <No data fields>}) at String-inl.h:254
#8  0x0000000103c6de1b in js_NewStringCopyN<(js::AllowGC)1> (cx=0x140cbeab0, s=0x146790c00, n=6) at /Volumes/mac/code/src/js/src/jsstr.cpp:3828
#9  0x0000000103b5dada in AtomizeAndCopyChars (cx=0x140cbeab0, tbchars=0x146790c00, length=6, ib=js::DoNotInternAtom) at /Volumes/mac/code/src/js/src/jsatom.cpp:311
#10 0x0000000103b5f07f in js::AtomizeChars<(js::AllowGC)1> (cx=<value temporarily unavailable, due to optimizations>, chars=<value temporarily unavailable, due to optimizations>, length=<value temporarily unavailable, due to optimizations>, ib=<value temporarily unavailable, due to optimizations>) at /Volumes/mac/code/src/js/src/jsatom.cpp:424
#11 0x0000000103aa54e4 in js::frontend::TokenStream::getTokenInternal (this=0x10ac80728, modifier=2504) at /Volumes/mac/code/src/js/src/frontend/TokenStream.cpp:913
#12 0x0000000103a49ef8 in js::frontend::TokenStream::peekToken () at /Volumes/mac/code/src/js/src/frontend/TokenStream.h:508
#13 0x0000000103a49ef8 in js::frontend::Parser<js::frontend::SyntaxParseHandler>::arrayInitializer (this=0x10ac806f8) at TokenStream.h:6451
#14 0x0000000103a48799 in js::frontend::Parser<js::frontend::SyntaxParseHandler>::primaryExpr (this=0x10ac806f8, tt=<value temporarily unavailable, due to optimizations>) at /Volumes/mac/code/src/js/src/frontend/Parser.cpp:6790
#15 0x0000000103a497b7 in js::frontend::Parser<js::frontend::SyntaxParseHandler>::memberExpr (this=0x10ac806f8, tt=js::frontend::TOK_LB, allowCallSyntax=true) at /Volumes/mac/code/src/js/src/frontend/Parser.cpp:6286
#16 0x0000000103a49590 in js::frontend::Parser<js::frontend::SyntaxParseHandler>::unaryExpr (this=0x10ac806f8) at /Volumes/mac/code/src/js/src/frontend/Parser.cpp:5537
#17 0x0000000103a490fd in js::frontend::Parser<js::frontend::SyntaxParseHandler>::orExpr1 (this=0x10ac806f8) at /Volumes/mac/code/src/js/src/frontend/Parser.cpp:5195
#18 0x0000000103a48f22 in js::frontend::Parser<js::frontend::SyntaxParseHandler>::condExpr1 (this=0x10ac806f8) at /Volumes/mac/code/src/js/src/frontend/Parser.cpp:5247
#19 0x0000000103a46537 in js::frontend::Parser<js::frontend::SyntaxParseHandler>::assignExpr (this=0x10ac806f8) at /Volumes/mac/code/src/js/src/frontend/Parser.cpp:5375
#20 0x0000000103a4a642 in js::frontend::Parser<js::frontend::SyntaxParseHandler>::objectLiteral (this=0x10ac806f8) at /Volumes/mac/code/src/js/src/frontend/Parser.cpp:6667
#21 0x0000000103a487a9 in js::frontend::Parser<js::frontend::SyntaxParseHandler>::primaryExpr (this=0x10ac806f8, tt=<value temporarily unavailable, due to optimizations>) at /Volumes/mac/code/src/js/src/frontend/Parser.cpp:6793
#22 0x0000000103a497b7 in js::frontend::Parser<js::frontend::SyntaxParseHandler>::memberExpr (this=0x10ac806f8, tt=js::frontend::TOK_LC, allowCallSyntax=true) at /Volumes/mac/code/src/js/src/frontend/Parser.cpp:6286
#23 0x0000000103a49590 in js::frontend::Parser<js::frontend::SyntaxParseHandler>::unaryExpr (this=0x10ac806f8) at /Volumes/mac/code/src/js/src/frontend/Parser.cpp:5537
#24 0x0000000103a490fd in js::frontend::Parser<js::frontend::SyntaxParseHandler>::orExpr1 (this=0x10ac806f8) at /Volumes/mac/code/src/js/src/frontend/Parser.cpp:5195
#25 0x0000000103a48f22 in js::frontend::Parser<js::frontend::SyntaxParseHandler>::condExpr1 (this=0x10ac806f8) at /Volumes/mac/code/src/js/src/frontend/Parser.cpp:5247
#26 0x0000000103a46537 in js::frontend::Parser<js::frontend::SyntaxParseHandler>::assignExpr (this=0x10ac806f8) at /Volumes/mac/code/src/js/src/frontend/Parser.cpp:5375
#27 0x0000000103a49fa8 in js::frontend::Parser<js::frontend::SyntaxParseHandler>::arrayInitializer (this=<value temporarily unavailable, due to optimizations>) at /Volumes/mac/code/src/js/src/frontend/Parser.cpp:6469
#28 0x0000000103a48799 in js::frontend::Parser<js::frontend::SyntaxParseHandler>::primaryExpr (this=0x10ac806f8, tt=<value temporarily unavailable, due to optimizations>) at /Volumes/mac/code/src/js/src/frontend/Parser.cpp:6790
#29 0x0000000103a497b7 in js::frontend::Parser<js::frontend::SyntaxParseHandler>::memberExpr (this=0x10ac806f8, tt=js::frontend::TOK_LB, allowCallSyntax=true) at /Volumes/mac/code/src/js/src/frontend/Parser.cpp:6286
#30 0x0000000103a49590 in js::frontend::Parser<js::frontend::SyntaxParseHandler>::unaryExpr (this=0x10ac806f8) at /Volumes/mac/code/src/js/src/frontend/Parser.cpp:5537
#31 0x0000000103a490fd in js::frontend::Parser<js::frontend::SyntaxParseHandler>::orExpr1 (this=0x10ac806f8) at /Volumes/mac/code/src/js/src/frontend/Parser.cpp:5195
#32 0x0000000103a48f22 in js::frontend::Parser<js::frontend::SyntaxParseHandler>::condExpr1 (this=0x10ac806f8) at /Volumes/mac/code/src/js/src/frontend/Parser.cpp:5247
#33 0x0000000103a46537 in js::frontend::Parser<js::frontend::SyntaxParseHandler>::assignExpr (this=0x10ac806f8) at /Volumes/mac/code/src/js/src/frontend/Parser.cpp:5375
#34 0x0000000103a4a642 in js::frontend::Parser<js::frontend::SyntaxParseHandler>::objectLiteral (this=0x10ac806f8) at /Volumes/mac/code/src/js/src/frontend/Parser.cpp:6667
#35 0x0000000103a487a9 in js::frontend::Parser<js::frontend::SyntaxParseHandler>::primaryExpr (this=0x10ac806f8, tt=<value temporarily unavailable, due to optimizations>) at /Volumes/mac/code/src/js/src/frontend/Parser.cpp:6793
#36 0x0000000103a497b7 in js::frontend::Parser<js::frontend::SyntaxParseHandler>::memberExpr (this=0x10ac806f8, tt=js::frontend::TOK_LC, allowCallSyntax=true) at /Volumes/mac/code/src/js/src/frontend/Parser.cpp:6286
#37 0x0000000103a49590 in js::frontend::Parser<js::frontend::SyntaxParseHandler>::unaryExpr (this=0x10ac806f8) at /Volumes/mac/code/src/js/src/frontend/Parser.cpp:5537
#38 0x0000000103a490fd in js::frontend::Parser<js::frontend::SyntaxParseHandler>::orExpr1 (this=0x10ac806f8) at /Volumes/mac/code/src/js/src/frontend/Parser.cpp:5195
#39 0x0000000103a48f22 in js::frontend::Parser<js::frontend::SyntaxParseHandler>::condExpr1 (this=0x10ac806f8) at /Volumes/mac/code/src/js/src/frontend/Parser.cpp:5247
#40 0x0000000103a46537 in js::frontend::Parser<js::frontend::SyntaxParseHandler>::assignExpr (this=0x10ac806f8) at /Volumes/mac/code/src/js/src/frontend/Parser.cpp:5375
#41 0x0000000103a465d8 in js::frontend::Parser<js::frontend::SyntaxParseHandler>::assignExpr (this=0x10ac806f8) at /Volumes/mac/code/src/js/src/frontend/Parser.cpp:5417
#42 0x0000000103a45a23 in js::frontend::Parser<js::frontend::SyntaxParseHandler>::expr () at /Volumes/mac/code/src/js/src/frontend/Parser.h:5068
#43 0x0000000103a45a23 in js::frontend::Parser<js::frontend::SyntaxParseHandler>::expressionStatement (this=0x10ac806f8) at /Volumes/mac/code/src/js/src/frontend/Parser.cpp:3722
#44 0x0000000103a42ba1 in js::frontend::Parser<js::frontend::SyntaxParseHandler>::statement (this=<value temporarily unavailable, due to optimizations>, canHaveDirectives=<value temporarily unavailable, due to optimizations>) at /Volumes/mac/code/src/js/src/frontend/Parser.cpp:5060
#45 0x0000000103a422a1 in js::frontend::Parser<js::frontend::SyntaxParseHandler>::statements (this=0x10ac806f8) at /Volumes/mac/code/src/js/src/frontend/Parser.cpp:2646
#46 0x0000000103a46051 in js::frontend::Parser<js::frontend::SyntaxParseHandler>::functionBody (this=0x10ac806f8, kind=js::frontend::Expression, type=js::frontend::Parser<js::frontend::SyntaxParseHandler>::StatementListBody) at /Volumes/mac/code/src/js/src/frontend/Parser.cpp:1066
#47 0x0000000103a46c0c in js::frontend::Parser<js::frontend::SyntaxParseHandler>::functionArgsAndBodyGeneric (this=0x10ac806f8, pn=js::frontend::SyntaxParseHandler::NodeGeneric, type=<value temporarily unavailable, due to optimizations>, kind=js::frontend::Expression, newDirectives=0x10ac7d400) at /Volumes/mac/code/src/js/src/frontend/Parser.cpp:2320
#48 0x0000000103a2d6ec in js::frontend::Parser<js::frontend::FullParseHandler>::functionArgsAndBody (this=0x10ac80038, pn=0x11aa89020, type=js::frontend::Normal, kind=js::frontend::Expression, generatorKind=<value temporarily unavailable, due to optimizations>, newDirectives=0x10ac80728) at /Volumes/mac/code/src/js/src/frontend/Parser.cpp:2141
#49 0x0000000103a3a0b3 in js::frontend::Parser<js::frontend::FullParseHandler>::functionDef (this=0x10ac80038, start=@0x10ac7f1a0, type=js::frontend::Normal, kind=js::frontend::Expression, generatorKind=js::NotGenerator) at /Volumes/mac/code/src/js/src/frontend/Parser.cpp:1995
#50 0x0000000103a3a52f in js::frontend::Parser<js::frontend::FullParseHandler>::functionExpr (this=0x10ac80038) at /Volumes/mac/code/src/js/src/frontend/Parser.cpp:2475
#51 0x0000000103a3b5cb in js::frontend::Parser<js::frontend::FullParseHandler>::primaryExpr (this=0x10ac80038, tt=<value temporarily unavailable, due to optimizations>) at /Volumes/mac/code/src/js/src/frontend/Parser.cpp:6787
#52 0x0000000103a3ce79 in js::frontend::Parser<js::frontend::FullParseHandler>::memberExpr (this=0x10ac80038, tt=js::frontend::TOK_FUNCTION, allowCallSyntax=true) at /Volumes/mac/code/src/js/src/frontend/Parser.cpp:6286
#53 0x0000000103a3c97b in js::frontend::Parser<js::frontend::FullParseHandler>::unaryExpr (this=0x10ac80038) at /Volumes/mac/code/src/js/src/frontend/Parser.cpp:5537
#54 0x0000000103a3c389 in js::frontend::Parser<js::frontend::FullParseHandler>::orExpr1 (this=0x10ac80038) at /Volumes/mac/code/src/js/src/frontend/Parser.cpp:5195
#55 0x0000000103a3c0d6 in js::frontend::Parser<js::frontend::FullParseHandler>::condExpr1 (this=0x10ac80038) at /Volumes/mac/code/src/js/src/frontend/Parser.cpp:5247
#56 0x0000000103a385a6 in js::frontend::Parser<js::frontend::FullParseHandler>::assignExpr (this=0x10ac80038) at /Volumes/mac/code/src/js/src/frontend/Parser.cpp:5375
#57 0x0000000103a3abf6 in js::frontend::Parser<js::frontend::FullParseHandler>::expr (this=0x10ac80038) at /Volumes/mac/code/src/js/src/frontend/Parser.cpp:5068
#58 0x0000000103a3a987 in js::frontend::Parser<js::frontend::FullParseHandler>::parenExpr (this=0x10ac80038, genexp=0x10ac7f61b) at /Volumes/mac/code/src/js/src/frontend/Parser.cpp:6896
#59 0x0000000103a3b41e in js::frontend::Parser<js::frontend::FullParseHandler>::primaryExpr (this=0x10ac80038, tt=<value temporarily unavailable, due to optimizations>) at /Volumes/mac/code/src/js/src/frontend/Parser.cpp:6803
#60 0x0000000103a3ce79 in js::frontend::Parser<js::frontend::FullParseHandler>::memberExpr (this=0x10ac80038, tt=js::frontend::TOK_LP, allowCallSyntax=true) at /Volumes/mac/code/src/js/src/frontend/Parser.cpp:6286
#61 0x0000000103a3c97b in js::frontend::Parser<js::frontend::FullParseHandler>::unaryExpr (this=0x10ac80038) at /Volumes/mac/code/src/js/src/frontend/Parser.cpp:5537
#62 0x0000000103a3c389 in js::frontend::Parser<js::frontend::FullParseHandler>::orExpr1 (this=0x10ac80038) at /Volumes/mac/code/src/js/src/frontend/Parser.cpp:5195
#63 0x0000000103a3c0d6 in js::frontend::Parser<js::frontend::FullParseHandler>::condExpr1 (this=0x10ac80038) at /Volumes/mac/code/src/js/src/frontend/Parser.cpp:5247
#64 0x0000000103a385a6 in js::frontend::Parser<js::frontend::FullParseHandler>::assignExpr (this=0x10ac80038) at /Volumes/mac/code/src/js/src/frontend/Parser.cpp:5375
#65 0x0000000103a3abf6 in js::frontend::Parser<js::frontend::FullParseHandler>::expr (this=0x10ac80038) at /Volumes/mac/code/src/js/src/frontend/Parser.cpp:5068
#66 0x0000000103a37772 in js::frontend::Parser<js::frontend::FullParseHandler>::expressionStatement (this=0x10ac80038) at /Volumes/mac/code/src/js/src/frontend/Parser.cpp:3722
#67 0x0000000103a33f35 in js::frontend::Parser<js::frontend::FullParseHandler>::statement (this=<value temporarily unavailable, due to optimizations>, canHaveDirectives=<value temporarily unavailable, due to optimizations>) at /Volumes/mac/code/src/js/src/frontend/Parser.cpp:5060
#68 0x0000000103980b8a in js::frontend::CompileScript (cx=0x140cbeab0, alloc=0x11a517480, options=@0x1408e55c8, chars=0x1408e55c8, length=<value temporarily unavailable, due to optimizations>, source_=0x0, extraSct=<value temporarily unavailable, due to optimizations>) at /Volumes/mac/code/src/js/src/frontend/BytecodeCompiler.cpp:318
#69 0x0000000103c7d65c in js::WorkerThread::handleParseWorkload (this=0x10aa3b2a0, state=@0x10052fc40) at /Volumes/mac/code/src/js/src/jsworkers.cpp:744
#70 0x0000000103c7cb67 in js::WorkerThread::threadLoop (this=0x10aa3b2a0) at /Volumes/mac/code/src/js/src/jsworkers.cpp:922
#71 0x000000010121f707 in _pt_root ()
#72 0x00007fff8bd74772 in _pthread_start ()
#73 0x00007fff8bd611a1 in thread_start ()
(gdb) l
85        JS_ASSERT(js::CurrentThreadCanAccessRuntime(runtime_));
86        return barrierTracer_;
87    }
88
89    JSRuntime *runtimeFromMainThread() const {
90        JS_ASSERT(js::CurrentThreadCanAccessRuntime(runtime_));
91        return runtime_;
92    }
93
94    // Note: Unrestricted access to the zone's runtime from an arbitrary
(gdb)
Reporter, updated 11 years ago:
blocking-b2g: --- → koi?
Comment 1 • 11 years ago
Hmm, I wonder if this is somehow caused by b2g not having IonMonkey. Is there any reason that JS_WORKERS is tied to Ion?
Comment 2 • 11 years ago
Ion is enabled on v1.2. It's only disabled on v1.1 (b2g18).
Comment 3 • 11 years ago
Actually, I think this is just a bug. It's not shown in the stack trace, but I'm guessing that TriggerZoneGC is getting called. This probably happens more often on b2g because the alloc triggers are lower.
Assignee, Comment 4 • 11 years ago
I don't think there's anything bad that could result from triggering GCs via the operation callback while off the main thread, but this patch avoids doing these triggers. Triggering a zone GC on one of these exclusive zones will not actually collect from the zone (will it collect from anything?).
Attachment #811188 - Flags: review?(wmccloskey)
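The comments above describe TriggerZoneGC being reached from the arena allocation path on an off-thread parse worker, tripping the main-thread-only assertion at HeapAPI.h:90, and a patch that skips these triggers for zones used exclusively off the main thread. The C++ below is an added model of that path and of the guarded variant; it is not SpiderMonkey code or the attached patch, and every name in it (Runtime, Zone, allocateArenaUnfixed, allocateArenaFixed, simulateOffThreadParse) and the simulated thread switch are hypothetical.

```cpp
// Added model for this bug, not SpiderMonkey code or the attached patch; all names are hypothetical.
#include <cstddef>
enum class ThreadKind { Main, ParseWorker };
static ThreadKind gCurrentThread = ThreadKind::Main; // simulated current thread

struct Runtime {
    int gcRequests = 0;    // zone GCs requested through the operation callback
    int assertionHits = 0; // violations of the main-thread-only rule
    // Model of js::CurrentThreadCanAccessRuntime(): the runtime belongs to the main thread.
    bool currentThreadCanAccess() const { return gCurrentThread == ThreadKind::Main; }
};

struct Zone {
    Runtime* rt;
    bool usedByExclusiveThread;  // owned by an off-thread parse worker
    std::size_t gcBytes = 0;     // bytes allocated into this zone so far
    std::size_t gcTriggerBytes;  // lower on b2g, so the trigger is reached sooner
    Zone(Runtime* r, bool exclusive = false, std::size_t trigger = 4096)
        : rt(r), usedByExclusiveThread(exclusive), gcTriggerBytes(trigger) {}
};

// Model of Zone::runtimeFromMainThread() (HeapAPI.h:90). JS_ASSERT aborts a debug
// build; the model counts the violation instead so a test can observe it.
Runtime* runtimeFromMainThread(Zone* zone) {
    if (!zone->rt->currentThreadCanAccess())
        zone->rt->assertionHits++;
    return zone->rt;
}
void triggerZoneGC(Zone* zone) { runtimeFromMainThread(zone)->gcRequests++; }

// Unfixed allocation path: reaching the trigger always requests a zone GC,
// even when the allocating thread is a parse worker (frames #0-#2 in the trace).
void allocateArenaUnfixed(Zone* zone, std::size_t bytes) {
    zone->gcBytes += bytes;
    if (zone->gcBytes >= zone->gcTriggerBytes)
        triggerZoneGC(zone);
}

// Fixed allocation path: a zone used exclusively by a worker never requests a GC
// from that worker, so the runtime is only ever touched from the main thread.
void allocateArenaFixed(Zone* zone, std::size_t bytes) {
    zone->gcBytes += bytes;
    if (zone->gcBytes >= zone->gcTriggerBytes && !zone->usedByExclusiveThread)
        triggerZoneGC(zone);
}

// Drive an off-thread parse allocating `count` strings of `bytes` each into an exclusive
// zone; returns how many times the main-thread-only check was violated.
int simulateOffThreadParse(Runtime& rt, bool fixed, int count, std::size_t bytes) {
    Zone zone(&rt, true);
    gCurrentThread = ThreadKind::ParseWorker;
    for (int i = 0; i < count; ++i)
        (fixed ? allocateArenaFixed : allocateArenaUnfixed)(&zone, bytes);
    gCurrentThread = ThreadKind::Main;
    return rt.assertionHits;
}
```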
Comment 5 • 11 years ago
Comment on attachment 811188: potential patch
Review of attachment 811188:
Yeah, I don't think anything bad would actually happen.
Attachment #811188 - Flags: review?(wmccloskey) → review+
Assignee, Comment 6 • 11 years ago
https://hg.mozilla.org/integration/mozilla-inbound/rev/696af256f174
Reporter, Comment 7 • 11 years ago
Thanks for the quick fix!
Comment 8 • 11 years ago
https://hg.mozilla.org/mozilla-central/rev/696af256f174
Status: NEW → RESOLVED
Closed: 11 years ago
Resolution: --- → FIXED
Target Milestone: --- → mozilla27
Comment 9 • 11 years ago
Spoke offline with gregor; the patch is low risk and would help avoid a race condition in the allocation path which can lead to security bugs, hence taking the forward fix here.
blocking-b2g: koi? → koi+
Comment 10 • 11 years ago
https://hg.mozilla.org/releases/mozilla-aurora/rev/a7c7fa46bd9e
status-b2g-v1.2: --- → fixed
status-firefox25: --- → wontfix
status-firefox26: --- → fixed
status-firefox27: --- → fixed
Updated 11 years ago
Whiteboard: [qa-]