969702 - Crash [@ PodAssign<char16_t>] or [@ js::CurrentThreadCanAccessRuntime]

Status: VERIFIED FIXED

(Core :: JavaScript Engine: JIT, defect)

Description

[Gary Kwong [:gkw] [:nth10sd] (NOT official MoCo now)]

Attachment: stack

var x;
evalcx("y+z", x);

crashes js debug shell on m-c changeset 262e73a6b7cd with --ion-parallel-compile=off --ion-eager --ion-check-thread-safety at PodAssign<char16_t>

s-s because this signature seems scary. This crash is intermittent and crashes Ubuntu Linux 12.04 LTS about once in 5-10 times for me.

My configure flags are:

AR=ar sh ./configure --enable-optimize --enable-debug --enable-profiling --enable-gczeal --enable-debug-symbols --enable-methodjit --enable-type-inference --disable-tests --enable-more-deterministic --enable-exact-rooting --with-ccache --enable-threadsafe <other NSPR options>

autoBisect shows this is probably related to the following changeset:

The first bad revision is:
changeset:   http://hg.mozilla.org/mozilla-central/rev/995f7402235b
user:        Brian Hackett
date:        Wed Feb 05 11:40:35 2014 -0700
summary:     Bug 941805 - Make the pool of JS workers be per process rather than per runtime, r=billm.

Brian, is bug 941805 a likely regressor?

Comment 1

[Gary Kwong [:gkw] [:nth10sd] (NOT official MoCo now)]

Sometimes the crash signature is at js::CurrentThreadCanAccessRuntime.

Comment 2

[Christian Holler (:decoder)]

JSBugMon: Cannot process bug: Error: Failed to compile specified revision 262e73a6b7cd (maybe try another?)

Comment 3

[Gary Kwong [:gkw] [:nth10sd] (NOT official MoCo now)]

(In reply to Christian Holler (:decoder) from comment #2)
> JSBugMon: Cannot process bug: Error: Failed to compile specified revision
> 262e73a6b7cd (maybe try another?)

Retry with a later revision that fixed non-threadsafe build compilation issues.

Comment 4

[Christian Holler (:decoder)]

JSBugMon: Cannot process bug: Unable to automatically reproduce, please track manually.

Comment 5

[Gary Kwong [:gkw] [:nth10sd] (NOT official MoCo now)]

This is a fairly common occurrence for threadsafe builds.

Comment 6

[Gary Kwong [:gkw] [:nth10sd] (NOT official MoCo now)]

Passing the --no-sse3 or the --no-sse4 flags into the Windows 64-bit debug shell, e.g.:

./js --no-sse3 -e 42

can also occasionally (once in ~30 times) result in a crash (non-zero exit code 253).

autoBisect also reduced this to:

The first bad revision is:
changeset:   http://hg.mozilla.org/mozilla-central/rev/995f7402235b
user:        Brian Hackett
date:        Wed Feb 05 11:40:35 2014 -0700
summary:     Bug 941805 - Make the pool of JS workers be per process rather than per runtime, r=billm.

Comment 7

[Brian Hackett [Laid off!]]

Can you attach stacks for all threads when this crash is hit?  I can't reproduce it.

Comment 8

[Gary Kwong [:gkw] [:nth10sd] (NOT official MoCo now)]

Attachment: thread apply all bt

I could reproduce this on the original specified changeset with --ion-check-thread-safety.

Comment 9

[Brian Hackett [Laid off!]]

Hmm, it looks like the memory protection done by --ion-check-thread-safety is causing this crash --- the main thread is compiling a script and has protected the GC heap, and another thread is doing source compression and trying to use a string's inline chars for the script source.  This behavior is fine and just an issue with debugging code, and since --ion-check-thread-safety has been removed there isn't anything more to be done here.  I don't know what the problem with the Windows 64 bit crash is but it's a separate issue and there isn't much to go on without a stack trace.

Comment 10

[Gary Kwong [:gkw] [:nth10sd] (NOT official MoCo now)]

The Win64-debug crash is perhaps the same issue, but I can always open a new bug if it happens again. Since the issue in comment 0 has likely been fixed by the backout let's just call this fixed for now.

Comment 11

[Gary Kwong [:gkw] [:nth10sd] (NOT official MoCo now)]

> and since --ion-check-thread-safety has been removed there isn't anything more to be
> done here.

For the record, this was removed in bug 785905.

Comment 12

[Christian Holler (:decoder)]

JSBugMon: This bug has been automatically verified fixed.