Assertion failure: CurrentThreadCanAccessRuntime(rt), at js/src/gc/Cell.h:258 with evalInWorker
Categories
(Core :: JavaScript Engine, defect, P1)
Tracking
| | Tracking | Status |
|---|---|---|
| firefox-esr60 | --- | unaffected |
| firefox-esr68 | --- | unaffected |
| firefox68 | --- | unaffected |
| firefox69 | --- | unaffected |
| firefox70 | --- | fixed |
People
(Reporter: gkw, Assigned: jandem)
References
(Regression)
Details
(4 keywords, Whiteboard: [jsbugmon:])
Attachments
(2 files)
The following testcase crashes on mozilla-central revision 1d4db40e38dd (build with --enable-debug, run with --fuzzing-safe --baseline-warmup-threshold=0 --ion-warmup-threshold=0):
for (let i = 0; i < 99; ++i) {
  (function() {
    evalInWorker("null") ? 0 : 0;
  })();
}
oomTest(runOffThreadScript);
Backtrace:
#0 js::gc::Cell::runtimeFromMainThread (this=0x32e74be25040) at /home/ubuntu/trees/mozilla-central/js/src/gc/Cell.h:258
#1 js::jit::JitScript::setIonScriptImpl (this=0x7fb78de8f3d0, script=0x32e74be25040, ionScript=0x0) at /home/ubuntu/trees/mozilla-central/js/src/jit/JitScript.cpp:621
#2 0x000056205cbbb5b3 in js::jit::JitScript::clearIsIonCompilingOffThread (this=<optimized out>, script=<optimized out>) at /home/ubuntu/trees/mozilla-central/js/src/jit/JitScript.h:566
#3 js::jit::FinishOffThreadBuilder (runtime=0x7fb78c5cb000, builder=0x7fb77c725238, locked=...) at /home/ubuntu/trees/mozilla-central/js/src/jit/Ion.cpp:454
#4 0x000056205c161006 in CancelOffThreadIonCompileLocked (selector=..., discardLazyLinkList=<optimized out>, lock=...) at /home/ubuntu/trees/mozilla-central/js/src/vm/HelperThreads.cpp:361
#5 0x000056205c1651d6 in js::GlobalHelperThreadState::waitForAllThreadsLocked (this=0x7fb78de07400, lock=...) at /home/ubuntu/trees/mozilla-central/js/src/vm/HelperThreads.cpp:1302
/snip
For detailed crash information, see attachment.
This testcase is fairly intermittent.
Reporter
Comment 2•5 years ago
autobisectjs shows this is probably related to the following changeset:
The first bad revision is:
changeset: https://hg.mozilla.org/mozilla-central/rev/7db7c0c4fadd
user: Jan de Mooij
date: Thu Aug 15 16:13:50 2019 +0000
summary: Bug 1505689 part 5 - Move BaselineScript and IonScript pointers from JSScript to JitScript. r=tcampbell
Jan, is bug 1505689 a likely regressor?
Assignee
Comment 3•5 years ago
Cancelling compilations from other runtimes is racy. We could restrict to the
caller's runtime, but waiting for all threads to finish should end up draining
the Ion compilation queue anyway (for that runtime) and we don't cancel other
task types there (except for Wasm but that has more complicated helper thread
usage).
Assignee
Comment 4•5 years ago
The code was racy (shell only code) before bug 1505689, but that triggered an assertion that caught this.
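Added example, not part of the bug thread and not SpiderMonkey code: a simplified C++ model of the thread-affinity check named in the bug title, showing why cancelling every runtime's queued compilations from one thread trips it, while restricting to the caller's runtime (the alternative mentioned in comment 3, not the landed patch) does not. All type and function names are hypothetical.

```cpp
#include <cstddef>
#include <cstdio>
#include <vector>

// Simplified model, not SpiderMonkey code: every name below is hypothetical.
struct Runtime { const char* name; };

// Each thread records the single runtime it is allowed to touch.
thread_local const Runtime* tlsRuntime = nullptr;

// Stand-in for the CurrentThreadCanAccessRuntime(rt) check in the bug title.
bool currentThreadCanAccess(const Runtime* rt) { return rt == tlsRuntime; }

struct CompileTask {
    const Runtime* rt;  // runtime that owns the script being compiled
    bool compiling;     // per-script flag stored in runtime-owned memory
};

// Clears the flag; returns false where a debug build would assert.
bool finishTask(CompileTask& task) {
    if (!currentThreadCanAccess(task.rt)) return false;
    task.compiling = false;
    return true;
}

// Cancels queued tasks. With onlyFor == nullptr it walks every runtime's tasks
// (the racy pattern); otherwise only tasks of that runtime. Returns violations.
std::size_t cancelTasks(std::vector<CompileTask>& queue, const Runtime* onlyFor) {
    std::size_t violations = 0;
    for (CompileTask& task : queue) {
        if (onlyFor && task.rt != onlyFor) continue;
        if (!finishTask(task)) ++violations;
    }
    return violations;
}

// Constructed scenario: a main runtime and a worker runtime share one queue,
// and the thread owning the main runtime performs the cancellation.
std::size_t runScenario(bool restrictToCaller) {
    static const Runtime mainRt{"main"}, workerRt{"worker"};
    tlsRuntime = &mainRt;
    std::vector<CompileTask> queue{{&mainRt, true}, {&workerRt, true}, {&mainRt, true}};
    return cancelTasks(queue, restrictToCaller ? &mainRt : nullptr);
}

int main() {
    std::printf("cancel all: %zu violation(s)\n", runScenario(false));
    std::printf("caller only: %zu violation(s)\n", runScenario(true));
    return 0;
}
```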
Assignee
Comment 5•5 years ago
Doesn't affect Firefox itself.
Comment 6•5 years ago
Jan, what are the next steps with this bug? I was trying to figure out how to best triage this.
Assignee
Comment 7•5 years ago
(In reply to Steven DeTar [:sdetar] from comment #6)
> Jan, what are the next steps with this bug? I was trying to figure out how to best triage this.
I just have to land the patch for this shell-only issue. I'll do that today.
Reporter
Comment 10•5 years ago
For archival purposes, this is the Pernosco trace:
https://pernos.co/debug/mtNlpaEh_shvWz8o45YB9Q/index.html
Tested on a --enable-debug --disable-optimize --enable-more-deterministic build on m-c rev 447c2f04371a (right before the fix landed), with --num-cores=4 as a rr record parameter.