1501157 - Assertion failure: CurrentThreadCanAccessRuntime(cx->runtime()), at js/src/threading/ProtectedData.cpp:59

Status: RESOLVED FIXED

(Core :: JavaScript Engine, defect, P1)

Description

[Gary Kwong [:gkw] [:nth10sd] (NOT official MoCo now)]

The following testcase crashes on mozilla-central revision 2872e7a3606d (build with --enable-debug, run with --fuzzing-safe --ion-offthread-compile=off --ion-eager):

// Adapted from randomly chosen test: js/src/tests/test262/language/module-code/dynamic-import/syntax/valid/nested-while-nested-imports.js
offThreadCompileScript('import("")', {});

Backtrace:

#0  0x0000564347fc0458 in js::CheckMainThread<(js::AllowedHelperThread)0>::check (this=<optimized out>) at js/src/threading/ProtectedData.cpp:59
#1  0x0000564347914a4c in js::ProtectedData<js::CheckMainThread<(js::AllowedHelperThread)0>, bool (*)(JSContext*, JS::Handle<JS::Value>, JS::Handle<JSString*>, JS::Handle<JSObject*>)>::ref (this=<optimized out>) at js/src/threading/ProtectedData.h:116
#2  js::ProtectedData<js::CheckMainThread<(js::AllowedHelperThread)0>, bool (*)(JSContext*, JS::Handle<JS::Value>, JS::Handle<JSString*>, JS::Handle<JSObject*>)>::operator bool (* const&)(JSContext*, JS::Handle<JS::Value>, JS::Handle<JSString*>, JS::Handle<JSObject*>) (this=<optimized out>) at js/src/threading/ProtectedData.h:84
#3  js::frontend::GeneralParser<js::frontend::FullParseHandler, char16_t>::importExpr (this=0x7fb5de4fd5a8, yieldHandling=(unknown: 3730481312)) at js/src/frontend/Parser.cpp:10916
#4  0x0000564347913452 in js::frontend::GeneralParser<js::frontend::FullParseHandler, char16_t>::memberExpr (this=0x7fb5de4fd5a8, yieldHandling=js::frontend::YieldIsName, tripledotHandling=js::frontend::TripledotProhibited, tt=js::frontend::TokenKind::Import, allowCallSyntax=true, possibleError=0x7fb5de4fc640, invoked=js::frontend::ParserBase::PredictUninvoked) at js/src/frontend/Parser.cpp:9581
#5  0x0000564347912f6d in js::frontend::GeneralParser<js::frontend::FullParseHandler, char16_t>::unaryExpr (this=<optimized out>, yieldHandling=js::frontend::YieldIsName, 
/snip

For detailed crash information, see attachment.

Comment 1

[Gary Kwong [:gkw] [:nth10sd] (NOT official MoCo now)]

Attachment: Detailed Crash Information

Comment 2

[Gary Kwong [:gkw] [:nth10sd] (NOT official MoCo now)]

autobisectjs shows this is probably related to the following changeset:

The first bad revision is:
changeset:   https://hg.mozilla.org/mozilla-central/rev/430db29f4685
user:        Jon Coppeard
date:        Mon Oct 22 11:28:16 2018 +0100
summary:     Bug 1499140 - Implement support for dynamic module import in the interpreter r=jandem

Jon, is bug 1499140 a likely regressor?

Comment 3

[Jon Coppeard (:jonco)]

Attachment: bug1501157-off-thread-parsing

The problem is that we are using the embedding dynamic import hook to test whether dynamic module import is enabled or not, and this is currently only accessible from the main thread.  We check this when emitting bytecode, which can happen off thread.

The patch fixes this by making this state atomic.  We also have to check when the dynamic import is started in case the state changed in the meantime.

It's possible that we should have a separate flag for enabling/disabling this feature, but this is simpler.  Let me know if you think that doing it that way would be preferable.

Comment 4

[Pulsebot]

Pushed by jcoppeard@mozilla.com:
https://hg.mozilla.org/integration/mozilla-inbound/rev/8468729762b5
Allow checking whether dynamic module import is supported from helper threads r=jandem

Comment 5

[Stefan Hindli [:stefan_hindli]]

https://hg.mozilla.org/mozilla-central/rev/8468729762b5