Closed
Bug 893184
Opened 11 years ago
Closed 11 years ago
Intermittent jsreftest.html?test=ecma_5/JSON/parse-array-gc.js | application crashed [@ js::gc::Cell::tenuredZone() const] after "Assertion failure: addr % CellSize == 0, at ../../../js/src/gc/Heap.h:1027"
Categories
(Core :: JavaScript Engine, defect)
Tracking
()
RESOLVED
FIXED
mozilla26
Tracking | Status | |
---|---|---|
firefox24 | --- | unaffected |
firefox25 | --- | fixed |
firefox26 | --- | fixed |
People
(Reporter: RyanVM, Assigned: jonco)
References
Details
(Keywords: assertion, crash, intermittent-failure)
Crash Data
Attachments
(1 file, 2 obsolete files)
6.28 KB,
patch
|
jonco
:
review+
lsblakk
:
approval-mozilla-aurora+
|
Details | Diff | Splinter Review |
https://tbpl.mozilla.org/php/getParsedLog.php?id=25224823&tree=Mozilla-Inbound Rev5 MacOSX Mountain Lion 10.8 mozilla-inbound debug test jsreftest on 2013-07-12 09:59:05 PDT for push 1c4f15e06065 slave: talos-mtnlion-r5-033 10:05:28 INFO - REFTEST TEST-START | file:///builds/slave/talos-slave/test/build/tests/jsreftest/tests/jsreftest.html?test=ecma_5/JSON/parse-array-gc.js 10:05:28 INFO - REFTEST TEST-LOAD | file:///builds/slave/talos-slave/test/build/tests/jsreftest/tests/jsreftest.html?test=ecma_5/JSON/parse-array-gc.js | 1101 / 6561 (16%) 10:05:28 INFO - ++DOMWINDOW == 138 (0x14e6e7a78) [serial = 2168] [outer = 0x10f661798] 10:05:28 INFO - WARNING: No permission to access camera: file ../../../dom/camera/DOMCameraManager.cpp, line 84 10:05:28 INFO - 852563: IdValuePair::value should be initialized to avoid GC sequence-point issues 10:05:28 INFO - Note: You must run this test under valgrind to be certain it passes 10:05:28 INFO - Tests complete 10:05:30 INFO - Assertion failure: addr % CellSize == 0, at ../../../js/src/gc/Heap.h:1027 10:05:41 WARNING - TEST-UNEXPECTED-FAIL | file:///builds/slave/talos-slave/test/build/tests/jsreftest/tests/jsreftest.html?test=ecma_5/JSON/parse-array-gc.js | Exited with code 1 during test run 10:05:41 INFO - INFO | automation.py | Application ran for: 0:04:13.114511 10:05:41 INFO - INFO | zombiecheck | Reading PID log: /var/folders/sd/07fbcfhn15386646cl87f8hh00000w/T/tmpuTLioapidlog 10:05:55 WARNING - PROCESS-CRASH | file:///builds/slave/talos-slave/test/build/tests/jsreftest/tests/jsreftest.html?test=ecma_5/JSON/parse-array-gc.js | application crashed [@ js::gc::Cell::tenuredZone() const] 10:05:55 INFO - Crash dump filename: /var/folders/sd/07fbcfhn15386646cl87f8hh00000w/T/tmpu2Odp7/minidumps/C5FCC72A-2EF7-416D-AA6D-A88F7E54F903.dmp 10:05:55 INFO - Operating system: Mac OS X 10:05:55 INFO - 10.8.0 12A269 10:05:55 INFO - CPU: amd64 10:05:55 INFO - family 6 model 42 stepping 7 10:05:55 INFO - 8 CPUs 10:05:55 INFO - Crash reason: EXC_BAD_ACCESS / KERN_INVALID_ADDRESS 10:05:55 INFO - Crash address: 0x0 10:05:55 INFO - Thread 0 (crashed) 10:05:55 INFO - 0 XUL!js::gc::Cell::tenuredZone() const [Heap.h:1c4f15e06065 : 993 + 0x0] 10:05:55 INFO - rbx = 0x00007fff7dacac68 r12 = 0x0000000106939e00 10:05:55 INFO - r13 = 0xcdcdcdcdcdcdcdcd r14 = 0x000000010693a168 10:05:55 INFO - r15 = 0x000000014a87eea0 rip = 0x0000000103725e7b 10:05:55 INFO - rsp = 0x00007fff5fbfa0a0 rbp = 0x00007fff5fbfa0b0 10:05:55 INFO - Found by: given as instruction pointer in context 10:05:55 INFO - 1 XUL!MarkInternal<JSAtom> [String.h:1c4f15e06065 : 429 + 0x7] 10:05:55 INFO - rbx = 0x000000000000002b r12 = 0x0000000106939e00 10:05:55 INFO - r13 = 0xcdcdcdcdcdcdcdcd r14 = 0x000000010693a168 10:05:55 INFO - r15 = 0x000000014a87eea0 rip = 0x00000001035bb82d 10:05:55 INFO - rsp = 0x00007fff5fbfa0c0 rbp = 0x00007fff5fbfa100 10:05:55 INFO - Found by: call frame info 10:05:55 INFO - 2 XUL!JSScript::markChildren(JSTracer*) [jsscript.cpp:1c4f15e06065 : 2742 + 0xa] 10:05:55 INFO - rbx = 0x000000000000002b r12 = 0x0000000106939e00 10:05:55 INFO - r13 = 0x0000000120ee5128 r14 = 0x000000010693a168 10:05:55 INFO - r15 = 0x0000000103c0cd1d rip = 0x00000001037f00fc 10:05:55 INFO - rsp = 0x00007fff5fbfa110 rbp = 0x00007fff5fbfa140 10:05:55 INFO - Found by: call frame info 10:05:55 INFO - 3 XUL!MarkInternal<JSScript> [Marking.cpp:1c4f15e06065 : 190 + 0xa] 10:05:55 INFO - rbx = 0x000000010693a168 r12 = 0x0000000106939e00 10:05:55 INFO - r13 = 0x0000000120ee5128 r14 = 0x000000010693a168 10:05:55 INFO - r15 = 0x00007fff5fbfa1c8 rip = 0x00000001035b49ac 10:05:55 INFO - rsp = 0x00007fff5fbfa150 rbp = 0x00007fff5fbfa190 10:05:55 INFO - Found by: call frame info 10:05:55 INFO - 4 XUL!MarkRangeConservatively [RootMarking.cpp:1c4f15e06065 : 232 + 0xe] 10:05:55 INFO - rbx = 0x000000010693a168 r12 = 0x0000000120ee5128 10:05:55 INFO - r13 = 0x0000000120ee5000 r14 = 0x0000000000000002 10:05:55 INFO - r15 = 0x0000000120ee5128 rip = 0x0000000103600bdc 10:05:55 INFO - rsp = 0x00007fff5fbfa1a0 rbp = 0x00007fff5fbfa230 10:05:55 INFO - Found by: call frame info
Updated•11 years ago
|
Crash Signature: [@ js::gc::Cell::tenuredZone()]
Comment hidden (Legacy TBPL/Treeherder Robot) |
Comment hidden (Legacy TBPL/Treeherder Robot) |
Comment hidden (Legacy TBPL/Treeherder Robot) |
Comment hidden (Legacy TBPL/Treeherder Robot) |
Comment hidden (Legacy TBPL/Treeherder Robot) |
Comment hidden (Legacy TBPL/Treeherder Robot) |
Comment hidden (Legacy TBPL/Treeherder Robot) |
Comment hidden (Legacy TBPL/Treeherder Robot) |
Comment hidden (Legacy TBPL/Treeherder Robot) |
Comment hidden (Legacy TBPL/Treeherder Robot) |
Comment hidden (Legacy TBPL/Treeherder Robot) |
Comment hidden (Legacy TBPL/Treeherder Robot) |
Comment hidden (Legacy TBPL/Treeherder Robot) |
Comment hidden (Legacy TBPL/Treeherder Robot) |
Reporter | ||
Comment 15•11 years ago
|
||
Jon, this seems to have gone up in frequency recently. Any chance you could take a look?
Flags: needinfo?(jcoppeard)
Comment hidden (Legacy TBPL/Treeherder Robot) |
Assignee | ||
Comment 17•11 years ago
|
||
(In reply to Ryan VanderMeulen [:RyanVM UTC-4] from comment #15) Sure, I'll look into it.
Assignee: general → jcoppeard
Status: NEW → ASSIGNED
Flags: needinfo?(jcoppeard)
Comment hidden (Legacy TBPL/Treeherder Robot) |
Assignee | ||
Comment 19•11 years ago
|
||
The problem here seems to be that the shared script data's atoms are not initialized stright away and so can end up being traced by a GC before they are set. Since we're pretending that the memory is a HeapPtrAtom array, we should really be calling the constructor/destructor of that class on every element. Actually we could get away without calling the constructor and just zeroing the memory at the moment, but this is saner. I recorded the number of atoms in the SharedScriptData struct which also means we can implement atoms() without having to pass any parameters.
Attachment #790704 -
Flags: review?(till)
Comment hidden (Legacy TBPL/Treeherder Robot) |
Updated•11 years ago
|
Severity: normal → critical
Summary: Intermittent jsreftest.html?test=ecma_5/JSON/parse-array-gc.js | Exited with code 1 during test run | application crashed [@ js::gc::Cell::tenuredZone() const] after "Assertion failure: addr % CellSize == 0, at ../../../js/src/gc/Heap.h:1027" → Intermittent jsreftest.html?test=ecma_5/JSON/parse-array-gc.js | application crashed [@ js::gc::Cell::tenuredZone() const] after "Assertion failure: addr % CellSize == 0, at ../../../js/src/gc/Heap.h:1027"
Comment hidden (Legacy TBPL/Treeherder Robot) |
Comment hidden (Legacy TBPL/Treeherder Robot) |
Comment hidden (Legacy TBPL/Treeherder Robot) |
Comment hidden (Legacy TBPL/Treeherder Robot) |
Comment hidden (Legacy TBPL/Treeherder Robot) |
Comment hidden (Legacy TBPL/Treeherder Robot) |
Comment hidden (Legacy TBPL/Treeherder Robot) |
Comment hidden (Legacy TBPL/Treeherder Robot) |
Comment hidden (Legacy TBPL/Treeherder Robot) |
Comment hidden (Legacy TBPL/Treeherder Robot) |
Comment hidden (Legacy TBPL/Treeherder Robot) |
Comment hidden (Legacy TBPL/Treeherder Robot) |
Comment hidden (Legacy TBPL/Treeherder Robot) |
Comment hidden (Legacy TBPL/Treeherder Robot) |
Comment hidden (Legacy TBPL/Treeherder Robot) |
Comment hidden (Legacy TBPL/Treeherder Robot) |
Comment hidden (Legacy TBPL/Treeherder Robot) |
Comment hidden (Legacy TBPL/Treeherder Robot) |
Comment 39•11 years ago
|
||
Comment on attachment 790704 [details] [diff] [review] shared-script-atoms Review of attachment 790704 [details] [diff] [review]: ----------------------------------------------------------------- Urgh, thanks for catching this. I wonder if we should turn JSScript->natoms and maybe ->length into getters that consult the SharedScriptData. natoms is only used in a few places, with markChildren being the only perf-critical one. Do you think that the added overhead would be an issue? njn would be delighted, I'm sure. :)
Attachment #790704 -
Flags: review?(till) → review+
Comment hidden (Legacy TBPL/Treeherder Robot) |
Comment hidden (Legacy TBPL/Treeherder Robot) |
Comment hidden (Legacy TBPL/Treeherder Robot) |
Comment hidden (Legacy TBPL/Treeherder Robot) |
Comment hidden (Legacy TBPL/Treeherder Robot) |
Comment hidden (Legacy TBPL/Treeherder Robot) |
Comment hidden (Legacy TBPL/Treeherder Robot) |
Comment hidden (Legacy TBPL/Treeherder Robot) |
Comment hidden (Legacy TBPL/Treeherder Robot) |
Comment hidden (Legacy TBPL/Treeherder Robot) |
Comment hidden (Legacy TBPL/Treeherder Robot) |
Comment hidden (Legacy TBPL/Treeherder Robot) |
Comment hidden (Legacy TBPL/Treeherder Robot) |
Comment hidden (Legacy TBPL/Treeherder Robot) |
Comment hidden (Legacy TBPL/Treeherder Robot) |
Assignee | ||
Comment 55•11 years ago
|
||
My original patch caused occasional crashes on MacOS 10.6 mochitest, in the SharedScriptData destructor which ends up calling pre-barriers on the contents of the HeapPtrAtoms. The crash happened when one of the atoms contained a garbage value. I don't think it's strictly necessary to do this, and we weren't doing it before anyway, so in the interests of fixing this bug I took out that part of the patch and landed it. I'll raise a further bug to work out what's going on with this and apply the tidyups Till suggested above. https://hg.mozilla.org/integration/mozilla-inbound/rev/560f18fc3ae3
Comment hidden (Legacy TBPL/Treeherder Robot) |
Comment hidden (Legacy TBPL/Treeherder Robot) |
Comment hidden (Legacy TBPL/Treeherder Robot) |
Reporter | ||
Comment 59•11 years ago
|
||
https://hg.mozilla.org/mozilla-central/rev/560f18fc3ae3
Status: ASSIGNED → RESOLVED
Closed: 11 years ago
Flags: in-testsuite+
Resolution: --- → FIXED
Target Milestone: --- → mozilla26
Reporter | ||
Comment 60•11 years ago
|
||
Please request an Aurora uplift when you feel this has baked sufficiently long :)
Comment hidden (Legacy TBPL/Treeherder Robot) |
Reporter | ||
Comment 62•11 years ago
|
||
(In reply to TinderboxPushlog Robot from comment #61) > RyanVM > https://tbpl.mozilla.org/php/getParsedLog.php?id=26785326&tree=Mozilla- > Inbound > Rev5 MacOSX Mountain Lion 10.8 mozilla-inbound debug test jsreftest on > 2013-08-20 14:19:53 > revision: 01d3658a980c > slave: talos-mtnlion-r5-084 > > TEST-UNEXPECTED-FAIL | > file:///builds/slave/talos-slave/test/build/tests/jsreftest/tests/jsreftest. > html?test=ecma_5/JSON/parse-array-gc.js | Exited with code 1 during test run > PROCESS-CRASH | > file:///builds/slave/talos-slave/test/build/tests/jsreftest/tests/jsreftest. > html?test=ecma_5/JSON/parse-array-gc.js | application crashed [@ > JSScript::markChildren(JSTracer*)] > Return code: 256 This is post-comment 55 :(
Status: RESOLVED → REOPENED
Resolution: FIXED → ---
Target Milestone: mozilla26 → ---
Assignee | ||
Comment 63•11 years ago
|
||
So I added this small change post-review because I thought it was innocuous, but in fact it ended up breaking things :( This is a patch to revert it. I never managed to get the actual failure to reproduce, but it's pretty clear from the crash that this is the culprit.
Attachment #793492 -
Flags: review?(till)
Comment 64•11 years ago
|
||
Comment on attachment 793492 [details] [diff] [review] revert-bogus-script-marking-change Review of attachment 793492 [details] [diff] [review]: ----------------------------------------------------------------- While I can't think of a reason for `code` to be NULL while `natoms` is > 0, it most certainly is never right to call MarkScriptData with a NULL pointer as the second argument. :)
Attachment #793492 -
Flags: review?(till) → review+
Comment hidden (Legacy TBPL/Treeherder Robot) |
Reporter | ||
Comment 66•11 years ago
|
||
https://hg.mozilla.org/integration/mozilla-inbound/rev/4d6b320897df
Reporter | ||
Comment 67•11 years ago
|
||
I had to back this out while investigating another failure. Re-landed. https://hg.mozilla.org/integration/mozilla-inbound/rev/e1b2f6bd92c4
Comment 68•11 years ago
|
||
This appears to crash FFOS on Nexus 4 on startup. Backing out allows the N4 to boot.
Reporter | ||
Comment 69•11 years ago
|
||
By "this" do you mean only the first patch that's made m-c (and was known to be buggy - hence the follow-up that's currently on inbound), or do you mean both patches? If the former, can you boot if you apply the patch from comment 63?
Comment 70•11 years ago
|
||
The first patch and the first patch plus follow up both crash.
Comment 71•11 years ago
|
||
(gdb) bt #0 new_ (natoms=4, srcnotesLength=<optimized out>, codeLength=61, cx=0xb6a23320) at ../../../gecko/js/src/gc/Barrier.h:132 #1 JSScript::fullyInitFromEmitter (cx=0xb6a23320, script=..., bce=0xbe8e6250) at ../../../gecko/js/src/jsscript.cpp:1923 #2 0xb5d7ecca in js::frontend::EmitFunctionScript (cx=0xb6a23320, bce=0xbe8e6250, body=<optimized out>) at ../../../gecko/js/src/frontend/BytecodeEmitter.cpp:2583 #3 0xb5d7f0c0 in EmitFunc (cx=0xb6a23320, bce=0xbe8e6598, pn=0xb2ea7880) at ../../../gecko/js/src/frontend/BytecodeEmitter.cpp:4555 #4 0xb5d7d8f8 in js::frontend::EmitTree (cx=0xb6a23320, bce=0xbe8e6598, pn=0xb2ea7880) at ../../../gecko/js/src/frontend/BytecodeEmitter.cpp:5632 #5 0xb5d78cf8 in js::frontend::CompileScript (cx=0xb6a23320, alloc=<optimized out>, scopeChain=..., evalCaller=..., options=..., chars=0xb2e6f000, length=112375, source_=0x0, staticLevel=0, extraSct=0xbe8e7408) at ../../../gecko/js/src/frontend/BytecodeCompiler.cpp:361 #6 0xb5c1b7e2 in JS::Evaluate (cx=0xb6a23320, obj=..., options=..., chars=0xb2e6f000, length=112375, rval=0xbe8e74f0) at ../../../gecko/js/src/jsapi.cpp:5203 #7 0xb5c1ba38 in JS::Evaluate (cx=0xb6a23320, obj=..., options=..., bytes=0xb2e53000 "\n\n\n\n\nvar std_isFinite = isFinite;\nvar std_isNaN = isNaN;\nvar std_Array_indexOf = ArrayIndexOf;\nvar std_Array_join = Array.prototype.join;\nvar std_Array_push = Array.prototype.push;\nvar std_Array_shift"..., length=0, rval=0xbe8e74f0) at ../../../gecko/js/src/jsapi.cpp:5239 #8 0xb5bdfc0a in JSRuntime::initSelfHosting (this=<optimized out>, cx=0xb6a23320) at ../../../gecko/js/src/vm/SelfHosting.cpp:762 #9 0xb5c31e9e in js::NewContext (rt=0xb3004000, stackChunkSize=<optimized out>) at ../../../gecko/js/src/jscntxt.cpp:201 #10 0xb54aece4 in XPCJSContextStack::GetSafeJSContext (this=0xb6a108e0) at ../../../../gecko/js/xpconnect/src/XPCJSContextStack.cpp:150 #11 0xb53d4cfe in nsScriptSecurityManager::GetSafeJSContext ( this=<optimized out>) at ../../../gecko/caps/src/nsScriptSecurityManager.cpp:270 #12 0xb53d55ba in nsScriptSecurityManager::Init (this=0xb6add880) at ../../../gecko/caps/src/nsScriptSecurityManager.cpp:2332 #13 0xb53d7734 in nsScriptSecurityManager::GetScriptSecurityManager () at ../../../gecko/caps/src/nsScriptSecurityManager.cpp:2413 #14 0xb51bdb3a in nsContentUtils::Init () at ../../../../gecko/content/base/src/nsContentUtils.cpp:372 #15 0xb50846b6 in nsLayoutStatics::Initialize () at ../../../gecko/layout/build/nsLayoutStatics.cpp:163 #16 0xb50841f6 in Initialize () at ../../../gecko/layout/build/nsLayoutModule.cpp:405 #17 0xb58277e4 in nsComponentManagerImpl::KnownModule::Load (this=0xb6a8a180) at ../../../gecko/xpcom/components/nsComponentManager.cpp:770 #18 0xb5827f88 in nsFactoryEntry::GetFactory (this=0xb6a89320) at ../../../gecko/xpcom/components/nsComponentManager.cpp:1778 #19 0xb5828284 in CreateInstanceByContractID (aResult=0xbe8e76b8, aIID=..., aDelegate=0x0, aContractID=0xb6afe8c0 "@mozilla.org/moz/jsloader;1", this=0xb6a25700) at ../../../gecko/xpcom/components/nsComponentManager.cpp:1093 #20 nsComponentManagerImpl::CreateInstanceByContractID (this=0xb6a25700, aContractID=0xb6afe8c0 "@mozilla.org/moz/jsloader;1", aDelegate=0x0, aIID=..., aResult=0xbe8e76b8) at ../../../gecko/xpcom/components/nsComponentManager.cpp:1048 #21 0xb58291fc in GetServiceByContractID (result=0xbe8e7734, aIID=..., aContractID=0xb6afe8c0 "@mozilla.org/moz/jsloader;1", this=0xb6a25700) at ../../../gecko/xpcom/components/nsComponentManager.cpp:1453 #22 nsComponentManagerImpl::GetServiceByContractID (this=0xb6a25700, aContractID=0xb6afe8c0 "@mozilla.org/moz/jsloader;1", aIID=..., result=0xbe8e7734) at ../../../gecko/xpcom/components/nsComponentManager.cpp:1367 #23 0xb5829440 in nsGetServiceFromCategory::operator() (this=0xbe8e7758, aIID=..., aInstancePtr=0xbe8e7734) at ../../../gecko/xpcom/components/nsComponentManager.cpp:171 #24 0xb580c258 in nsCOMPtr_base::assign_from_helper (this=0xbe8e7748, helper=<optimized out>, iid=<optimized out>) at ../../../gecko/xpcom/glue/nsCOMPtr.cpp:110 #25 0xb58276aa in operator= (rhs=..., this=0xbe8e7748) at ../../dist/include/nsCOMPtr.h:727 #26 nsComponentManagerImpl::LoaderForExtension (this=0xb6a25700, aExt=...) at ../../../gecko/xpcom/components/nsComponentManager.cpp:1489 #27 0xb5827782 in nsComponentManagerImpl::KnownModule::EnsureLoader ( this=0xb6afe680) at ../../../gecko/xpcom/components/nsComponentManager.cpp:747 #28 0xb58277c0 in nsComponentManagerImpl::KnownModule::Load (this=0xb6afe680) at ../../../gecko/xpcom/components/nsComponentManager.cpp:758 #29 0xb5827f88 in nsFactoryEntry::GetFactory (this=0xb6aff150) at ../../../gecko/xpcom/components/nsComponentManager.cpp:1778 #30 0xb5828284 in CreateInstanceByContractID (aResult=0xbe8e7810, aIID=..., aDelegate=0x0, aContractID=0xb3003f70 "@mozilla.org/browser/directory-provider;1", this=0xb6a25700) at ../../../gecko/xpcom/components/nsComponentManager.cpp:1093 #31 nsComponentManagerImpl::CreateInstanceByContractID (this=0xb6a25700, aContractID=0xb3003f70 "@mozilla.org/browser/directory-provider;1", aDelegate=0x0, aIID=..., aResult=0xbe8e7810) at ../../../gecko/xpcom/components/nsComponentManager.cpp:1048 #32 0xb58291fc in GetServiceByContractID (result=0xbe8e7864, aIID=..., aContractID=0xb3003f70 "@mozilla.org/browser/directory-provider;1", this=0xb6a25700) at ../../../gecko/xpcom/components/nsComponentManager.cpp:1453 #33 nsComponentManagerImpl::GetServiceByContractID (this=0xb6a25700, aContractID=0xb3003f70 "@mozilla.org/browser/directory-provider;1", aIID=..., result=0xbe8e7864) at ../../../gecko/xpcom/components/nsComponentManager.cpp:1367 #34 0xb580cbfa in nsGetServiceByContractID::operator() (this=<optimized out>, aIID=<optimized out>, aInstancePtr=0xbe8e7864) at ../../../gecko/xpcom/glue/nsComponentManagerUtils.cpp:246 #35 0xb580c216 in nsCOMPtr_base::assign_from_gs_contractid (this=0xbe8e7888, gs=..., iid=<optimized out>) at ../../../gecko/xpcom/glue/nsCOMPtr.cpp:92 #36 0xb581f9f6 in nsCOMPtr (gs=<optimized out>, this=0xbe8e7888) at ../../dist/include/nsCOMPtr.h:620 #37 nsDirectoryService::RegisterCategoryProviders (this=0xb6a1a540) at ../../../gecko/xpcom/io/nsDirectoryService.cpp:487 #38 0xb5811490 in NS_InitXPCOM2 (result=0xb6a1b154, binDirectory=<optimized out>, appFileLocationProvider=<optimized out>) at ../../../gecko/xpcom/build/nsXPComInit.cpp:554 #39 0xb4f2967a in ScopedXPCOMStartup::Initialize (this=0xb6a1b154) at ../../../gecko/toolkit/xre/nsAppRunner.cpp:1191 #40 0xb4f2c966 in XREMain::XRE_main (this=0xbe8e7994, argc=1, argv=<optimized out>, aAppData=<optimized out>) at ../../../gecko/toolkit/xre/nsAppRunner.cpp:3927 #41 0xb4f2cac0 in XRE_main (argc=1, argv=0xbe8e9b44, aAppData=0x221f8, aFlags=<optimized out>) at ../../../gecko/toolkit/xre/nsAppRunner.cpp:4133 #42 0x0000b300 in do_main (argv=0xbe8e9b44, argc=1) at ../../../gecko/b2g/app/nsBrowserApp.cpp:168 #43 main (argc=<optimized out>, argv=<optimized out>) at ../../../gecko/b2g/app/nsBrowserApp.cpp:261
Reporter | ||
Comment 72•11 years ago
|
||
Good enough for me. Backed out. https://hg.mozilla.org/integration/mozilla-inbound/rev/482e7e3edadd
Assignee | ||
Comment 73•11 years ago
|
||
(In reply to Michael Wu [:mwu] from comment #71) By any chance, do you have the details of the exception that caused that crash?
Comment 74•11 years ago
|
||
https://hg.mozilla.org/mozilla-central/rev/4d6b320897df https://hg.mozilla.org/mozilla-central/rev/e1b2f6bd92c4
Comment hidden (Legacy TBPL/Treeherder Robot) |
Assignee | ||
Comment 76•11 years ago
|
||
Fixed pointer alignment issue that caused crashes on ARM and re-landed. https://hg.mozilla.org/integration/mozilla-inbound/rev/698bf87a8347
Comment 77•11 years ago
|
||
Is there a plan to add N4 to tbpl? This could have been caught before it hit m-c :-/
Comment 78•11 years ago
|
||
(In reply to Michael Vines [:m1] [:evilmachines] from comment #77) > Is there a plan to add N4 to tbpl? This could have been caught before it > hit m-c :-/ There's work going on to add the JB emulator to TBPL - bug 885630 . No idea if that would've caught this. Testing on actual devices is somewhat hard so we largely rely on the emulator now.
Comment hidden (Legacy TBPL/Treeherder Robot) |
Reporter | ||
Comment 80•11 years ago
|
||
https://hg.mozilla.org/mozilla-central/rev/698bf87a8347 Round 3! As before, please request Aurora and Beta uplift when you feel this has sufficiently baked on trunk :)
Status: REOPENED → RESOLVED
Closed: 11 years ago → 11 years ago
Resolution: --- → FIXED
Target Milestone: --- → mozilla26
Assignee | ||
Comment 81•11 years ago
|
||
(In reply to Michael Wu [:mwu] from comment #78) This one was an alignment issue. Would it not be possible to configure one of the existing emulator targets to abort on unaligned access? I thought most ARM platforms were normally set up this way anyway.
Comment 82•11 years ago
|
||
We use qemu, and I'm not sure if that supports exceptions on unaligned access. http://stackoverflow.com/a/4032289 says no, but that's from 2010. I haven't found any better answers on Google.
Reporter | ||
Updated•11 years ago
|
Assignee | ||
Comment 83•11 years ago
|
||
Final patch, as pushed.
Attachment #790704 -
Attachment is obsolete: true
Attachment #793492 -
Attachment is obsolete: true
Attachment #796010 -
Flags: review+
Assignee | ||
Comment 84•11 years ago
|
||
Comment on attachment 796010 [details] [diff] [review] shared-scipt-atoms [Approval Request Comment] Bug caused by (feature/regressing bug #): Bug 679940 - split JSScript into a per-compartment portion and a shareable runtime-global portion User impact if declined: Possible crashes Testing completed (on m-c, etc.): On central since 22nd. Risk to taking this patch (and alternatives if risky): Low String or IDL/UUID changes made by this patch: None
Attachment #796010 -
Flags: approval-mozilla-aurora?
Updated•11 years ago
|
Attachment #796010 -
Flags: approval-mozilla-aurora? → approval-mozilla-aurora+
Reporter | ||
Comment 85•11 years ago
|
||
https://hg.mozilla.org/releases/mozilla-aurora/rev/abbdc26298fa
You need to log in
before you can comment on or make changes to this bug.
Description
•