Bug 1576303 Comment 0 Edit History

Note: The actual edited comment in the bug view page will always show the original commenter’s name and original timestamp.

Entering any text into the URL bar causes a crash in current opt (`-O3` non-debug) builds on ppc64le from trunk. This seems to be completely unrelated to bug 1512162. Brief backtrace follows, full crash signature provided.

@tcampbell, does any of this look familiar? Any places we should start looking? This smells like some sort of memory barrier issue. Interestingly, `-O3` but with debug on works fine.

```
% hg bisect --bad
The first bad revision is:
changeset:   482748:552b13ce8016
user:        Ted Campbell <tcampbell@mozilla.com>
date:        Mon Jul 15 05:44:14 2019 +0000
summary:     Bug 1565556 - Remove JSScript::hasTryNotes/ScopeNotes/ResumeOffsets. r=jandem
```
```
Thread 1 "firefox" received signal SIGSEGV, Segmentation fault.
0x00007ffff02a7040 in js::gc::Cell::storeBuffer (this=0x7fffffffa868)
    at /home/spectre/src/mozilla-central/js/src/gc/Cell.h:281
281	  return chunk()->trailer.storeBuffer;
[...]
#0  0x00007ffff02a7040 in js::gc::Cell::storeBuffer() const
    (this=0x7fffffffa868)
    at /home/spectre/src/mozilla-central/js/src/gc/Cell.h:281
#1  0x00007ffff02a7040 in js::InternalBarrierMethods<JS::Value>::postBarrier(JS::Value*, JS::Value const&, JS::Value const&)
    (next=..., prev=..., vp=0x7fffffffa5f0)
    at /home/spectre/src/mozilla-central/js/src/gc/Barrier.h:352
#2  0x00007ffff02a7040 in js::WriteBarriered<JS::Value>::post(JS::Value const&, JS::Value const&) (next=..., prev=..., this=0x7fffffffa5f0)
    at /home/spectre/src/mozilla-central/js/src/gc/Barrier.h:456
#3  0x00007ffff02a7040 in js::HeapPtr<JS::Value>::HeapPtr(JS::Value const&)
    (v=..., this=0x7fffffffa5f0)
    at /home/spectre/src/mozilla-central/js/src/gc/Barrier.h:595
#4  0x00007ffff02a7040 in js::OrderedHashMap<js::HashableValue, js::HeapPtr<JS::Value>, js::HashableValue::Hasher, js::ZoneAllocPolicy>::Entry::Entry<JS::Handle<JS::Value> >(js::HashableValue const&, JS::Handle<JS::Value>&&)
    (v=..., k=..., this=0x7fffffffa598)
    at /home/spectre/src/mozilla-central/js/src/ds/OrderedHashTable.h:768
#5  0x00007ffff02a7040 in js::OrderedHashMap<js::HashableValue, js::HeapPtr<JS::Value>, js::HashableValue::Hasher, js::ZoneAllocPolicy>::put<JS::Handle<JS::Value> >(js::HashableValue const&, JS::Handle<JS::Value>&&)
    (value=..., key=..., this=0x7fffba215ab0)
    at /home/spectre/src/mozilla-central/js/src/ds/OrderedHashTable.h:811
#6  0x00007ffff02a7040 in js::MapObject::set_impl(JSContext*, JS::CallArgs const&) (cx=0x7fffd9849000, args=...)
    at /home/spectre/src/mozilla-central/js/src/builtin/MapObject.cpp:785
#7  0x00007ffff02a7d18 in JS::CallNonGenericMethod<&js::MapObject::is, &js::MapObject::set_impl>(JSContext*, JS::CallArgs const&)
    (args=..., cx=<optimized out>)
    at /home/spectre/src/mozilla-central/js/src/vm/NativeObject.h:1425
#8  0x00007ffff02a7d18 in js::MapObject::set(JSContext*, unsigned int, JS::Value*) (cx=<optimized out>, argc=<optimized out>, vp=<optimized out>)
    at /home/spectre/src/mozilla-central/js/src/builtin/MapObject.cpp:796
#9  0x00007ffff021d43c in CallJSNative(JSContext*, bool (*)(JSContext*, unsigned int, JS::Value*), JS::CallArgs const&)
    (args=..., native=0x7ffff02a7be0 <js::MapObject::set(JSContext*, unsigned int, JS::Value*)>, cx=0x7fffd9849000)
    at /home/spectre/src/mozilla-central/obj-powerpc64le-unknown-linux-gnu/dist/include/js/CallArgs.h:284
#10 0x00007ffff021d43c in js::InternalCallOrConstruct(JSContext*, JS::CallArgs const&, js::MaybeConstruct) (cx=0x7fffd9849000, args=..., construct=<optimized out>) at /home/spectre/src/mozilla-central/js/src/vm/Interpreter.cpp:539
#11 0x00007ffff020f9a0 in js::CallFromStack(JSContext*, JS::CallArgs const&) (args=..., cx=<optimized out>) at /home/spectre/src/mozilla-central/js/src/vm/Interpreter.cpp:3084
#12 0x00007ffff020f9a0 in Interpret(JSContext*, js::RunState&) (cx=0x7fffd9849000, state=...) at /home/spectre/src/mozilla-central/js/src/vm/Interpreter.cpp:3084
```
