Closed
Bug 1024101
Opened 10 years ago
Closed 10 years ago
Intermittent test_bug622361.html | application crashed [@ mozilla::dom::ProtoAndIfaceCache::~ProtoAndIfaceCache()]
Categories
(Core :: DOM: Core & HTML, defect)
RESOLVED
DUPLICATE
of bug 1010666
People
(Reporter: RyanVM, Unassigned)
Details
(Keywords: crash)
https://tbpl.mozilla.org/php/getParsedLog.php?id=41539117&tree=Mozilla-Inbound
Rev4 MacOSX Snow Leopard 10.6 mozilla-inbound debug test mochitest-3 on 2014-06-11 11:28:57 PDT for push 85a48222098a
slave: t-snow-r4-0058

11:39:49 INFO - 2151 INFO TEST-START | /tests/dom/tests/mochitest/bugs/test_bug620947.html
11:39:50 INFO - ++DOMWINDOW == 153 (0x12153a400) [pid = 965] [serial = 2590] [outer = 0x12ebd5c00]
11:39:50 INFO - 2152 INFO TEST-INFO | MEMORY STAT vsize after test: 3955277824
11:39:50 INFO - 2153 INFO TEST-INFO | MEMORY STAT residentFast after test: 515981312
11:39:50 INFO - 2154 INFO TEST-INFO | MEMORY STAT heapAllocated after test: 113776312
11:39:50 INFO - 2155 INFO TEST-END | /tests/dom/tests/mochitest/bugs/test_bug620947.html | finished in 236ms
11:39:50 INFO - ++DOMWINDOW == 154 (0x127404800) [pid = 965] [serial = 2591] [outer = 0x12ebd5c00]
11:39:50 INFO - 2156 INFO TEST-START | /tests/dom/tests/mochitest/bugs/test_bug622361.html
11:39:50 INFO - ++DOMWINDOW == 155 (0x1272a3000) [pid = 965] [serial = 2592] [outer = 0x12ebd5c00]
11:39:50 INFO - ++DOCSHELL 0x1311bc800 == 25 [pid = 965] [id = 687]
11:39:50 INFO - ++DOMWINDOW == 156 (0x1232b0c00) [pid = 965] [serial = 2593] [outer = 0x0]
11:39:50 INFO - ++DOMWINDOW == 157 (0x1261b7400) [pid = 965] [serial = 2594] [outer = 0x1232b0c00]
11:39:50 INFO - [Parent 965] WARNING: NS_ENSURE_TRUE(mMutable) failed: file /builds/slave/m-in-osx64-d-00000000000000000/build/netwerk/base/src/nsSimpleURI.cpp, line 265
11:39:50 INFO - ++DOMWINDOW == 158 (0x14e0fc800) [pid = 965] [serial = 2595] [outer = 0x1232b0c00]
11:39:50 INFO - [Parent 965] WARNING: NS_ENSURE_TRUE(mMutable) failed: file /builds/slave/m-in-osx64-d-00000000000000000/build/netwerk/base/src/nsSimpleURI.cpp, line 265
11:39:50 INFO - ++DOMWINDOW == 159 (0x14f04a400) [pid = 965] [serial = 2596] [outer = 0x1232b0c00]
11:39:52 INFO - TEST-INFO | Main app process: killed by SIGHUP
11:39:52 WARNING - TEST-UNEXPECTED-FAIL | /tests/dom/tests/mochitest/bugs/test_bug622361.html | application terminated with exit code 1
11:39:52 INFO - INFO | runtests.py | Application ran for: 0:09:00.268603
11:39:52 INFO - INFO | zombiecheck | Reading PID log: /var/folders/gp/gp6E0Yo7GAOF8RNmVxgKMU+++-k/-Tmp-/tmpTBTj68pidlog
11:40:13 WARNING - PROCESS-CRASH | /tests/dom/tests/mochitest/bugs/test_bug622361.html | application crashed [@ mozilla::dom::ProtoAndIfaceCache::~ProtoAndIfaceCache()]
11:40:13 INFO - Crash dump filename: /var/folders/gp/gp6E0Yo7GAOF8RNmVxgKMU+++-k/-Tmp-/tmpccPLxa/minidumps/C31AA209-839E-46B4-96B7-3FAFBD759686.dmp
11:40:13 INFO - Operating system: Mac OS X
11:40:13 INFO - 10.6.8 10K549
11:40:13 INFO - CPU: amd64
11:40:13 INFO - family 6 model 23 stepping 10
11:40:13 INFO - 2 CPUs
11:40:13 INFO - Crash reason: EXC_BAD_ACCESS / KERN_INVALID_ADDRESS
11:40:13 INFO - Crash address: 0x5e5fffe8
11:40:13 INFO - Thread 0 (crashed)
11:40:13 INFO - 0 XUL!mozilla::dom::ProtoAndIfaceCache::~ProtoAndIfaceCache() [HeapAPI.h:85a48222098a : 239 + 0x0]
11:40:13 INFO - rbx = 0x00000000000016f0 r12 = 0x00000000000000a0
11:40:13 INFO - r13 = 0x0000000000000003 r14 = 0x0000000155213b80
11:40:13 INFO - r15 = 0x0000000155802000 rip = 0x0000000102ce9cbf
11:40:13 INFO - rsp = 0x00007fff5fbfc850 rbp = 0x00007fff5fbfc880
11:40:13 INFO - Found by: given as instruction pointer in context
11:40:13 INFO - 1 XUL!mozilla::dom::DestroyProtoAndIfaceCache(JSObject*) [BindingUtils.h:85a48222098a : 425 + 0x7]
11:40:13 INFO - rbx = 0x0000000155213b80 r12 = 0x00000000000000a0
11:40:13 INFO - r13 = 0x0000000000000003 r14 = 0x00007fff5fbfcb10
11:40:13 INFO - r15 = 0x000000014e4cef60 rip = 0x0000000102ce7a18
11:40:13 INFO - rsp = 0x00007fff5fbfc890 rbp = 0x00007fff5fbfc8a0
11:40:13 INFO - Found by: call frame info
11:40:13 INFO - 2 XUL!mozilla::dom::WindowBinding::_finalize [WindowBinding.cpp:85a48222098a : 12338 + 0xa]
11:40:13 INFO - rbx = 0x00000001511e4c00 r12 = 0x00000000000000a0
11:40:13 INFO - r13 = 0x0000000000000003 r14 = 0x00007fff5fbfcb10
11:40:13 INFO - r15 = 0x000000014e4cef60 rip = 0x0000000102c7ea70
11:40:13 INFO - rsp = 0x00007fff5fbfc8b0 rbp = 0x00007fff5fbfc8d0
11:40:13 INFO - Found by: call frame info
11:40:13 INFO - 3 XUL!JSObject::finalize(js::FreeOp*) [jsobjinlines.h:85a48222098a : 91 + 0x7]
11:40:13 INFO - rbx = 0x000000014e4cef60 r12 = 0x00000000000000a0
11:40:13 INFO - r13 = 0x0000000000000003 r14 = 0x00007fff5fbfcb10
11:40:13 INFO - r15 = 0x000000014e4ceb00 rip = 0x0000000104b599d5
11:40:13 INFO - rsp = 0x00007fff5fbfc8e0 rbp = 0x00007fff5fbfc8f0
11:40:13 INFO - Found by: call frame info
11:40:13 INFO - 4 XUL!bool js::gc::Arena::finalize<JSObject>(js::FreeOp*, js::gc::AllocKind, unsigned long) [jsgc.cpp:85a48222098a : 486 + 0xb]
11:40:13 INFO - rbx = 0x000000014e4ce9c0 r12 = 0x00000000000000a0
11:40:13 INFO - r13 = 0x0000000000000003 r14 = 0x000000014e4cef60
11:40:13 INFO - r15 = 0x000000014e4ceb00 rip = 0x0000000104b594ec
11:40:13 INFO - rsp = 0x00007fff5fbfc900 rbp = 0x00007fff5fbfc9a0
11:40:13 INFO - Found by: call frame info
11:40:13 INFO - 5 XUL!FinalizeArenas [jsgc.cpp:85a48222098a : 543 + 0x12]
11:40:13 INFO - rbx = 0x000000014e4ce000 r12 = 0x000000000000000a
11:40:13 INFO - r13 = 0x000000000000000a r14 = 0x00007fff5fbfca20
11:40:13 INFO - r15 = 0x000000012739e220 rip = 0x0000000104ad4aad
11:40:13 INFO - rsp = 0x00007fff5fbfc9b0 rbp = 0x00007fff5fbfca10
11:40:13 INFO - Found by: call frame info
11:40:13 INFO - 6 XUL!js::gc::ArenaLists::forceFinalizeNow(js::FreeOp*, js::gc::AllocKind) [jsgc.cpp:85a48222098a : 1807 + 0xd]
11:40:13 INFO - rbx = 0x00000000000000a0 r12 = 0x000000012739e220
11:40:13 INFO - r13 = 0x000000012739e030 r14 = 0x00007fff5fbfcb10
11:40:13 INFO - r15 = 0x000000000000000a rip = 0x0000000104b21580
11:40:13 INFO - rsp = 0x00007fff5fbfca20 rbp = 0x00007fff5fbfca60
11:40:13 INFO - Found by: call frame info
11:40:13 INFO - 7 XUL!js::gc::ArenaLists::queueObjectsForSweep(js::FreeOp*) [jsgc.cpp:85a48222098a : 1795 + 0xf]
11:40:13 INFO - rbx = 0x00007fff5fbfcb10 r12 = 0x0000000000000016
11:40:13 INFO - r13 = 0x00000001189de368 r14 = 0x00000001189de5d0
11:40:13 INFO - r15 = 0x000000012739e030 rip = 0x0000000104ad5853
11:40:13 INFO - rsp = 0x00007fff5fbfca70 rbp = 0x00007fff5fbfca90
11:40:13 INFO - Found by: call frame info
11:40:13 INFO - 8 XUL!js::gc::GCRuntime::beginSweepingZoneGroup() [jsgc.cpp:85a48222098a : 4036 + 0xc]
11:40:13 INFO - rbx = 0x000000012739e000 r12 = 0x0000000000000016
11:40:13 INFO - r13 = 0x00000001189de368 r14 = 0x00000001189de5d0
11:40:13 INFO - r15 = 0x0004fb93c51c131a rip = 0x0000000104adbbdf
11:40:13 INFO - rsp = 0x00007fff5fbfcaa0 rbp = 0x00007fff5fbfcb90
11:40:13 INFO - Found by: call frame info
11:40:13 INFO - 9 XUL!js::gc::GCRuntime::sweepPhase(js::SliceBudget&) [jsgc.cpp:85a48222098a : 4201 + 0x7]
11:40:13 INFO - rbx = 0x000000011d552000 r12 = 0x000000010514e580
11:40:13 INFO - r13 = 0x00000001189de368 r14 = 0x0000000000000001
11:40:13 INFO - r15 = 0x00007fff5fbfcc50 rip = 0x0000000104adc832
11:40:13 INFO - rsp = 0x00007fff5fbfcba0 rbp = 0x00007fff5fbfcc20
11:40:13 INFO - Found by: call frame info
11:40:13 INFO - 10 XUL!js::gc::GCRuntime::incrementalCollectSlice(long long, JS::gcreason::Reason, js::JSGCInvocationKind) [jsgc.cpp:85a48222098a : 4746 + 0x7]
11:40:13 INFO - rbx = 0x0000000000009c40 r12 = 0x0000000000000003
11:40:13 INFO - r13 = 0x0000000000000000 r14 = 0x00000001189de368
11:40:13 INFO - r15 = 0x0000000000000003 rip = 0x0000000104ade535
11:40:13 INFO - rsp = 0x00007fff5fbfcc30 rbp = 0x00007fff5fbfccb0
11:40:13 INFO - Found by: call frame info
Comment 1•10 years ago
So the crash is on this line in HeapAPI.h in IsInsideNursery():

239 uint32_t location = *reinterpret_cast<uint32_t *>(addr);

so presumably addr is dead.

We're coming in via WindowBinding::_finalize, so presumably ending up in ~ArrayCache, where we have:

class ArrayCache : public Array<JS::Heap<JSObject*>, kProtoAndIfaceCacheCount>

and no explicit destructor defined.

~Heap is claimed to call IsInsideNursery().

But the things inside the Heap might get finalized before the window, I'd think, so we may have dead pointers in there... Maybe only if we released the chunk that the thing the Heap pointed to lived in?
Updated•10 years ago
Flags: needinfo?(terrence)
Comment 2•10 years ago
(In reply to Boris Zbarsky [:bz] from comment #1)
> So the crash is on this line in HeapAPI.h in IsInsideNursery():
>
> 239 uint32_t location = *reinterpret_cast<uint32_t *>(addr);
>
> so presumably addr is dead.
>
> We're coming in via WindowBinding::_finalize, so presumably ending up in
> ~ArrayCache, where we have:
>
> class ArrayCache : public Array<JS::Heap<JSObject*>,
> kProtoAndIfaceCacheCount>
>
> and no explicit destructor defined.
>
> ~Heap is claimed to call IsInsideNursery().
>
> But the things inside the Heap might get finalized before the window, I'd
> think, so we may have dead pointers in there... Maybe only if we released
> the chunk that the thing the Heap pointed to lived in?

Heap<T> assumes the pointer it is holding is live for the entire lifetime of the Heap<T>. The expected usage is that if there exists a Heap<T> in the system, it will get traced during GC: e.g. that it will not hold weak pointers ever. If this is not true, then we'll need to come up with some non-Heap<T> mechanism.
Flags: needinfo?(terrence)
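The ordering question raised in comments 1 and 2, as an added toy model (not Mozilla code and not part of the bug): it counts how many destructor-time chunk-header reads would land in a released chunk, depending on finalization order. All type and function names are hypothetical, and whether a chunk is released during the sweep is a parameter of the model, not a statement about how SpiderMonkey behaves.

```cpp
#include <vector>

// Toy model with hypothetical names; not SpiderMonkey code.
struct Chunk { int liveCells = 0; bool mapped = true; };
struct Cell  { Chunk* chunk; };

// Stand-in for the chunk-header read quoted in comment 1. Real code would
// fault on an unmapped chunk; the toy reports it instead of dereferencing.
static bool headerReadHitsDeadChunk(const Cell* c) { return !c->chunk->mapped; }

// Finalize one cell; optionally release its chunk once no live cells remain.
static void finalizeCell(Cell& c, bool releaseEagerly) {
    if (--c.chunk->liveCells == 0 && releaseEagerly) c.chunk->mapped = false;
}

// One sweep in which the owner (the "window") and the two cells its cache
// points at are all dead. Returns how many destructor-time header reads land
// in a chunk that has already been released.
int deadChunkReads(bool ownerFinalizedFirst, bool releaseEagerly) {
    Chunk ownerChunk, protoChunk;
    Cell owner{&ownerChunk}, protoA{&protoChunk}, protoB{&protoChunk};
    ownerChunk.liveCells = 1;
    protoChunk.liveCells = 2;
    std::vector<Cell*> cache{&protoA, &protoB};  // the owner's Heap-like slots

    // Models the cache destructor run from the owner's finalizer.
    auto destroyCache = [&] {
        int bad = 0;
        for (const Cell* c : cache) bad += headerReadHitsDeadChunk(c);
        return bad;
    };

    int bad = 0;
    if (ownerFinalizedFirst) {
        bad = destroyCache();
        finalizeCell(owner, releaseEagerly);
    }
    finalizeCell(protoA, releaseEagerly);
    finalizeCell(protoB, releaseEagerly);
    if (!ownerFinalizedFirst) {
        bad = destroyCache();  // pointees are already finalized here
        finalizeCell(owner, releaseEagerly);
    }
    return bad;
}
```

In this model the bad read needs both conditions at once: the pointees are finalized before the owner, and their chunk is released before the owner's finalizer runs.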
Comment 3•10 years ago
> The expected usage is that if there exists a Heap<T> in the system, it will get traced
> during GC
This is true, if the object holding it is true. But in this case the Heap<T> is in a C++ object that's owned by another JS object and traced from that other JS object's trace hook.
Should we not be using Heap<T> for this situation? What _should_ we be using?
Flags: needinfo?(terrence)
Comment 4•10 years ago
Note that this sort of thing is pretty common in DOM code in general, though typically the tracing of the Heap<T> happens off a cycle collector trace hook, not the JS engine's trace hook. I _think_ JS_GlobalObjectTraceHook is the only trace hook WebIDL bindings use...
Comment 5•10 years ago
The stuff using CC's tracing stuff (which requires use of Hold/DropJSObjects) ends up using GrayJSTracing
(1) setup http://mxr.mozilla.org/mozilla-central/source/xpcom/base/CycleCollectedJSRuntime.cpp?rev=37a64fc4edb3&mark=487-487#468
(2) calls http://mxr.mozilla.org/mozilla-central/source/xpcom/base/CycleCollectedJSRuntime.cpp?rev=37a64fc4edb3#736
(3) enumerates mJSHolders http://mxr.mozilla.org/mozilla-central/source/xpcom/base/CycleCollectedJSRuntime.cpp?rev=37a64fc4edb3#835
(4) and traces them all http://mxr.mozilla.org/mozilla-central/source/xpcom/base/CycleCollectedJSRuntime.cpp?rev=37a64fc4edb3&mark=787-787,827-832,841-841#787

"in this case the Heap<T> is in a C++ object that's owned by another JS object and traced from that other JS object's trace hook." sounds like a setup very different to CC. In the CC case it is always a C++ object holding on to JS stuff.
Comment 6•10 years ago
We discussed this on IRC and walked through the relevant code. It seems like it should be impossible for this to crash. For the moment, we'd like to wait for more crashes to accumulate and maybe hope the one we've seen so far was cosmic rays.
Flags: needinfo?(terrence)
Updated•5 years ago
Component: DOM → DOM: Core & HTML