Closed Bug 1045945 Opened 9 years ago Closed 9 years ago

Intermittent test_toBlob.html | application crashed [@ 0x0][@ JS::Zone::sweepCompartments]

Categories

(Core :: JavaScript: GC, defect)

Product:
Core
Component:
JavaScript: GC
Platform:
ARM
Android
Type:
defect
Priority:
Not set
Severity:
normal

Tracking

()

Status:
RESOLVED FIXED
Milestone:
mozilla35
Tracking Flags:
Tracking Status
firefox32 --- wontfix
firefox33 --- unaffected
firefox34 --- fixed
firefox35 --- fixed
firefox-esr31 --- unaffected

People

(Reporter: KWierso, Assigned: jonco)

References

Details

(Keywords: crash, intermittent-failure)

Attachments

(1 file, 1 obsolete file)

set-worker-pricipals-callback v2
3.78 KB, patch
bent.mozilla
: review+
lmandel
: approval-mozilla-aurora+
Details | Diff | Splinter Review 
https://tbpl.mozilla.org/php/getParsedLog.php?id=44831173&tree=Mozilla-Aurora
Android 2.3 Armv6 Emulator mozilla-aurora opt test mochitest-2 on 2014-07-29 13:03:52 PDT for push feec66ee1e93

slave: tst-linux64-spot-024



13:34:58     INFO -  3129 INFO TEST-OK | /tests/content/canvas/test/test_isPointInStroke.html | took 3079ms
13:34:58     INFO -  3130 INFO TEST-START | /tests/content/canvas/test/test_mozDashOffset.html
13:34:58     INFO -  3131 INFO TEST-OK | /tests/content/canvas/test/test_mozDashOffset.html | took 2363ms
13:34:58     INFO -  3132 INFO TEST-START | /tests/content/canvas/test/test_mozGetAsFile.html
13:34:58     INFO -  3133 INFO TEST-OK | /tests/content/canvas/test/test_mozGetAsFile.html | took 3231ms
13:34:58     INFO -  3134 INFO TEST-START | /tests/content/canvas/test/test_setlinedash.html
13:34:58     INFO -  3135 INFO TEST-OK | /tests/content/canvas/test/test_setlinedash.html | took 2778ms
13:34:58     INFO -  3136 INFO TEST-START | /tests/content/canvas/test/test_strokeText_throw.html
13:34:58     INFO -  3137 INFO TEST-OK | /tests/content/canvas/test/test_strokeText_throw.html | took 2531ms
13:34:58     INFO -  3138 INFO TEST-START | /tests/content/canvas/test/test_toBlob.html
13:34:58     INFO -  3139 INFO TEST-OK | /tests/content/canvas/test/test_toBlob.html | took 2983ms
13:34:58     INFO -  INFO | automation.py | Application ran for: 0:22:46.798894
13:34:58     INFO -  INFO | zombiecheck | Reading PID log: /tmp/tmpevD5YMpidlog
13:34:58     INFO -  Contents of /data/anr/traces.txt:
13:34:58     INFO -  
13:34:58     INFO -  
13:34:58     INFO -  mozcrash INFO | Downloading symbols from: https://ftp-ssl.mozilla.org/pub/mozilla.org/mobile/tinderbox-builds/mozilla-aurora-android-armv6/1406662216/fennec-33.0a2.en-US.android-arm-armv6.crashreporter-symbols.zip
13:34:58  WARNING -  PROCESS-CRASH | /tests/content/canvas/test/test_toBlob.html | application crashed [@ 0x0]
13:34:58     INFO -  Crash dump filename: /tmp/tmpCQLihm/1743a707-b624-ae17-64bc3039-2d4fc890.dmp
13:34:58     INFO -  Operating system: Android
13:34:58     INFO -                    0.0.0 Linux 2.6.29-ge3d684d #1 Mon Dec 16 22:26:51 UTC 2013 armv7l generic/sdk/generic:2.3.7/GINGERBREAD/eng.ubuntu.20140123.014351:eng/test-keys
13:34:58     INFO -  CPU: arm
13:34:58     INFO -       0 CPUs
13:34:58     INFO -  
13:34:58     INFO -  Crash reason:  SIGSEGV
13:34:58     INFO -  Crash address: 0x0
13:34:58     INFO -  
13:34:58     INFO -  Thread 24 (crashed)
13:34:58     INFO -   0  0x0
13:34:58     INFO -       r4 = 0x53f4ea78    r5 = 0x53f4ea7c    r6 = 0x537df000    r7 = 0x542aec80
13:34:58     INFO -       r8 = 0x53f4e800    r9 = 0x00000000   r10 = 0x53f4ea7c    fp = 0x537df17c
13:34:58     INFO -       sp = 0x544ffaa0    lr = 0x4da7bde0    pc = 0x00000000
13:34:58     INFO -      Found by: given as instruction pointer in context
13:34:58     INFO -   1  libxul.so!JS::Zone::sweepCompartments(js::FreeOp*, bool, bool) [jsgc.cpp:feec66ee1e93 : 3021 + 0x2]
13:34:58     INFO -       sp = 0x544ffaa8    pc = 0x4dab0600
13:34:58     INFO -      Found by: stack scanning
13:34:58     INFO -   2  libxul.so!js::gc::GCRuntime::sweepZones(js::FreeOp*, bool) [jsgc.cpp:feec66ee1e93 : 3054 + 0x12]
13:34:58     INFO -       r4 = 0x53f4e800    r5 = 0x537df180    r6 = 0x537df180    r7 = 0x537df160
13:34:58     INFO -       r8 = 0x544ffb30    r9 = 0x4cca46fc   r10 = 0x00000001    fp = 0x537df17c
13:34:58     INFO -       sp = 0x544ffad8    pc = 0x4dab087c
13:34:58     INFO -      Found by: call frame info
13:34:58     INFO -   3  libxul.so!js::gc::GCRuntime::endSweepPhase(js::JSGCInvocationKind, bool) [jsgc.cpp:feec66ee1e93 : 4572 + 0xe]
13:34:58     INFO -       r4 = 0x00000001    r5 = 0x00000000    r6 = 0x0000000c    r7 = 0x4e372294
13:34:58     INFO -       r8 = 0x537df160    r9 = 0x00000003   r10 = 0x4e10b99c    fp = 0x4e10b970
13:34:58     INFO -       sp = 0x544ffb00    pc = 0x4dab5f00
13:34:58     INFO -      Found by: call frame info
13:34:58     INFO -   4  libxul.so!js::gc::GCRuntime::incrementalCollectSlice(long long, JS::gcreason::Reason, js::JSGCInvocationKind) [jsgc.cpp:feec66ee1e93 : 4951 + 0xe]
13:34:58     INFO -       r4 = 0x544ffb78    r5 = 0x00000001    r6 = 0x537df160    r7 = 0x537df000
13:34:58     INFO -       r8 = 0x00000000    r9 = 0x00000000   r10 = 0x537df188    fp = 0x00000001
13:34:58     INFO -       sp = 0x544ffb68    pc = 0x4dab6588
13:34:58     INFO -      Found by: call frame info
13:34:58     INFO -   5  libxul.so!js::gc::GCRuntime::gcCycle(bool, long long, js::JSGCInvocationKind, JS::gcreason::Reason) [jsgc.cpp:feec66ee1e93 : 5115 + 0x1a]
13:34:58     INFO -       r4 = 0x537df160    r5 = 0x537df000    r6 = 0x00000000    r7 = 0x4e10bb7c
13:34:58     INFO -       r8 = 0x00000000    r9 = 0x537dfa60   r10 = 0x537df000    fp = 0x00000000
13:34:58     INFO -       sp = 0x544ffbb0    pc = 0x4dab6f8c
13:34:58     INFO -      Found by: call frame info
GC crash.
Component: Canvas: 2D → JavaScript: GC
Summary: Intermittent test_toBlob.html | application crashed [@ 0x0] → Intermittent test_toBlob.html | application crashed [@ 0x0][@ JS::Zone::sweepCompartments]
https://tbpl.mozilla.org/php/getParsedLog.php?id=46118492&tree=Fx-Team

Terrence, this appears to be a pretty frequent crash we hit in automation, mostly on Android 2.3 and Windows. Any chance you can help take a look?
Flags: needinfo?(terrence)
(In reply to Ryan VanderMeulen [:RyanVM UTC-4] from comment #6)
> https://tbpl.mozilla.org/php/getParsedLog.php?id=46118492&tree=Fx-Team
> 
> Terrence, this appears to be a pretty frequent crash we hit in automation,
> mostly on Android 2.3 and Windows. Any chance you can help take a look?

This is probably the same as the current topcrasher with that signature. Good to know that if we do figure out what's causing it, we'll at least have confirmation through try.
Flags: needinfo?(terrence)
It looks like the destroyPrincipals callback on the JSRuntime is null and JS_DropPrincipals() is calling it when we destroy a compartment's principals.
Attached patch set-worker-pricipals-callback (obsolete) — Splinter Review 
This might be because we never set the destroy pricipals callback for workers.
Assignee: nobody → jcoppeard
Attachment #8484161 - Flags: review?(bent.mozilla)
Comment on attachment 8484161 [details] [diff] [review]
set-worker-pricipals-callback

Review of attachment 8484161 [details] [diff] [review]:
-----------------------------------------------------------------

Thanks for figuring this out!

Any idea when this destroy callback became necessary?

::: dom/workers/Principal.cpp
@@ +26,5 @@
>    return &sPrincipal;
>  }
>  
> +void
> +DestroyWorkerPrincipals(JSPrincipals *principals)

Nit: * on the left, and args get the "a" prefix.
Attachment #8484161 - Flags: review?(bent.mozilla) → review+
Also, why is this intermittent?
(In reply to ben turner [:bent] (use the needinfo? flag!) from comment #21)
So thinking about this some more, I think this is not the solution (although it might possibly fix the symptom).  We should never call the destroy callback here because the reference count starts at one and should never drop below this.

However it looks like GetWorkerPrincipal() is racy since sInitialized is set to true before the object is actually initialized.  I wonder if that might be related.
This should fix the race, and will trigger an assertion rather than branching to address zero if things go wrong.
Attachment #8484161 - Attachment is obsolete: true
Attachment #8484908 - Flags: review?(bent.mozilla)
Comment on attachment 8484908 [details] [diff] [review]
set-worker-pricipals-callback v2

Review of attachment 8484908 [details] [diff] [review]:
-----------------------------------------------------------------

::: dom/workers/Principal.h
@@ +13,5 @@
>  JSPrincipals*
>  GetWorkerPrincipal();
>  
> +void
> +DestroyWorkerPrincipals(JSPrincipals *principals);

Nit: Same thing here with * and "a"
Attachment #8484908 - Flags: review?(bent.mozilla) → review+
https://tbpl.mozilla.org/php/getParsedLog.php?id=48949428&tree=Mozilla-Aurora

Can we get this on Aurora too? Seems to be working on trunk :)
Flags: needinfo?(jcoppeard)
Comment on attachment 8484908 [details] [diff] [review]
set-worker-pricipals-callback v2

Approval Request Comment
[Feature/regressing bug #]: Bug 884676
[User impact if declined]: Intermittent crashes
[Describe test coverage new/current, TBPL]: No crashes in last 10 days on central.
[Risks and why]: Low risk
[String/UUID change made/needed]: None
Attachment #8484908 - Flags: approval-mozilla-aurora?
Flags: needinfo?(jcoppeard)
Comment on attachment 8484908 [details] [diff] [review]
set-worker-pricipals-callback v2

Aurora+
Attachment #8484908 - Flags: approval-mozilla-aurora? → approval-mozilla-aurora+
https://hg.mozilla.org/releases/mozilla-aurora/rev/5c5b67febe2c
Status: NEW → RESOLVED
Closed: 9 years ago
Keywords: leave-open
Resolution: --- → FIXED
Target Milestone: --- → mozilla35
You need to log in before you can comment on or make changes to this bug.