Closed Bug 1045945 Opened 11 years ago Closed 11 years ago

Intermittent test_toBlob.html | application crashed [@ 0x0][@ JS::Zone::sweepCompartments]

Categories

(Core :: JavaScript: GC, defect)

Product:
Core
Component:
JavaScript: GC
Platform:
ARM
Android
Type:
defect
Priority:
Not set
Severity:
normal

Tracking

()

Status:
RESOLVED FIXED
Milestone:
mozilla35
Tracking Flags:
Tracking Status
firefox32 --- wontfix
firefox33 --- unaffected
firefox34 --- fixed
firefox35 --- fixed
firefox-esr31 --- unaffected

People

(Reporter: KWierso, Assigned: jonco)

References

Details

(Keywords: crash, intermittent-failure)

Attachments

(1 file, 1 obsolete file)

set-worker-pricipals-callback v2
3.78 KB, patch
bent.mozilla
: review+
lmandel
: approval-mozilla-aurora+
Details | Diff | Splinter Review
https://tbpl.mozilla.org/php/getParsedLog.php?id=44831173&tree=Mozilla-Aurora Android 2.3 Armv6 Emulator mozilla-aurora opt test mochitest-2 on 2014-07-29 13:03:52 PDT for push feec66ee1e93 slave: tst-linux64-spot-024 13:34:58 INFO - 3129 INFO TEST-OK | /tests/content/canvas/test/test_isPointInStroke.html | took 3079ms 13:34:58 INFO - 3130 INFO TEST-START | /tests/content/canvas/test/test_mozDashOffset.html 13:34:58 INFO - 3131 INFO TEST-OK | /tests/content/canvas/test/test_mozDashOffset.html | took 2363ms 13:34:58 INFO - 3132 INFO TEST-START | /tests/content/canvas/test/test_mozGetAsFile.html 13:34:58 INFO - 3133 INFO TEST-OK | /tests/content/canvas/test/test_mozGetAsFile.html | took 3231ms 13:34:58 INFO - 3134 INFO TEST-START | /tests/content/canvas/test/test_setlinedash.html 13:34:58 INFO - 3135 INFO TEST-OK | /tests/content/canvas/test/test_setlinedash.html | took 2778ms 13:34:58 INFO - 3136 INFO TEST-START | /tests/content/canvas/test/test_strokeText_throw.html 13:34:58 INFO - 3137 INFO TEST-OK | /tests/content/canvas/test/test_strokeText_throw.html | took 2531ms 13:34:58 INFO - 3138 INFO TEST-START | /tests/content/canvas/test/test_toBlob.html 13:34:58 INFO - 3139 INFO TEST-OK | /tests/content/canvas/test/test_toBlob.html | took 2983ms 13:34:58 INFO - INFO | automation.py | Application ran for: 0:22:46.798894 13:34:58 INFO - INFO | zombiecheck | Reading PID log: /tmp/tmpevD5YMpidlog 13:34:58 INFO - Contents of /data/anr/traces.txt: 13:34:58 INFO - 13:34:58 INFO - 13:34:58 INFO - mozcrash INFO | Downloading symbols from: https://ftp-ssl.mozilla.org/pub/mozilla.org/mobile/tinderbox-builds/mozilla-aurora-android-armv6/1406662216/fennec-33.0a2.en-US.android-arm-armv6.crashreporter-symbols.zip 13:34:58 WARNING - PROCESS-CRASH | /tests/content/canvas/test/test_toBlob.html | application crashed [@ 0x0] 13:34:58 INFO - Crash dump filename: /tmp/tmpCQLihm/1743a707-b624-ae17-64bc3039-2d4fc890.dmp 13:34:58 INFO - Operating system: Android 13:34:58 INFO - 0.0.0 Linux 2.6.29-ge3d684d #1 Mon Dec 16 22:26:51 UTC 2013 armv7l generic/sdk/generic:2.3.7/GINGERBREAD/eng.ubuntu.20140123.014351:eng/test-keys 13:34:58 INFO - CPU: arm 13:34:58 INFO - 0 CPUs 13:34:58 INFO - 13:34:58 INFO - Crash reason: SIGSEGV 13:34:58 INFO - Crash address: 0x0 13:34:58 INFO - 13:34:58 INFO - Thread 24 (crashed) 13:34:58 INFO - 0 0x0 13:34:58 INFO - r4 = 0x53f4ea78 r5 = 0x53f4ea7c r6 = 0x537df000 r7 = 0x542aec80 13:34:58 INFO - r8 = 0x53f4e800 r9 = 0x00000000 r10 = 0x53f4ea7c fp = 0x537df17c 13:34:58 INFO - sp = 0x544ffaa0 lr = 0x4da7bde0 pc = 0x00000000 13:34:58 INFO - Found by: given as instruction pointer in context 13:34:58 INFO - 1 libxul.so!JS::Zone::sweepCompartments(js::FreeOp*, bool, bool) [jsgc.cpp:feec66ee1e93 : 3021 + 0x2] 13:34:58 INFO - sp = 0x544ffaa8 pc = 0x4dab0600 13:34:58 INFO - Found by: stack scanning 13:34:58 INFO - 2 libxul.so!js::gc::GCRuntime::sweepZones(js::FreeOp*, bool) [jsgc.cpp:feec66ee1e93 : 3054 + 0x12] 13:34:58 INFO - r4 = 0x53f4e800 r5 = 0x537df180 r6 = 0x537df180 r7 = 0x537df160 13:34:58 INFO - r8 = 0x544ffb30 r9 = 0x4cca46fc r10 = 0x00000001 fp = 0x537df17c 13:34:58 INFO - sp = 0x544ffad8 pc = 0x4dab087c 13:34:58 INFO - Found by: call frame info 13:34:58 INFO - 3 libxul.so!js::gc::GCRuntime::endSweepPhase(js::JSGCInvocationKind, bool) [jsgc.cpp:feec66ee1e93 : 4572 + 0xe] 13:34:58 INFO - r4 = 0x00000001 r5 = 0x00000000 r6 = 0x0000000c r7 = 0x4e372294 13:34:58 INFO - r8 = 0x537df160 r9 = 0x00000003 r10 = 0x4e10b99c fp = 0x4e10b970 13:34:58 INFO - sp = 0x544ffb00 pc = 0x4dab5f00 13:34:58 INFO - Found by: call frame info 13:34:58 INFO - 4 libxul.so!js::gc::GCRuntime::incrementalCollectSlice(long long, JS::gcreason::Reason, js::JSGCInvocationKind) [jsgc.cpp:feec66ee1e93 : 4951 + 0xe] 13:34:58 INFO - r4 = 0x544ffb78 r5 = 0x00000001 r6 = 0x537df160 r7 = 0x537df000 13:34:58 INFO - r8 = 0x00000000 r9 = 0x00000000 r10 = 0x537df188 fp = 0x00000001 13:34:58 INFO - sp = 0x544ffb68 pc = 0x4dab6588 13:34:58 INFO - Found by: call frame info 13:34:58 INFO - 5 libxul.so!js::gc::GCRuntime::gcCycle(bool, long long, js::JSGCInvocationKind, JS::gcreason::Reason) [jsgc.cpp:feec66ee1e93 : 5115 + 0x1a] 13:34:58 INFO - r4 = 0x537df160 r5 = 0x537df000 r6 = 0x00000000 r7 = 0x4e10bb7c 13:34:58 INFO - r8 = 0x00000000 r9 = 0x537dfa60 r10 = 0x537df000 fp = 0x00000000 13:34:58 INFO - sp = 0x544ffbb0 pc = 0x4dab6f8c 13:34:58 INFO - Found by: call frame info
GC crash.
Component: Canvas: 2D → JavaScript: GC
Summary: Intermittent test_toBlob.html | application crashed [@ 0x0] → Intermittent test_toBlob.html | application crashed [@ 0x0][@ JS::Zone::sweepCompartments]
https://tbpl.mozilla.org/php/getParsedLog.php?id=46118492&tree=Fx-Team Terrence, this appears to be a pretty frequent crash we hit in automation, mostly on Android 2.3 and Windows. Any chance you can help take a look?
Flags: needinfo?(terrence)
(In reply to Ryan VanderMeulen [:RyanVM UTC-4] from comment #6) > https://tbpl.mozilla.org/php/getParsedLog.php?id=46118492&tree=Fx-Team > > Terrence, this appears to be a pretty frequent crash we hit in automation, > mostly on Android 2.3 and Windows. Any chance you can help take a look? This is probably the same as the current topcrasher with that signature. Good to know that if we do figure out what's causing it, we'll at least have confirmation through try.
Flags: needinfo?(terrence)
It looks like the destroyPrincipals callback on the JSRuntime is null and JS_DropPrincipals() is calling it when we destroy a compartment's principals.
Attached patch set-worker-pricipals-callback (obsolete) — Splinter Review
This might be because we never set the destroy pricipals callback for workers.
Assignee: nobody → jcoppeard
Attachment #8484161 - Flags: review?(bent.mozilla)
Keywords: leave-open
Comment on attachment 8484161 [details] [diff] [review] set-worker-pricipals-callback Review of attachment 8484161 [details] [diff] [review]: ----------------------------------------------------------------- Thanks for figuring this out! Any idea when this destroy callback became necessary? ::: dom/workers/Principal.cpp @@ +26,5 @@ > return &sPrincipal; > } > > +void > +DestroyWorkerPrincipals(JSPrincipals *principals) Nit: * on the left, and args get the "a" prefix.
Attachment #8484161 - Flags: review?(bent.mozilla) → review+
Also, why is this intermittent?
(In reply to ben turner [:bent] (use the needinfo? flag!) from comment #21) So thinking about this some more, I think this is not the solution (although it might possibly fix the symptom). We should never call the destroy callback here because the reference count starts at one and should never drop below this. However it looks like GetWorkerPrincipal() is racy since sInitialized is set to true before the object is actually initialized. I wonder if that might be related.
This should fix the race, and will trigger an assertion rather than branching to address zero if things go wrong.
Attachment #8484161 - Attachment is obsolete: true
Attachment #8484908 - Flags: review?(bent.mozilla)
Comment on attachment 8484908 [details] [diff] [review] set-worker-pricipals-callback v2 Review of attachment 8484908 [details] [diff] [review]: ----------------------------------------------------------------- ::: dom/workers/Principal.h @@ +13,5 @@ > JSPrincipals* > GetWorkerPrincipal(); > > +void > +DestroyWorkerPrincipals(JSPrincipals *principals); Nit: Same thing here with * and "a"
Attachment #8484908 - Flags: review?(bent.mozilla) → review+
https://tbpl.mozilla.org/php/getParsedLog.php?id=48949428&tree=Mozilla-Aurora Can we get this on Aurora too? Seems to be working on trunk :)
Flags: needinfo?(jcoppeard)
Comment on attachment 8484908 [details] [diff] [review] set-worker-pricipals-callback v2 Approval Request Comment [Feature/regressing bug #]: Bug 884676 [User impact if declined]: Intermittent crashes [Describe test coverage new/current, TBPL]: No crashes in last 10 days on central. [Risks and why]: Low risk [String/UUID change made/needed]: None
Attachment #8484908 - Flags: approval-mozilla-aurora?
Flags: needinfo?(jcoppeard)
Comment on attachment 8484908 [details] [diff] [review] set-worker-pricipals-callback v2 Aurora+
Attachment #8484908 - Flags: approval-mozilla-aurora? → approval-mozilla-aurora+
https://hg.mozilla.org/releases/mozilla-aurora/rev/5c5b67febe2c
Status: NEW → RESOLVED
Closed: 11 years ago
Keywords: leave-open
Resolution: --- → FIXED
Target Milestone: --- → mozilla35
You need to log in before you can comment on or make changes to this bug.

Attachment

General

Creator:
Created:
Updated:
Size: