Intermittent runner.py | application crashed [@ mozilla::dom::AutoNoJSAPI::AutoNoJSAPI(bool)]

RESOLVED FIXED in Firefox 35

Status

()

defect
RESOLVED FIXED
5 years ago
5 years ago

People

(Reporter: cbook, Assigned: bholley)

Tracking

({crash, intermittent-failure})

Trunk
mozilla37
x86
macOS
Points:
---
Dependency tree / graph

Firefox Tracking Flags

(firefox35 fixed, firefox36 fixed, firefox37 fixed, firefox-esr31 wontfix)

Details

()

Attachments

(1 attachment)

Rev5 MacOSX Mountain Lion 10.8 mozilla-inbound debug test marionette

https://treeherder.mozilla.org/ui/logviewer.html#?job_id=4030729&repo=mozilla-inbound

22:56:08 ERROR - PROCESS-CRASH | runner.py | application crashed [@ mozilla::dom::AutoNoJSAPI::AutoNoJSAPI(bool)]
22:56:08 INFO - Crash dump filename: /var/folders/np/253ng38x5ln5h1fwm2gjh92h00000w/T/tmpDdX9PS.mozrunner/minidumps/623830CC-4F28-47AF-803A-001499FE870C.dmp
22:56:08 INFO - Operating system: Mac OS X
22:56:08 INFO - 10.8.0 12A269
22:56:08 INFO - CPU: amd64
22:56:08 INFO - family 6 model 42 stepping 7
22:56:08 INFO - 8 CPUs
22:56:08 INFO - Crash reason: EXC_BAD_ACCESS / KERN_INVALID_ADDRESS
22:56:08 INFO - Crash address: 0x0
22:56:08 INFO - Thread 0 (crashed)
22:56:08 INFO - 0 XUL!mozilla::dom::AutoNoJSAPI::AutoNoJSAPI(bool) [ScriptSettings.cpp:8c37c5083952 : 566 + 0x0]
22:56:08 INFO - rbx = 0x00007fff7584ec68 r12 = 0x0000000000020418
22:56:08 INFO - r13 = 0x00000001141150e8 r14 = 0x0000000000000001
22:56:08 INFO - r15 = 0x00000001200e9bc0 rip = 0x00000001021b8d43
22:56:08 INFO - rsp = 0x00007fff5fbf9640 rbp = 0x00007fff5fbf9650
22:56:08 INFO - Found by: given as instruction pointer in context
22:56:08 INFO - 1 XUL!nsTextEditorState::GetValue(nsAString_internal&, bool) const [nsTextEditorState.cpp:8c37c5083952 : 1844 + 0x13]
22:56:08 INFO - rbx = 0x0000000000000001 r12 = 0x0000000000020418
22:56:08 INFO - r13 = 0x00000001141150e8 r14 = 0x00007fff5fbf98c0
22:56:08 INFO - r15 = 0x00000001200e9bc0 rip = 0x0000000102d89748
22:56:08 INFO - rsp = 0x00007fff5fbf9660 rbp = 0x00007fff5fbf9800
22:56:08 INFO - Found by: call frame info
22:56:08 INFO - 2 XUL!nsTextEditorState::UnbindFromFrame(nsTextControlFrame*) [nsTextEditorState.cpp:8c37c5083952 : 1534 + 0xf]
22:56:08 INFO - rbx = 0x000000011fb97408 r12 = 0x00000001200e9bc0
22:56:08 INFO - r13 = 0x00000001141150e8 r14 = 0x00007fff5fbf98c0
22:56:08 INFO - r15 = 0x00007fff5fbf98e0 rip = 0x0000000102d866f7
22:56:08 INFO - rsp = 0x00007fff5fbf9810 rbp = 0x00007fff5fbf99a0
22:56:08 INFO - Found by: call frame info
22:56:08 INFO - 3 XUL!nsTextControlFrame::DestroyFrom(nsIFrame*) [nsTextControlFrame.cpp:8c37c5083952 : 131 + 0xb]
22:56:08 INFO - rbx = 0x0000000000000000 r12 = 0x000000011fb97408
22:56:08 INFO - r13 = 0x00000001141150e8 r14 = 0x000000012402f458
22:56:08 INFO - r15 = 0x000000011fb97408 rip = 0x0000000103839ade
22:56:08 INFO - rsp = 0x00007fff5fbf99b0 rbp = 0x00007fff5fbf99e0
22:56:08 INFO - Found by: call frame info
22:56:08 INFO - 4 XUL!nsLineBox::DeleteLineList(nsPresContext*, nsLineList&, nsIFrame*, nsFrameList*) [nsLineBox.cpp:8c37c5083952 : 388 + 0xc]
22:56:08 INFO - rbx = 0x0000000120596a20 r12 = 0x000000011fb97408
22:56:08 INFO - r13 = 0x00000001141150e8 r14 = 0x000000012402f458
22:56:08 INFO - r15 = 0x0000000120596a58 rip = 0x00000001037d19b0
Luke, any idea what the AsmJSSignalHandlers.cpp stuff is all about?
Component: DOM → JavaScript Engine
Flags: needinfo?(luke)
Thread 0 seems to be crashing because of an AutoNoJSAPI in GetValue where the callstack contains active JS.  On OSX, because of Mach weirdness, AsmJSSignalHandler runs in a separate thread that gets notified any time there is a SEGV which just happened on Thread 0 due to MOZ_CRASH in AutoNoJSAPI.  Nowhere in AsmJSSignalHandler is there a call to AutoNoJSAPI, so I expect frame 2 on Thread 17 is bogus.

bholley may be able to make something of thread 0's stack to see what's going on here.
Flags: needinfo?(luke) → needinfo?(bobbyholley)
So presumably what's happening is that js::Invoke throws, and then the AutoGCIfNeeded triggers a GC as it comes off the stack. This triggers a long callstack, which eventually finds its way down to an AutoNoJSAPI, which asserts that there is no pending exception (which there is). This assertion is designed to enforce the invariant that luke wanted in bug 989528 comment 12.

So we have a few options:
(1) Avoid GCing when an exception is pending.
(2) Make AutoNoJSAPI fallible (like AutoJSAPI etc), and have it fail to initialize when there's an exception pending on the active cx. 
(3) Allow AutoNoJSAPI when an exception is pending.

Thoughts, luke?
Flags: needinfo?(bobbyholley) → needinfo?(luke)
1 and 2 sound undesirable, so I'd go with 3.  Since AutoNoJSAPI seems to mean "I shouldn't be running script" and the exception invariant is "an exception shouldn't be pending when I run JS", there seems to be an impedance mismatch anyhow.  Really, it's AutoEntryScript's ctor which sounds to me like a good place for this assertion, but I don't really understand all the nuances of these Auto classes.
Flags: needinfo?(luke)
Comment on attachment 8538126 [details] [diff] [review]
Don't assert against pending exceptions in AutoNoJSAPI - do it in AutoJSAPI::InitInternal instead. v1

Review of attachment 8538126 [details] [diff] [review]:
-----------------------------------------------------------------

Great, thanks.
Attachment #8538126 - Flags: review?(luke) → review+
Attachment #8538126 - Flags: review?(bugs) → review+
So, this is orange on try. It looks like the reason is that we actually do instantiate an AutoEntryScript with a pending exception on the stack in two places - XPCWrappedJSClass:CheckForPendingException, and workers. The latter, unfortunately, can't be fixed until nsm finishes bug 1072144. So I'm splitting these pieces out.
Blocks: 1112920
Just removed the problematic assert in the mean time: https://hg.mozilla.org/integration/mozilla-inbound/rev/51ea551dd266
https://hg.mozilla.org/mozilla-central/rev/51ea551dd266
Assignee: nobody → bobbyholley
Status: NEW → RESOLVED
Closed: 5 years ago
Resolution: --- → FIXED
Target Milestone: --- → mozilla37
Please request Aurora/Beta approval on this when you get a chance :)
Flags: needinfo?(bobbyholley)
Comment on attachment 8538126 [details] [diff] [review]
Don't assert against pending exceptions in AutoNoJSAPI - do it in AutoJSAPI::InitInternal instead. v1

The patch landed for this bug just removes an assertion that was firing intermittently in automation. No impact on the bits we ship.
Flags: needinfo?(bobbyholley)
Attachment #8538126 - Flags: approval-mozilla-beta?
Attachment #8538126 - Flags: approval-mozilla-aurora?
Comment on attachment 8538126 [details] [diff] [review]
Don't assert against pending exceptions in AutoNoJSAPI - do it in AutoJSAPI::InitInternal instead. v1

a=test-only works too, but approving to get this expidited.
Attachment #8538126 - Flags: approval-mozilla-beta?
Attachment #8538126 - Flags: approval-mozilla-beta+
Attachment #8538126 - Flags: approval-mozilla-aurora?
Attachment #8538126 - Flags: approval-mozilla-aurora+
You need to log in before you can comment on or make changes to this bug.