If you think a bug might affect users in the 57 release, please set the correct tracking and status flags for Release Management.

[e10s] Content process hang under js::SetObjectElement (with 100% cpu)

RESOLVED WORKSFORME

Status

()

Core
JavaScript Engine
RESOLVED WORKSFORME
3 years ago
3 years ago

People

(Reporter: ted, Unassigned)

Tracking

Trunk
x86
Windows 7
Points:
---

Firefox Tracking Flags

(e10s?)

Details

(Reporter)

Description

3 years ago
My content process got hung (spinning at 100% cpu) today on my Windows machine. Sampling the main thread's stack with WinDBG produced:

0:000> kp
ChildEBP RetAddr  
00439b0c 55d40b3b xul!JSObject::setFlag(class js::ExclusiveContext * cx = 0x1dc73d90, unsigned int flag_ = 0x80, JSObject::GenerateShape generateShape = GENERATE_NONE (0n0))+0x1 [c:\builds\moz2_slave\m-cen-w32-ntly-000000000000000\build\src\js\src\vm\shape.cpp @ 1382]
00439b5c 309e6a60 xul!js::SetObjectElement(struct JSContext * cx = 0x1dc73d90, class JS::Handle<JSObject *> obj = class JS::Handle<JSObject *>, class JS::Handle<JS::Value> index = class JS::Handle<JS::Value>, class JS::Handle<JS::Value> value = class JS::Handle<JS::Value>, bool strict = false)+0x17b [c:\builds\moz2_slave\m-cen-w32-ntly-000000000000000\build\src\js\src\vm\interpreter.cpp @ 3821]
WARNING: Frame IP not in any known module. Following frames may be wrong.
00000000 00000000 0x309e6a60
0:000> g
(192c.1258): Break instruction exception - code 80000003 (first chance)
eax=fff82000 ebx=00000000 ecx=00000000 edx=7796f8ea esi=00000000 edi=00000000
eip=778e000c esp=6032fd7c ebp=6032fda8 iopl=0         nv up ei pl zr na pe nc
cs=0023  ss=002b  ds=002b  es=002b  fs=0053  gs=002b             efl=00000246
ntdll!DbgBreakPoint:
778e000c cc              int     3
0:056> ~0 kp
ChildEBP RetAddr  
004399b4 55a0d840 xul!js::types::AutoEnterAnalysis::AutoEnterAnalysis(class js::ExclusiveContext * cx = 0x1dc73d90)+0x32 [c:\builds\moz2_slave\m-cen-w32-ntly-000000000000000\build\src\js\src\jsinferinlines.h @ 273]
00439a88 55a0cc35 xul!NativeSet<0>(struct JSContext * cxArg = 0x00439a50, class JS::Handle<js::NativeObject *> obj = class JS::Handle<js::NativeObject *>, class JS::Handle<JSObject *> receiver = class JS::Handle<JSObject *>, class JS::Handle<js::Shape *> shape = class JS::Handle<js::Shape *>, bool strict = true, class JS::MutableHandle<JS::Value> vp = class JS::MutableHandle<JS::Value>)+0x190 [c:\builds\moz2_slave\m-cen-w32-ntly-000000000000000\build\src\js\src\vm\nativeobject.cpp @ 1690]
00439b04 55d40b7e xul!js::baseops::SetPropertyHelper<0>(struct JSContext * cxArg = 0x00439a50, class JS::Handle<js::NativeObject *> obj = class JS::Handle<js::NativeObject *>, class JS::Handle<JSObject *> receiver = class JS::Handle<JSObject *>, class JS::Handle<jsid> id = class JS::Handle<jsid>, js::baseops::QualifiedBool qualified = 0n499596688 (No matching enumerant), class JS::MutableHandle<JS::Value> vp = class JS::MutableHandle<JS::Value>, bool strict = false)+0x103 [c:\builds\moz2_slave\m-cen-w32-ntly-000000000000000\build\src\js\src\vm\nativeobject.cpp @ 2211]
00439b5c 309e6a60 xul!js::SetObjectElement(struct JSContext * cx = 0x1dc73d90, class JS::Handle<JSObject *> obj = class JS::Handle<JSObject *>, class JS::Handle<JS::Value> index = class JS::Handle<JS::Value>, class JS::Handle<JS::Value> value = class JS::Handle<JS::Value>, bool strict = false)+0x1be [c:\builds\moz2_slave\m-cen-w32-ntly-000000000000000\build\src\js\src\vm\interpreter.cpp @ 3821]
WARNING: Frame IP not in any known module. Following frames may be wrong.
00439b74 00439ba0 0x309e6a60
00439b98 ffffff85 0x439ba0
00439b9c 00000000 0xffffff85
0:056> g
(192c.2050): Break instruction exception - code 80000003 (first chance)
eax=fff82000 ebx=00000000 ecx=00000000 edx=7796f8ea esi=00000000 edi=00000000
eip=778e000c esp=59e0fdd4 ebp=59e0fe00 iopl=0         nv up ei pl zr na pe nc
cs=0023  ss=002b  ds=002b  es=002b  fs=0053  gs=002b             efl=00000246
ntdll!DbgBreakPoint:
778e000c cc              int     3
0:056> ~0 kp
ChildEBP RetAddr  
004399ac 55a3430e xul!js::types::TypeObject::maybeSweep(class js::types::AutoClearTypeInferenceStateOnOOM * oom = 0x00000000)+0x6 [c:\builds\moz2_slave\m-cen-w32-ntly-000000000000000\build\src\js\src\jsinfer.cpp @ 4678]
004399b8 55a0d828 xul!js::types::TypeObject::unknownProperties(void)+0xa [c:\builds\moz2_slave\m-cen-w32-ntly-000000000000000\build\src\js\src\jsinfer.h @ 1190]
00439a88 55a0cc35 xul!NativeSet<0>(struct JSContext * cxArg = 0x1a087a80, class JS::Handle<js::NativeObject *> obj = class JS::Handle<js::NativeObject *>, class JS::Handle<JSObject *> receiver = class JS::Handle<JSObject *>, class JS::Handle<js::Shape *> shape = class JS::Handle<js::Shape *>, bool strict = true, class JS::MutableHandle<JS::Value> vp = class JS::MutableHandle<JS::Value>)+0x178 [c:\builds\moz2_slave\m-cen-w32-ntly-000000000000000\build\src\js\src\vm\nativeobject.cpp @ 1690]
00439b04 55d40b7e xul!js::baseops::SetPropertyHelper<0>(struct JSContext * cxArg = 0x1a087a80, class JS::Handle<js::NativeObject *> obj = class JS::Handle<js::NativeObject *>, class JS::Handle<JSObject *> receiver = class JS::Handle<JSObject *>, class JS::Handle<jsid> id = class JS::Handle<jsid>, js::baseops::QualifiedBool qualified = 0n67108929 (No matching enumerant), class JS::MutableHandle<JS::Value> vp = class JS::MutableHandle<JS::Value>, bool strict = false)+0x103 [c:\builds\moz2_slave\m-cen-w32-ntly-000000000000000\build\src\js\src\vm\nativeobject.cpp @ 2211]
00439b5c 309e6a60 xul!js::SetObjectElement(struct JSContext * cx = 0x1dc73d90, class JS::Handle<JSObject *> obj = class JS::Handle<JSObject *>, class JS::Handle<JS::Value> index = class JS::Handle<JS::Value>, class JS::Handle<JS::Value> value = class JS::Handle<JS::Value>, bool strict = false)+0x1be [c:\builds\moz2_slave\m-cen-w32-ntly-000000000000000\build\src\js\src\vm\interpreter.cpp @ 3821]
WARNING: Frame IP not in any known module. Following frames may be wrong.
00000000 00000000 0x309e6a60

I wasn't able to get a longer stack out of WinDBG, I can try some other tools to see if I can recover more. I saved off a minidump and a full-memory dump which I can provide if they'd be useful.
(Reporter)

Updated

3 years ago
Summary: Content process hang under js::SetObjectElement (with 100% cpu) → [e10s] Content process hang under js::SetObjectElement (with 100% cpu)

Comment 1

3 years ago
Could be a duplicate of bug 1085032 which has similar js::SetObjectElement signature on Linux ?
tracking-e10s: --- → m7+
Ted, have you seen this lately? We had a bunch of bugs like this a while ago (bug 1091705) but they've been cleared up.
tracking-e10s: m7+ → ?
Flags: needinfo?(ted)
(Reporter)

Comment 3

3 years ago
No, I haven't had a content process hang in a long time. Progress!
Status: NEW → RESOLVED
Last Resolved: 3 years ago
Flags: needinfo?(ted)
Resolution: --- → WORKSFORME
You need to log in before you can comment on or make changes to this bug.