Closed Bug 1124619 Opened 10 years ago Closed 10 years ago

Intermittent regress-360969-03.js | application crashed [@ js::ShapeTable::fixupAfterMovingGC()]

Categories

(Core :: JavaScript Engine, defect)

x86
Android
defect
Not set
normal

Tracking


RESOLVED FIXED
mozilla38
Tracking Status
firefox36 --- unaffected
firefox37 --- unaffected
firefox38 --- fixed
firefox-esr31 --- unaffected

People

(Reporter: cbook, Assigned: jonco)

References


Details

(Keywords: crash, intermittent-failure)

Attachments

(2 files)

Android armv7 API 9 mozilla-inbound opt test jsreftest-2
https://treeherder.mozilla.org/logviewer.html#?job_id=5763679&repo=mozilla-inbound

03:09:53 WARNING - PROCESS-CRASH | http://10.0.2.2:8854/jsreftest/tests/jsreftest.html?test=js1_5/Regress/regress-360969-03.js | application crashed [@ js::ShapeTable::fixupAfterMovingGC()]
03:09:53 INFO - Crash dump filename: /tmp/tmpkdouS8/06cef885-9cca-06c5-218d464f-5c75f3ee.dmp
03:09:53 INFO - Operating system: Android
03:09:53 INFO - 0.0.0 Linux 2.6.29-ge3d684d #1 Mon Dec 16 22:26:51 UTC 2013 armv7l generic/sdk/generic:2.3.7/GINGERBREAD/eng.ubuntu.20140123.014351:eng/test-keys
03:09:53 INFO - CPU: arm
03:09:53 INFO - 0 CPUs
03:09:53 INFO -
03:09:53 INFO - Crash reason: SIGSEGV
03:09:53 INFO - Crash address: 0x5a133fec
03:09:53 INFO -
03:09:53 INFO - Thread 29 (crashed)
03:09:53 INFO - 0 libxul.so!js::ShapeTable::fixupAfterMovingGC() [Shape.cpp:2c6305279bd6 : 266 + 0x6]
03:09:53 INFO - r4 = 0x5e200000 r5 = 0xbad0bad1 r6 = 0x5a0566c0 r7 = 0x00000020
03:09:53 INFO - r8 = 0x5a056840 r9 = 0x5a0567a0 r10 = 0x5a057000 fp = 0x46f726e0
03:09:53 INFO - sp = 0x5307fe08 lr = 0x4e6a3d13 pc = 0x4e738f88
03:09:53 INFO - Found by: given as instruction pointer in context
03:09:53 INFO - 1 libxul.so!UpdateCellPointers [Shape-inl.h:2c6305279bd6 : 231 + 0x3]
03:09:53 INFO - r4 = 0x0000000f r5 = 0x5307fe48 r6 = 0x5a0566c0 r7 = 0x00000020
03:09:53 INFO - r8 = 0x5a056840 r9 = 0x5a0567a0 r10 = 0x5a057000 fp = 0x46f726e0
03:09:53 INFO - sp = 0x5307fe10 pc = 0x4e6a3d13
03:09:53 INFO - Found by: call frame info
03:09:53 INFO - 2 libxul.so!js::gc::UpdateCellPointersTask::run() [jsgc.cpp:2c6305279bd6 : 2513 + 0x7]
03:09:53 INFO - r4 = 0x5a056000 r5 = 0x471ff4b8 r6 = 0x4eff37ec r7 = 0x00000000
03:09:53 INFO - r8 = 0x4e6701f5 r9 = 0x00000000 r10 = 0x00080000 fp = 0x46f726e0
03:09:53 INFO - sp = 0x5307fe40 pc = 0x4e6a7ab1
03:09:53 INFO - Found by: call frame info
03:09:53 INFO - 3 libxul.so!js::GCParallelTask::runFromHelperThread() [HelperThreads.cpp:2c6305279bd6 : 810 + 0x1]
03:09:53 INFO - r4 = 0xb24a6c26 r5 = 0x00050d3b r6 = 0x471ff4b8 r7 = 0x4eff37ec
03:09:53 INFO - r8 = 0x002aa228 r9 = 0x00000000 r10 = 0x00080000 fp = 0x46f726e0
03:09:53 INFO - sp = 0x5307fe78 pc = 0x4e70fcfb
03:09:53 INFO - Found by: call frame info
03:09:53 INFO - 4 libxul.so!js::HelperThread::threadLoop() [HelperThreads.cpp:2c6305279bd6 : 834 + 0x3]
03:09:53 INFO - r4 = 0x46f554a0 r5 = 0x00000000 r6 = 0x00000000 r7 = 0x000001e7
I guess this is probably CGC fallout? Adding a needinfo so we don't drop it.
Flags: needinfo?(jcoppeard)
(In reply to Terrence Cole [:terrence] from comment #47) This was triggered by CGC landing which added this fixup method. However the actual fixup is unnecessary since we don't move shapes yet, so all it should do is walk the shape table and not update anything. Instead it is crashing in a way that looks like it is touching deallocated memory. The obvious fix is to take this method out again but I'm loath to do that without understanding what the issue is here.
Assignee: nobody → jcoppeard
Flags: needinfo?(jcoppeard)
The problem is that base shapes' shape tables are not swept during GC. A base shape is only accessed via a shape, and these shape tables are only present when that shape is the last one on an object. Since marking a shape marks its parent, it's not possible to observe dead shapes in one of these tables when starting from a live shape. So the fact that a base shape's shape table can contain references to dead shapes doesn't matter as far as I can tell (or at least it's not causing us problems at the moment). Compacting GC traverses the entire heap to fix up references to relocated things, and thus can encounter these pointers to dead shapes. One solution is to sweep these tables. I wrote a patch to do that and it does fix the problem. The other is to remove the compacting GC fixup code, since it is only useful if we relocate shapes. Since we don't relocate shapes at the moment, I suggest we take this code out. If we start relocating shapes in the future we will have to replace it and add the code to sweep these tables.
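The invariant argued in the comment above (a lookup that starts from a live shape walks only marked ancestors, so stale entries in an unswept base-shape table are harmless until a heap-wide pass touches every entry) can be shown with a small model. The following is an added example, not SpiderMonkey code: Shape, BaseShape, ShapeTable, Heap and the mark/sweep/fixup functions are simplified stand-ins, and the single shared table per base shape and the `freed` flag (used instead of really releasing the cell, so the walk can count the use-after-free hits rather than crash) are assumptions of the model.

```cpp
// Toy model of unswept shape tables vs. a heap-wide fixup walk.
// Not SpiderMonkey code; all types and phases are simplified stand-ins.
#include <cassert>
#include <iterator>
#include <memory>
#include <unordered_map>
#include <vector>

struct Shape;

// Assumed: one table per base shape, property id -> shape defining it.
// Entries are added when shapes are created and, in the buggy variant,
// never removed.
struct ShapeTable {
    std::unordered_map<int, Shape*> entries;
};

struct BaseShape {
    ShapeTable table;
    bool marked = false;
};

struct Shape {
    int propId;
    Shape* parent;      // lineage: marking a shape marks its ancestors
    BaseShape* base;
    bool marked = false;
    bool freed = false; // stands in for the cell going back to the arena
};

struct Heap {
    std::vector<std::unique_ptr<Shape>> shapes;
    std::vector<std::unique_ptr<BaseShape>> bases;
    std::vector<Shape*> roots; // the last shape of each live object
};

static Shape* newShape(Heap& h, int propId, Shape* parent, BaseShape* base) {
    h.shapes.push_back(std::make_unique<Shape>());
    Shape* s = h.shapes.back().get();
    s->propId = propId;
    s->parent = parent;
    s->base = base;
    base->table.entries[propId] = s; // table entry added, never removed
    return s;
}

// Constructed heap: lineage x -> y -> z kept alive by one object, plus a
// dead branch x -> y -> w whose object has already gone away. All four
// shapes share one base shape, so its table holds an entry for w too.
static Heap buildHeap() {
    Heap h;
    h.bases.push_back(std::make_unique<BaseShape>());
    BaseShape* base = h.bases.back().get();
    Shape* x = newShape(h, 1, nullptr, base);
    Shape* y = newShape(h, 2, x, base);
    Shape* z = newShape(h, 3, y, base);
    newShape(h, 4, y, base); // w: nothing points at it any more
    h.roots.push_back(z);
    return h;
}

// Mark phase: a live last shape marks its whole ancestor chain and base.
static void mark(Heap& h) {
    for (Shape* s : h.roots)
        for (; s && !s->marked; s = s->parent) {
            s->marked = true;
            s->base->marked = true;
        }
}

// Sweep phase. With sweepTables == false (the situation described in the
// comment) entries pointing at dead shapes stay behind in the table.
static void sweep(Heap& h, bool sweepTables) {
    if (sweepTables)
        for (auto& b : h.bases)
            for (auto it = b->table.entries.begin(); it != b->table.entries.end();)
                it = it->second->marked ? std::next(it) : b->table.entries.erase(it);
    for (auto& s : h.shapes)
        if (!s->marked) s->freed = true;
}

// Property lookup as an object does it: walk the parent chain of a live
// shape. Every shape reached was marked, so a dead one is never observed.
static Shape* lookup(Shape* last, int propId) {
    for (Shape* s = last; s; s = s->parent)
        if (s->propId == propId) return s;
    return nullptr;
}

// What a heap-wide fixup pass does: touch every table entry regardless of
// reachability. Returns how many entries point at an already-freed shape.
static int fixupAllTables(const Heap& h) {
    int dangling = 0;
    for (const auto& b : h.bases)
        for (const auto& kv : b->table.entries)
            if (kv.second->freed) ++dangling;
    return dangling;
}

// One GC cycle over a fresh heap: 1 dangling entry without table sweeping,
// 0 with it.
static int danglingAfterGC(bool sweepTables) {
    Heap h = buildHeap();
    mark(h);
    sweep(h, sweepTables);
    return fixupAllTables(h);
}

// Same cycle without table sweeping, checked along the lookup path instead.
static bool lookupNeverSeesDead(int propId) {
    Heap h = buildHeap();
    mark(h);
    sweep(h, /*sweepTables=*/false);
    Shape* s = lookup(h.roots[0], propId);
    return s == nullptr || !s->freed;
}

int main() {
    assert(danglingAfterGC(false) == 1);
    assert(danglingAfterGC(true) == 0);
    assert(lookupNeverSeesDead(2));
    assert(lookupNeverSeesDead(4));
    return 0;
}
```

The two resolutions discussed in the bug map onto the two knobs here: sweeping the tables (`sweepTables == true`) makes the heap-wide walk safe, while dropping the walk altogether (not calling `fixupAllTables`) leaves the stale entries in place but never dereferences them, which is only acceptable as long as nothing else walks the table without starting from a live shape.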
Attachment #8560465 - Flags: review?(terrence)
For reference, a patch to sweep the shape tables.
Comment on attachment 8560465 [details] [diff] [review] dont-fixup-shape-table Review of attachment 8560465 [details] [diff] [review]: ----------------------------------------------------------------- The other patch seems like a much nicer cleanup, but I agree we're better off not taking the risk. Please do file a bug with the sweeping patch though so that we don't just drop it.
Attachment #8560465 - Flags: review?(terrence) → review+
Status: NEW → RESOLVED
Closed: 10 years ago
Resolution: --- → FIXED
Target Milestone: --- → mozilla38