Closed Bug 1150714 Opened 9 years ago Closed 9 years ago

crash during talos profiling dromaeo [@ js::PutEscapedStringImpl(char*, unsigned int, _IO_FILE*, JSLinearString*, unsigned int)]

Categories

(Core :: JavaScript Engine: JIT, defect)

All
Linux
defect
Not set
normal

Tracking

RESOLVED FIXED
mozilla40
Tracking Status
firefox40 --- fixed

People

(Reporter: mstange, Assigned: shu)

Details

Attachments

(2 files)

Steps to reproduce:
 1. Apply the patch from bug 1141712 (might not be necessary)
 2. Push to try with
    "try: -b o -p linux,linux64 -u none -t all mozharness: --spsProfile"

Example push here: https://treeherder.mozilla.org/#/jobs?repo=try&revision=2085b3f8192b

This try push includes the patch for bug 1148069; it's based on https://hg.mozilla.org/mozilla-central/rev/35046df9df1f.

Crash stack:

14:47:45     INFO -  CPU: x86
14:47:45     INFO -       GenuineIntel family 6 model 30 stepping 5
14:47:45     INFO -       8 CPUs
14:47:45     INFO -  Crash reason:  SIGSEGV
14:47:45     INFO -  Crash address: 0x0
14:47:45     INFO -  Thread 0 (crashed)
14:47:45     INFO -   0  libxul.so!js::PutEscapedStringImpl(char*, unsigned int, _IO_FILE*, JSLinearString*, unsigned int) [ArrayBufferObject.cpp:2085b3f8192b : 1566 + 0x0]
14:47:45     INFO -      eip = 0xb52f250d   esp = 0xbf8f2e50   ebp = 0xbf8f2e78   ebx = 0xb6e71064
14:47:45     INFO -      esi = 0x00001000   edi = 0xbf8f3108   eax = 0x00000000   ecx = 0x00000000
14:47:45     INFO -      edx = 0x9b3f0ea0   efl = 0x00010286
14:47:45     INFO -      Found by: given as instruction pointer in context
14:47:45     INFO -   1  libxul.so!js::jit::IonTrackedOptimizationsTypeInfo::ForEachOpAdapter::readType(js::jit::IonTrackedTypeWithAddendum const&) [jsstr.h:2085b3f8192b : 367 + 0x35]
14:47:45     INFO -      eip = 0xb51755c6   esp = 0xbf8f2e80   ebp = 0xbf8f30c8   ebx = 0xb6e71064
14:47:45     INFO -      esi = 0x00001000   edi = 0xbf8f3108
14:47:45     INFO -      Found by: call frame info
14:47:45     INFO -   2  libxul.so!JS::ForEachTrackedOptimizationTypeInfo(JSRuntime*, void*, unsigned char, JS::ForEachTrackedOptimizationTypeInfoOp&) [OptimizationTracking.cpp:2085b3f8192b : 486 + 0xe]
14:47:45     INFO -      eip = 0xb518c93a   esp = 0xbf8f30d0   ebp = 0xbf8f3158   ebx = 0xb6e71064
14:47:45     INFO -      esi = 0x947afc5f   edi = 0x94dfeee0
14:47:45     INFO -      Found by: call frame info
14:47:45     INFO -   3  libxul.so!UniqueJITOptimizations::stream(JSStreamWriter&, JSRuntime*) [ProfileEntry.cpp:2085b3f8192b : 332 + 0x11]
14:47:45     INFO -      eip = 0xb49336ef   esp = 0xbf8f3160   ebp = 0xbf8f31c8   ebx = 0xb6e71064
14:47:45     INFO -      esi = 0xbf8f3294   edi = 0x0000000d
14:47:45     INFO -      Found by: call frame info
14:47:45     INFO -   4  libxul.so!ThreadProfile::StreamJSObject(JSStreamWriter&) [ProfileEntry.cpp:2085b3f8192b : 671 + 0x15]
14:47:45     INFO -      eip = 0xb49366f5   esp = 0xbf8f31d0   ebp = 0xbf8f3228   ebx = 0xb6e71064
14:47:45     INFO -      esi = 0xbf8f3294   edi = 0xa0779a60
14:47:45     INFO -      Found by: call frame info
14:47:45     INFO -   5  libxul.so!TableTicker::StreamJSObject(JSStreamWriter&) [TableTicker.cpp:2085b3f8192b : 354 + 0x7]
14:47:45     INFO -      eip = 0xb4936854   esp = 0xbf8f3230   ebp = 0xbf8f3278   ebx = 0xb6e71064
14:47:45     INFO -      esi = 0xbf8f3294   edi = 0x00000000
14:47:45     INFO -      Found by: call frame info
14:47:45     INFO -   6  libxul.so!TableTicker::ToStreamAsJSON(std::ostream&) [TableTicker.cpp:2085b3f8192b : 224 + 0xa]
14:47:45     INFO -      eip = 0xb4936a92   esp = 0xbf8f3280   ebp = 0xbf8f32d8   ebx = 0xb6e71064
14:47:45     INFO -      esi = 0xbf8f3294   edi = 0xa6e80d20
14:47:45     INFO -      Found by: call frame info
14:47:45     INFO -   7  libxul.so!mozilla_sampler_save_profile_to_file(char const*) [platform.cpp:2085b3f8192b : 594 + 0x8]
14:47:45     INFO -      eip = 0xb493b66a   esp = 0xbf8f32e0   ebp = 0xbf8f3428   ebx = 0xb6e71064
14:47:45     INFO -      esi = 0xbf8f32fc   edi = 0xa6e80d20
14:47:45     INFO -      Found by: call frame info
Flags: needinfo?(shu)
Stupid bug.

I think these crashes are caused by trying to stringify functions that just have no displayAtom().
Assignee: nobody → shu
Status: NEW → ASSIGNED
Flags: needinfo?(shu)
Attachment #8587839 - Flags: review?(kvijayan)
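A simplified model of the failure suspected in the comment above, as an added example (not SpiderMonkey code and not the patch attached to this bug): a bounded string escaper that requires a non-null string, and a caller that checks for a missing display name before calling it. `ModelFunction`, `putEscaped`, `describeFunction` and the `<anonymous>` placeholder are hypothetical names chosen for illustration.

```cpp
#include <cstddef>
#include <cstdio>
#include <string>

// Hypothetical stand-in for a JS function; displayAtom is nullptr when the
// function has no display name (the case the comment above suspects).
struct ModelFunction {
    const std::string* displayAtom;
};

// Escape `str` into `buf` (capacity `size`), always NUL-terminating.
// Taking a reference makes "non-null" part of the signature, so the null
// check has to happen in the caller. Returns bytes written, excluding NUL.
size_t putEscaped(char* buf, size_t size, const std::string& str) {
    if (size == 0) return 0;
    size_t n = 0;
    for (unsigned char c : str) {
        char esc[5];
        int len;
        if (c == '"' || c == '\\') {
            len = std::snprintf(esc, sizeof esc, "\\%c", c);
        } else if (c < 0x20 || c >= 0x7f) {
            len = std::snprintf(esc, sizeof esc, "\\x%02X", static_cast<unsigned>(c));
        } else {
            esc[0] = static_cast<char>(c);
            len = 1;
        }
        if (n + static_cast<size_t>(len) >= size) break;  // never split an escape
        for (int i = 0; i < len; i++) buf[n++] = esc[i];
    }
    buf[n] = '\0';
    return n;
}

// Guarded caller: an absent name gets a placeholder instead of being
// handed to the escaper. "<anonymous>" is a constructed placeholder.
std::string describeFunction(const ModelFunction& fn) {
    if (!fn.displayAtom) return "<anonymous>";
    char buf[64];
    putEscaped(buf, sizeof buf, *fn.displayAtom);
    return buf;
}

int main() {
    std::string name = "on\"load";  // constructed sample name
    std::printf("%s\n", describeFunction({&name}).c_str());
    std::printf("%s\n", describeFunction({nullptr}).c_str());
    return 0;
}
```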
I saw once an assertion about a JitcodeGlobalEntry not being marked while debugging this, and was never able to reproduce it again either on try or locally.

While staring at the code, I realized we should also mark and sweep IC entries. I had originally thought, perhaps incorrectly, that the parent frame (that is, the immediately older frame) of IC frames is the rejoin frame. But that's actually not true, is it?
Attachment #8587841 - Flags: review?(kvijayan)
Attachment #8587839 - Flags: review?(kvijayan) → review+
(In reply to Shu-yu Guo [:shu] from comment #2)
> While staring at the code, I realized we should also mark and sweep IC
> entries. I had originally thought, perhaps incorrectly, that the parent
> frame (that is, the immediately older frame) of IC frames is the rejoin
> frame. But that's actually not true, is it?

Correct.  The IC frame and rejoin frame are the same frame.
Attachment #8587841 - Flags: review?(kvijayan) → review+
https://hg.mozilla.org/mozilla-central/rev/7483bfca580c
https://hg.mozilla.org/mozilla-central/rev/e220e126ee6c
Status: ASSIGNED → RESOLVED
Closed: 9 years ago
Resolution: --- → FIXED
Target Milestone: --- → mozilla40