Bug 1150714
Opened 9 years ago
Closed 9 years ago
crash during talos profiling dromaeo [@ js::PutEscapedStringImpl(char*, unsigned int, _IO_FILE*, JSLinearString*, unsigned int)]
Categories: Core :: JavaScript Engine: JIT, defect
Tracking: RESOLVED FIXED, target milestone mozilla40

Release | Tracking | Status
---|---|---
firefox40 | --- | fixed
People: Reporter: mstange, Assigned: shu
Attachments (2 files):
- 1.59 KB, patch, djvj: review+
- 3.62 KB, patch, djvj: review+
Steps to reproduce:
1. Apply the patch from bug 1141712 (might not be necessary)
2. Push to try with "try: -b o -p linux,linux64 -u none -t all mozharness: --spsProfile"

Example push here: https://treeherder.mozilla.org/#/jobs?repo=try&revision=2085b3f8192b

This try push includes the patch for bug 1148069, it's based on https://hg.mozilla.org/mozilla-central/rev/35046df9df1f .

Crash stack:
14:47:45 INFO - CPU: x86
14:47:45 INFO - GenuineIntel family 6 model 30 stepping 5
14:47:45 INFO - 8 CPUs
14:47:45 INFO - Crash reason: SIGSEGV
14:47:45 INFO - Crash address: 0x0
14:47:45 INFO - Thread 0 (crashed)
14:47:45 INFO - 0 libxul.so!js::PutEscapedStringImpl(char*, unsigned int, _IO_FILE*, JSLinearString*, unsigned int) [ArrayBufferObject.cpp:2085b3f8192b : 1566 + 0x0]
14:47:45 INFO - eip = 0xb52f250d esp = 0xbf8f2e50 ebp = 0xbf8f2e78 ebx = 0xb6e71064
14:47:45 INFO - esi = 0x00001000 edi = 0xbf8f3108 eax = 0x00000000 ecx = 0x00000000
14:47:45 INFO - edx = 0x9b3f0ea0 efl = 0x00010286
14:47:45 INFO - Found by: given as instruction pointer in context
14:47:45 INFO - 1 libxul.so!js::jit::IonTrackedOptimizationsTypeInfo::ForEachOpAdapter::readType(js::jit::IonTrackedTypeWithAddendum const&) [jsstr.h:2085b3f8192b : 367 + 0x35]
14:47:45 INFO - eip = 0xb51755c6 esp = 0xbf8f2e80 ebp = 0xbf8f30c8 ebx = 0xb6e71064
14:47:45 INFO - esi = 0x00001000 edi = 0xbf8f3108
14:47:45 INFO - Found by: call frame info
14:47:45 INFO - 2 libxul.so!JS::ForEachTrackedOptimizationTypeInfo(JSRuntime*, void*, unsigned char, JS::ForEachTrackedOptimizationTypeInfoOp&) [OptimizationTracking.cpp:2085b3f8192b : 486 + 0xe]
14:47:45 INFO - eip = 0xb518c93a esp = 0xbf8f30d0 ebp = 0xbf8f3158 ebx = 0xb6e71064
14:47:45 INFO - esi = 0x947afc5f edi = 0x94dfeee0
14:47:45 INFO - Found by: call frame info
14:47:45 INFO - 3 libxul.so!UniqueJITOptimizations::stream(JSStreamWriter&, JSRuntime*) [ProfileEntry.cpp:2085b3f8192b : 332 + 0x11]
14:47:45 INFO - eip = 0xb49336ef esp = 0xbf8f3160 ebp = 0xbf8f31c8 ebx = 0xb6e71064
14:47:45 INFO - esi = 0xbf8f3294 edi = 0x0000000d
14:47:45 INFO - Found by: call frame info
14:47:45 INFO - 4 libxul.so!ThreadProfile::StreamJSObject(JSStreamWriter&) [ProfileEntry.cpp:2085b3f8192b : 671 + 0x15]
14:47:45 INFO - eip = 0xb49366f5 esp = 0xbf8f31d0 ebp = 0xbf8f3228 ebx = 0xb6e71064
14:47:45 INFO - esi = 0xbf8f3294 edi = 0xa0779a60
14:47:45 INFO - Found by: call frame info
14:47:45 INFO - 5 libxul.so!TableTicker::StreamJSObject(JSStreamWriter&) [TableTicker.cpp:2085b3f8192b : 354 + 0x7]
14:47:45 INFO - eip = 0xb4936854 esp = 0xbf8f3230 ebp = 0xbf8f3278 ebx = 0xb6e71064
14:47:45 INFO - esi = 0xbf8f3294 edi = 0x00000000
14:47:45 INFO - Found by: call frame info
14:47:45 INFO - 6 libxul.so!TableTicker::ToStreamAsJSON(std::ostream&) [TableTicker.cpp:2085b3f8192b : 224 + 0xa]
14:47:45 INFO - eip = 0xb4936a92 esp = 0xbf8f3280 ebp = 0xbf8f32d8 ebx = 0xb6e71064
14:47:45 INFO - esi = 0xbf8f3294 edi = 0xa6e80d20
14:47:45 INFO - Found by: call frame info
14:47:45 INFO - 7 libxul.so!mozilla_sampler_save_profile_to_file(char const*) [platform.cpp:2085b3f8192b : 594 + 0x8]
14:47:45 INFO - eip = 0xb493b66a esp = 0xbf8f32e0 ebp = 0xbf8f3428 ebx = 0xb6e71064
14:47:45 INFO - esi = 0xbf8f32fc edi = 0xa6e80d20
14:47:45 INFO - Found by: call frame info
Updated • 9 years ago (Reporter)
Flags: needinfo?(shu)
Comment 1 • 9 years ago (Assignee)
Stupid bug. I think these crashes are caused by trying to stringify functions that just have no displayAtom().
Assignee: nobody → shu
Status: NEW → ASSIGNED
Flags: needinfo?(shu)
Attachment #8587839 -
Flags: review?(kvijayan)
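The failure described in comment 1, a null pointer reaching a string-escaping routine because the function being stringified has no displayAtom(), modelled as an added C++ example. This is not SpiderMonkey code and is not from this bug's patches: LinearString, Function, putEscapedString, the demo inputs and the "(anonymous)" placeholder are simplified stand-ins chosen here. It shows the unchecked caller, which dereferences a null name (the read of the first member of a null struct is what produces a crash address of 0x0), next to a checked caller that handles the missing-name case before escaping.

```cpp
// Added illustration, not SpiderMonkey code. The types below are stand-ins
// (assumptions) for JSLinearString, JSFunction::displayAtom() and
// PutEscapedStringImpl, reduced to what is needed to show the null-name bug
// and the fix pattern.
#include <cstddef>
#include <cstdio>
#include <string>

// Stand-in for JSLinearString: a plain NUL-terminated buffer. (Assumption.)
struct LinearString {
    const char* chars;
};

// Stand-in for a JIT function record. displayAtom() may legitimately be null
// for anonymous functions, which is the case comment 1 points at. (Assumption.)
struct Function {
    const LinearString* displayAtom;
    const LinearString* getDisplayAtom() const { return displayAtom; }
};

// Escape a string for embedding in a JSON-style profile dump: quotes and
// backslashes are backslash-escaped, control characters become \xNN.
// Plays the role of PutEscapedStringImpl; the escaping rules are ours.
static std::string putEscapedString(const LinearString* str) {
    std::string out;
    out.push_back('"');
    // Reads str->chars: with str == nullptr this faults at address 0.
    for (const char* p = str->chars; *p; ++p) {
        unsigned char c = static_cast<unsigned char>(*p);
        if (c == '"' || c == '\\') {
            out.push_back('\\');
            out.push_back(static_cast<char>(c));
        } else if (c < 0x20) {
            char buf[8];
            std::snprintf(buf, sizeof buf, "\\x%02x", static_cast<unsigned>(c));
            out += buf;
        } else {
            out.push_back(static_cast<char>(c));
        }
    }
    out.push_back('"');
    return out;
}

// Buggy caller: assumes every function has a display name. Passing an
// anonymous function hands a null pointer to the escaper (SIGSEGV, address 0x0).
static std::string stringifyFunctionUnchecked(const Function& fn) {
    return putEscapedString(fn.getDisplayAtom());
}

// Fixed caller: deal with "no displayAtom" explicitly before escaping.
static std::string stringifyFunctionChecked(const Function& fn) {
    const LinearString* name = fn.getDisplayAtom();
    if (!name) {
        return "\"(anonymous)\"";  // placeholder label; the text is our choice
    }
    return putEscapedString(name);
}

// Constructed sample inputs for the demonstration (not taken from the bug).
static std::string demoNamed() {
    LinearString name{"a\"b\\c\001"};  // quote, backslash and a control byte
    Function fn{&name};
    return stringifyFunctionChecked(fn);
}

static std::string demoAnonymous() {
    Function anon{nullptr};  // the case that crashed the profiler
    return stringifyFunctionChecked(anon);
}

int main() {
    std::printf("%s\n", demoNamed().c_str());      // "a\"b\\c\x01"
    std::printf("%s\n", demoAnonymous().c_str());  // "(anonymous)"
    // stringifyFunctionUnchecked(Function{nullptr}) would dereference null.
    (void)stringifyFunctionUnchecked;
    return 0;
}
```

The check belongs in the caller that knows a missing name is a legitimate state, not in the escaper, which has no sensible output for a null string; that matches the shape of the fix described in comment 1.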
Comment 2 • 9 years ago (Assignee)
I saw once an assertion about a JitcodeGlobalEntry not being marked while debugging this, and was never able to reproduce it again either on try or locally. While staring at the code, I realized we should also mark and sweep IC entries. I had originally thought, perhaps incorrectly, that the parent frame (that is, the immediately older frame) of IC frames is the rejoin frame. But that's actually not true, is it?
Attachment #8587841 -
Flags: review?(kvijayan)
Comment 3 • 9 years ago (Assignee)
Try is green with a few retriggers: https://treeherder.mozilla.org/#/jobs?repo=try&revision=de5b9a699e86
Updated • 9 years ago
Attachment #8587839 -
Flags: review?(kvijayan) → review+
Comment 4 • 9 years ago
(In reply to Shu-yu Guo [:shu] from comment #2)
> While staring at the code, I realized we should also mark and sweep IC
> entries. I had originally thought, perhaps incorrectly, that the parent
> frame (that is, the immediately older frame) of IC frames is the rejoin
> frame. But that's actually not true, is it?

Correct. The IC frame and rejoin frame are the same frame.
Updated • 9 years ago
Attachment #8587841 -
Flags: review?(kvijayan) → review+
Comment 5 • 9 years ago
https://hg.mozilla.org/mozilla-central/rev/7483bfca580c
https://hg.mozilla.org/mozilla-central/rev/e220e126ee6c
Status: ASSIGNED → RESOLVED
Closed: 9 years ago
Resolution: --- → FIXED
Target Milestone: --- → mozilla40