Bug 1179264 - Assertion failure: entry->isMarkedFromAnyThread(rt), at js/src/jit/JitcodeMap.cpp:479
Status: RESOLVED FIXED (opened 10 years ago, closed 6 years ago)
Product / Component: Core :: JavaScript Engine (defect)
Tracking: firefox42 affected
People: Reporter: dholbert; Assignee: shu
Attachments (1 file): patch, 1.56 KB, terrence: review+
Just tried running with my normal everyday web-browsing profile, with a debug build, for the first time in a while.
While my browser session was coming up (after a window had appeared, I think), I hit a fatal assertion (below).
My debug build was built from yesterday's mozilla-central changeset 291614a686f. This is an e10s-disabled Firefox profile, with various add-ons (including Gecko Profiler, which I suspect may be involved here, based on "Profiling" in the stack and earlier GeckoProfiler-triggered JS issues I've run into in the past).
The assertion & stack:
Assertion failure: entry->isMarkedFromAnyThread(rt), at $SRC/js/src/jit/JitcodeMap.cpp:479
Program ./dist/bin/firefox (pid = 22275) received signal 11.
Stack:
#01: AsmJSFaultHandler(int, siginfo_t*, void*) ($SRC/js/src/asmjs/AsmJSSignalHandlers.cpp:1135)
#02: __restore_rt (sigaction.c:?)
#03: js::jit::JitcodeGlobalTable::lookupForSampler(void*, js::jit::JitcodeGlobalEntry*, JSRuntime*, unsigned int) ($SRC/js/src/jit/JitcodeMap.cpp:479 (discriminator 4))
#04: JS::ProfilingFrameIterator::getPhysicalFrameAndEntry(js::jit::JitcodeGlobalEntry*) const ($SRC/js/src/vm/Stack.cpp:1887)
#05: JS::ProfilingFrameIterator::getPhysicalFrameWithoutLabel() const ($SRC/js/src/vm/Stack.cpp:1943)
#06: mergeStacksIntoProfile(ThreadProfile&, TickSample*, NativeStack&) ($SRC/tools/profiler/TableTicker.cpp:786)
#07: TableTicker::doNativeBacktrace(ThreadProfile&, TickSample*) ($SRC/tools/profiler/TableTicker.cpp:1163)
#08: TableTicker::InplaceTick(TickSample*) ($SRC/tools/profiler/TableTicker.cpp:1213)
#09: TableTicker::Tick(TickSample*) ($SRC/tools/profiler/TableTicker.cpp:1194)
#10: (anonymous namespace)::ProfilerSignalHandler(int, siginfo_t*, void*) ($SRC/tools/profiler/platform-linux.cc:252)
#11: __restore_rt (sigaction.c:?)
#12: js::gc::IsInsideNursery(js::gc::Cell const*) ($OBJ/xpcom/base/../../dist/include/js/HeapAPI.h:323)
#13: js::gc::Cell::isTenured() const ($SRC/js/src/gc/Heap.h:221)
#14: JSObject::readBarrier(JSObject*) ($SRC/js/src/jsobj.h:621)
#15: js::InternalGCMethods<JSObject*>::readBarrier(JSObject*) ($SRC/js/src/gc/Barrier.h:246)
#16: void js::ReadBarrierFunctor<JS::Value>::operator()<JSObject>(JSObject*) ($SRC/js/src/gc/Barrier.cpp:74)
#17: _ZN2js18DispatchValueTypedINS_18ReadBarrierFunctorIN2JS5ValueEEEJEEEDTclfp_scP8JSObjectLDnEspclsr7mozillaE7ForwardIT0_Efp1_EEET_RKS3_DpOS7_ (/tmp/../../dist/include/js/Value.h:1876)
#18: js::InternalGCMethods<JS::Value>::readBarrier(JS::Value const&) ($SRC/js/src/gc/Barrier.h:295)
#19: js::ReadBarriered<JS::Value>::get() const ($SRC/js/src/gc/Barrier.h:628)
#20: js::gc::GCRuntime::beginSweepPhase(bool) ($SRC/js/src/jsgc.cpp:5091)
#21: js::gc::GCRuntime::incrementalCollectSlice(js::SliceBudget&, JS::gcreason::Reason) ($SRC/js/src/jsgc.cpp:5846)
#22: js::gc::GCRuntime::gcCycle(bool, js::SliceBudget&, JS::gcreason::Reason) ($SRC/js/src/jsgc.cpp:6045)
#23: js::gc::GCRuntime::collect(bool, js::SliceBudget, JS::gcreason::Reason) ($SRC/js/src/jsgc.cpp:6154)
#24: js::gc::GCRuntime::startGC(JSGCInvocationKind, JS::gcreason::Reason, long) ($SRC/js/src/jsgc.cpp:6224)
#25: js::gc::GCRuntime::maybePeriodicFullGC() ($SRC/js/src/jsgc.cpp:3177)
#26: JS_MaybeGC(JSContext*) ($SRC/js/src/jsapi.cpp:1533)
#27: ~AutoEntryScript ($SRC/dom/base/ScriptSettings.cpp:556)
#28: nsXPCWrappedJSClass::DelegatedQueryInterface(nsXPCWrappedJS*, nsID const&, void**) ($SRC/js/xpconnect/src/XPCWrappedJSClass.cpp:587)
#29: nsXPCWrappedJS::QueryInterface(nsID const&, void**) ($SRC/js/xpconnect/src/XPCWrappedJS.cpp:221)
#30: XPCConvert::JSObject2NativeInterface(void**, JS::Handle<JSObject*>, nsID const*, nsISupports*, nsresult*) ($SRC/js/xpconnect/src/XPCConvert.cpp:951)
#31: XPCConvert::JSData2Native(void*, JS::Handle<JS::Value>, nsXPTType const&, nsID const*, nsresult*) ($SRC/js/xpconnect/src/XPCConvert.cpp:713)
#32: CallMethodHelper::ConvertIndependentParam(unsigned char) ($SRC/js/xpconnect/src/XPCWrappedNative.cpp:1873)
#33: CallMethodHelper::ConvertIndependentParams(bool*) ($SRC/js/xpconnect/src/XPCWrappedNative.cpp:1762)
#34: CallMethodHelper::Call() ($SRC/js/xpconnect/src/XPCWrappedNative.cpp:1411)
#35: XPCWrappedNative::CallMethod(XPCCallContext&, XPCWrappedNative::CallMode) ($SRC/js/xpconnect/src/XPCWrappedNative.cpp:1384)
#36: XPC_WN_CallMethod(JSContext*, unsigned int, JS::Value*) ($SRC/js/xpconnect/src/XPCWrappedNativeJSOps.cpp:1144)
#37: js::CallJSNative(JSContext*, bool (*)(JSContext*, unsigned int, JS::Value*), JS::CallArgs const&) ($SRC/js/src/jscntxtinlines.h:235)
#38: js::Invoke(JSContext*, JS::CallArgs, js::MaybeConstruct) ($SRC/js/src/vm/Interpreter.cpp:709)
#39: js::Invoke(JSContext*, JS::Value const&, JS::Value const&, unsigned int, JS::Value const*, JS::MutableHandle<JS::Value>) ($SRC/js/src/vm/Interpreter.cpp:766)
#40: js::DirectProxyHandler::call(JSContext*, JS::Handle<JSObject*>, JS::CallArgs const&) const ($SRC/js/src/proxy/DirectProxyHandler.cpp:77)
#41: js::CrossCompartmentWrapper::call(JSContext*, JS::Handle<JSObject*>, JS::CallArgs const&) const ($SRC/js/src/proxy/CrossCompartmentWrapper.cpp:289)
#42: js::Proxy::call(JSContext*, JS::Handle<JSObject*>, JS::CallArgs const&) ($SRC/js/src/proxy/Proxy.cpp:391)
#43: js::proxy_Call(JSContext*, unsigned int, JS::Value*) ($SRC/js/src/proxy/Proxy.cpp:697)
#44: js::CallJSNative(JSContext*, bool (*)(JSContext*, unsigned int, JS::Value*), JS::CallArgs const&) ($SRC/js/src/jscntxtinlines.h:235)
#45: js::Invoke(JSContext*, JS::CallArgs, js::MaybeConstruct) ($SRC/js/src/vm/Interpreter.cpp:697)
#46: Interpret(JSContext*, js::RunState&) ($SRC/js/src/vm/Interpreter.cpp:2957)
#47: js::RunScript(JSContext*, js::RunState&) ($SRC/js/src/vm/Interpreter.cpp:653)
#48: js::Invoke(JSContext*, JS::CallArgs, js::MaybeConstruct) ($SRC/js/src/vm/Interpreter.cpp:729)
#49: js::Invoke(JSContext*, JS::Value const&, JS::Value const&, unsigned int, JS::Value const*, JS::MutableHandle<JS::Value>) ($SRC/js/src/vm/Interpreter.cpp:766)
#50: js::DirectProxyHandler::call(JSContext*, JS::Handle<JSObject*>, JS::CallArgs const&) const ($SRC/js/src/proxy/DirectProxyHandler.cpp:77)
#51: js::CrossCompartmentWrapper::call(JSContext*, JS::Handle<JSObject*>, JS::CallArgs const&) const ($SRC/js/src/proxy/CrossCompartmentWrapper.cpp:289)
#52: js::Proxy::call(JSContext*, JS::Handle<JSObject*>, JS::CallArgs const&) ($SRC/js/src/proxy/Proxy.cpp:391)
#53: js::proxy_Call(JSContext*, unsigned int, JS::Value*) ($SRC/js/src/proxy/Proxy.cpp:697)
#54: js::CallJSNative(JSContext*, bool (*)(JSContext*, unsigned int, JS::Value*), JS::CallArgs const&) ($SRC/js/src/jscntxtinlines.h:235)
#55: js::Invoke(JSContext*, JS::CallArgs, js::MaybeConstruct) ($SRC/js/src/vm/Interpreter.cpp:697)
#56: js::SpreadCallOperation(JSContext*, JS::Handle<JSScript*>, unsigned char*, JS::Handle<JS::Value>, JS::Handle<JS::Value>, JS::Handle<JS::Value>, JS::Handle<JS::Value>, JS::MutableHandle<JS::Value>) ($SRC/js/src/vm/Interpreter.cpp:4602)
#57: js::jit::DoSpreadCallFallback(JSContext*, js::jit::BaselineFrame*, js::jit::ICCall_Fallback*, JS::Value*, JS::MutableHandle<JS::Value>) ($SRC/js/src/jit/BaselineIC.cpp:9917)
#58: ??? (???:???)
Sleeping for 300 seconds.
Type 'gdb ./dist/bin/firefox 22275' to attach your debugger to this thread.
Done sleeping...
Shu, 'hg blame' says you added this assertion. Any ideas?
Comment 1 (Assignee) • 10 years ago
I don't know what's wrong from the stack. I've seen this very rarely in the past and didn't make any headway debugging.
How reproducible is this for you?
Comment 2 (Reporter) • 10 years ago
I hit it once. I'll see if I can hit it again. If I hit it again & trap it in gdb, would that be useful?
Comment 3 (Assignee) • 10 years ago
(In reply to Daniel Holbert [:dholbert] from comment #2)
> I hit it once. I'll see if I can hit it again. If I hit it again & trap it
> in gdb, would that be useful?
Possibly, yeah. Is this a debug opt build, or a debug no-opt build?
Comment 4 (Reporter) • 10 years ago
debug no-opt
Comment 5 (Reporter) • 10 years ago
(In reply to Daniel Holbert [:dholbert] from comment #2)
> I hit it once. I'll see if I can hit it again.
(haven't been able to hit it again, so far, btw)
Comment 6 (Assignee) • 10 years ago
jonco helped me debug the stack dholbert posted. It looks like the mark sweep phase is getting interrupted, during which time the iterative marking of the jitcode map may not yet have finished, or run at all.

Change the logic of the assertion to only assert during finalization.
Attachment #8628476 - Flags: review?(terrence)

Updated • 10 years ago
Attachment #8628476 - Flags: review?(terrence) → review+
Updated (Assignee) • 10 years ago

Comment 8 (Assignee) • 10 years ago
dholbert, let me know if you still reproduce with the new patch.
Comment 9 (Reporter) • 10 years ago
Will do. Thanks!
(Though, keep in mind that I've only been able to reproduce this once. So, if I (hopefully) can't repro this after the patch lands, that's only a weak data point.)
Comment 10 (Jon Coppeard [:jonco]) • 10 years ago
(In reply to Shu-yu Guo [:shu] from comment #6)
I realised after our IRC conversation that the right thing to do is to check zone->isGCSweeping(), but this is fine too.
Comment 11 • 10 years ago
Comment 12 (Assignee) • 10 years ago
(In reply to Jon Coppeard (:jonco) from comment #10)
> (In reply to Shu-yu Guo [:shu] from comment #6)
> I realised after our IRC conversation that the right thing to do is to check
> zone->isGCSweeping(), but the this is fine too.
Well, it's crucial that this assertion isn't tried during sweep-marking (the iterative weak marking thing). Does isGCSweeping() ignore that subphase of sweeping?
Comment 13 • 10 years ago
(In reply to Shu-yu Guo [:shu] from comment #12)
Yes, we only set the zone state to sweeping after that marking work is complete.
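The exchange in comments 6, 12 and 13 comes down to one point: a sampling profiler's signal handler can land at any instruction of the collector, so an assertion about mark bits is only meaningful in a phase where marking has already finished. The block below is an added example, not SpiderMonkey code, that models that race in a few dozen lines. Runtime, GCPhase, JitcodeEntry, the two lookupForSampler* variants and the table contents are hypothetical stand-ins for the real JitcodeGlobalTable machinery; the "gated" variant mirrors the zone->isGCSweeping() check jonco proposes, and the profiler interrupt is modelled as a deterministic call rather than a real SIGPROF so the result can be checked.

```cpp
// Added example, not SpiderMonkey code: a minimal model of the race described
// in comment 6 and the phase check from comment 13. Runtime, GCPhase,
// JitcodeEntry and the two lookupForSampler* functions are hypothetical
// stand-ins for the real JitcodeGlobalTable machinery.
#include <atomic>
#include <cstdint>
#include <vector>

// Phases of one collection cycle, in order. The mark bits on jitcode entries
// are only final once IterativeWeakMarking has completed.
enum class GCPhase { None, Marking, IterativeWeakMarking, Sweeping };

struct JitcodeEntry {
  std::uintptr_t start;
  std::uintptr_t end;
  bool marked;  // written by the collector, read by the sampler
};

struct Runtime {
  std::atomic<GCPhase> phase{GCPhase::None};
  std::vector<JitcodeEntry> table;
  // Mirrors the check jonco suggests: true only after the weak-marking
  // work is done, so a sampler that sees this can trust the mark bits.
  bool isGCSweeping() const { return phase.load() == GCPhase::Sweeping; }
};

// What the sampler would have asserted on: found says whether pc hit a
// table entry, invariantHolds is the value of the "entry is marked" check.
struct SamplerResult {
  bool found;
  bool invariantHolds;
};

static const JitcodeEntry* findEntry(const Runtime& rt, std::uintptr_t pc) {
  for (const auto& e : rt.table) {
    if (pc >= e.start && pc < e.end) return &e;
  }
  return nullptr;
}

// Ungated shape: checks the mark bit whenever any collection is in progress.
// If the profiler's signal lands while marking is still iterating, a live
// entry can legitimately be unmarked and the check fires spuriously.
SamplerResult lookupForSamplerUngated(const Runtime& rt, std::uintptr_t pc) {
  const JitcodeEntry* e = findEntry(rt, pc);
  if (!e) return {false, true};
  bool collecting = rt.phase.load() != GCPhase::None;
  return {true, !collecting || e->marked};
}

// Gated shape: evaluate the mark bit only once the zone is sweeping, i.e.
// after marking has finished. A live (on-stack) entry that is still unmarked
// at that point is a real invariant violation, which is what the assertion
// was meant to catch.
SamplerResult lookupForSamplerGated(const Runtime& rt, std::uintptr_t pc) {
  const JitcodeEntry* e = findEntry(rt, pc);
  if (!e) return {false, true};
  return {true, !rt.isGCSweeping() || e->marked};
}

// Drive a cycle step by step and take one sample at the requested point,
// returning the invariant value the sampler would have asserted on.
// sampleDuringWeakMarking models the profiler signal interrupting the
// collector mid-marking, as in the stack posted in the description.
bool simulate(bool gated, bool sampleDuringWeakMarking) {
  Runtime rt;
  // Constructed table: two code ranges, nothing marked before the cycle.
  rt.table = {{0x1000, 0x2000, false}, {0x3000, 0x4000, false}};
  const std::uintptr_t pcOnStack = 0x1800;  // sampler's pc sits in entry 0

  auto sample = [&]() {
    return gated ? lookupForSamplerGated(rt, pcOnStack)
                 : lookupForSamplerUngated(rt, pcOnStack);
  };

  rt.phase.store(GCPhase::Marking);
  rt.table[1].marked = true;  // strongly reachable code is marked first

  rt.phase.store(GCPhase::IterativeWeakMarking);
  if (sampleDuringWeakMarking) return sample().invariantHolds;

  rt.table[0].marked = true;  // weak marking reaches entry 0 later
  rt.phase.store(GCPhase::Sweeping);
  return sample().invariantHolds;
}
```

With the ungated check, a sample taken while weak marking is still running reports the invariant as violated even though entry 0 is live and will be marked a moment later; the gated check defers the question until the phase where the answer is trustworthy and still catches a genuinely unmarked live entry during sweeping.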
Comment 14 • 6 years ago
The leave-open keyword is there and there is no activity for 6 months.
:sdetar, maybe it's time to close this bug?
Flags: needinfo?(sdetar)
Comment 15 • 6 years ago
Jon, any thoughts on what to do with this old bug? Close?
Flags: needinfo?(sdetar) → needinfo?(jcoppeard)
Comment 16 • 6 years ago
Yes, this is fixed.
Status: ASSIGNED → RESOLVED
Closed: 6 years ago
Flags: needinfo?(jcoppeard)
Resolution: --- → FIXED
Updated • 6 years ago
Keywords: leave-open