Closed
Bug 1180954
Opened 9 years ago
Closed 9 years ago
Crash in JS:CollectRuntimeStats while stability testing
Categories
(Core :: JavaScript Engine, defect, P2)
Tracking
RESOLVED DUPLICATE of bug 1132502
blocking-b2g: 2.2?
People
(Reporter: ggrisco, Assigned: terrence)
Details
(Keywords: crash, Whiteboard: [b2g-crash][caf-crash 643][caf priority: p1][CR 848251])
Attachments
(11 files)
146.55 KB, text/plain
495.20 KB, text/plain
146.55 KB, text/plain
495.20 KB, text/plain
133.30 KB, text/plain
433.63 KB, text/plain
136.63 KB, text/plain
447.76 KB, text/plain
140.39 KB, text/plain
366.67 KB, text/plain
24.00 KB, application/gzip
Saw this stack trace while running stability tests overnight:
[@ AddClassInfo | StatsCellCallback<(Granularity)0u> | IterateCompartmentsArenasCells | js::IterateZonesCompartmentsArenasCells ]
cafbot will upload the logs.
Comment 1•9 years ago
Comment 2•9 years ago
Updated•9 years ago
Whiteboard: [CR 848251] → [caf priority: p1][CR 848251]
Updated•9 years ago
Whiteboard: [caf priority: p1][CR 848251] → [b2g-crash][caf-crash 643][caf priority: p1][CR 848251]
Comment 3•9 years ago
Observed on:
Device: msm8909
Gonk Version: AU_LINUX_GECKO_LF.BR.1.2.3.00.00.00.000.196
Moz BuildID: 20150606002503
Manifest: https://www.codeaurora.org/cgit/quic/lf/b2g/manifest/tree/caf_AU_LINUX_GECKO_LF.BR.1.2.3.00.00.00.000.196.xml?h=release
B2G Version: v2.2
Gecko Version: 37.0
Gaia: http://git.mozilla.org/?p=releases/gaia.git;a=commit;h=8fc797527a3eca7665bc1d1828848f2fb77ca99f
Gecko: http://git.mozilla.org/?p=releases/gecko.git;a=commit;h=e0045f9c8b7e84fc52ba628141688c8ecb4b7a52
Patches: bug 1133147, bug 1167799, bug 1162663
Comment 4•9 years ago
Comment 5•9 years ago
Comment 6•9 years ago
Looks like a use after free accessing the contents of a BaseShape's JSClass.
Comment 7•9 years ago
Naveed/Jon, Your help is appreciated with this stability bug. If you need further info, feel free to ping ggrisco or ikumar from CAF (Also NI Josh Cheng - 2.2 RM to triage and track 2.2 crash issues) Thanks Hema
Flags: needinfo?(nihsanullah)
Flags: needinfo?(joshcheng)
Flags: needinfo?(jcoppeard)
Updated•9 years ago
Flags: needinfo?(jcoppeard)
Comment 8•9 years ago
It seems there have been no dynamically allocated JSClasses since FF31 (bug 990290), so not UAF of a JSClass. Does this happen every time? Is it possible to reproduce?
Flags: needinfo?(ggrisco)
Comment 9•9 years ago
jonco is active here so pulling off the needinfo on me
Flags: needinfo?(nihsanullah)
Reporter
Comment 10•9 years ago
(In reply to Jon Coppeard (:jonco) from comment #8)
> It seems there have been no dynamically allocated JSClasses since FF31 (bug
> 990290), so not UAF of a JSClass.
>
> Does this happen every time? Is it possible to reproduce?
So far we only saw this crash one time on AU 196 after many hours of test, so it's not easily reproduced.
Flags: needinfo?(ggrisco)
Updated•9 years ago
Flags: needinfo?(joshcheng) → needinfo?(jocheng)
Comment 11•9 years ago
Dear Jon, Thanks for your help. Is it possible to find any clue from the log provided earlier?
Flags: needinfo?(jocheng) → needinfo?(jcoppeard)
Comment 12•9 years ago
It's not a lot to go on. I'm wondering if something in the memory reporter can end up triggering a GC while we're iterating through the arenas, but I'd be surprised if that didn't trigger an assert somewhere.
Flags: needinfo?(jcoppeard)
Comment 13•9 years ago
(In reply to Jon Coppeard (:jonco) (PTO until 21st July) from comment #12)
> It's not a lot to go on. I'm wondering if something in the memory reporter
> can end up triggering a GC while we're iterating through the arenas, but I'd
> be surprised if that didn't trigger an assert somewhere.
Thanks Jon, It seems we can only wait until the same issue happens next time? Before then, is there any additional log we can ask Greg to provide?
Flags: needinfo?(jcoppeard)
Updated•9 years ago
Flags: needinfo?(jocheng)
Updated•9 years ago
Status: NEW → RESOLVED
Closed: 9 years ago
Resolution: --- → WORKSFORME
Comment 14•9 years ago
"Closing issue which has not been seen since 06/30/15 20:21"
Updated•9 years ago
Flags: needinfo?(jocheng)
Flags: needinfo?(jcoppeard)
Updated•9 years ago
blocking-b2g: 2.2? → ---
Reporter
Comment 15•9 years ago
Re-opening since this was seen again on AU 214. cafbot will follow-up with latest logs.
Status: RESOLVED → REOPENED
Resolution: WORKSFORME → ---
Reporter
Updated•9 years ago
blocking-b2g: --- → 2.2?
Comment 16•9 years ago
Comment 17•9 years ago
Comment 18•9 years ago
Observed on:
Device: msm8909
Gonk Version: AU_LINUX_GECKO_LF.BR.1.2.3.00.00.00.000.214
Moz BuildID: 20150606002503
Manifest: https://www.codeaurora.org/cgit/quic/lf/b2g/manifest/tree/caf_AU_LINUX_GECKO_LF.BR.1.2.3.00.00.00.000.214.xml?h=release
B2G Version: v2.2
Gecko Version: 37.0
Gaia: http://git.mozilla.org/?p=releases/gaia.git;a=commit;h=8fc797527a3eca7665bc1d1828848f2fb77ca99f
Gecko: http://git.mozilla.org/?p=releases/gecko.git;a=commit;h=e0045f9c8b7e84fc52ba628141688c8ecb4b7a52
Patches: bug 1133147, bug 1181641
Comment 19•9 years ago
Comment 20•9 years ago
Comment 21•9 years ago
Hi Jon, Could you help to check whether there is any useful information in the new log? Thanks!
Flags: needinfo?(jcoppeard)
Comment 22•9 years ago
It's the same problem as before, crashing when trying to dereference the heap free pattern while inside the memory reporter. Nick, have you seen anything like this before?
Flags: needinfo?(jcoppeard) → needinfo?(n.nethercote)
Comment 23•9 years ago
The JS memory reporter iterates over every live thing in the GC heap, and measures most of the malloc'd blocks that hang off those things. So if there's any kind of GC heap corruption there's a good chance that it will manifest in the reporter.
This reminds me slightly of part 6 in bug 972712 which involved identifying which class each object belonged to. It originally landed in March 2014 but had to be backed out due to intermittent ASAN failures. I was eventually able to land it three months later (in bug 1023719) despite not having made any changes. I concluded that I had been hitting some kind of latent heap corruption and then it went away, either via luck or via someone fixing something.
So this one is going to be difficult to debug. I wonder if implementing a GC heap sanity checker would be a good idea. It would be similar to the reporter -- iterate over every GC thing, checking that everything looks ok. I've seen this kind of thing be implemented in other systems, mostly checking IR in compilers, and they typically find real problems.
Flags: needinfo?(n.nethercote)
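A minimal sketch of the heap sanity checker idea from comment 23, added here as an illustration; it is not part of the bug thread and not Mozilla's code. It walks a toy heap and validates every pointer (free-poison pattern, arena bounds, membership in the set of static classes) before following it, so corruption is reported rather than dereferenced. The `Class`, `BaseShape`, `Cell` and `Heap` types, the `0xE5` poison byte and all function names are assumptions made for this model.

```cpp
// Toy GC-heap sanity checker (constructed model, not SpiderMonkey code).
#include <cstdint>
#include <cstdio>
#include <cstring>
#include <string>
#include <vector>

struct Class { const char* name; };               // stands in for a static JSClass
static const Class kObjectClass{"Object"}, kArrayClass{"Array"};
struct BaseShape { const Class* clasp; };         // GC thing holding a class pointer
struct Cell { bool allocated; BaseShape* base; }; // GC thing referencing a BaseShape
struct Heap { std::vector<BaseShape> shapes; std::vector<Cell> cells; };
constexpr unsigned char kFreePoison = 0xE5;       // assumed free-poison byte
// True when every byte of the pointer value equals the poison byte.
static bool looksPoisoned(const void* p) {
    std::uintptr_t pattern;
    std::memset(&pattern, kFreePoison, sizeof pattern);
    return reinterpret_cast<std::uintptr_t>(p) == pattern;
}
// Classes are static, so a valid class pointer must be one of these.
static bool isKnownClass(const Class* c) { return c == &kObjectClass || c == &kArrayClass; }
// Walk every allocated cell, validating each pointer before following it.
std::vector<std::string> checkHeap(const Heap& h) {
    std::vector<std::string> problems;
    auto lo = reinterpret_cast<std::uintptr_t>(h.shapes.data());
    auto hi = lo + h.shapes.size() * sizeof(BaseShape);
    for (std::size_t i = 0; i < h.cells.size(); ++i) {
        const Cell& c = h.cells[i];
        if (!c.allocated) continue;               // free cells are not inspected
        std::string id = "cell " + std::to_string(i);
        auto addr = reinterpret_cast<std::uintptr_t>(c.base);
        if (looksPoisoned(c.base)) { problems.push_back(id + ": base is free poison"); continue; }
        if (addr < lo || addr >= hi) { problems.push_back(id + ": base outside shape arena"); continue; }
        const Class* clasp = c.base->clasp;       // base is in range, safe to read
        if (looksPoisoned(clasp)) problems.push_back(id + ": clasp is free poison");
        else if (!isKnownClass(clasp)) problems.push_back(id + ": clasp is not a static class");
    }
    return problems;
}

// Constructed sample: shape 1 was "freed" and poisoned, cell 2 holds a poisoned pointer.
void fillSampleHeap(Heap& h) {
    h.shapes = {{&kObjectClass}, {&kArrayClass}, {&kObjectClass}};
    std::memset(&h.shapes[1], kFreePoison, sizeof(BaseShape));
    BaseShape* stale;
    std::memset(&stale, kFreePoison, sizeof stale);
    h.cells = {{true, &h.shapes[0]}, {true, &h.shapes[1]}, {true, stale}, {false, stale}};
}
int main() { Heap h; fillSampleHeap(h); for (auto& p : checkHeap(h)) std::puts(p.c_str()); }
```

On the constructed sample the checker flags cell 1 (its BaseShape storage was poisoned) and cell 2 (its pointer is the poison pattern) and skips the unallocated cell 3.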
Comment 24•9 years ago
Observed on:
Device: msm8909
Gonk Version: AU_LINUX_GECKO_LF.BR.1.2.3.00.00.00.000.221
Moz BuildID: 20150721162504
Manifest: https://www.codeaurora.org/cgit/quic/lf/b2g/manifest/tree/caf_AU_LINUX_GECKO_LF.BR.1.2.3.00.00.00.000.221.xml?h=release
B2G Version: v2.2
Gecko Version: 37.0
Gaia: http://git.mozilla.org/?p=releases/gaia.git;a=commit;h=e1e6317f17a840b19af9dbb25f5a771d8d9fa161
Gecko: http://git.mozilla.org/?p=releases/gecko.git;a=commit;h=72899a6655a5d42cea9bb5c3effe1d720bd8bb4e
Patches: bug
Comment 25•9 years ago
Comment 26•9 years ago
Comment 27•9 years ago
Please feel free to provide us a debug patch to collect more logs. We are seeing this issue more consistently now after many hours of stability testing so we need to resolve it asap.
Comment 28•9 years ago
Hi Nick, Is it possible to provide a debug patch here? Thanks!
Flags: needinfo?(n.nethercote)
Comment 29•9 years ago
> Is it possible to provide a debug patch here? Thanks!
I don't have anything specific for you, sorry.
Flags: needinfo?(n.nethercote)
Comment 30•9 years ago
Hi Bobby, Could you help to find anyone who can help here? Thanks!
Flags: needinfo?(bchien)
Comment 31•9 years ago
This looks like the same crash reported in bug 1189934.
Comment 32•9 years ago
Similar crash from memory reference in bug 1189934 and bug 1132502.
Comment 33•9 years ago
Jason, per some research in comment 32, this looks like a similar crash in JavaScript. Could you help on this?
Flags: needinfo?(jorendorff)
Comment 35•9 years ago
Terrence check out Nick's comment, https://bugzilla.mozilla.org/show_bug.cgi?id=1180954#c23, would that help us out in the future?
Assignee: nobody → terrence
Flags: needinfo?(nihsanullah)
Updated•9 years ago
Flags: needinfo?(jorendorff)
Priority: -- → P2
Comment hidden (spam)
Comment 37•9 years ago
on a OS capable up to 3,3 Gb ram.
Comment hidden (obsolete)
Comment 40•9 years ago
Revisit minidump attachments and search signature from crash report site. No new similar crash for long time. Close as worksforme.
Status: REOPENED → RESOLVED
Closed: 9 years ago → 9 years ago
Resolution: --- → WORKSFORME
Comment 42•9 years ago
@Bobby: I don't understand your request. Minidump folder: empty. I found only https://crash-stats.mozilla.com/report/index/6aaae493-b969-41da-ae75-badf82151102 where should I search for the signature?
Comment 43•9 years ago
http://postimg.org/image/s6e21f9lf/
Comment 44•9 years ago
(In reply to Yorgos from comment #42)
> @Bobby: I don't understand your request.
> Minidump folder: empty.
> I found only
> https://crash-stats.mozilla.com/report/index/6aaae493-b969-41da-ae75-badf82151102
> where should I search for the signature?
Per your crash (https://crash-stats.mozilla.com/report/index/6aaae493-b969-41da-ae75-badf82151102), you could copy the signature "js::detail::HashTable<T>::lookupForAdd" to search (top-right corner) from the crash report site, so you could query statistics. Let me know if you still have trouble. Thanks.
Comment 45•9 years ago
Done. http://postimg.org/image/sgc0wl7yb/ I am not the only one with this crash, I hope for a fix.
Comment 46•9 years ago
Hi Jorgos, I close this bug for Firefox OS. I saw you follow another bug 1132502 for Firefox. Please keep trace. Many thanks.
Comment 47•8 years ago
Yeah, turns out this is actually a dup of bug 1132502.
Resolution: WORKSFORME → DUPLICATE
Updated•8 years ago
No longer blocks: CAF-v2.2-metabug