Closed Bug 1277174 Opened 4 years ago Closed 4 years ago

Intermittent Main app process exited normally | application crashed [@ js::gc::AutoAssertEmptyNursery::checkCondition(JSRuntime *)]

Categories

(Core :: JavaScript Engine, defect)

Tracking

RESOLVED FIXED
mozilla50
Tracking Status
firefox49 --- fixed
firefox50 --- fixed

People

(Reporter: cbook, Assigned: sfink)

Details

(Keywords: crash, intermittent-failure)

Attachments

(1 file)

https://treeherder.mozilla.org/logviewer.html#?job_id=29181751&repo=mozilla-inbound#L9565

PROCESS-CRASH | Main app process exited normally | application crashed [@ js::gc::AutoAssertEmptyNursery::checkCondition(JSRuntime *)]

 22:29:15     INFO -  Crash dump filename: c:\users\cltbld\appdata\local\temp\tmpngrqbw.mozrunner\minidumps\7d686f5f-8af8-47fc-8198-588a28cbd242.dmp

 22:29:15     INFO -  Operating system: Windows NT

 22:29:15     INFO -                    6.1.7601 Service Pack 1

 22:29:15     INFO -  CPU: x86

 22:29:15     INFO -       GenuineIntel family 6 model 62 stepping 4

 22:29:15     INFO -       8 CPUs

 22:29:15     INFO -  Crash reason:  EXCEPTION_BREAKPOINT

 22:29:15     INFO -  Crash address: 0x5c72c2d0

 22:29:15     INFO -  Assertion: Unknown assertion type 0x00000000

 22:29:15     INFO -  Process uptime: 149 seconds

 22:29:15     INFO -  Thread 0 (crashed)

 22:29:15     INFO -   0  xul.dll!js::gc::AutoAssertEmptyNursery::checkCondition(JSRuntime *) [jsgc.cpp:30d59f3fb7e8 : 7872 + 0x46]

 22:29:15     INFO -      eip = 0x5c72c2d0   esp = 0x0029bba8   ebp = 0x0029bba8   ebx = 0x5c863d90

 22:29:15     INFO -      esi = 0x06eae000   edi = 0x0029bd58   eax = 0x00000000   ecx = 0x71da705d

 22:29:15     INFO -      edx = 0x778470b4   efl = 0x00000212

 22:29:15     INFO -      Found by: given as instruction pointer in context

 22:29:15     INFO -   1  xul.dll!js::IterateScripts(JSRuntime *,JSCompartment *,void *,void (*)(JSRuntime *,void *,JSScript *)) [Iteration.cpp:30d59f3fb7e8 : 103 + 0x1c]

 22:29:15     INFO -      eip = 0x5c7f8d85   esp = 0x0029bbb0   ebp = 0x0029bc5c

 22:29:15     INFO -      Found by: call frame info

 22:29:15     INFO -   2  xul.dll!js::Debugger::ScriptQuery::findScripts() [Debugger.cpp:30d59f3fb7e8 : 4064 + 0x17]

 22:29:15     INFO -      eip = 0x5c86aefd   esp = 0x0029bc64   ebp = 0x0029bd04

 22:29:15     INFO -      Found by: call frame info

 22:29:15     INFO -   3  xul.dll!js::Debugger::findScripts(JSContext *,unsigned int,JS::Value *) [Debugger.cpp:30d59f3fb7e8 : 4369 + 0xb]

 22:29:15     INFO -      eip = 0x5c82e02a   esp = 0x0029bd0c   ebp = 0x0029beec

 22:29:15     INFO -      Found by: call frame info

 22:29:15     INFO -   4  xul.dll!js::CallJSNative(JSContext *,bool (*)(JSContext *,unsigned int,JS::Value *),JS::CallArgs const &) [jscntxtinlines.h:30d59f3fb7e8 : 235 + 0xe]

 22:29:15     INFO -      eip = 0x5c8d4f5a   esp = 0x0029bef4   ebp = 0x0029bf14

 22:29:15     INFO -      Found by: call frame info

 22:29:15     INFO -   5  xul.dll!js::InternalCallOrConstruct(JSContext *,JS::CallArgs const &,js::MaybeConstruct) [Interpreter.cpp:30d59f3fb7e8 : 452 + 0xf]

 22:29:15     INFO -      eip = 0x5c8dd12b   esp = 0x0029bf1c   ebp = 0x0029bf78

 22:29:15     INFO -      Found by: call frame info

 22:29:15     INFO -   6  xul.dll!InternalCall [Interpreter.cpp:30d59f3fb7e8 : 497 + 0xb]

 22:29:15     INFO -      eip = 0x5c8dcdb9   esp = 0x0029bf80   ebp = 0x0029bf9c

 22:29:15     INFO -      Found by: call frame info

 22:29:15     INFO -   7  xul.dll!js::Call(JSContext *,JS::Handle<JS::Value>,JS::Handle<JS::Value>,js::AnyInvokeArgs const &,JS::MutableHandle<JS::Value>) [Interpreter.cpp:30d59f3fb7e8 : 516 + 0x5]

 22:29:15     INFO -      eip = 0x5c8d4d45   esp = 0x0029bfa4   ebp = 0x0029bfb0

 22:29:15     INFO -      Found by: call frame info

 22:29:15     INFO -   8  xul.dll!js::Wrapper::call(JSContext *,JS::Handle<JSObject *>,JS::CallArgs const &) [Wrapper.cpp:30d59f3fb7e8 : 165 + 0x26]

 22:29:15     INFO -      eip = 0x5c9107e0   esp = 0x0029bfb8   ebp = 0x0029c080

 22:29:15     INFO -      Found by: call frame info

 22:29:15     INFO -   9  xul.dll!js::CrossCompartmentWrapper::call(JSContext *,JS::Handle<JSObject *>,JS::CallArgs const &) [CrossCompartmentWrapper.cpp:30d59f3fb7e8 : 309 + 0xd]

 22:29:15     INFO -      eip = 0x5cabe804   esp = 0x0029c088   ebp = 0x0029c0b0

 22:29:15     INFO -      Found by: call frame info

 22:29:15     INFO -  10  xul.dll!js::Proxy::call(JSContext *,JS::Handle<JSObject *>,JS::CallArgs const &) [Proxy.cpp:30d59f3fb7e8 : 399 + 0xe]

 22:29:15     INFO -      eip = 0x5cabea31   esp = 0x0029c0b8   ebp = 0x0029c110

 22:29:15     INFO -      Found by: call frame info

 22:29:15     INFO -  11  xul.dll!js::proxy_Call(JSContext *,unsigned int,JS::Value *) [Proxy.cpp:30d59f3fb7e8 : 691 + 0x12]

 22:29:15     INFO -      eip = 0x5cac59a3   esp = 0x0029c118   ebp = 0x0029c148

 22:29:15     INFO -      Found by: call frame info

 22:29:15     INFO -  12  xul.dll!js::CallJSNative(JSContext *,bool (*)(JSContext *,unsigned int,JS::Value *),JS::CallArgs const &) [jscntxtinlines.h:30d59f3fb7e8 : 235 + 0xe]

 22:29:15     INFO -      eip = 0x5c8d4f5a   esp = 0x0029c150   ebp = 0x0029c170

 22:29:15     INFO -      Found by: call frame info

 22:29:15     INFO -  13  xul.dll!js::InternalCallOrConstruct(JSContext *,JS::CallArgs const &,js::MaybeConstruct) [Interpreter.cpp:30d59f3fb7e8 : 440 + 0x8]

 22:29:15     INFO -      eip = 0x5c8dd063   esp = 0x0029c178   ebp = 0x0029c1d4

 22:29:15     INFO -      Found by: call frame info

 22:29:15     INFO -  14  xul.dll!InternalCall [Interpreter.cpp:30d59f3fb7e8 : 497 + 0xb]

 22:29:15     INFO -      eip = 0x5c8dcdb9   esp = 0x0029c1dc   ebp = 0x0029c1f8

 22:29:15     INFO -      Found by: call frame info

 22:29:15     INFO -  15  xul.dll!Interpret [Interpreter.cpp:30d59f3fb7e8 : 2840 + 0x10]

 22:29:15     INFO -      eip = 0x5c8e060a   esp = 0x0029c200   ebp = 0x0029c6c0

 22:29:15     INFO -      Found by: call frame info

 22:29:15     INFO -  16  xul.dll!js::RunScript(JSContext *,js::RunState &) [Interpreter.cpp:30d59f3fb7e8 : 398 + 0xd]

 22:29:15     INFO -      eip = 0x5c8e89d3   esp = 0x0029c6c8   ebp = 0x0029c774

 22:29:15     INFO -      Found by: call frame info

 22:29:15     INFO -  17  xul.dll!js::InternalCallOrConstruct(JSContext *,JS::CallArgs const &,js::MaybeConstruct) [Interpreter.cpp:30d59f3fb7e8 : 470 + 0xa]

 22:29:15     INFO -      eip = 0x5c8dd191   esp = 0x0029c77c   ebp = 0x0029c7d4

 22:29:15     INFO -      Found by: call frame info

 22:29:15     INFO -  18  xul.dll!InternalCall [Interpreter.cpp:30d59f3fb7e8 : 497 + 0xb]

 22:29:15     INFO -      eip = 0x5c8dcdb9   esp = 0x0029c7dc   ebp = 0x0029c7f8

22:29:15 INFO -
Ok, that's odd.

IterateScript will empty the nursery before it does anything: http://dxr.mozilla.org/mozilla-central/source/js/src/gc/Iteration.cpp#98

Then somehow, we manage to allocate something in the nursery. I skimmed through the callback (consider() at http://dxr.mozilla.org/mozilla-central/source/js/src/vm/Debugger.cpp#4286 ) and I don't see anything.

Then at the end of iteration, we check to be sure the nursery is still empty (in ~AutoEmptyNursery), and the check fails.

I thought maybe the scriptSource() stuff might lazily create things, but I'm not seeing it. Maybe I should figure out a way to dump the first cell in the nursery. (We can't iterate the nursery, but surely we can find the first cell?)
Diagnostic patch in bug 1277690, to see what is being placed into the nursery. Probably overkill for this bug, but it seemed generally useful.
MozReview-Commit-ID: 1ubndCgr7y8
Attachment #8759825 - Flags: review?(jcoppeard)
Assignee: nobody → sphink
Status: NEW → ASSIGNED
Comment on attachment 8759825 [details] [diff] [review]
Forbid nursery allocations within AutoAssertEmptyNursery

Review of attachment 8759825 [details] [diff] [review]:
-----------------------------------------------------------------

::: js/src/jsgc.cpp
@@ +7635,5 @@
>  
>  void
>  AutoAssertEmptyNursery::checkCondition(JSRuntime *rt) {
> +    if (!this->rt)
> +        rt->gc.disallowNurseryAlloc();
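
Review bot: in the added `if (!this->rt)` guard, the parameter `rt` and the member `this->rt` share a name, so the test and the `rt->gc.disallowNurseryAlloc()` call on the next line refer to two different pointers, and nothing says why the disallow depends on the member being null. Rename the parameter or add a one-line comment stating what a null `this->rt` means at this point. The hunk also does not show where the disallow is undone, so the comment should name the place that re-allows allocation and the condition under which it runs.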

If a derived class sets this->rt then we will do an allow in the destructor without doing a disallow here.  Maybe assert this->rt is null here?
Attachment #8759825 - Flags: review?(jcoppeard) → review+
Pushed by sfink@mozilla.com:
https://hg.mozilla.org/integration/mozilla-inbound/rev/439fa181138b
Forbid nursery allocations within AutoAssertEmptyNursery, r=jonco
https://hg.mozilla.org/mozilla-central/rev/439fa181138b
Status: ASSIGNED → RESOLVED
Closed: 4 years ago
Resolution: --- → FIXED
Target Milestone: --- → mozilla50
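
The difference between checking the nursery only when iteration ends and forbidding allocation for the guard's whole lifetime, as discussed in the comments above, shown as an added example that is not the patch or any Mozilla code. `ToyNursery`, both guard structs and `callback` are hypothetical names, and the thrown exception stands in for a debug-build assertion.

```cpp
// Toy model, constructed for illustration; not SpiderMonkey code.
#include <iostream>
#include <stdexcept>
#include <string>
#include <vector>

struct ToyNursery {
    std::vector<std::string> cells;  // what was allocated, in order
    int disallowDepth = 0;           // > 0 means allocation is forbidden
    void alloc(const std::string& what) {
        // The throw stands in for a debug-build assertion at the allocation site.
        if (disallowDepth > 0)
            throw std::logic_error("nursery alloc while forbidden: " + what);
        cells.push_back(what);
    }
};

// Before: evict on entry, check on exit. The failure names no culprit.
struct AssertEmptyAtExit {
    ToyNursery& nursery;
    bool& stillEmpty;
    AssertEmptyAtExit(ToyNursery& n, bool& out) : nursery(n), stillEmpty(out) { n.cells.clear(); }
    ~AssertEmptyAtExit() { stillEmpty = nursery.cells.empty(); }
};

// After: also forbid allocation for the whole scope, re-allowed in the destructor.
struct ForbidAllocInScope {
    ToyNursery& nursery;
    explicit ForbidAllocInScope(ToyNursery& n) : nursery(n) { n.cells.clear(); ++n.disallowDepth; }
    ~ForbidAllocInScope() { --nursery.disallowDepth; }
};

// Hypothetical per-script callback that lazily allocates (the unknown culprit).
static void callback(ToyNursery& n) { n.alloc("lazy-cell"); }
std::string runLateCheck() {
    ToyNursery n; bool ok = true;
    { AssertEmptyAtExit guard(n, ok); callback(n); }
    return ok ? "ok" : "nursery not empty at exit";
}

std::string runForbid(int& depthAfter) {
    ToyNursery n; std::string report = "ok";
    try { ForbidAllocInScope guard(n); callback(n); }
    catch (const std::logic_error& e) { report = e.what(); }
    depthAfter = n.disallowDepth;  // 0 when disallow and allow stayed paired
    return report;
}

int main() { int d = -1; std::cout << runLateCheck() << "\n" << runForbid(d) << "\n"; }
```

The late check can only say that something was allocated, while the scoped prohibition fails inside the allocating call and so identifies it. The depth counter returning to zero is the pairing that the review comment on the hunk is concerned with.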
Please request Aurora approval on this when you get a chance.
Flags: needinfo?(sphink)
Comment on attachment 8759825 [details] [diff] [review]
Forbid nursery allocations within AutoAssertEmptyNursery

Approval Request Comment
[Feature/regressing bug #]: N/A, sorta
[User impact if declined]: none
[Describe test coverage new/current, TreeHerder]: on central for 18 days
[Risks and why]: this is a diagnostic patch, intended to make failures easier to track down. It only has an effect on a debug build. If it breaks things, then hopefully we can fix the actual bug that it uncovers.
[String/UUID change made/needed]: none
Flags: needinfo?(sphink)
Attachment #8759825 - Flags: approval-mozilla-aurora?
Comment on attachment 8759825 [details] [diff] [review]
Forbid nursery allocations within AutoAssertEmptyNursery

Diagnostic patch, please uplift to aurora to give us a chance of figuring out a fix.
Attachment #8759825 - Flags: approval-mozilla-aurora? → approval-mozilla-aurora+