1291776 - Intermittent test_failures_AES-CTR.html,browser_net_statistics-02.js (and many others) | application crashed [@ JSCompartment::wrap(JSContext *,JS::MutableHandle<JSObject *>,JS::Handle<JSObject *>)] after Assertion failure: !ObjectIsMarkedGray(obj)

Status: RESOLVED FIXED

(Core :: JavaScript: GC, defect, P3)

Description

[Treeherder Bug Filer]

Filed by: philringnalda [at] gmail.com

https://treeherder.mozilla.org/logviewer.html#?job_id=33205417&repo=mozilla-inbound

http://archive.mozilla.org/pub/firefox/tinderbox-builds/mozilla-inbound-win32-debug/1470224861/mozilla-inbound_win7_vm-debug_test-web-platform-tests-2-bm139-tests1-windows-build607.txt.gz

Comment 1

[Intermittent Failures Robot]

19 automation job failures were associated with this bug yesterday.

Repository breakdown:
* mozilla-inbound: 9
* autoland: 6
* mozilla-central: 2
* fx-team: 2

Platform breakdown:
* windows7-32-vm: 11
* linux32: 4
* windowsxp: 2
* windows8-64: 1
* osx-10-10: 1

For more details, see:
https://brasstacks.mozilla.com/orangefactor/?display=Bug&bugid=1291776&startday=2016-08-03&endday=2016-08-03&tree=all

Comment 3

[Intermittent Failures Robot]

33 automation job failures were associated with this bug yesterday.

Repository breakdown:
* autoland: 10
* mozilla-inbound: 8
* try: 6
* fx-team: 6
* mozilla-central: 3

Platform breakdown:
* windows7-32-vm: 16
* linux32: 5
* windowsxp: 4
* windows8-64: 4
* linux64: 3
* android-4-3-armv7-api15: 1

For more details, see:
https://brasstacks.mozilla.com/orangefactor/?display=Bug&bugid=1291776&startday=2016-08-04&endday=2016-08-04&tree=all

Comment 4

[Intermittent Failures Robot]

36 automation job failures were associated with this bug yesterday.

Repository breakdown:
* mozilla-inbound: 15
* autoland: 14
* fx-team: 6
* mozilla-central: 1

Platform breakdown:
* windows7-32-vm: 17
* windows8-64: 12
* linux32: 3
* windowsxp: 2
* linux64: 2

For more details, see:
https://brasstacks.mozilla.com/orangefactor/?display=Bug&bugid=1291776&startday=2016-08-05&endday=2016-08-05&tree=all

Comment 5

[Intermittent Failures Robot]

137 automation job failures were associated with this bug in the last 7 days.

Repository breakdown:
* mozilla-inbound: 53
* autoland: 45
* fx-team: 19
* mozilla-central: 14
* try: 6

Platform breakdown:
* windows7-32-vm: 58
* windows8-64: 23
* linux32: 21
* windowsxp: 16
* linux64: 10
* osx-10-10: 6
* windows7-32: 2
* android-4-3-armv7-api15: 1

For more details, see:
https://brasstacks.mozilla.com/orangefactor/?display=Bug&bugid=1291776&startday=2016-08-01&endday=2016-08-07&tree=all

Comment 6

[Intermittent Failures Robot]

20 automation job failures were associated with this bug yesterday.

Repository breakdown:
* autoland: 13
* mozilla-inbound: 6
* try-comm-central: 1

Platform breakdown:
* windows7-32-vm: 11
* osx-10-10: 8
* linux32: 1

For more details, see:
https://brasstacks.mozilla.com/orangefactor/?display=Bug&bugid=1291776&startday=2016-08-08&endday=2016-08-08&tree=all

Comment 7

[Intermittent Failures Robot]

16 automation job failures were associated with this bug yesterday.

Repository breakdown:
* autoland: 7
* mozilla-inbound: 6
* comm-central: 2
* fx-team: 1

Platform breakdown:
* windows7-32-vm: 12
* osx-10-10: 2
* linux32: 2

For more details, see:
https://brasstacks.mozilla.com/orangefactor/?display=Bug&bugid=1291776&startday=2016-08-09&endday=2016-08-09&tree=all

Comment 8

[Intermittent Failures Robot]

76 automation job failures were associated with this bug in the last 7 days.

Repository breakdown:
* autoland: 34
* mozilla-inbound: 29
* fx-team: 7
* comm-central: 3
* mozilla-central: 2
* try-comm-central: 1

Platform breakdown:
* windows7-32-vm: 55
* osx-10-10: 17
* linux32: 4

For more details, see:
https://brasstacks.mozilla.com/orangefactor/?display=Bug&bugid=1291776&startday=2016-08-08&endday=2016-08-14&tree=all

Comment 10

[Intermittent Failures Robot]

59 automation job failures were associated with this bug in the last 7 days.

Repository breakdown:
* mozilla-inbound: 31
* autoland: 16
* fx-team: 7
* mozilla-central: 4
* ash: 1

Platform breakdown:
* windows7-32-vm: 39
* osx-10-10: 18
* windowsxp: 1
* linux64: 1

For more details, see:
https://brasstacks.mozilla.com/orangefactor/?display=Bug&bugid=1291776&startday=2016-08-15&endday=2016-08-21&tree=all

Comment 11

[Intermittent Failures Robot]

39 automation job failures were associated with this bug in the last 7 days.

Repository breakdown:
* autoland: 17
* mozilla-inbound: 16
* mozilla-central: 3
* fx-team: 3

Platform breakdown:
* osx-10-10: 20
* windows7-32-vm: 19

For more details, see:
https://brasstacks.mozilla.com/orangefactor/?display=Bug&bugid=1291776&startday=2016-08-22&endday=2016-08-28&tree=all

Comment 12

[BMO Automation]

Bulk assigning P3 to all open intermittent bugs without a priority set in Firefox components per bug 1298978.

Comment 13

[Ryan VanderMeulen [:RyanVM]]

The browser_net_statistics-02.js one is really frequent on Win8 on Ash (also available opt-in on Try).

Comment 14

[Intermittent Failures Robot]

9 automation job failures were associated with this bug in the last 7 days.

Repository breakdown:
* try: 3
* mozilla-inbound: 3
* autoland: 3

Platform breakdown:
* osx-10-10: 6
* linux32: 2
* windows7-32-vm: 1

For more details, see:
https://brasstacks.mozilla.com/orangefactor/?display=Bug&bugid=1291776&startday=2016-08-29&endday=2016-09-04&tree=all

Comment 15

[Boris Zbarsky [:bzbarsky]]

This is coming from PromiseReactionJob.  Do we have a tracking bug for these asserts failing when coming from there?

Comment 16

[Terrence Cole [:terrence]]

There was another bug with the same failure that had stacks. I think in that bug the gray object was coming off the JS stack. This is almost certainly coming from gecko somewhere, so I think if we assert in CallArgs::create, we'll find the place.

https://treeherder.mozilla.org/#/jobs?repo=try&revision=705fb869f57d

Comment 17

[Intermittent Failures Robot]

23 automation job failures were associated with this bug yesterday.

Repository breakdown:
* mozilla-aurora: 23

Platform breakdown:
* windowsxp: 8
* windows7-32-vm: 8
* windows8-64: 7

For more details, see:
https://brasstacks.mozilla.com/orangefactor/?display=Bug&bugid=1291776&startday=2016-09-15&endday=2016-09-15&tree=all

Comment 18

[Intermittent Failures Robot]

49 automation job failures were associated with this bug in the last 7 days.

Repository breakdown:
* mozilla-aurora: 47
* try: 2

Platform breakdown:
* windowsxp: 17
* windows7-32-vm: 17
* windows8-64: 15

For more details, see:
https://brasstacks.mozilla.com/orangefactor/?display=Bug&bugid=1291776&startday=2016-09-12&endday=2016-09-18&tree=all

Comment 19

[Terrence Cole [:terrence]]

Oh, hey, this isn't a debug build failure, as it first appears! We're actually falling over in stage package in xpc-shell. I'll try to get this locally.

Comment 20

[Terrence Cole [:terrence]]

IsUnmarkedGray does not null-check!

Comment 21

[Boris Zbarsky [:bzbarsky]]

While true, we already did an early return if !obj, no?

Comment 22

[Terrence Cole [:terrence]]

No, it looks like GCThingIsMarkedGray just grabs the pointer and starts poking:

http://searchfox.org/mozilla-central/source/js/public/HeapAPI.h#392

I'm not sure why automation didn't post the new try run. In any case, it is here and looks much better already:

https://treeherder.mozilla.org/#/jobs?repo=try&revision=912632f99f54

Comment 23

[Boris Zbarsky [:bzbarsky]]

> No, it looks like GCThingIsMarkedGray just grabs the pointer and starts poking:

Yes, but we don't pass it null in JSCompartment::wrap as far as I can tell.  That's where the null check I mention in comment 21 is...

Comment 24

[Terrence Cole [:terrence]]

Ah! The assertion in this patch is that we do not create CallArgs with any array elements that are initially gray -- e.g. I'm just covering more API surface area with assertions in the hope of catching something.

Do you see some more specific avenue we can take to root cause this?

Comment 25

[Terrence Cole [:terrence]]

Attachment: assert_we_dont_create_gray_args-v0.diff

Comment 26

[Boris Zbarsky [:bzbarsky]]

Could try instrumenting intrinsic_EnqueuePromiseReactionJob to do the check and if it fails dump the JS stack so we can get some idea of how we ended up there...

Comment 27

[Terrence Cole [:terrence]]

https://hg.mozilla.org/integration/mozilla-inbound/rev/79b5d47038f91317a141be04f51f0c8518d18bdf
Bug 1291776 - Assert that we don't create gray arguments; r=sfink

Comment 28

[Terrence Cole [:terrence]]

(In reply to Boris Zbarsky [:bz] (TPAC) from comment #26)
> Could try instrumenting intrinsic_EnqueuePromiseReactionJob to do the check
> and if it fails dump the JS stack so we can get some idea of how we ended up
> there...

Good idea! It looks like the patch I just landed will catch this. Maybe we should print the JS stack from assertion failures in SpiderMonkey regardless?

Also, looks like Steve already did a try push with a more relevant assertion:

https://treeherder.mozilla.org/#/jobs?repo=try&revision=976744db95b20df7328c1ba32265f99451c05d77&selectedJob=27541746

And it caught something!

Comment 29

[Terrence Cole [:terrence]]

The assertion says the (first) gray thing is |resolve|. I'm not sure what this tells us. Maybe we know where that goes onto the stack in the first place?

Comment 30

[Intermittent Failures Robot]

28 automation job failures were associated with this bug yesterday.

Repository breakdown:
* mozilla-beta: 27
* try: 1

Platform breakdown:
* windowsxp: 10
* windows7-32-vm: 10
* windows8-64: 8

For more details, see:
https://brasstacks.mozilla.com/orangefactor/?display=Bug&bugid=1291776&startday=2016-09-20&endday=2016-09-20&tree=all

Comment 31

[Carsten Book [:Tomcat]]

https://hg.mozilla.org/mozilla-central/rev/79b5d47038f9

Comment 32

[Intermittent Failures Robot]

22 automation job failures were associated with this bug yesterday.

Repository breakdown:
* mozilla-beta: 22

Platform breakdown:
* windowsxp: 7
* windows7-32-vm: 7
* windows8-64: 6
* linux32: 2

For more details, see:
https://brasstacks.mozilla.com/orangefactor/?display=Bug&bugid=1291776&startday=2016-09-22&endday=2016-09-22&tree=all

Comment 33

[Terrence Cole [:terrence]]

All the automation failures are on Beta, so this may have been solved on nightly last week and not uplifted to aurora before it became beta. Ryan, I need your magic again!

Also, Till is totally off the hook for this one, so I might as well remove his ni.

Comment 34

[Ryan VanderMeulen [:RyanVM]]

OK, there were multiple "fixes" here.

The AES-CTR wpt failures went away on August 7, which fits when bug 1283634 and bug 1289581 landed (the latter being more relevant here I assume). That didn't actually fix the underlying problem for those tests, it just shifted the signature to bug 1293057.

The mochitest failures getting starred under this bug went around around the beginning of September. I'm 99% sure that whatever fixed those has already been uplifted because Aurora50/Beta50 are seeing nothing but the AES-CTR wpt failures.

So I think we should call this one fixed and uplift the patches from the bugs above now that things have stabilized enough that we won't incur an orangemageddon for our trouble. That'll at least give us a consistent set of bugs to track across the various branches.

Comment 35

[Terrence Cole [:terrence]]

I agree! Thanks for doing the legwork!

Comment 36

[Ryan VanderMeulen [:RyanVM]]

Try push to hopefully confirm the shifted signature:
https://treeherder.mozilla.org/#/jobs?repo=try&revision=6d6d11bf08d4

Comment 37

[Ryan VanderMeulen [:RyanVM]]

(In reply to Ryan VanderMeulen [:RyanVM] from comment #36)
> Try push to hopefully confirm the shifted signature:
> https://treeherder.mozilla.org/#/jobs?repo=try&revision=6d6d11bf08d4

Confirmed.

Comment 38

[Intermittent Failures Robot]

15 automation job failures were associated with this bug yesterday.

Repository breakdown:
* mozilla-beta: 15

Platform breakdown:
* windows8-64: 5
* windowsxp: 4
* windows7-32-vm: 4
* linux32: 2

For more details, see:
https://brasstacks.mozilla.com/orangefactor/?display=Bug&bugid=1291776&startday=2016-09-23&endday=2016-09-23&tree=all

Comment 39

[Intermittent Failures Robot]

81 automation job failures were associated with this bug in the last 7 days.

Repository breakdown:
* mozilla-beta: 75
* mozilla-aurora: 5
* try: 1

Platform breakdown:
* windowsxp: 27
* windows7-32-vm: 26
* windows8-64: 24
* linux32: 4

For more details, see:
https://brasstacks.mozilla.com/orangefactor/?display=Bug&bugid=1291776&startday=2016-09-19&endday=2016-09-25&tree=all

Comment 40

[Intermittent Failures Robot]

5 automation job failures were associated with this bug in the last 7 days.

Repository breakdown:
* mozilla-beta: 5

Platform breakdown:
* windowsxp: 2
* windows7-32-vm: 2
* windows8-64: 1

For more details, see:
https://brasstacks.mozilla.com/orangefactor/?display=Bug&bugid=1291776&startday=2016-09-26&endday=2016-10-02&tree=all