Intermittent js\src\jit-test\tests\ctypes\conversion-finalizer.js | Unknown (code -1073741819, args "--baseline-eager")

RESOLVED FIXED in Firefox 50

People

(Reporter: intermittent-bug-filer, Assigned: arai)

Tracking

({intermittent-failure})

unspecified
mozilla52
intermittent-failure
Points:
---

Firefox Tracking Flags

(firefox50 fixed, firefox51 fixed, firefox52 fixed)

Closing as non-actionable: it's a single failure without any useful information for reproducing it.
Status: NEW → RESOLVED
Last Resolved: 2 years ago
Resolution: --- → INCOMPLETE
An interesting approach to intermittent failures, since it will tend to just get the exact same failure refiled over and over and over again.
Status: RESOLVED → REOPENED
Resolution: INCOMPLETE → ---
(In reply to Phil Ringnalda (:philor) from comment #2)
> An interesting approach to intermittent failures, since it will tend to just
> get the exact same failure refiled over and over and over again.

For us it doesn't make sense to have 30+ open intermittent bugs in our system which have happened once or twice. Especially in P3. We talked about this briefly on chat, where you suggested it might be okay to close them. And they would get opened again if a bug happened again.

> philor> h4writer: probably not, we tend to just star as closed bugs and pretend that's okay, but if it seriously starts up eventually someone will reopen it

I did count on this behavior. This "incomplete" is just a signal that we aren't able to do something about this bug as is. If that changes, i.e. they become more intermittent, those bugs definitely need to get reopened and we will try to diagnose them.

If this doesn't work we should definitely talk about a different approach.
(Assignee)

Comment 4

2 years ago
I think I found the issue.
Will investigate in more detail and post a patch.
(Assignee)

Comment 5

2 years ago
Created attachment 8802089 [details] [diff] [review]
Root an object that lives across ffi_call.

objCTypes lives across ffi_call. ffi_call can invoke a JavaScript function, and GC may happen there.
Assignee: nobody → arai.unmht
Status: REOPENED → ASSIGNED
Attachment #8802089 - Flags: review?(jcoppeard)
(Assignee)

Comment 6

2 years ago
Forgot to write that ffi_call happens inside CDataFinalizer::CallFinalizer.
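The hazard described in comments 5 and 6, as an added example that is not part of the bug thread and is not SpiderMonkey code: a toy collector in which a reference held across an opaque call is freed unless it is rooted. `ToyHeap`, `ToyRooted`, `toy_ffi_call` and both `finalizer_*` functions are hypothetical names, and cells are addressed by index so the stale reference can be observed safely.

```cpp
#include <cstddef>
#include <functional>
#include <set>
#include <vector>

// Toy heap: cells are addressed by index so a stale reference is detectable
// instead of being real undefined behaviour.
struct ToyHeap {
    std::vector<bool> live;             // live[i] == false means cell i was freed
    std::multiset<std::size_t> roots;   // cells the collector must keep

    std::size_t alloc() { live.push_back(true); return live.size() - 1; }
    // Collect: free every cell that is not rooted (no tracing, toy model only).
    void gc() {
        for (std::size_t i = 0; i < live.size(); ++i)
            if (!roots.count(i)) live[i] = false;
    }
};

// RAII root: registers the cell with the collector for the guard's lifetime.
class ToyRooted {
    ToyHeap& heap_; std::size_t cell_;
public:
    ToyRooted(ToyHeap& h, std::size_t c) : heap_(h), cell_(c) { heap_.roots.insert(c); }
    ~ToyRooted() { heap_.roots.erase(heap_.roots.find(cell_)); }
    ToyRooted(const ToyRooted&) = delete;
    ToyRooted& operator=(const ToyRooted&) = delete;
    std::size_t get() const { return cell_; }
};

// Stand-in for ffi_call: an opaque native call that may run script, which may GC.
void toy_ffi_call(const std::function<void()>& callback) { callback(); }

// Finalizer path that holds a cell across the call without a root.
bool finalizer_unrooted(ToyHeap& heap) {
    std::size_t obj = heap.alloc();     // bare reference, invisible to the collector
    toy_ffi_call([&] { heap.gc(); });
    return heap.live[obj];              // cell is gone: any use is a use after free
}

// Same path with the reference rooted for the duration of the call.
bool finalizer_rooted(ToyHeap& heap) {
    ToyRooted obj(heap, heap.alloc());
    toy_ffi_call([&] { heap.gc(); });
    return heap.live[obj.get()];        // the root kept the cell alive
}
```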
Comment on attachment 8802089 [details] [diff] [review]
Root an object that lives across ffi_call.

Review of attachment 8802089 [details] [diff] [review]:
-----------------------------------------------------------------

This patch looks good.  I'd like to know why the analysis didn't catch this though.
Attachment #8802089 - Flags: review?(jcoppeard) → review+
Flags: needinfo?(sphink)
The analysis didn't catch this because ffi_call calls ffi_call_unix64, which is implemented in a file unix64.S. Sadly, the analysis only sees C/C++ code. :( I guess not too many things implemented in assembly code are going to GC.

Filed bug 1311227. Thanks!
Flags: needinfo?(sphink)
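A simplified model of the analysis gap described in the comment above, as an added example that is not the actual hazard analysis: a call-graph walk in which a callee with no visible C/C++ body is either assumed harmless or treated conservatively. The graph is constructed; `js_callback_trampoline` and the `GC` node are hypothetical names.

```cpp
#include <map>
#include <set>
#include <string>
#include <vector>

// Constructed call graph. A function with no entry has no C/C++ body the
// analysis can see (here ffi_call_unix64, which the thread says is in unix64.S).
using CallGraph = std::map<std::string, std::vector<std::string>>;

CallGraph sample_graph() {
    return {
        {"CDataFinalizer::CallFinalizer", {"ffi_call"}},
        {"ffi_call", {"ffi_call_unix64"}},
        // Hypothetical: reached only from the assembly routine, so no visible edge.
        {"js_callback_trampoline", {"GC"}},
    };
}

// Can `fn` reach the collector? `opaque_may_gc` selects how callees without a
// visible body are treated: false = assumed harmless, true = conservative.
bool can_gc(const CallGraph& g, const std::string& fn, bool opaque_may_gc,
            std::set<std::string>& seen) {
    if (fn == "GC") return true;
    if (!seen.insert(fn).second) return false;   // already visited
    auto it = g.find(fn);
    if (it == g.end()) return opaque_may_gc;     // no visible body
    for (const auto& callee : it->second)
        if (can_gc(g, callee, opaque_may_gc, seen)) return true;
    return false;
}

// Verdict for the finalizer path named in the thread.
bool finalizer_can_gc(bool opaque_may_gc) {
    std::set<std::string> seen;
    return can_gc(sample_graph(), "CDataFinalizer::CallFinalizer", opaque_may_gc, seen);
}
```

With body-less callees assumed harmless the finalizer path is reported as unable to GC, so an unrooted value held across `ffi_call` raises no hazard; the conservative setting flags it.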

Comment 10

2 years ago
bugherder
https://hg.mozilla.org/mozilla-central/rev/512ee9dd9a40
Status: ASSIGNED → RESOLVED
Last Resolved: 2 years ago
status-firefox52: --- → fixed
Resolution: --- → FIXED
Target Milestone: --- → mozilla52
Worth backporting to Aurora/Beta? If so, please nominate :)
Flags: needinfo?(arai.unmht)
(Assignee)

Comment 12

2 years ago
Comment on attachment 8802089 [details] [diff] [review]
Root an object that lives across ffi_call.

Same patch is applicable to aurora/beta.

Approval Request Comment
> [Feature/regressing bug #]
Bug 720771 added this code, but I haven't checked when this started happening.

> [User impact if declined]
Can cause use after free.
Only chrome-priv code can call this, and this feature is used only in migration from IE/Edge, which happens before opening the main browser window, so almost no risk except a simple crash.

https://dxr.mozilla.org/mozilla-central/rev/01ab78dd98805e150b0311cce2351d5b408f3001/browser/components/migration/MSMigrationUtils.jsm#720

and maybe in some add-on.

> [Describe test coverage new/current, TreeHerder]
Code that will intermittently hit this issue is already in the tests.

> [Risks and why]
Low. Just added a root for an object.

> [String/UUID change made/needed]
None
Flags: needinfo?(arai.unmht)
Attachment #8802089 - Flags: approval-mozilla-beta?
Attachment #8802089 - Flags: approval-mozilla-aurora?
status-firefox50: --- → affected
status-firefox51: --- → affected
Comment on attachment 8802089 [details] [diff] [review]
Root an object that lives across ffi_call.

Fixes an intermittent, Aurora51+, Beta50+
Attachment #8802089 - Flags: approval-mozilla-beta?
Attachment #8802089 - Flags: approval-mozilla-beta+
Attachment #8802089 - Flags: approval-mozilla-aurora?
Attachment #8802089 - Flags: approval-mozilla-aurora+

Comment 14

2 years ago
bugherder uplift
https://hg.mozilla.org/releases/mozilla-aurora/rev/a0c8270776df
status-firefox51: affected → fixed

Comment 15

2 years ago
bugherder uplift
https://hg.mozilla.org/releases/mozilla-beta/rev/1a13f8a2fa91
status-firefox50: affected → fixed