Closed Bug 1306669 Opened 8 years ago Closed 8 years ago

Intermittent js\src\jit-test\tests\ctypes\conversion-finalizer.js | Unknown (code -1073741819, args "--baseline-eager")

Product/Component: Core :: JavaScript Engine: JIT
Type: defect
Priority: Not set
Severity: normal
Status: RESOLVED FIXED
Target Milestone: mozilla52
Tracking Status: firefox50 fixed, firefox51 fixed, firefox52 fixed
Reporter: intermittent-bug-filer
Assignee: arai
Keywords: intermittent-failure
Attachments: 1 file

Closing as non-actionable: it's a single failure without any useful information for reproducing it.
Status: NEW → RESOLVED
Closed: 8 years ago
Resolution: --- → INCOMPLETE
An interesting approach to intermittent failures, since it will tend to just get the exact same failure refiled over and over and over again.
Status: RESOLVED → REOPENED
Resolution: INCOMPLETE → ---
(In reply to Phil Ringnalda (:philor) from comment #2)
> An interesting approach to intermittent failures, since it will tend to just
> get the exact same failure refiled over and over and over again.

For us it doesn't make sense to have 30+ intermittent open bugs in our system which have happened once or twice. Especially in P3. We talked about this briefly on chat where you suggested it might be okay to close them. And they would get opened again if a bug happened again.

> philor> h4writer: probably not, we tend to just star as closed bugs and pretend that's okay, but if it seriously starts up eventually someone will reopen it

I did count on this behavior. This "incomplete" is just a signal that we aren't able to do something about this bug as is. If that changes, i.e. more intermittent, those bugs definitely need to get reopened and we will try to diagnose them.

If this doesn't work we should definitely talk about a different approach.
I think I found the issue.
Will investigate in more detail and post a patch.
objCTypes lives across ffi_call. ffi_call can invoke a JavaScript function, and GC may happen there.
Assignee: nobody → arai.unmht
Status: REOPENED → ASSIGNED
Attachment #8802089 - Flags: review?(jcoppeard)
Forgot to write that ffi_call happens inside CDataFinalizer::CallFinalizer.
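The hazard described in the two comments above, as an added toy model that is not part of the bug thread and not SpiderMonkey code: a pointer held across a call that can GC is only kept valid if the collector knows about it. `Obj`, `ToyHeap`, `Rooted` and `liveAfterCall` are hypothetical names; dead cells are kept readable so the stale read is observable without undefined behaviour.

```cpp
// Toy model, added for illustration (not SpiderMonkey code): a moving
// collector only fixes up the pointers registered as roots.
#include <functional>
#include <memory>
#include <vector>

struct Obj { int value; bool live = true; Obj* forward = nullptr; explicit Obj(int v) : value(v) {} };

struct ToyHeap {
    std::vector<std::unique_ptr<Obj>> cells, graveyard;  // graveyard keeps dead cells readable
    std::vector<Obj**> roots;                             // addresses of rooted pointers
    Obj* alloc(int v) { cells.push_back(std::make_unique<Obj>(v)); return cells.back().get(); }
    // Copy every rooted object, update the root, mark all old cells dead.
    void collect() {
        std::vector<std::unique_ptr<Obj>> survivors;
        for (Obj** r : roots) {
            Obj* old = *r;
            if (!old->forward) {
                survivors.push_back(std::make_unique<Obj>(old->value));
                old->forward = survivors.back().get();
            }
            *r = old->forward;
        }
        for (auto& c : cells) { c->live = false; graveyard.push_back(std::move(c)); }
        cells = std::move(survivors);
    }
};
struct Rooted {  // hypothetical stand-in for a rooting guard
    ToyHeap& heap; Obj* ptr;
    Rooted(ToyHeap& h, Obj* p) : heap(h), ptr(p) { heap.roots.push_back(&ptr); }
    ~Rooted() { heap.roots.pop_back(); }
};
// Stand-in for the finalizer path: hold an object, make a foreign call that
// may run script (and so GC), then use the object again.
bool liveAfterCall(ToyHeap& heap, bool rooted, const std::function<void()>& foreignCall) {
    Obj* raw = heap.alloc(42);
    if (rooted) {
        Rooted guard(heap, raw);
        foreignCall();
        return guard.ptr->live && guard.ptr->value == 42;
    }
    foreignCall();
    return raw->live;  // stale: the collector never learned about `raw`
}
int main() {
    ToyHeap heap;
    auto gc = [&heap] { heap.collect(); };
    return (liveAfterCall(heap, true, gc) && !liveAfterCall(heap, false, gc)) ? 0 : 1;
}
```

The unrooted path only fails when the foreign call actually collects, which matches the intermittent nature of the test failure.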
Comment on attachment 8802089 [details] [diff] [review]
Root an object that lives across ffi_call.

Review of attachment 8802089 [details] [diff] [review]:
-----------------------------------------------------------------

This patch looks good.  I'd like to know why the analysis didn't catch this though.
Attachment #8802089 - Flags: review?(jcoppeard) → review+
Flags: needinfo?(sphink)
The analysis didn't catch this because ffi_call calls ffi_call_unix64, which is implemented in a file unix64.S. Sadly, the analysis only sees C/C++ code. :( I guess not too many things implemented in assembly code are going to GC.

Filed bug 1311227. Thanks!
Flags: needinfo?(sphink)
https://hg.mozilla.org/mozilla-central/rev/512ee9dd9a40
Status: ASSIGNED → RESOLVED
Closed: 8 years ago
Resolution: --- → FIXED
Target Milestone: --- → mozilla52
Worth backporting to Aurora/Beta? If so, please nominate :)
Flags: needinfo?(arai.unmht)
Comment on attachment 8802089 [details] [diff] [review]
Root an object that lives across ffi_call.

Same patch is applicable to aurora/beta.

Approval Request Comment
> [Feature/regressing bug #]
Bug 720771 added this code,
but I haven't checked when this started happening.

> [User impact if declined]
Can cause use after free.
Only chrome-priv code can call this, and this feature is used only in migration from IE/Edge, which happens before opening the main browser window, so almost no risk except simple crash.

https://dxr.mozilla.org/mozilla-central/rev/01ab78dd98805e150b0311cce2351d5b408f3001/browser/components/migration/MSMigrationUtils.jsm#720

and maybe in some add-on.

> [Describe test coverage new/current, TreeHerder]
Code that will intermittently hit this issue is already in the tests.

> [Risks and why]
Low. Just added a root for an object.

> [String/UUID change made/needed]
None
Flags: needinfo?(arai.unmht)
Attachment #8802089 - Flags: approval-mozilla-beta?
Attachment #8802089 - Flags: approval-mozilla-aurora?
Comment on attachment 8802089 [details] [diff] [review]
Root an object that lives across ffi_call.

Fixes an intermittent, Aurora51+, Beta50+
Attachment #8802089 - Flags: approval-mozilla-beta?
Attachment #8802089 - Flags: approval-mozilla-beta+
Attachment #8802089 - Flags: approval-mozilla-aurora?
Attachment #8802089 - Flags: approval-mozilla-aurora+