Closed Bug 1308125 Opened 8 years ago Closed 7 years ago

Crash in js::gc::MakePagesReadOnly

Categories

(Core :: JavaScript Engine, defect)

Product:
Core
Component:
JavaScript Engine
Platform:
Unspecified
Windows
Type:
defect
Priority:
Not set
Severity:
critical

Tracking

()

Status:
RESOLVED INCOMPLETE

People

(Reporter: Tabs16, Assigned: ehoogeveen)

References

(
URL
)

Details

(Keywords: crash)

Crash Data

Attachments

(1 file, 1 obsolete file)

v1.1 - Diagnose MakePagesReadOnly crashes and fix crash reporter annotations.
6.02 KB, patch
ehoogeveen
: review+
Details | Diff | Splinter Review 
This bug was filed from the Socorro interface and is 
report bp-b79b9b98-9f10-4ca2-9cb1-1677c2161005.
=============================================================
It started with Build ID 20161004030204 on 2016-10-05 13:03:14 and it is still continuing, latest crash on Build ID 20161005030211  .
The crash is on Firefox 52.0a1 version,Firefox 50 version and Firefox 49 version,Windows NT
Maximum crashes encountered on October 3,2016.
Uptime range: <1 min   
The link to recent crashes http://bit.ly/2duBANu
Correction: Maximum crashes occured on 5th October at 00:00.
URL: http://bit.ly/2duBANu
Hi Emanuel,
Since you were the last one to touch code in this area, perhaps you can shed some light on the crash?
Flags: needinfo?(emanuel.hoogeveen)
Thanks for the heads up! Hmm, I'm not sure what could be going on here - nothing should have changed on the build from the 4th in particular, but more importantly I'm not sure why VirtualProtect would fail. The new buffer shouldn't be null - even on OOM we just return the old buffer, which we should still be able to protect.

I wonder if this somehow explains our missing crashes, even if it's only on Windows. I can try adding some more assertions here and add the last error code to the MOZ_CRASH reason.
Assignee: nobody → emanuel.hoogeveen
Component: Untriaged → JavaScript Engine
Flags: needinfo?(emanuel.hoogeveen)
OS: Windows 10 → Windows
Product: Firefox → Core
Version: unspecified → Trunk
Ugh, I don't think this explains the missing crashes, but I think I just figured it out. Turns out I misread how MOZ_CRASH_ANNOTATE() is used: the macros using it add a MOZ_CRASH() or a MOZ_RELEASE_ASSERT() around the string literal passed in. This patch fixes that, so hopefully socorro will be able to parse them now.

For this bug, I added two release assertions and added the error code to the crash reason. You can't pass a dynamic string to MOZ_CRASH(), so that was a bit finicky (which is how I figured out my mistake), but this should work. I added the same code to ProtectPages() and UnprotectPages() for good measure.
Attachment #8798402 - Flags: review?(jdemooij)
Blocks: 1306972
Comment on attachment 8798402 [details] [diff] [review]
Diagnose MakePagesReadOnly crashes and fix crash reporter annotations.

Review of attachment 8798402 [details] [diff] [review]:
-----------------------------------------------------------------

::: js/src/gc/Memory.cpp
@@ +853,4 @@
>  #if defined(XP_WIN)
>      DWORD oldProtect;
> +    if (!VirtualProtect(p, size, PAGE_NOACCESS, &oldProtect)) {
> +        snprintf(sCrashReason, 256,

Nit: s/256/sizeof(sCrashReason)/, and below ?
Attachment #8798402 - Flags: review?(jdemooij) → review+
Thanks! Carrying forward r+.

From discussion on IRC, this probably won't change anything for Socorro after all, but it's probably worth being explicit anyway (in addition to the diagnostics for this bug).

(In reply to Jan de Mooij [:jandem] from comment #5)
> > +        snprintf(sCrashReason, 256,
> 
> Nit: s/256/sizeof(sCrashReason)/, and below ?

Good point, done. I also changed from %x to %u, since it was either that or add 0x in front, and the error codes are listed as decimal numbers anyway [1].

[1] https://msdn.microsoft.com/en-us/library/windows/desktop/ms681381.aspx
Attachment #8798402 - Attachment is obsolete: true
Attachment #8798792 - Flags: review+
Try run looks good: https://treeherder.mozilla.org/#/jobs?repo=try&revision=39fbd07324ff3fa313b01288d90b97a1ec125e21

Pretty much build-only, but if we were seeing crashes from this in automation they would have showed up already.
Keywords: checkin-needed, leave-open
Pushed by ryanvm@gmail.com:
https://hg.mozilla.org/integration/mozilla-inbound/rev/3d0a761ff566
Diagnose MakePagesReadOnly crashes and fix crash reporter annotations. r=jandem
Keywords: checkin-needed
I set this as blocking the wrong bug, and the instrumentation I added won't be useful until bug 1309573 is fixed (we also haven't seen any more of these crashes though).
Blocks: 1305360
No longer blocks: 1306972
Depends on: 1309573
We've gotten a few crashes in UnprotectPages that say the address is invalid, which may be due to bitflips. No more crashes in MakePagesReadOnly though, and we don't use it anymore right now anyway.
Status: NEW → RESOLVED
Closed: 7 years ago
Resolution: --- → INCOMPLETE
Removing leave-open keyword from resolved bugs, per :sylvestre.
Keywords: leave-open
You need to log in before you can comment on or make changes to this bug.

Attachment

General

Creator:
Created:
Updated:
Size: