Closed Bug 1323207 Opened 8 years ago Closed 8 years ago

Add better crash signatures for known places that call JS during painting

Categories

(Core :: JavaScript Engine, defect)

Product:
Core
Component:
JavaScript Engine
Type:
defect
Priority:
Not set
Severity:
normal

Tracking

()

Status:
RESOLVED WONTFIX
Milestone:
mozilla53
Tracking Flags:
Tracking Status
firefox51 --- wontfix
firefox52 --- wontfix
firefox53 --- wontfix

People

(Reporter: mccr8, Assigned: mccr8)

References

(Blocks 1 open bug)

Details

Attachments

(2 files)

Bug 1323207, part 1 - Add method to check AllocGCBarriers.
58 bytes, text/x-review-board-request
jonco
: review+
Details
Bug 1323207, part 2 - Assert early if we're painting at various points we enter JS.
58 bytes, text/x-review-board-request
billm
: review+
Details 
There are various assertions that check that we don't enter the JS engine during painting. This is useful to find new places that do this, but we have a number of existing unfixed issues (bug 1310335 and various bugs blocking bug 1279086) that hit this, and unfortunately the crash signatures these generate are very generic, and can shift over time. This is bad because it makes it hard for anybody looking at crash lists how frequent these crashes are, or if a crash signature is new or not.

One way to improve these signatures would be to set a flag while we're in InterruptCallback, and do a release assert at known points that the flag is not set (like at the start of nsContentUtils::IsPatternMatching). Anybody fixing one of these issues would have to remove the assertion.
This should get backported to branches with bug 1308039 (52) and maybe bug 1279086 (51).
status-firefox51: --- → affected
status-firefox52: --- → affected
status-firefox53: --- → affected
Is the crash reason field not sufficient?
(In reply to Bill McCloskey (:billm) from comment #2)
> Is the crash reason field not sufficient?

That does not address the problem of distinguishing the different reasons that we are entering the JS engine during painting. (Arguably, the crash reason field is not really sufficient to distinguish painting crashes from other crashes, given that crash triagers mostly look at signatures, but that has not yet been a problem in practice.)

For example, how do we tell apart instances of bug 1310335 from instances of bug 1311843 without looking at individual crash reports, and without having to come up with some custom super search that looks at proto signatures? (And more importantly, how do we tell if somebody adds a new place that starts hitting this assert.)
Comment on attachment 8819024 [details]
Bug 1323207, part 2 - Assert early if we're painting at various points we enter JS.

https://reviewboard.mozilla.org/r/98902/#review99162

::: xpcom/ds/nsObserverList.cpp:109
(Diff revision 1)
> +  MOZ_RELEASE_ASSERT(js::AllowGCBarriers(CycleCollectedJSContext::Get()->Context()),
> +                     "Observers can be implement in JS, so they should not be called during painting.");

I'm worried you're going to find a lot more stuff with this, but let's see what happens :-).
Attachment #8819024 - Flags: review?(wmccloskey) → review+
Comment on attachment 8819023 [details]
Bug 1323207, part 1 - Add method to check AllocGCBarriers.

https://reviewboard.mozilla.org/r/98900/#review99372
Attachment #8819023 - Flags: review?(jcoppeard) → review+
(In reply to Bill McCloskey (:billm) from comment #6)
> I'm worried you're going to find a lot more stuff with this, but let's see
> what happens :-).

Yeah, it may have to get backed out, but I figured I'd try it.
Pushed by amccreight@mozilla.com:
https://hg.mozilla.org/integration/autoland/rev/a04031da95dc
part 1 - Add method to check AllocGCBarriers. r=jonco
https://hg.mozilla.org/integration/autoland/rev/491237dbcb5d
part 2 - Assert early if we're painting at various points we enter JS. r=billm
This breaks, but only on Windows 8 (!?):
  https://treeherder.mozilla.org/#/jobs?repo=autoland&revision=491237dbcb5d29543e2f9bacf37f7eefbbf650b2

It is hitting the observer service assert, but during shutdown, when it does the NS_XPCOM_SHUTDOWN_OBSERVER_ID notification. I have no idea why it is asserting there.
Oh I see, I think maybe this is happening in the GPU process...
Backed out for mass-crashing on Windows 8 x64 debug e10s:

https://hg.mozilla.org/integration/autoland/rev/6cea439a7674fdc4e0f0c6c62f9a035c4f10e633
https://hg.mozilla.org/integration/autoland/rev/e8014faca57975f249d5b4b62331c51c315d7a90

Push with failures: https://treeherder.mozilla.org/#/jobs?repo=autoland&revision=491237dbcb5d29543e2f9bacf37f7eefbbf650b2
Failure log: https://treeherder.mozilla.org/logviewer.html#?job_id=8027895&repo=autoland

10:30:09     INFO - PROCESS-CRASH | Main app process exited normally | application crashed [@ nsObserverList::NotifyObservers(nsISupports *,char const *,char16_t const *)]
10:30:09     INFO - Crash dump filename: c:\users\cltbld~1.t-w\appdata\local\temp\tmp8cevqd.mozrunner\minidumps\4cb1637c-5ce6-433c-8757-c42b148dff6b.dmp
10:30:09     INFO - Operating system: Windows NT
10:30:09     INFO -                   6.2.9200 
10:30:09     INFO - CPU: amd64
10:30:09     INFO -      family 6 model 30 stepping 5
10:30:09     INFO -      8 CPUs
10:30:09     INFO - 
10:30:09     INFO - GPU: UNKNOWN
10:30:09     INFO - 
10:30:09     INFO - Crash reason:  EXCEPTION_ACCESS_VIOLATION_READ
10:30:09     INFO - Crash address: 0x120
10:30:09     INFO - Assertion: Unknown assertion type 0x00000000
10:30:09     INFO - Process uptime: 17 seconds
10:30:09     INFO - 
10:30:09     INFO - Thread 0 (crashed)
10:30:09     INFO -  0  xul.dll!nsObserverList::NotifyObservers(nsISupports *,char const *,char16_t const *) [nsObserverList.cpp:491237dbcb5d : 110 + 0x7]
10:30:09     INFO -     rax = 0x0000000000000000   rdx = 0x0000005989dab188
10:30:09     INFO -     rcx = 0x000000000000002a   rbx = 0x0000000000000000
10:30:09     INFO -     rsi = 0x0000000000000000   rdi = 0x0000005989dab4c8
10:30:09     INFO -     rbp = 0x000007fc3814b110   rsp = 0x000000598995f2b0
10:30:09     INFO -      r8 = 0x000007fc3814b110    r9 = 0x0000000000000000
10:30:09     INFO -     r10 = 0x000007fc38163cb0   r11 = 0x000000598995f240
10:30:09     INFO -     r12 = 0x000000598995f6b0   r13 = 0x0000000000000000
10:30:09     INFO -     r14 = 0x0000005989dab188   r15 = 0x0000000000000003
10:30:09     INFO -     rip = 0x000007fc337113bc
10:30:09     INFO -     Found by: given as instruction pointer in context
10:30:09     INFO -  1  xul.dll!nsObserverService::NotifyObservers(nsISupports *,char const *,char16_t const *) [nsObserverService.cpp:491237dbcb5d : 281 + 0x11]
10:30:09     INFO -     rbx = 0x0000000000000000   rbp = 0x000007fc3814b110
10:30:09     INFO -     rsp = 0x000000598995f2f0   r12 = 0x000000598995f6b0
10:30:09     INFO -     r13 = 0x0000000000000000   r14 = 0x0000005989dab188
10:30:09     INFO -     r15 = 0x0000000000000003   rip = 0x000007fc33711637
10:30:09     INFO -     Found by: call frame info
10:30:09     INFO -  2  xul.dll!mozilla::ShutdownXPCOM(nsIServiceManager *) [XPCOMInit.cpp:491237dbcb5d : 909 + 0x63]
10:30:09     INFO -     rbx = 0x0000000000000000   rbp = 0x000007fc3814b110
10:30:09     INFO -     rsp = 0x000000598995f330   r12 = 0x000000598995f6b0
10:30:09     INFO -     r13 = 0x0000000000000000   r14 = 0x0000005989dab188
10:30:09     INFO -     r15 = 0x0000000000000003   rip = 0x000007fc3379e382
10:30:09     INFO -     Found by: call frame info
10:30:09     INFO -  3  xul.dll!XRE_InitChildProcess [nsEmbedFunctions.cpp:491237dbcb5d : 760 + 0x9]
10:30:09     INFO -     rbx = 0x0000000000000000   rbp = 0x000007fc3814b110
10:30:09     INFO -     rsp = 0x000000598995f3c0   r12 = 0x000000598995f6b0
10:30:09     INFO -     r13 = 0x0000000000000000   r14 = 0x0000005989dab188
10:30:09     INFO -     r15 = 0x0000000000000003   rip = 0x000007fc36c42589
10:30:09     INFO -     Found by: call frame info
10:30:09     INFO -  4  firefox.exe!content_process_main(int,char * * const) [plugin-container.cpp:491237dbcb5d : 115 + 0x10]
10:30:09     INFO -     rbx = 0x0000000000000000   rbp = 0x000007fc3814b110
10:30:09     INFO -     rsp = 0x000000598995f680   r12 = 0x000000598995f6b0
10:30:09     INFO -     r13 = 0x0000000000000000   r14 = 0x0000005989dab188
10:30:09     INFO -     r15 = 0x0000000000000003   rip = 0x000007f63df61d45
10:30:09     INFO -     Found by: call frame info
10:30:09     INFO -  5  firefox.exe!NS_internal_main(int,char * *,char * *) [nsBrowserApp.cpp:491237dbcb5d : 430 + 0xa]
10:30:09     INFO -     rbx = 0x0000000000000000   rbp = 0x000007fc3814b110
10:30:09     INFO -     rsp = 0x000000598995f6e0   r12 = 0x000000598995f6b0
10:30:09     INFO -     r13 = 0x0000000000000000   r14 = 0x0000005989dab188
10:30:09     INFO -     r15 = 0x0000000000000003   rip = 0x000007f63df618f9
10:30:09     INFO -     Found by: call frame info
10:30:09     INFO -  6  firefox.exe!wmain [nsWindowsWMain.cpp:491237dbcb5d : 115 + 0x14]
10:30:09     INFO -     rbx = 0x0000000000000000   rbp = 0x000007fc3814b110
10:30:09     INFO -     rsp = 0x000000598995f760   r12 = 0x000000598995f6b0
10:30:09     INFO -     r13 = 0x0000000000000000   r14 = 0x0000005989dab188
10:30:09     INFO -     r15 = 0x0000000000000003   rip = 0x000007f63df6266f
10:30:09     INFO -     Found by: call frame info
10:30:09     INFO -  7  firefox.exe!__scrt_common_main_seh [exe_common.inl : 253 + 0x22]
10:30:09     INFO -     rbx = 0x0000000000000000   rbp = 0x000007fc3814b110
10:30:09     INFO -     rsp = 0x000000598995f7c0   r12 = 0x000000598995f6b0
10:30:09     INFO -     r13 = 0x0000000000000000   r14 = 0x0000005989dab188
10:30:09     INFO -     r15 = 0x0000000000000003   rip = 0x000007f63dfa115d
10:30:09     INFO -     Found by: call frame info
10:30:09     INFO -  8  kernel32.dll!BaseThreadInitThunk + 0x1a
10:30:09     INFO -     rbx = 0x0000000000000000   rbp = 0x000007fc3814b110
10:30:09     INFO -     rsp = 0x000000598995f800   r12 = 0x000000598995f6b0
10:30:09     INFO -     r13 = 0x0000000000000000   r14 = 0x0000005989dab188
10:30:09     INFO -     r15 = 0x0000000000000003   rip = 0x000007fc533f167e
10:30:09     INFO -     Found by: call frame info
10:30:09     INFO -  9  ntdll.dll!RtlUserThreadStart + 0x21
10:30:09     INFO -     rbp = 0x000007fc3814b110   rsp = 0x000000598995f830
10:30:09     INFO -     rip = 0x000007fc557ac3f1
10:30:09     INFO -     Found by: stack scanning
10:30:09     INFO - 10  KERNELBASE.dll!GetLegacyComposition + 0x1180
10:30:09     INFO -     rbp = 0x000007fc3814b110   rsp = 0x000000598995f860
10:30:09     INFO -     rip = 0x000007fc52aa09d0
10:30:09     INFO -     Found by: stack scanning
Flags: needinfo?(continuation)
(In reply to Andrew McCreight [:mccr8] from comment #12)
> Oh I see, I think maybe this is happening in the GPU process...

and it looks like it isn't hitting the assert per se. I'm guessing CycleCollectedJSContext::Get()->Context() is doing a null deref or something.
Flags: needinfo?(continuation)
I added a null check on Context(). Hopefully that will be enough.
https://treeherder.mozilla.org/#/jobs?repo=try&revision=253a2861ac5b64c89f929b125c72928485c09e3d
Blocks: 1324237
For now, I'll land it without the observer service changes.
Pushed by amccreight@mozilla.com:
https://hg.mozilla.org/integration/autoland/rev/40440a0e3073
part 1 - Add method to check AllocGCBarriers. r=jonco
https://hg.mozilla.org/integration/autoland/rev/5f06a88bdc86
part 2 - Assert early if we're painting at various points we enter JS. r=billm
Are you sure CycleCollectedJSContext::Get() isn't returning null?
(In reply to Bill McCloskey (:billm) from comment #21)
> Are you sure CycleCollectedJSContext::Get() isn't returning null?

The stub XPCOM the GPU process uses does start the CC, or so I thought, but that does seem like the most likely remaining explanation.
https://hg.mozilla.org/mozilla-central/rev/40440a0e3073
https://hg.mozilla.org/mozilla-central/rev/5f06a88bdc86
Status: NEW → RESOLVED
Closed: 8 years ago
status-firefox53: affectedfixed
Resolution: --- → FIXED
Target Milestone: --- → mozilla53
(In reply to Andrew McCreight [:mccr8] from comment #22)
> (In reply to Bill McCloskey (:billm) from comment #21)
> > Are you sure CycleCollectedJSContext::Get() isn't returning null?
> 
> The stub XPCOM the GPU process uses does start the CC, or so I thought, but
> that does seem like the most likely remaining explanation.

It doesn't get nulled out at shutdown?
(In reply to Bill McCloskey (:billm) from comment #24)
> It doesn't get nulled out at shutdown?

The observer service is called much earlier than that. Plus things are fine except for the GPU process.
Blocks: 1324308
Depends on: 1324642
Backout by wmccloskey@mozilla.com:
https://hg.mozilla.org/integration/mozilla-inbound/rev/335c5d74c1a1
Back out, part 2 - Assert early if we're painting at various points we enter JS (a=backout)
https://hg.mozilla.org/integration/mozilla-inbound/rev/51d359b72c57
Back out, part 1 - Add method to check AllocGCBarriers (a=backout)
Seems that this was backed out. This is the last week before the merge of FF53. Do we need to get this in?
status-firefox53: fixedaffected
Flags: needinfo?(continuation)
This was backed out because the patch that was causing this issue was also backed out, so there's no need for it any more.
status-firefox51: affectedwontfix
status-firefox52: affectedwontfix
status-firefox53: affectedwontfix
Flags: needinfo?(continuation)
Resolution: FIXED → WONTFIX
You need to log in before you can comment on or make changes to this bug.

Attachment

General

Creator:
Created:
Updated:
Size: