1337263 - [GCC6] Crash on ARM64 while creating startup cache

Status: RESOLVED WORKSFORME

(Core :: JavaScript Engine, defect)

Description

[Mike Hommey [:glandium]]

Running mach package on an ARM Linux system fails. Looking at the core dump, this is what the stack looks like:
Program terminated with signal SIGSEGV, Segmentation fault.
#0  js::Thread::~Thread (this=0xff93f3e4, __in_chrg=<optimized out>) at /home/glandium/mozilla-central/js/src/threading/Thread.h:122
122         MOZ_RELEASE_ASSERT(!joinable());
[Current thread is 1 (Thread 0xf3898c40 (LWP 6010))]
(gdb) bt
#0  js::Thread::~Thread (this=0xff93f3e4, __in_chrg=<optimized out>) at /home/glandium/mozilla-central/js/src/threading/Thread.h:122
#1  js::GlobalHelperThreadState::ensureInitialized (this=0xf368d160) at /home/glandium/mozilla-central/js/src/vm/HelperThreads.cpp:746
#2  0xf6af7fc0 in js::EnsureHelperThreadsInitialized () at /home/glandium/mozilla-central/js/src/vm/HelperThreads.cpp:65
#3  0xf6b14c66 in JSRuntime::init (this=this@entry=0xf19cf000, cx=cx@entry=0xf3610000, maxbytes=maxbytes@entry=33554432, 
    maxNurseryBytes=maxNurseryBytes@entry=16777216) at /home/glandium/mozilla-central/js/src/vm/Runtime.cpp:191
#4  0xf6a281a6 in js::NewContext (maxBytes=33554432, maxNurseryBytes=16777216, parentRuntime=<optimized out>)
    at /home/glandium/mozilla-central/js/src/jscntxt.cpp:149
#5  0xf6a10018 in JS_NewContext (maxbytes=maxbytes@entry=33554432, maxNurseryBytes=maxNurseryBytes@entry=16777216, 
    parentContext=parentContext@entry=0x0) at /home/glandium/mozilla-central/js/src/jsapi.cpp:480
#6  0xf538f14c in mozilla::CycleCollectedJSContext::Initialize (this=this@entry=0xf3648400, aParentContext=aParentContext@entry=0x0, 
    aMaxBytes=aMaxBytes@entry=33554432, aMaxNurseryBytes=aMaxNurseryBytes@entry=16777216)
    at /home/glandium/mozilla-central/xpcom/base/CycleCollectedJSContext.cpp:507
#7  0xf57bf180 in XPCJSContext::Initialize (this=this@entry=0xf3648400)
    at /home/glandium/mozilla-central/js/xpconnect/src/XPCJSContext.cpp:3321
#8  0xf57c5d80 in XPCJSContext::newXPCJSContext () at /home/glandium/mozilla-central/js/xpconnect/src/XPCJSContext.cpp:3497
#9  0xf57cf652 in nsXPConnect::nsXPConnect (this=0xf36ef150) at /home/glandium/mozilla-central/js/xpconnect/src/nsXPConnect.cpp:69
#10 0xf57cf68e in nsXPConnect::InitStatics () at /home/glandium/mozilla-central/js/xpconnect/src/nsXPConnect.cpp:112
#11 0xf57bf8da in xpcModuleCtor () at /home/glandium/mozilla-central/js/xpconnect/src/XPCModule.cpp:13
#12 0xf62eb97c in Initialize () at /home/glandium/mozilla-central/layout/build/nsLayoutModule.cpp:370
#13 0xf53b5aec in nsComponentManagerImpl::KnownModule::Load (this=0xf3657320)
    at /home/glandium/mozilla-central/xpcom/components/nsComponentManager.cpp:814
#14 0xf53b6454 in nsFactoryEntry::GetFactory (this=0xf36aea50)
    at /home/glandium/mozilla-central/xpcom/components/nsComponentManager.cpp:1836
#15 0xf53b6852 in nsComponentManagerImpl::CreateInstanceByContractID (this=0xf365a240, 
    aContractID=0xf6c88fb0 "@mozilla.org/moz/jsloader;1", aDelegate=0x0, aIID=..., aResult=0xff93f5c0)
    at /home/glandium/mozilla-central/xpcom/components/nsComponentManager.cpp:1137
#16 0xf53b7428 in nsComponentManagerImpl::GetServiceByContractID (this=0xf365a240, 
    aContractID=0xf6c88fb0 "@mozilla.org/moz/jsloader;1", aIID=..., aResult=aResult@entry=0xff93f614)
    at /home/glandium/mozilla-central/xpcom/components/nsComponentManager.cpp:1497
#17 0xf53b90d6 in CallGetService (aContractID=<optimized out>, aIID=..., aResult=aResult@entry=0xff93f614)
    at /home/glandium/mozilla-central/xpcom/components/nsComponentManagerUtils.cpp:69
#18 0xf53b90f2 in nsGetServiceByContractID::operator() (this=this@entry=0xff93f60c, aIID=..., 
    aInstancePtr=aInstancePtr@entry=0xff93f614) at /home/glandium/mozilla-central/xpcom/components/nsComponentManagerUtils.cpp:280
#19 0xf538e2d6 in nsCOMPtr_base::assign_from_gs_contractid (this=this@entry=0xff93f64c, aGS=..., aIID=...)
    at /home/glandium/mozilla-central/xpcom/base/nsCOMPtr.cpp:95
#20 0xf53cd35e in nsCOMPtr<nsISupports>::nsCOMPtr (aGS=..., this=0xff93f64c)
    at /home/glandium/mozilla-central/xpcom/base/nsCOMPtr.h:890
#21 NS_InitXPCOM2 (aResult=<optimized out>, aBinDirectory=<optimized out>, 
    aAppFileLocationProvider=aAppFileLocationProvider@entry=0xff93f814)
    at /home/glandium/mozilla-central/xpcom/build/XPCOMInit.cpp:730
#22 0xf53cd440 in NS_InitXPCOM2 (aResult=<optimized out>, aBinDirectory=<optimized out>, 
    aAppFileLocationProvider=aAppFileLocationProvider@entry=0xff93f814)
    at /home/glandium/mozilla-central/xpcom/build/XPCOMInit.cpp:482
#23 0xf57c6598 in XRE_XPCShellMain (argc=5, argv=0xff93fbb4, envp=0xff93fbcc, aShellData=<optimized out>)
    at /home/glandium/mozilla-central/js/xpconnect/src/XPCShellImpl.cpp:1449
#24 0xab1c2bee in main (argc=<optimized out>, argv=<optimized out>, envp=0xff93fbcc)
    at /home/glandium/mozilla-central/js/xpconnect/shell/xpcshell.cpp:68

Comment 1

[Mike Hommey [:glandium]]

Changing MOZ_OPTIMIZE_FLAGS from "-O3" to "-O3 -fno-schedule-insns" changes the crash to:
Program terminated with signal SIGBUS, Bus error.
#0  JS::Value::setObjectNoCheck (obj=0xf128d050, this=<optimized out>)
    at /home/glandium/mozilla-central/obj-armv8l-unknown-linux-gnueabihf/dist/include/js/Value.h:377
377             data.asBits = bitsFromTagAndPayload(JSVAL_TAG_OBJECT, PayloadType(obj));
(gdb) bt
#0  JS::Value::setObjectNoCheck (obj=0xf128d050, this=<optimized out>)
    at /home/glandium/mozilla-central/obj-armv8l-unknown-linux-gnueabihf/dist/include/js/Value.h:377
#1  JS::Value::setObject (obj=..., this=<optimized out>)
    at /home/glandium/mozilla-central/obj-armv8l-unknown-linux-gnueabihf/dist/include/js/Value.h:372
#2  js::MutableWrappedPtrOperations<JS::Value, JS::MutableHandle<JS::Value> >::setObject (obj=..., this=<synthetic pointer>)
    at /home/glandium/mozilla-central/obj-armv8l-unknown-linux-gnueabihf/dist/include/js/Value.h:1368
#3  mozJSComponentLoader::Import (this=0xf0f60a80, registryLocation=..., targetValArg=..., cx=0xf3910000, optionalArgc=0 '\000', 
    retval=...) at /home/glandium/mozilla-central/js/xpconnect/loader/mozJSComponentLoader.cpp:1084
#4  0xf5a2e6a4 in nsXPCComponents_Utils::Import (this=<optimized out>, registryLocation=..., targetObj=..., cx=0xf3910000, 
    optionalArgc=0 '\000', retval=...) at /home/glandium/mozilla-central/js/xpconnect/src/XPCComponents.cpp:2503
#5  0xf563f1b2 in NS_InvokeByIndex (that=0x1, methodIndex=2, paramCount=4045983824, params=0xfff8ace0)
    at /home/glandium/mozilla-central/xpcom/reflect/xptcall/md/unix/xptcinvoke_arm.cpp:413
#6  0x00000000 in ?? ()

Comment 2

[Mike Hommey [:glandium]]

(In reply to Mike Hommey [:glandium] from comment #1)
> Changing MOZ_OPTIMIZE_FLAGS from "-O3" to "-O3 -fno-schedule-insns"

in js/src/old-configure.in.

Comment 3

[Mike Hommey [:glandium]]

Note, this is in an armhf chroot on a arm64 host, thus the obj-armv8l... $objdir. But I did put an explit --target to my config.

Comment 4

[Mike Hommey [:glandium]]

(In reply to Mike Hommey [:glandium] from comment #1)
> #5  0xf563f1b2 in NS_InvokeByIndex (that=0x1, methodIndex=2,
> paramCount=4045983824, params=0xfff8ace0)
>     at
> /home/glandium/mozilla-central/xpcom/reflect/xptcall/md/unix/xptcinvoke_arm.
> cpp:413

Because that function contains assembly code and no cfi info, the stack is wrong from there, but by adding a breakpoint, here is the right backtrace:

#0  NS_InvokeByIndex (that=0xf121aab0, methodIndex=9, paramCount=5, params=0xfffecdd0)
    at /home/glandium/mozilla-central/xpcom/reflect/xptcall/md/unix/xptcinvoke_arm.cpp:359
#1  0xf5bd0624 in CallMethodHelper::Invoke (this=0xfffecda0)
    at /home/glandium/mozilla-central/js/xpconnect/src/XPCWrappedNative.cpp:2010
#2  CallMethodHelper::Call (this=0xfffecda0) at /home/glandium/mozilla-central/js/xpconnect/src/XPCWrappedNative.cpp:1329
#3  XPCWrappedNative::CallMethod (ccx=..., mode=mode@entry=XPCWrappedNative::CALL_METHOD)
    at /home/glandium/mozilla-central/js/xpconnect/src/XPCWrappedNative.cpp:1296
#4  0xf5bd3412 in XPC_WN_CallMethod (cx=<optimized out>, argc=1, vp=0xf107e0b8)
    at /home/glandium/mozilla-central/js/xpconnect/src/XPCWrappedNativeJSOps.cpp:983
#5  0xf6c7fc64 in js::CallJSNative (args=..., native=<optimized out>, cx=0xf3a12800)
    at /home/glandium/mozilla-central/js/src/jscntxtinlines.h:281
#6  js::InternalCallOrConstruct (cx=0xf3a12800, args=..., construct=<optimized out>)
    at /home/glandium/mozilla-central/js/src/vm/Interpreter.cpp:460
#7  0xf6c7c828 in js::CallFromStack (args=..., cx=<optimized out>) at /home/glandium/mozilla-central/js/src/vm/Interpreter.cpp:511
#8  Interpret (cx=0xf3a12800, state=...) at /home/glandium/mozilla-central/js/src/vm/Interpreter.cpp:2957
#9  0xf6c7fa2e in js::RunScript (cx=cx@entry=0xf3a12800, state=...) at /home/glandium/mozilla-central/js/src/vm/Interpreter.cpp:406
#10 0xf6c80e8a in js::ExecuteKernel (result=0x0, evalInFrame=..., newTargetValue=..., envChainArg=..., script=..., cx=0xf3a12800)
    at /home/glandium/mozilla-central/js/src/vm/Interpreter.cpp:687
#11 js::Execute (cx=cx@entry=0xf3a12800, script=..., script@entry=..., envChainArg=..., rval=rval@entry=0x0)
    at /home/glandium/mozilla-central/js/src/vm/Interpreter.cpp:720
#12 0xf6e02aba in ExecuteScript (cx=cx@entry=0xf3a12800, scope=scope@entry=..., script=..., rval=rval@entry=0x0)
    at /home/glandium/mozilla-central/js/src/jsapi.cpp:4440
#13 0xf6e0a4f4 in JS_ExecuteScript (cx=cx@entry=0xf3a12800, scriptArg=scriptArg@entry=...)
    at /home/glandium/mozilla-central/js/src/jsapi.cpp:4473
#14 0xf5bac0fc in mozJSComponentLoader::ObjectForLocation (this=this@entry=0xf1ddfa00, aInfo=..., aComponentFile=<optimized out>, 
    aObject=..., aTableScript=..., aLocation=0xf1073c84, aPropagateExceptions=aPropagateExceptions@entry=true, 
    aException=aException@entry=...) at /home/glandium/mozilla-central/js/xpconnect/loader/mozJSComponentLoader.cpp:969
#15 0xf5bac71a in mozJSComponentLoader::ImportInto (this=this@entry=0xf1ddfa00, aLocation=..., targetObj=..., targetObj@entry=..., 
    callercx=<optimized out>, callercx@entry=0xf3a12800, vp=vp@entry=...)
    at /home/glandium/mozilla-central/js/xpconnect/loader/mozJSComponentLoader.cpp:1200
#16 0xf5bacc22 in mozJSComponentLoader::Import (this=0xf1ddfa00, registryLocation=..., targetValArg=..., cx=0xf3a12800, 
    optionalArgc=0 '\000', retval=...) at /home/glandium/mozilla-central/js/xpconnect/loader/mozJSComponentLoader.cpp:1076
#17 0xf5bb16a4 in nsXPCComponents_Utils::Import (this=<optimized out>, registryLocation=..., targetObj=..., cx=0xf3a12800, 
    optionalArgc=0 '\000', retval=...) at /home/glandium/mozilla-central/js/xpconnect/src/XPCComponents.cpp:2503
#18 0xf57c21b2 in NS_InvokeByIndex (that=0xf121aab0, methodIndex=9, paramCount=5, params=0xfffed948)
    at /home/glandium/mozilla-central/xpcom/reflect/xptcall/md/unix/xptcinvoke_arm.cpp:413
#19 0x00000000 in ?? ()

(That's a different NS_InvokeByIndex, that went normally)

The crash happens because the retval in the nsXPCComponents_Utils::Import stack frame (#4 in comment 1) is:
{<js::MutableHandleBase<JS::Value, JS::MutableHandle<JS::Value> >> = {<js::MutableWrappedPtrOperations<JS::Value, JS::MutableHandle<JS::Value> >> = {<js::WrappedPtrOperations<JS::Value, JS::MutableHandle<JS::Value> >> = {<No data fields>}, <No data fields>}, <No data fields>}, ptr = 0x2}

Comment 5

[Mike Hommey [:glandium]]

Both crashes are unrelated to each other. I'll file the second one separately. With the bisected changeset for the second crash  backed out, I can run mach package fully with GCC6 and -fno-schedule-insns without hitting the first crash. I'm trying GCC 5 without any flags to see if it's GCC 6 only.

Comment 6

[Mike Hommey [:glandium]]

I confirmed the following:
- It doesn't happen with GCC 5 with default build flags.
- It happens with GCC 6 with default build flags
- It doesn't happen with GCC 6 with MOZ_OPTIMIZE_FLAGS="-O3 -fno-schedule-insns" in js/src/old-configure.in

(the first and last items hit bug 1337988)

Comment 7

[Iain Lane]

We're seeing this on Ubuntu too, where we also build armhf-on-arm64. Over at bug #133340 I posted this from dmesg:

[Tue Aug 29 12:16:41 2017] js[27439]: unhandled level 1 translation fault (11) at 0x00000000, esr 0x92000045
[Tue Aug 29 12:16:41 2017] pgd = ffff800101eaa000
[Tue Aug 29 12:16:41 2017] [00000000] *pgd=000000011deb8003, *pud=0000000000000000

[Tue Aug 29 12:16:41 2017] CPU: 1 PID: 27439 Comm: js Not tainted 4.4.0-83-generic #106-Ubuntu
[Tue Aug 29 12:16:41 2017] Hardware name: linux,dummy-virt (DT)
[Tue Aug 29 12:16:41 2017] task: ffff800003829a00 ti: ffff80018ebd0000 task.ti: ffff80018ebd0000
[Tue Aug 29 12:16:41 2017] PC is at 0xaabf37e0
[Tue Aug 29 12:16:41 2017] LR is at 0xf706e24d
[Tue Aug 29 12:16:41 2017] pc : [<00000000aabf37e0>] lr : [<00000000f706e24d>] pstate: 600f0010
[Tue Aug 29 12:16:41 2017] sp : 00000000ffbd16f0
[Tue Aug 29 12:16:41 2017] x12: 00000000ab561cc8 
[Tue Aug 29 12:16:41 2017] x11: 00000000f6e0d270 x10: 00000000f6e192e4 
[Tue Aug 29 12:16:41 2017] x9 : 0000000000000001 x8 : 00000000f7398ce8 
[Tue Aug 29 12:16:41 2017] x7 : 00000000ab561c7c x6 : 00000000f6e0d270 
[Tue Aug 29 12:16:41 2017] x5 : 00000000f7114e00 x4 : 0000000000000000 
[Tue Aug 29 12:16:41 2017] x3 : 00000000ab4811fc x2 : 00000000abfcae08 
[Tue Aug 29 12:16:41 2017] x1 : 0000000000000000 x0 : 0000000000000000

Comment 9

[Jason Orendorff [:jorendorff]]

Does this still happen? If so, how pressing is it? If pressing, can we please have a new stack trace?

Comment 10

[Iain Lane]

I don't *think* so for me. I believe this crashed on mozjs52:

root@helping-seahorse:~/mozilla-central/js/src# /usr/local/bin/js60
js> # hit ctrl-d here
root@helping-seahorse:~/mozilla-central/js/src#

maybe glandium could confirm.

Comment 11

[Mike Hommey [:glandium]]

This doesn't happen on m-c anymore.