Open
Bug 1375459
Opened 7 years ago
Updated 2 years ago
netwerk/test/unit/test_backgroundfilesaver.js crashes on Android 4.3 API15+ debug
Categories
(Core :: XPCOM, defect, P3)
Core
XPCOM
Tracking
()
NEW
People
(Reporter: florian, Unassigned)
References
Details
Attachments
(1 file)
|
75.02 KB,
text/plain
|
Details |
The test passes and then crashes at shutdown, I'm attaching the relevant output.
Pushed by florian@queze.net: https://hg.mozilla.org/mozilla-central/rev/74a2ff180838 disable netwerk/test/unit/test_backgroundfilesaver.js on Android 4.3 API15+ debug due to crashes, rs+a=Tomcat
|
Reporter | |
Comment 2•7 years ago
|
||
As comment 1 says, I disabled the test which became perma fail when I landed bug 1374282. It's likely that this change https://hg.mozilla.org/mozilla-central/rev/52e7befb507aa23f93b9214c65758d6d65401293#l12.1 uncovered existing timing issues.
|
||
Comment 3•7 years ago
|
||
Hi Florian, why is this filed onder JavaScript GC? If it's not GC specific maybe it should be JavaScript Engine? Thanks.
Flags: needinfo?(florian)
|
|
Reporter | |
Comment 4•7 years ago
|
||
(In reply to Paul Bone [:pbone] from comment #3) > Hi Florian, why is this filed onder JavaScript GC? If it's not GC specific > maybe it should be JavaScript Engine? > > Thanks. Because the log (attachment 8880347 [details]) has lots of error messages related to the GC before the crash.
Flags: needinfo?(florian)
|
||
Comment 5•7 years ago
|
||
Looks like JSStackFrame still has a pointer to a JSObject after the JS engine has been shut down. This causes warnings from the GC about cells being live at shutdown. I'm going to tentatively transfer this to DOM.
Component: JavaScript: GC → DOM
|
||
Comment 7•7 years ago
|
||
Not after shutdown but during shutdown, at least the stack trace. Is http://searchfox.org/mozilla-central/rev/d08b24e613cac8c9c5a4131452459241010701e0/xpcom/base/CycleCollectedJSRuntime.cpp#1107 doing something which one shouldn't do during destroying JSRuntime?
Flags: needinfo?(jcoppeard)
|
|
||
Comment 8•7 years ago
|
||
This is happening during JSRuntime::destroyRuntime(), and the crash occurs after the end of the shutdown GC in the CycleCollectedJSRuntime::OnGC() callback. We're clearing a holder which is setting a Heap<T> to nullptr, which triggers the postbarrier. This attempts to check whether the previous value of the Heap<T> was in the nursery, but the GC has been shutdown at this point and the memory freed. So we get a SEGV when we try to access it. The problem is that the holder still had a GC thing pointer in it when we destroyed the runtime. This is what all the 'found live Cell' errors are about earlier on in the log. Normally we expect there to be no live pointers into the GC heap when we do the shutdown GC. So this is a leak somewhere earlier. One possibility is that the GC should null out live grey roots on shutdown but that could prevent us catching leaks. Maybe we should do this but check for leaked GC things before we destroy the runtime.
Flags: needinfo?(jcoppeard)
|
||
Comment 9•6 years ago
|
||
Moving to p3 because no activity for at least 1 year(s). See https://github.com/mozilla/bug-handling/blob/master/policy/triage-bugzilla.md#how-do-you-triage for more information
Priority: P2 → P3
|
||
Updated•2 years ago
|
Severity: normal → S3
You need to log in
before you can comment on or make changes to this bug.
Description
•