Closed Bug 1434994 Opened 6 years ago Closed 6 years ago

Crash in @0x0 | std::sys_common::backtrace::__rust_begin_short_backtrace<T>

Categories

(Firefox for Android Graveyard :: General, defect, P1)

Unspecified
Android
defect

Tracking

(firefox-esr52 unaffected, firefox58 unaffected, firefox59 unaffected, firefox60+ fixed)

RESOLVED FIXED
Firefox 60
Tracking Status
firefox-esr52 --- unaffected
firefox58 --- unaffected
firefox59 --- unaffected
firefox60 + fixed

People

(Reporter: marcia, Assigned: bholley)

References

Details

(Keywords: crash, regression, topcrash)

Crash Data

Attachments

(1 file)

This bug was filed from the Socorro interface and is
report bp-786f1550-91a3-4ce7-a69e-649600180201.
=============================================================

Seen while looking at Android crash stats: http://bit.ly/2nxgHok. Crash spiked using 20180201100053.

Possible regression range: https://hg.mozilla.org/mozilla-central/pushloghtml?fromchange=5454ed95c82a956009db2f4b04d008ec8753e61e&tochange=17ade9f88b6ed2232be51bc02c6860562c3d31dc

Maybe https://hg.mozilla.org/mozilla-central/annotate/c3ab38db798e/third_party/rust/rayon-core/src/scope/mod.rs#l2?

209 crashes/115 installations

Top 10 frames of crashing thread:

0  @0x0 
1 libxul.so std::sys_common::backtrace::__rust_begin_short_backtrace<closure, > third_party/rust/rayon-core/src/registry.rs:559
2 dalvik-main space (region space) (deleted) dalvik-main space @0x3e62ac99 
3 NotoSansCJK-Regular.ttc NotoSansCJK-Regular.ttc@0x727117 
4 libxul.so std::sys_common::thread::min_stack src/libcore/num/mod.rs:3307
5 browser.db (deleted) browser.db @0x14eb2a 
6 libxul.so mozilla::gfx::FilterNodeLightingSoftware<mozilla::gfx::::DiffuseLightingSoftware>::Render mfbt/PodOperations.h:45
7 dalvik-main space (region space) (deleted) dalvik-main space @0x3c616c8c 
8 libxul.so std::sys::imp::thread::{{impl}}::new src/libstd/sys/unix/thread.rs
9 libxul.so alloc::boxed::{{impl}}::call_box<, closure> src/libstd/thread/mod.rs:406

=============================================================
:emilio, could you investigate please ?
Flags: needinfo?(emilio)
:jchen could this have something to do with bug 1428182?
Flags: needinfo?(nchen)
I was able to repro this on my Pixel using the latest nightly - my stack was @0x0 | rayon_core::registry::in_worker<T>

STR:
1. Load a page and scroll up or open a link a new tab. Doesn't happen 100% so I will try to get some better steps.
Crash Signature: [@ @0x0 | std::sys_common::backtrace::__rust_begin_short_backtrace<T>] → [@ @0x0 | std::sys_common::backtrace::__rust_begin_short_backtrace<T>] [@ @0x0 | rayon_core::registry::in_worker<T>]
Crash Signature: [@ @0x0 | std::sys_common::backtrace::__rust_begin_short_backtrace<T>] [@ @0x0 | rayon_core::registry::in_worker<T>] → [@ @0x0 | std::sys_common::backtrace::__rust_begin_short_backtrace<T>] [@ @0x0 | rayon_core::registry::in_worker<T>] [@ rayon_core::registry::in_worker<T>]
(In reply to Marcia Knous [:marcia - use ni] from comment #2)
> :jchen could this have something to do with bug 1428182?

I would be surprised. That bug should only involve compile-time changes.
Flags: needinfo?(nchen)
Crash Signature: [@ @0x0 | std::sys_common::backtrace::__rust_begin_short_backtrace<T>] [@ @0x0 | rayon_core::registry::in_worker<T>] [@ rayon_core::registry::in_worker<T>] → [@ @0x0 | std::sys_common::backtrace::__rust_begin_short_backtrace<T>] [@ mozalloc_abort | abort | std::sys_common::backtrace::__rust_begin_short_backtrace<T>] [@ @0x0 | rayon_core::registry::in_worker<T>] [@ rayon_core::registry::in_worker<T>] [@ coc…
:baku, could 1432963 have anything to do with this spike?
(In reply to Marcia Knous [:marcia - use ni] from comment #5)
> :baku, could 1432963 have anything to do with this spike?

Sorry Bug 1432963
Product: Core → Firefox for Android
(In reply to Marcia Knous [:marcia - use ni] from comment #6)
> (In reply to Marcia Knous [:marcia - use ni] from comment #5)
> > :baku, could 1432963 have anything to do with this spike?
> 
> Sorry Bug 1432963

Probably not.

Niko, Ralph, a rustc update landed in central recently, right? Does this crash inside rayon / coco (arm-only it seems) ring a bell?

It's late for me now, but I can try to figure out tomorrow with the repro steps of comment 3.
Flags: needinfo?(nmatsakis)
Flags: needinfo?(giles)
Crash Signature: coco::deque::{{impl}}::steal<T>] → coco::deque::{{impl}}::steal<T>] [@ @0x0 | std::sys::imp::thread::{{impl}}::new]
(In reply to Marcia Knous [:marcia - use ni] from comment #3)
> I was able to repro this on my Pixel using the latest nightly - my stack was
> @0x0 | rayon_core::registry::in_worker<T>
> 
> STR:
> 1. Load a page and scroll up or open a link a new tab. Doesn't happen 100%
> so I will try to get some better steps.

Yesterday with my Pixel I was loading stories from nfl.com/news and opening them. Usually after I scrolled I would crash, and then subsequent restarts would cause that page to keep on crashing.
Tracking this for 60.
This doesn't seem familiar to me.
Flags: needinfo?(nmatsakis)
It looks like bug 1418161 is in the regression range. That bug does relaxed atomic operations during the rayon traversal, and relaxed atomic ops behave differently on ARM than x86.

Thinking about this again, we totally need acquire/release here. Sorry for missing that. :-( I'll write a patch.
Assignee: nobody → bobbyholley
Flags: needinfo?(giles)
Flags: needinfo?(emilio)
Assignee: bobbyholley → nobody
Crash Signature: coco::deque::{{impl}}::steal<T>] [@ @0x0 | std::sys::imp::thread::{{impl}}::new] → coco::deque::{{impl}}::steal<T>] [@ @0x0 | std::sys::imp::thread::{{impl}}::new] [@ @0x0 | libGLESv2_adreno.so@0x887e] [@ @0x0 | libhidltransport.so@0x187e] [@ @0x0 | libjavacrypto.so@0x87e] [@ @0x0 | libc++.so@0x187e]
Assignee: nobody → bobbyholley
Priority: -- → P1
MozReview-Commit-ID: 3gtoLRf8TNl
Attachment #8947935 - Flags: review?(emilio)
Comment on attachment 8947935 [details] [diff] [review]
Use ReleaseAcquire for the cached serialization atomic. v1

Review of attachment 8947935 [details] [diff] [review]:
-----------------------------------------------------------------

r=me, though the stacks don't point particularly here. Sorry for overlooking it :(.
Attachment #8947935 - Flags: review?(emilio) → review+
Pushed by bholley@mozilla.com:
https://hg.mozilla.org/integration/autoland/rev/358a2df0b630
Use ReleaseAcquire for the cached serialization atomic. r=emilio
See Also: → 1431448
Keywords: topcrash
Crash Signature: coco::deque::{{impl}}::steal<T>] [@ @0x0 | std::sys::imp::thread::{{impl}}::new] [@ @0x0 | libGLESv2_adreno.so@0x887e] [@ @0x0 | libhidltransport.so@0x187e] [@ @0x0 | libjavacrypto.so@0x87e] [@ @0x0 | libc++.so@0x187e] → coco::deque::{{impl}}::steal<T>] [@ @0x0 | std::sys::imp::thread::{{impl}}::new] [@ @0x0 | libGLESv2_adreno.so@0x887e] [@ @0x0 | libjavacrypto.so@0x87e] [@ @0x0 | libc++.so@0x187e] [@ @0x0 | libart-compiler.so@0xd87e] [@ @0x0 | libGLESv2_adreno.so@…
https://hg.mozilla.org/mozilla-central/rev/358a2df0b630
Status: NEW → RESOLVED
Closed: 6 years ago
Resolution: --- → FIXED
Target Milestone: --- → Firefox 60
Product: Firefox for Android → Firefox for Android Graveyard
You need to log in before you can comment on or make changes to this bug.

Attachment

General

Created:
Updated:
Size: