Closed
Bug 1599436
Opened 5 years ago
Closed 4 years ago
Test failures with ccov build with clang opt
Categories
(Testing :: Code Coverage, task)
Tracking
(firefox73 fixed)
RESOLVED
FIXED
mozilla73
| Tracking | Status | |
|---|---|---|
| firefox73 | --- | fixed |
People
(Reporter: calixte, Assigned: calixte)
References
Details
Crash Data
Attachments
(1 file)
There are several failures on the llvm functions used to dump counters.
For example:
https://treeherder.mozilla.org/logviewer.html#/jobs?job_id=278141214&repo=try&lineNumber=1160
The stack trace is:
Crash reason: SIGSEGV /SEGV_MAPERR
Crash address: 0x7f5601269f48
Process uptime: not available
Thread 61 (crashed)
0 libxul.so!llvm_gcda_emit_arcs + 0x135
rax = 0x0000000059f65ecd rdx = 0x0000000059f65ecd
rcx = 0x0000000001a10000 rbx = 0x0000000000001f48
rsi = 0x00007f56291adb30 rdi = 0x0000000000000002
rbp = 0x00007f55f7081650 rsp = 0x00007f55f7081520
r8 = 0x00000000a13c07ab r9 = 0x0000000000000000
r10 = 0x0000000000000001 r11 = 0x0000000000000246
r12 = 0x00007f55ffff6350 r13 = 0x0000000000000002
r14 = 0x0000000000001f44 r15 = 0x00007f5601268000
rip = 0x00007f561cca6f65
Found by: given as instruction pointer in context
1 libxul.so!__llvm_gcov_writeout + 0x5b
rbx = 0x0000000000000840 rbp = 0x00007f55f7081650
rsp = 0x00007f55f7081570 r12 = 0x00007f55ffff6350
r13 = 0x00007f55fc1fdd30 r14 = 0x00007f5620eb18a0
r15 = 0x00007f56250533e0 rip = 0x00007f561ac5e19b
Found by: call frame info
2 libxul.so!__llvm_gcov_flush + 0x6
rbx = 0x00007f56346df2c0 rbp = 0x00007f55f7081650
rsp = 0x00007f55f7081590 r12 = 0x00007f55ffff6350
r13 = 0x00007f55fc1fdd30 r14 = 0x00007f55f708166c
r15 = 0x00007f55fff143a0 rip = 0x00007f561ac5e1c6
Found by: call frame info
3 libxul.so!__gcov_flush + 0x15
rbx = 0x00007f56346df2c0 rbp = 0x00007f55f7081650
rsp = 0x00007f55f70815a0 r12 = 0x00007f55ffff6350
r13 = 0x00007f55fc1fdd30 r14 = 0x00007f55f708166c
r15 = 0x00007f55fff143a0 rip = 0x00007f561cca7e65
Found by: call frame info
4 libxul.so!LaunchApp [process_util_linux.cc:7abc6fa6d3c91f764ca094b5c7876bd131ba610a : 41 + 0xd]
rbx = 0x00007f55fbd2b6b0 rbp = 0x00007f55f7081650
rsp = 0x00007f55f70815b0 r12 = 0x00007f55ffff6350
r13 = 0x00007f55fc1fdd30 r14 = 0x00007f55f708166c
r15 = 0x00007f55fff143a0 rip = 0x00007f560fd66a4b
Found by: call frame info
5 libxul.so!DoLaunch [GeckoChildProcessHost.cpp:7abc6fa6d3c91f764ca094b5c7876bd131ba610a : 1186 + 0x6b]
rbx = 0x00007f55f70816a0 rbp = 0x00007f55f7081680
rsp = 0x00007f55f7081660 r12 = 0x00007f55ffff6350
r13 = 0x00007f55fc1fdd30 r14 = 0x00007f55f7081740
r15 = 0x00007f55f7081718 rip = 0x00007f560fdf7713
Found by: call frame info
6 libxul.so!PerformAsyncLaunch [GeckoChildProcessHost.cpp:7abc6fa6d3c91f764ca094b5c7876bd131ba610a : 945 + 0xd]
rbx = 0x00007f55fbd2b600 rbp = 0x00007f55f7081700
rsp = 0x00007f55f7081690 r12 = 0x00007f55ffff6350
r13 = 0x00007f55fc1fdd30 r14 = 0x00007f55f7081740
r15 = 0x00007f55f7081718 rip = 0x00007f560fdf39ae
Found by: call frame info
7 libxul.so!Run [MozPromise.h:7abc6fa6d3c91f764ca094b5c7876bd131ba610a : 1343 + 0xd2]
rbx = 0x00007f5600885740 rbp = 0x00007f55f7081730
rsp = 0x00007f55f7081710 r12 = 0x00007f55ffff6350
r13 = 0x00007f55fc1fdd30 r14 = 0x00007f55f7081740
r15 = 0x00007f55fc1fdd30 rip = 0x00007f560fe187eb
Found by: call frame info
8 libxul.so!Run [TaskQueue.cpp:7abc6fa6d3c91f764ca094b5c7876bd131ba610a : 202 + 0x29]
rbx = 0x00007f5600885740 rbp = 0x00007f55f70817e0
rsp = 0x00007f55f7081740 r12 = 0x00007f55ffff6350
r13 = 0x00007f55fc1fdd30 r14 = 0x00007f55f7081740
r15 = 0x00007f55fc1fdd30 rip = 0x00007f560eefdb70
Found by: call frame info
9 libxul.so!Run [nsThreadPool.cpp:7abc6fa6d3c91f764ca094b5c7876bd131ba610a : 304 + 0x2a]
rbx = 0x00007f55fff63100 rbp = 0x00007f55f70818a0
rsp = 0x00007f55f70817f0 r12 = 0x00007f55ffff6350
r13 = 0x00007f55fc1fdd30 r14 = 0x00007f55ffff6380
r15 = 0x0000000000000000 rip = 0x00007f560ef297d4
Found by: call frame info
10 libxul.so!non-virtual thunk to nsThreadPool::Run() + 0xd
rbx = 0x0000000000000001 rbp = 0x00007f55f70818b0
rsp = 0x00007f55f70818b0 r12 = 0x00000000ffffffff
r13 = 0x00007f55ffff6360 r14 = 0x00007f55fff63100
r15 = 0x00007f55fff631f0 rip = 0x00007f560ef2a15d
Found by: call frame info
11 libxul.so!ProcessNextEvent [nsThread.cpp:7abc6fa6d3c91f764ca094b5c7876bd131ba610a : 1250 + 0x2a]
rbx = 0x0000000000000001 rbp = 0x00007f55f7081dd0
rsp = 0x00007f55f70818c0 r12 = 0x00000000ffffffff
r13 = 0x00007f55ffff6360 r14 = 0x00007f55fff63100
r15 = 0x00007f55fff631f0 rip = 0x00007f560ef1d555
Found by: call frame info
12 libxul.so!<name omitted> [nsThreadUtils.cpp:7abc6fa6d3c91f764ca094b5c7876bd131ba610a : 486 + 0xd]
rbx = 0x0000000000000001 rbp = 0x00007f55f7081e00
rsp = 0x00007f55f7081de0 r12 = 0x00007f56008a00a0
r13 = 0x00007f55f6577bc0 r14 = 0x00007f56008a0080
r15 = 0x00007f55fff63100 rip = 0x00007f560ef2530b
Found by: call frame info
13 libxul.so!Run [MessagePump.cpp:7abc6fa6d3c91f764ca094b5c7876bd131ba610a : 333 + 0x15]
rbx = 0x0000000000000000 rbp = 0x00007f55f7081e40
rsp = 0x00007f55f7081e10 r12 = 0x00007f56008a00a0
r13 = 0x00007f55f6577bc0 r14 = 0x00007f56008a0080
r15 = 0x00007f55fff63100 rip = 0x00007f560fe4c90d
Found by: call frame info
14 libxul.so!Run [message_loop.cc:7abc6fa6d3c91f764ca094b5c7876bd131ba610a : 290 + 0x60]
rbx = 0x00007f55fc1fdd60 rbp = 0x00007f55f7081e70
rsp = 0x00007f55f7081e50 r12 = 0x00007f55fff63100
r13 = 0x0000000000000002 r14 = 0x00007f55f6577bc0
r15 = 0x00007f55fffbf7e8 rip = 0x00007f560fd71724
Found by: call frame info
15 libxul.so!ThreadFunc [nsThread.cpp:7abc6fa6d3c91f764ca094b5c7876bd131ba610a : 458 + 0x24]
rbx = 0x00007f55fc1fdd60 rbp = 0x00007f55f7081ec0
rsp = 0x00007f55f7081e80 r12 = 0x00007f55fff63100
r13 = 0x0000000000000002 r14 = 0x00007f55f6577bc0
r15 = 0x00007f55fffbf7e8 rip = 0x00007f560ef17240
Found by: call frame info
16 libnspr4.so!_pt_root [ptthread.c:7abc6fa6d3c91f764ca094b5c7876bd131ba610a : 201 + 0xa]
rbx = 0x00007f56346619d0 rbp = 0x00007f55f7081f10
rsp = 0x00007f55f7081ed0 r12 = 0x00007f55f6fd9b80
r13 = 0x0000000000000002 r14 = 0x00007f55f7082700
r15 = 0x000000000000045c rip = 0x00007f5635d08ea1
Found by: call frame info
17 libpthread-2.23.so!start_thread [pthread_create.c : 333 + 0x11]
rbx = 0x0000000000000000 rbp = 0x0000000000000000
rsp = 0x00007f55f7081f20 r12 = 0x0000000000000000
r13 = 0x00007f560a28f7af r14 = 0x00007f55f70829c0
r15 = 0x0000000000000001 rip = 0x00007f563596f6ba
Found by: call frame info
18 libc-2.23.so!__clone + 0x6d
rbx = 0x00007f55f7082700 rbp = 0x0000000000000000
rsp = 0x00007f55f7081fc0 r12 = 0x0000000000000000
r13 = 0x00007f560a28f7af r14 = 0x00007f55f70829c0
r15 = 0x0000000000000001 rip = 0x00007f56349f841d
Found by: call frame info
The disassembly code (crash address is +309) is:
...
0x0000000011b5af3a <+266>: mov 0xd766337(%rip),%r15 # 0x1f2c1278 <write_buffer>
0x0000000011b5af41 <+273>: mov (%r15,%r14,1),%ecx
0x0000000011b5af45 <+277>: lea 0x4(%r14),%rbx
0x0000000011b5af49 <+281>: mov %rbx,0xd766338(%rip) # 0x1f2c1288 <cur_pos>
0x0000000011b5af50 <+288>: cmp $0xffffffff,%ecx
0x0000000011b5af53 <+291>: je 0x11b5b001 <llvm_gcda_emit_arcs+465>
0x0000000011b5af59 <+297>: cmp $0x1a10000,%ecx
0x0000000011b5af5f <+303>: jne 0x11b5b00a <llvm_gcda_emit_arcs+474>
0x0000000011b5af65 <+309>: mov 0x4(%r15,%r14,1),%ecx
0x0000000011b5af6a <+314>: lea 0x8(%r14),%rbp
0x0000000011b5af6e <+318>: mov %rbp,0xd766313(%rip) # 0x1f2c1288 <cur_pos>
0x0000000011b5af75 <+325>: cmp $0xffffffff,%ecx
0x0000000011b5af78 <+328>: je 0x11b5b024 <llvm_gcda_emit_arcs+500>
...
So it should correspond to:
https://github.com/llvm/llvm-project/blob/master/compiler-rt/lib/profile/GCDAProfiling.c#L478 (read a 32 bit integer in the buffer).
So for any reason the buffer has been corrupted.
|
Assignee | |
Comment 1•5 years ago
•
|
||
The issue is in llvm/compiler-rt:
- to have good counters value there's a call to
gcov_flushbefore eachforkcall:
https://github.com/llvm/llvm-project/blob/master/llvm/lib/Transforms/Instrumentation/GCOVProfiling.cpp#L659 - since in a process we can have several threads which are forking (it's what's happening here) then we've several call to
gcov_flushwhich is not synchronized.
So the fix is probably easy: just add a locked section ingcov_flush.
|
|
Assignee | |
Comment 2•4 years ago
|
||
The bug has been fixed on llvm side:
https://github.com/llvm/llvm-project/commit/88f5bf77f92899b19fdafdffc7b060f930c1cb8b
So in waiting for a new release of clang, I'll backport the patch in m-c.
|
|
Assignee | |
Updated•4 years ago
|
Assignee: nobody → cdenizet
|
|
Assignee | |
Comment 3•4 years ago
|
||
In order to avoid crashes when we're dumping gcda files, we backport a llvm/compiler-rt patch which fix this issue in adding a critical section around flush.
|
|
Assignee | |
Comment 4•4 years ago
|
||
|
||
Comment 5•4 years ago
|
||
|
||
Comment 6•4 years ago
|
||
| bugherder | ||
Status: NEW → RESOLVED
Closed: 4 years ago
status-firefox73:
--- → fixed
Resolution: --- → FIXED
Target Milestone: --- → mozilla73
|
||
Updated•4 years ago
|
Crash Signature: [@ _IO_new_fclose]
You need to log in
before you can comment on or make changes to this bug.
Description
•