PROCESS-CRASH | pid: <bound method FirefoxBrowser.pid of <wptrunner.browsers.firefox.FirefoxBrowser object at 0x7f5d57397dd8>> | application crashed [@ mozilla::RestyleManager::RebuildAllStyleData(nsChangeHint, mozilla::StyleRestyleHint)]
Categories
(Firefox Build System :: Toolchains, task)
Tracking
(Not tracked)
People
(Reporter: glandium, Assigned: glandium)
Attachments
(1 obsolete file)
This happens on all 32-bit desktop platforms when building with both PGO and LTO with clang 15:
[task 2022-09-07T00:47:29.865Z] 00:47:29 INFO - PROCESS-CRASH | pid: <bound method FirefoxBrowser.pid of <wptrunner.browsers.firefox.FirefoxBrowser object at 0x7f5d57397dd8>> | application crashed [@ mozilla::RestyleManager::RebuildAllStyleData(nsChangeHint, mozilla::StyleRestyleHint)]
[task 2022-09-07T00:47:29.866Z] 00:47:29 INFO - Crash dump filename: /tmp/tmp0_u_9ttm/minidumps/5b6016d1-f304-27ca-2c7f-764433b1751f.dmp
[task 2022-09-07T00:47:29.866Z] 00:47:29 INFO - Operating system: Linux
[task 2022-09-07T00:47:29.866Z] 00:47:29 INFO - 4.4.0-1014-aws #14taskcluster1-Ubuntu SMP Tue Apr 3 10:27:00 UTC 2018
[task 2022-09-07T00:47:29.866Z] 00:47:29 INFO - CPU: x86
[task 2022-09-07T00:47:29.866Z] 00:47:29 INFO - GenuineIntel family 6 model 85 stepping 7
[task 2022-09-07T00:47:29.866Z] 00:47:29 INFO - 4 CPUs
[task 2022-09-07T00:47:29.866Z] 00:47:29 INFO - Linux Ubuntu 18.04 - bionic (Ubuntu 18.04.6 LTS)
[task 2022-09-07T00:47:29.866Z] 00:47:29 INFO -
[task 2022-09-07T00:47:29.866Z] 00:47:29 INFO - Crash reason: SIGSEGV / SEGV_MAPERR
[task 2022-09-07T00:47:29.866Z] 00:47:29 INFO - Crash address: 0x0
[task 2022-09-07T00:47:29.866Z] 00:47:29 INFO - Process uptime: not available
[task 2022-09-07T00:47:29.866Z] 00:47:29 INFO -
[task 2022-09-07T00:47:29.866Z] 00:47:29 INFO - Thread 0 firefox-bin (crashed)
[task 2022-09-07T00:47:29.866Z] 00:47:29 INFO - 0 libxul.so!mozilla::RestyleManager::RebuildAllStyleData(nsChangeHint, mozilla::StyleRestyleHint) [RestyleManager.cpp:2a281a2900f524925107f249b2ddcc7234f1fc2f : 2362 + 0x43]
[task 2022-09-07T00:47:29.866Z] 00:47:29 INFO - eip = 0xed3ec85c esp = 0xfffcbff0 ebp = 0xfffcc068 ebx = 0xf0d06000
[task 2022-09-07T00:47:29.866Z] 00:47:29 INFO - esi = 0xcdd112e0 edi = 0x00000001 eax = 0x00000000 ecx = 0xce7021f0
[task 2022-09-07T00:47:29.866Z] 00:47:29 INFO - edx = 0x00000000 eflags = 0x00010246
[task 2022-09-07T00:47:29.866Z] 00:47:29 INFO - Found by: given as instruction pointer in context
[task 2022-09-07T00:47:29.866Z] 00:47:29 INFO - 1 libxul.so!nsPresContext::FlushPendingMediaFeatureValuesChanged() [nsPresContext.cpp:2a281a2900f524925107f249b2ddcc7234f1fc2f : 1909 + 0x88]
[task 2022-09-07T00:47:29.866Z] 00:47:29 INFO - eip = 0xec369ca1 esp = 0xfffcc070 ebp = 0xfffcc0b8 ebx = 0xf0d06000
[task 2022-09-07T00:47:29.866Z] 00:47:29 INFO - esi = 0xdc18cf90 edi = 0xfffcc001
[task 2022-09-07T00:47:29.866Z] 00:47:29 INFO - Found by: call frame info
[task 2022-09-07T00:47:29.866Z] 00:47:29 INFO - 2 libxul.so!mozilla::PresShell::DoFlushPendingNotifications(mozilla::ChangesToFlush) [PresShell.cpp:2a281a2900f524925107f249b2ddcc7234f1fc2f : 4353 + 0x9]
[task 2022-09-07T00:47:29.866Z] 00:47:29 INFO - eip = 0xec318372 esp = 0xfffcc0c0 ebp = 0xfffcc238 ebx = 0xf0d06000
[task 2022-09-07T00:47:29.867Z] 00:47:29 INFO - esi = 0xf70ace30 edi = 0x00000000
[task 2022-09-07T00:47:29.867Z] 00:47:29 INFO - Found by: call frame info
[task 2022-09-07T00:47:29.867Z] 00:47:29 INFO - 3 libxul.so!nsRefreshDriver::Tick(mozilla::layers::BaseTransactionId<mozilla::VsyncIdType>, mozilla::TimeStamp, nsRefreshDriver::IsExtraTick) [nsRefreshDriver.cpp:2a281a2900f524925107f249b2ddcc7234f1fc2f : 2565 + 0x31]
[task 2022-09-07T00:47:29.867Z] 00:47:29 INFO - eip = 0xec309ce9 esp = 0xfffcc240 ebp = 0xfffcc5e8 ebx = 0xf0d06000
[task 2022-09-07T00:47:29.867Z] 00:47:29 INFO - esi = 0x00000000 edi = 0xf70ace00
[task 2022-09-07T00:47:29.867Z] 00:47:29 INFO - Found by: call frame info
[task 2022-09-07T00:47:29.867Z] 00:47:29 INFO - 4 libxul.so!mozilla::RefreshDriverTimer::TickRefreshDrivers(mozilla::layers::BaseTransactionId<mozilla::VsyncIdType>, mozilla::TimeStamp, nsTArray<RefPtr<nsRefreshDriver> >&) [nsRefreshDriver.cpp:2a281a2900f524925107f249b2ddcc7234f1fc2f : 353 + 0x3a]
[task 2022-09-07T00:47:29.867Z] 00:47:29 INFO - eip = 0xed3cc42e esp = 0xfffcc5f0 ebp = 0xfffcc638 ebx = 0xf0d06000
[task 2022-09-07T00:47:29.867Z] 00:47:29 INFO - esi = 0x00000000 edi = 0x00000001
[task 2022-09-07T00:47:29.867Z] 00:47:29 INFO - Found by: call frame info
[task 2022-09-07T00:47:29.867Z] 00:47:29 INFO - 5 libxul.so!mozilla::RefreshDriverTimer::Tick(mozilla::layers::BaseTransactionId<mozilla::VsyncIdType>, mozilla::TimeStamp) [nsRefreshDriver.cpp:2a281a2900f524925107f249b2ddcc7234f1fc2f : 369 + 0x15]
[task 2022-09-07T00:47:29.867Z] 00:47:29 INFO - eip = 0xed3cc293 esp = 0xfffcc640 ebp = 0xfffcc678 ebx = 0xf0d06000
[task 2022-09-07T00:47:29.867Z] 00:47:29 INFO - esi = 0x00000c0b edi = 0x0d2328ef
[task 2022-09-07T00:47:29.867Z] 00:47:29 INFO - Found by: call frame info
[task 2022-09-07T00:47:29.867Z] 00:47:29 INFO - 6 libxul.so!mozilla::VsyncRefreshDriverTimer::TickRefreshDriver(mozilla::layers::BaseTransactionId<mozilla::VsyncIdType>, mozilla::TimeStamp) [nsRefreshDriver.cpp:2a281a2900f524925107f249b2ddcc7234f1fc2f : 810 + 0x16]
[task 2022-09-07T00:47:29.867Z] 00:47:29 INFO - eip = 0xed3cbc7a esp = 0xfffcc680 ebp = 0xfffcc708 ebx = 0xf0d06000
[task 2022-09-07T00:47:29.867Z] 00:47:29 INFO - esi = 0xd7e95940 edi = 0x0d2328ef
[task 2022-09-07T00:47:29.867Z] 00:47:29 INFO - Found by: call frame info
[task 2022-09-07T00:47:29.867Z] 00:47:29 INFO - 7 libxul.so!mozilla::VsyncRefreshDriverTimer::NotifyVsyncOnMainThread(mozilla::VsyncEvent const&) [nsRefreshDriver.cpp:2a281a2900f524925107f249b2ddcc7234f1fc2f : 731 + 0x1d]
[task 2022-09-07T00:47:29.867Z] 00:47:29 INFO - eip = 0xed3cb7a2 esp = 0xfffcc710 ebp = 0xfffcc778 ebx = 0xf0d06000
[task 2022-09-07T00:47:29.867Z] 00:47:29 INFO - esi = 0x00000c0b edi = 0xffffffff
[task 2022-09-07T00:47:29.867Z] 00:47:29 INFO - Found by: call frame info
[task 2022-09-07T00:47:29.867Z] 00:47:29 INFO - 8 libxul.so!mozilla::detail::RunnableFunction<mozilla::VsyncRefreshDriverTimer::RefreshDriverVsyncObserver::NotifyVsync(mozilla::VsyncEvent const&)::{lambda()#1}>::Run() [nsThreadUtils.h:2a281a2900f524925107f249b2ddcc7234f1fc2f : 531 + 0x57]
[task 2022-09-07T00:47:29.867Z] 00:47:29 INFO - eip = 0xed3cc54a esp = 0xfffcc780 ebp = 0xfffcc7b8 ebx = 0xf0d06000
Comment 1•3 years ago
Thanks to bug 1779631, stacktrace with inlined frames:
[task 2022-09-08T08:13:45.452Z] 08:13:45 INFO - Thread 0 firefox-bin (crashed)
[task 2022-09-08T08:13:45.452Z] 08:13:45 INFO - 0 libxul.so!mozilla::RestyleManager::IncrementUndisplayedRestyleGeneration()
[task 2022-09-08T08:13:45.452Z] 08:13:45 INFO - Found by: inlining
[task 2022-09-08T08:13:45.452Z] 08:13:45 INFO - 1 libxul.so!mozilla::RestyleManager::PostRestyleEvent(mozilla::dom::Element*, mozilla::StyleRestyleHint, nsChangeHint) [RestyleManager.cpp:688f2a22d5502c4e502e0a1db043f24771f1c24f : 2308]
[task 2022-09-08T08:13:45.453Z] 08:13:45 INFO - Found by: inlining
[task 2022-09-08T08:13:45.453Z] 08:13:45 INFO - 2 libxul.so!mozilla::RestyleManager::RebuildAllStyleData(nsChangeHint, mozilla::StyleRestyleHint) [RestyleManager.cpp:688f2a22d5502c4e502e0a1db043f24771f1c24f : 2362 + 0x36]
[task 2022-09-08T08:13:45.453Z] 08:13:45 INFO - eip = 0xec24513e esp = 0xffdece40 ebp = 0xffdece98 ebx = 0xf0d06000
[task 2022-09-08T08:13:45.453Z] 08:13:45 INFO - esi = 0xcec14830 edi = 0x00000001 eax = 0x00000000 ecx = 0xcf602a10
[task 2022-09-08T08:13:45.453Z] 08:13:45 INFO - edx = 0x00000000 eflags = 0x00010246
[task 2022-09-08T08:13:45.453Z] 08:13:45 INFO - Found by: given as instruction pointer in context
[task 2022-09-08T08:13:45.453Z] 08:13:45 INFO - 3 libxul.so!nsPresContext::PostRebuildAllStyleDataEvent(nsChangeHint, mozilla::StyleRestyleHint const&) [nsPresContext.cpp:688f2a22d5502c4e502e0a1db043f24771f1c24f : 1852]
[task 2022-09-08T08:13:45.453Z] 08:13:45 INFO - Found by: inlining
[task 2022-09-08T08:13:45.454Z] 08:13:45 INFO - 4 libxul.so!nsPresContext::RebuildAllStyleData(nsChangeHint, mozilla::StyleRestyleHint const&) [nsPresContext.cpp:688f2a22d5502c4e502e0a1db043f24771f1c24f : 1840]
[task 2022-09-08T08:13:45.454Z] 08:13:45 INFO - Found by: inlining
[task 2022-09-08T08:13:45.454Z] 08:13:45 INFO - 5 libxul.so!nsPresContext::FlushPendingMediaFeatureValuesChanged() [nsPresContext.cpp:688f2a22d5502c4e502e0a1db043f24771f1c24f : 1907 + 0x88]
[task 2022-09-08T08:13:45.454Z] 08:13:45 INFO - eip = 0xeb36ea61 esp = 0xffdecea0 ebp = 0xffdecee8 ebx = 0xf0d06000
[task 2022-09-08T08:13:45.454Z] 08:13:45 INFO - esi = 0xdc6972f0 edi = 0xffdece01
[task 2022-09-08T08:13:45.455Z] 08:13:45 INFO - Found by: call frame info
[task 2022-09-08T08:13:45.455Z] 08:13:45 INFO - 6 libxul.so!mozilla::PresShell::DoFlushPendingNotifications(mozilla::ChangesToFlush) [PresShell.cpp:688f2a22d5502c4e502e0a1db043f24771f1c24f : 4353 + 0x7]
[task 2022-09-08T08:13:45.455Z] 08:13:45 INFO - eip = 0xeb31cdd2 esp = 0xffdecef0 ebp = 0xffded068 ebx = 0xf0d06000
[task 2022-09-08T08:13:45.456Z] 08:13:45 INFO - esi = 0xf70ab030 edi = 0x00000000
[task 2022-09-08T08:13:45.457Z] 08:13:45 INFO - Found by: call frame info
[task 2022-09-08T08:13:45.457Z] 08:13:45 INFO - 7 libxul.so!mozilla::PresShell::FlushPendingNotifications(mozilla::ChangesToFlush) [PresShell.h:688f2a22d5502c4e502e0a1db043f24771f1c24f : 1470]
[task 2022-09-08T08:13:45.458Z] 08:13:45 INFO - Found by: inlining
[task 2022-09-08T08:13:45.459Z] 08:13:45 INFO - 8 libxul.so!nsRefreshDriver::Tick(mozilla::layers::BaseTransactionId<mozilla::VsyncIdType>, mozilla::TimeStamp, nsRefreshDriver::IsExtraTick) [nsRefreshDriver.cpp:688f2a22d5502c4e502e0a1db043f24771f1c24f : 2565 + 0x31]
[task 2022-09-08T08:13:45.460Z] 08:13:45 INFO - eip = 0xeb30b029 esp = 0xffded070 ebp = 0xffded418 ebx = 0xf0d06000
[task 2022-09-08T08:13:45.461Z] 08:13:45 INFO - esi = 0x00000000 edi = 0xf70ab000
[task 2022-09-08T08:13:45.461Z] 08:13:45 INFO - Found by: call frame info
[task 2022-09-08T08:13:45.462Z] 08:13:45 INFO - 9 libxul.so!mozilla::RefreshDriverTimer::TickDriver(nsRefreshDriver*, mozilla::layers::BaseTransactionId<mozilla::VsyncIdType>, mozilla::TimeStamp) [nsRefreshDriver.cpp:688f2a22d5502c4e502e0a1db043f24771f1c24f : 375]
[task 2022-09-08T08:13:45.463Z] 08:13:45 INFO - Found by: inlining
[task 2022-09-08T08:13:45.464Z] 08:13:45 INFO - 10 libxul.so!mozilla::RefreshDriverTimer::TickRefreshDrivers(mozilla::layers::BaseTransactionId<mozilla::VsyncIdType>, mozilla::TimeStamp, nsTArray<RefPtr<nsRefreshDriver> >&) [nsRefreshDriver.cpp:688f2a22d5502c4e502e0a1db043f24771f1c24f : 353 + 0x3a]
[task 2022-09-08T08:13:45.464Z] 08:13:45 INFO - eip = 0xec225a5e esp = 0xffded420 ebp = 0xffded468 ebx = 0xf0d06000
[task 2022-09-08T08:13:45.465Z] 08:13:45 INFO - esi = 0x00000000 edi = 0x00000001
[task 2022-09-08T08:13:45.466Z] 08:13:45 INFO - Found by: call frame info
[task 2022-09-08T08:13:45.467Z] 08:13:45 INFO - 11 libxul.so!mozilla::RefreshDriverTimer::Tick(mozilla::layers::BaseTransactionId<mozilla::VsyncIdType>, mozilla::TimeStamp) [nsRefreshDriver.cpp:688f2a22d5502c4e502e0a1db043f24771f1c24f : 369 + 0x15]
[task 2022-09-08T08:13:45.468Z] 08:13:45 INFO - eip = 0xec2258c3 esp = 0xffded470 ebp = 0xffded4a8 ebx = 0xf0d06000
[task 2022-09-08T08:13:45.468Z] 08:13:45 INFO - esi = 0x00000296 edi = 0x626a3cc7
[task 2022-09-08T08:13:45.469Z] 08:13:45 INFO - Found by: call frame info
[task 2022-09-08T08:13:45.470Z] 08:13:45 INFO - 12 libxul.so!mozilla::VsyncRefreshDriverTimer::RunRefreshDrivers(mozilla::layers::BaseTransactionId<mozilla::VsyncIdType>, mozilla::TimeStamp) [nsRefreshDriver.cpp:688f2a22d5502c4e502e0a1db043f24771f1c24f : 896]
[task 2022-09-08T08:13:45.471Z] 08:13:45 INFO - Found by: inlining
[task 2022-09-08T08:13:45.471Z] 08:13:45 INFO - 13 libxul.so!mozilla::VsyncRefreshDriverTimer::TickRefreshDriver(mozilla::layers::BaseTransactionId<mozilla::VsyncIdType>, mozilla::TimeStamp) [nsRefreshDriver.cpp:688f2a22d5502c4e502e0a1db043f24771f1c24f : 810 + 0x13]
[task 2022-09-08T08:13:45.472Z] 08:13:45 INFO - eip = 0xec2252a5 esp = 0xffded4b0 ebp = 0xffded538 ebx = 0xf0d06000
[task 2022-09-08T08:13:45.473Z] 08:13:45 INFO - esi = 0xd8317700 edi = 0x626a3cc7
[task 2022-09-08T08:13:45.474Z] 08:13:45 INFO - Found by: call frame info
[task 2022-09-08T08:13:45.474Z] 08:13:45 INFO - 14 libxul.so!mozilla::VsyncRefreshDriverTimer::NotifyVsyncOnMainThread(mozilla::VsyncEvent const&) [nsRefreshDriver.cpp:688f2a22d5502c4e502e0a1db043f24771f1c24f : 731 + 0x1d]
[task 2022-09-08T08:13:45.475Z] 08:13:45 INFO - eip = 0xec224dc2 esp = 0xffded540 ebp = 0xffded5a8 ebx = 0xf0d06000
[task 2022-09-08T08:13:45.475Z] 08:13:45 INFO - esi = 0x00000296 edi = 0xffffffff
[task 2022-09-08T08:13:45.475Z] 08:13:45 INFO - Found by: call frame info
[task 2022-09-08T08:13:45.476Z] 08:13:45 INFO - 15 libxul.so!mozilla::VsyncRefreshDriverTimer::RefreshDriverVsyncObserver::NotifyVsyncTimerOnMainThread() [nsRefreshDriver.cpp:688f2a22d5502c4e502e0a1db043f24771f1c24f : 594]
[task 2022-09-08T08:13:45.476Z] 08:13:45 INFO - Found by: inlining
[task 2022-09-08T08:13:45.476Z] 08:13:45 INFO - 16 libxul.so!mozilla::VsyncRefreshDriverTimer::RefreshDriverVsyncObserver::NotifyVsync(mozilla::VsyncEvent const&)::{lambda()#1}::operator()() const [nsRefreshDriver.cpp:688f2a22d5502c4e502e0a1db043f24771f1c24f : 566]
[task 2022-09-08T08:13:45.476Z] 08:13:45 INFO - Found by: inlining
[task 2022-09-08T08:13:45.476Z] 08:13:45 INFO - 17 libxul.so!mozilla::detail::RunnableFunction<mozilla::VsyncRefreshDriverTimer::RefreshDriverVsyncObserver::NotifyVsync(mozilla::VsyncEvent const&)::{lambda()#1}>::Run() [nsThreadUtils.h:688f2a22d5502c4e502e0a1db043f24771f1c24f : 531 + 0x57]
[task 2022-09-08T08:13:45.476Z] 08:13:45 INFO - eip = 0xec225b7a esp = 0xffded5b0 ebp = 0xffded5e8 ebx = 0xf0d06000
[task 2022-09-08T08:13:45.476Z] 08:13:45 INFO - esi = 0xd8317700 edi = 0xd11d00cc
[task 2022-09-08T08:13:45.477Z] 08:13:45 INFO - Found by: call frame info
[task 2022-09-08T08:13:45.477Z] 08:13:45 INFO - 18 libxul.so!mozilla::PrioritizableRunnable::Run() [nsThreadUtils.cpp:688f2a22d5502c4e502e0a1db043f24771f1c24f : 130 + 0x7]
[task 2022-09-08T08:13:45.477Z] 08:13:45 INFO - eip = 0xeb845225 esp = 0xffded5f0 ebp = 0xffded5f8 ebx = 0xf0d06000
[task 2022-09-08T08:13:45.477Z] 08:13:45 INFO - esi = 0x00000043 edi = 0xcec15260
[task 2022-09-08T08:13:45.477Z] 08:13:45 INFO - Found by: call frame info
[task 2022-09-08T08:13:45.477Z] 08:13:45 INFO - 19 libxul.so!mozilla::RunnableTask::Run() [TaskController.cpp:688f2a22d5502c4e502e0a1db043f24771f1c24f : 538]
[task 2022-09-08T08:13:45.477Z] 08:13:45 INFO - Found by: inlining
[task 2022-09-08T08:13:45.477Z] 08:13:45 INFO - 20 libxul.so!mozilla::TaskController::DoExecuteNextTaskOnlyMainThreadInternal(mozilla::detail::BaseAutoLock<mozilla::Mutex&> const&) [TaskController.cpp:688f2a22d5502c4e502e0a1db043f24771f1c24f : 851 + 0x342]
[task 2022-09-08T08:13:45.477Z] 08:13:45 INFO - eip = 0xeb084b60 esp = 0xffded600 ebp = 0xffdedc78 ebx = 0xf0d06000
[task 2022-09-08T08:13:45.477Z] 08:13:45 INFO - esi = 0x00000043 edi = 0xcec15260
[task 2022-09-08T08:13:45.477Z] 08:13:45 INFO - Found by: call frame info
[task 2022-09-08T08:13:45.478Z] 08:13:45 INFO - 21 libxul.so!mozilla::TaskController::ExecuteNextTaskOnlyMainThreadInternal(mozilla::detail::BaseAutoLock<mozilla::Mutex&> const&) [TaskController.cpp:688f2a22d5502c4e502e0a1db043f24771f1c24f : 683]
[task 2022-09-08T08:13:45.478Z] 08:13:45 INFO - Found by: inlining
[task 2022-09-08T08:13:45.478Z] 08:13:45 INFO - 22 libxul.so!mozilla::TaskController::ProcessPendingMTTask(bool) [TaskController.cpp:688f2a22d5502c4e502e0a1db043f24771f1c24f : 461]
[task 2022-09-08T08:13:45.478Z] 08:13:45 INFO - Found by: inlining
[task 2022-09-08T08:13:45.478Z] 08:13:45 INFO - 23 libxul.so!mozilla::TaskController::InitializeInternal()::$_0::operator()() const [TaskController.cpp:688f2a22d5502c4e502e0a1db043f24771f1c24f : 187]
[task 2022-09-08T08:13:45.478Z] 08:13:45 INFO - Found by: inlining
[task 2022-09-08T08:13:45.478Z] 08:13:45 INFO - 24 libxul.so!mozilla::detail::RunnableFunction<mozilla::TaskController::InitializeInternal()::$_0>::Run() [nsThreadUtils.h:688f2a22d5502c4e502e0a1db043f24771f1c24f : 531]
[task 2022-09-08T08:13:45.478Z] 08:13:45 INFO - Found by: inlining
[task 2022-09-08T08:13:45.478Z] 08:13:45 INFO - 25 libxul.so!nsThread::ProcessNextEvent(bool, bool*) [nsThread.cpp:688f2a22d5502c4e502e0a1db043f24771f1c24f : 1205 + 0x1e]
[task 2022-09-08T08:13:45.478Z] 08:13:45 INFO - eip = 0xeb08d42d esp = 0xffdedc80 ebp = 0xffdedee8 ebx = 0xf0d06000
[task 2022-09-08T08:13:45.478Z] 08:13:45 INFO - esi = 0xffdedd68 edi = 0xf7049580
[task 2022-09-08T08:13:45.478Z] 08:13:45 INFO - Found by: call frame info
[task 2022-09-08T08:13:45.478Z] 08:13:45 INFO - 26 libxul.so!NS_ProcessNextEvent(nsIThread*, bool) [nsThreadUtils.cpp:688f2a22d5502c4e502e0a1db043f24771f1c24f : 465]
[task 2022-09-08T08:13:45.478Z] 08:13:45 INFO - Found by: inlining
[task 2022-09-08T08:13:45.478Z] 08:13:45 INFO - 27 libxul.so!mozilla::ipc::MessagePump::Run(base::MessagePump::Delegate*) [MessagePump.cpp:688f2a22d5502c4e502e0a1db043f24771f1c24f : 85 + 0x2f]
[task 2022-09-08T08:13:45.479Z] 08:13:45 INFO - eip = 0xeb0d39ae esp = 0xffdedef0 ebp = 0xffdee028 ebx = 0xf0d06000
[task 2022-09-08T08:13:45.479Z] 08:13:45 INFO - esi = 0xf4158340 edi = 0xffdedfc8
[task 2022-09-08T08:13:45.479Z] 08:13:45 INFO - Found by: call frame info
[task 2022-09-08T08:13:45.479Z] 08:13:45 INFO - 28 libxul.so!MessageLoop::RunInternal() [message_loop.cc:688f2a22d5502c4e502e0a1db043f24771f1c24f : 381]
[task 2022-09-08T08:13:45.479Z] 08:13:45 INFO - Found by: inlining
[task 2022-09-08T08:13:45.479Z] 08:13:45 INFO - 29 libxul.so!MessageLoop::RunHandler() [message_loop.cc:688f2a22d5502c4e502e0a1db043f24771f1c24f : 374]
[task 2022-09-08T08:13:45.479Z] 08:13:45 INFO - Found by: inlining
[task 2022-09-08T08:13:45.479Z] 08:13:45 INFO - 30 libxul.so!MessageLoop::Run() [message_loop.cc:688f2a22d5502c4e502e0a1db043f24771f1c24f : 356 + 0xb]
[task 2022-09-08T08:13:45.479Z] 08:13:45 INFO - eip = 0xeba3f72f esp = 0xffdee030 ebp = 0xffdee068 ebx = 0xf0d06000
[task 2022-09-08T08:13:45.479Z] 08:13:45 INFO - esi = 0xffdee048 edi = 0xf41289a0
[task 2022-09-08T08:13:45.479Z] 08:13:45 INFO - Found by: call frame info
[task 2022-09-08T08:13:45.479Z] 08:13:45 INFO - 31 libxul.so!nsBaseAppShell::Run() [nsBaseAppShell.cpp:688f2a22d5502c4e502e0a1db043f24771f1c24f : 150 + 0xc]
[task 2022-09-08T08:13:45.479Z] 08:13:45 INFO - eip = 0xec1b03e6 esp = 0xffdee070 ebp = 0xffdee088 ebx = 0xf0d06000
[task 2022-09-08T08:13:45.479Z] 08:13:45 INFO - esi = 0xf701d700 edi = 0xf41289a0
[task 2022-09-08T08:13:45.479Z] 08:13:45 INFO - Found by: call frame info
[task 2022-09-08T08:13:45.480Z] 08:13:45 INFO - 32 libxul.so!nsAppStartup::Run() [nsAppStartup.cpp:688f2a22d5502c4e502e0a1db043f24771f1c24f : 295 + 0x8]
[task 2022-09-08T08:13:45.480Z] 08:13:45 INFO - eip = 0xeaabf24d esp = 0xffdee090 ebp = 0xffdee0b8 ebx = 0xf0d06000
[task 2022-09-08T08:13:45.480Z] 08:13:45 INFO - esi = 0xf70fe100 edi = 0x80004005
[task 2022-09-08T08:13:45.480Z] 08:13:45 INFO - Found by: call frame info
[task 2022-09-08T08:13:45.480Z] 08:13:45 INFO - 33 libxul.so!XREMain::XRE_mainRun() [nsAppRunner.cpp:688f2a22d5502c4e502e0a1db043f24771f1c24f : 5720 + 0x7]
[task 2022-09-08T08:13:45.480Z] 08:13:45 INFO - eip = 0xeab3afb4 esp = 0xffdee0c0 ebp = 0xffdee228 ebx = 0xf0d06000
[task 2022-09-08T08:13:45.480Z] 08:13:45 INFO - esi = 0x00000000 edi = 0x80004005
[task 2022-09-08T08:13:45.480Z] 08:13:45 INFO - Found by: call frame info
[task 2022-09-08T08:13:45.480Z] 08:13:45 INFO - 34 libxul.so!XREMain::XRE_main(int, char**, mozilla::BootstrapConfig const&) [nsAppRunner.cpp:688f2a22d5502c4e502e0a1db043f24771f1c24f : 5913 + 0x6]
[task 2022-09-08T08:13:45.480Z] 08:13:45 INFO - eip = 0xeab3b92f esp = 0xffdee230 ebp = 0xffdee298 ebx = 0xf0d06000
[task 2022-09-08T08:13:45.480Z] 08:13:45 INFO - esi = 0xffdee2b0 edi = 0xf7007558
[task 2022-09-08T08:13:45.480Z] 08:13:45 INFO - Found by: call frame info
Comment 2•3 years ago
Starting from
https://github.com/llvm/llvm-project/commit/6c8adc505471542be38bd71d1000062daa46d7bc,
Servo_NoteExplicitHints can end up inlined in its callers via
cross-language LTO, which didn't happen before. This yields a
miscompilation in the caller, causing crashes. Until the miscompilation
is fixed, avoid the inlining.
Updated•3 years ago
Comment 4•3 years ago
Comment 5•3 years ago
Backed out per request. Backout link
Comment 6•3 years ago
Turns out there are more miscompilations. This will need to be addressed at the compiler level because we can't be sure to find them all.
Updated•3 years ago
Updated•3 years ago
Comment 7•3 years ago
This turns out to be a rustc bug that will need to be addressed separately from clang. For posterity, below is what I was originally typing as a llvm-project bug:
------8<-------
STR:
- Download and unpack https://drive.google.com/file/d/1NpxwPLOHxtIFrJAApM2jiWT3v1VU0jro/view?usp=sharing
- cd testcase
- sh command
(it should be more or less self-contained, possibly cross-platform, but in case it's not, try on Linux).
I'll go with some observations first, then will dig into where this is happening.
- I bisected this down to https://github.com/llvm/llvm-project/commit/6c8adc505471542be38bd71d1000062daa46d7bc, and it stops happening if I revert it on either trunk or clang 15.
- It doesn't happen on clang 14.
- When I say "don't happen", there's one subtlety: the function that is inlined in a miscompiled way is not inlined when the bug doesn't manifest itself. I wasn't able to force inlining of the function in those cases to determine if there's an underlying (older) problem that 6c8adc505471542be38bd71d1000062daa46d7bc brought to surface by allowing the inlining to happen, but I wouldn't be surprised if that's the case.
- I also didn't manage to get the function to inline with an affected build of llvm after extracting the two functions bytecodes and manually compiling them. I'm not too knowledgeable about the tools to compile bytecode so I probably missed something to enable passes that happen during LTO or something.
- I'm not sure whether reverting 6c8adc505471542be38bd71d1000062daa46d7bc is free of other side effects. I'm happy to locally do that until this is fixed, if there's no problem doing so (which I suspect is the case).
- It only affects 32-bit platforms (confirmed on Linux and Windows).
- Depending on the platform, other similar-ish rust-originating functions are inlined in other C++ functions in a similarly wrong manner, but it's not completely consistent between platforms. The one I'll be analyzing below does happen on both Linux and Windows, but for the others that had visible crashy consequences, they only happened on Windows.
So, what goes wrong is the inlining of Servo_NoteExplicitHints into its callers. I've purposely added some attributes forcing the non-inlining of Servo_NoteExplicitHints's main callee as well as the non-inlining of its callers into their callers. The original code doesn't have those attributes, but the miscompilation happens both with and without.
The relevant section of code from the miscompiled binary looks like this, in mozilla::RestyleManager::PostRestyleEvent:
320f92e: 8b 75 14 mov 0x14(%ebp),%esi
320f931: 89 78 0c mov %edi,0xc(%eax)
320f934: 8b 06 mov (%esi),%eax
320f936: 89 55 ec mov %edx,-0x14(%ebp)
320f939: 83 ec 04 sub $0x4,%esp
320f93c: 0f b6 c9 movzbl %cl,%ecx
320f93f: 8d 55 ec lea -0x14(%ebp),%edx
320f942: 50 push %eax
320f943: 51 push %ecx
320f944: 52 push %edx
320f945: e8 e6 c5 4a 06 call 96bbf30 <style::gecko::wrapper::GeckoElement::note_explicit_hints@plt>
(it's using the PLT because I removed plenty of flags from the real command line, but it doesn't matter)
What goes wrong here is that this crashes on the mov (%esi),%eax instruction. In the call to note_explicit_hints, it's meant to feed the third argument. That value of %esi comes from the instruction mov 0x14(%ebp),%esi (there's actually another code path that leads here but jumps back to 0x320f934, but it's also setting %esi from the same origin).
Let's compare with the same code compiled with the noinline attribute on Servo_NoteExplicitHints:
31e2d4e: 8b 75 14 mov 0x14(%ebp),%esi
31e2d51: 89 78 0c mov %edi,0xc(%eax)
31e2d54: 88 4d e0 mov %cl,-0x20(%ebp)
31e2d57: 83 ec 10 sub $0x10,%esp
31e2d5a: 0f b6 45 e0 movzbl -0x20(%ebp),%eax
31e2d5e: 88 44 24 04 mov %al,0x4(%esp)
31e2d62: 89 74 24 08 mov %esi,0x8(%esp)
31e2d66: 89 14 24 mov %edx,(%esp)
31e2d69: e8 72 00 00 00 call 31e2de0 <Servo_NoteExplicitHints>
031e2de0 <Servo_NoteExplicitHints>:
31e2de0: 55 push %ebp
31e2de1: 89 e5 mov %esp,%ebp
31e2de3: 53 push %ebx
31e2de4: 50 push %eax
31e2de5: 8b 45 08 mov 0x8(%ebp),%eax
31e2de8: e8 00 00 00 00 call 31e2ded <Servo_NoteExplicitHints+0xd>
31e2ded: 5b pop %ebx
31e2dee: 81 c3 5b 16 7e 06 add $0x67e165b,%ebx
31e2df4: 89 45 f8 mov %eax,-0x8(%ebp)
31e2df7: 83 ec 04 sub $0x4,%esp
31e2dfa: 8d 45 f8 lea -0x8(%ebp),%eax
31e2dfd: ff 75 10 pushl 0x10(%ebp)
31e2e00: ff 75 0c pushl 0xc(%ebp)
31e2e03: 50 push %eax
31e2e04: e8 47 92 4d 06 call 96bc050 <style::gecko::wrapper::GeckoElement::note_explicit_hints@plt>
(...)
Focusing again on the provenance of the first argument to note_explicit_hints, here we have:
mov 0x14(%ebp),%esi
mov %esi,0x8(%esp)
// call decreases %esp by 4
// push decreases %esp by 4
// %ebp is set to %esp meaning that by now 0x10(%ebp) is the same as 0x8(%esp) before the call.
pushl 0x10(%ebp)
Note there is no dereference like in the miscompiled case.
------8<-------
It turns out, I hadn't been attentive enough when I looked at the IR. Well, my first (weak) excuse is that with debug info enabled, the IR was hard to read, and I only looked at the IR without debug info today. So, what did I see in the IR?
In Unified_cpp_layout_base0.o:
declare hidden void @Servo_NoteExplicitHints(ptr noundef, ptr noundef byval(%"struct.mozilla::StyleRestyleHint") align 4, i32 noundef) local_unnamed_addr #2
In geckoservo-9bc96ac3331a0a5f.geckoservo.2746d36d-cgu.0.rcgu.o:
define void @Servo_NoteExplicitHints(ptr noundef nonnull align 4 %0, ptr noalias nocapture noundef readonly byval(%0) dereferenceable(1) %1, ptr noalias nocapture noundef readonly byval(%1) dereferenceable(4) %2) unnamed_addr #0 !prof !31 {
Note how the third argument is a ptr in the Rust-compiled version (note it was compiled with nightly, because I wanted to reduce any side effects from the difference in llvm version between stable rust and clang 15). It would seem to be the root cause for the LTO fuck up. When the function is not inlined, it still compiles fine. LLVM probably doesn't like that the functions are not declared the same way on both ends.
What's going on here is that the actual type for that argument in C++ is nsChangeHint, declared as enum nsChangeHint: uint32_t. Bindgen converts that to a #[repr(C)] struct nsChangeHint(u32). In turn, the ptr byval is what rustc transforms that into.
Comment 8•3 years ago
Comment 9•3 years ago
Potentially dangerous differences in IR between C++ and Rust found so far:
Gecko_EnsureImageLayersLength
Gecko_MediaFeatures_PrefersColorScheme
Servo_EasingFunctionAt
Servo_NoteExplicitHints
wr_dp_define_scroll_layer
wr_dp_push_box_shadow
wr_dp_push_line
wr_dp_push_linear_gradient
Comment 10•3 years ago
More on 32-bit Windows:
Gecko_MediaFeatures_DynamicRange
Gecko_MediaFeatures_PrefersColorScheme
Servo_ComputedValues_GetForAnonymousBox
Servo_ComputedValues_Inherit
Servo_EasingFunctionAt
Servo_NoteExplicitHints
Servo_ResolvePseudoStyle
Servo_ResolveStyle
Servo_UseCounters_Create
apz_deregister_sampler
apz_post_scene_swap
apz_sample_transforms
omta_deregister_sampler
omta_register_sampler
wr_api_set_debug_flags
wr_compositor_add_surface
wr_compositor_attach_external_image
wr_compositor_create_backdrop_surface
wr_compositor_create_external_surface
wr_compositor_create_surface
wr_compositor_create_tile
wr_compositor_destroy_surface
wr_compositor_destroy_tile
wr_compositor_start_compositing
wr_dp_push_text
wr_notifier_external_event
wr_notifier_new_frame_ready
wr_notifier_nop_frame_done
wr_transaction_generate_frame
wr_transaction_invalidate_rendered_frame
wr_transaction_remove_pipeline
wr_transaction_set_root_pipeline
wr_transaction_update_epoch
Comment 11•3 years ago
> What's going on here is that the actual type for that argument in C++ is
> nsChangeHint, declared as enum nsChangeHint: uint32_t. Bindgen converts that to a #[repr(C)] struct nsChangeHint(u32). In turn, the ptr byval is what rustc transforms that into.
That should ideally be using repr(transparent) nowadays fwiw.
Comment 12•3 years ago
For that specific one, repr(transparent) works, although the cbindgen we use doesn't produce that, but there are other cases that don't work like that.
Comment 13•3 years ago
So, after more thorough investigation, I've convinced myself that:
- the mismatches are okay as long as they don't involve byval or completely ABI incompatible types. For the latter, that would be a problem with or without LTO. For the former, reverting https://github.com/llvm/llvm-project/commit/6c8adc505471542be38bd71d1000062daa46d7bc or applying https://reviews.llvm.org/D135738 would solve the immediate problem.
- the mismatches are, however, getting in the way of inlining, and we should do something about it. I have some WIP towards improving the situation.
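The comparison glandium describes in Comments 7, 9, 10 and 13 (the C++ object's declare of a symbol set against the Rust object's define of the same symbol, with a byval attribute present on one side only being the case that actually miscompiles under cross-language LTO) can be mechanised. The script below is an added example and not code from this bug or from mozilla-central: it reads textual LLVM IR (as produced by clang -S -emit-llvm on the C++ side and rustc --emit=llvm-ir on the Rust side), pairs declare/define lines by symbol name, and flags the mismatches. The first two sample lines are the ones quoted verbatim in Comment 7; the third is a constructed, assumed rendering of what the #[repr(transparent)] fix from Comments 11 and 12 produces (the u32 newtype passed directly as i32), not something taken from the bug.

```python
import re
from dataclasses import dataclass

# --- Constructed sample inputs -------------------------------------------
# CPP_IR and RUST_IR_REPR_C are the declare/define lines quoted in Comment 7
# (#[repr(C)] struct nsChangeHint(u32) lowers the third argument to a byval
# pointer). RUST_IR_REPR_TRANSPARENT is an ASSUMED rendering of the
# #[repr(transparent)] case: the u32 is passed directly as i32.
CPP_IR = '''
declare hidden void @Servo_NoteExplicitHints(ptr noundef, ptr noundef byval(%"struct.mozilla::StyleRestyleHint") align 4, i32 noundef) local_unnamed_addr #2
'''
RUST_IR_REPR_C = '''
define void @Servo_NoteExplicitHints(ptr noundef nonnull align 4 %0, ptr noalias nocapture noundef readonly byval(%0) dereferenceable(1) %1, ptr noalias nocapture noundef readonly byval(%1) dereferenceable(4) %2) unnamed_addr #0 !prof !31 {
'''
RUST_IR_REPR_TRANSPARENT = '''
define void @Servo_NoteExplicitHints(ptr noundef nonnull align 4 %0, ptr noalias nocapture noundef readonly byval(%0) dereferenceable(1) %1, i32 noundef %2) unnamed_addr #0 {
'''

OPEN, CLOSE = "({[<", ")}]>"


def _balanced_end(text, start):
    """Index just past the bracket group opening at text[start]; quotes are opaque."""
    depth, in_quote = 0, False
    for i in range(start, len(text)):
        c = text[i]
        if c == '"':
            in_quote = not in_quote
        elif in_quote:
            continue
        elif c in OPEN:
            depth += 1
        elif c in CLOSE:
            depth -= 1
            if depth == 0:
                return i + 1
    raise ValueError("unbalanced brackets in IR near: " + text[start:start + 40])


def _split_top_level(text):
    """Split a parameter list on commas that sit outside brackets and quotes."""
    parts, cur, depth, in_quote = [], [], 0, False
    for c in text:
        if c == '"':
            in_quote = not in_quote
        elif not in_quote:
            if c in OPEN:
                depth += 1
            elif c in CLOSE:
                depth -= 1
            elif c == "," and depth == 0:
                parts.append("".join(cur).strip())
                cur = []
                continue
        cur.append(c)
    tail = "".join(cur).strip()
    return parts + [tail] if tail else parts


@dataclass(frozen=True)
class Param:
    ty: str       # base IR type: "ptr", "i32", "{ i32, i32 }", ...
    byval: bool   # True when the parameter carries a byval(...) attribute


def _parse_param(text):
    # An aggregate type starts with a bracket; otherwise the type is the first token.
    ty = text[:_balanced_end(text, 0)] if text[0] in OPEN else text.split()[0]
    return Param(ty=ty, byval=re.search(r"\bbyval\b", text) is not None)


# "declare"/"define", anything up to the symbol, then the symbol and its "(".
SIG_RE = re.compile(r"^\s*(declare|define)\b[^@\n]*@([\w.$]+)\(", re.M)


def parse_signatures(ir_text):
    """Map symbol name -> tuple of Param for every declare/define in textual IR."""
    sigs = {}
    for m in SIG_RE.finditer(ir_text):
        start = m.end() - 1                       # position of the opening "("
        raw = ir_text[start + 1:_balanced_end(ir_text, start) - 1]
        sigs[m.group(2)] = tuple(_parse_param(p) for p in _split_top_level(raw))
    return sigs


def compare(cpp_sigs, rust_sigs):
    """Findings for symbols seen on both sides, as (symbol, severity, detail).

    Triage follows Comment 13: byval on one side only, or a different parameter
    count, changes how the argument is passed and is "dangerous"; a differing
    base type with matching byval-ness is reported as "type" for a human to judge.
    """
    findings = []
    for name in sorted(set(cpp_sigs) & set(rust_sigs)):
        a, b = cpp_sigs[name], rust_sigs[name]
        if len(a) != len(b):
            findings.append((name, "dangerous", f"{len(a)} vs {len(b)} parameters"))
            continue
        for i, (pa, pb) in enumerate(zip(a, b)):
            if pa.byval != pb.byval:
                findings.append((name, "dangerous", f"param {i}: byval {pa.byval} vs {pb.byval}"))
            elif pa.ty != pb.ty:
                findings.append((name, "type", f"param {i}: {pa.ty} vs {pb.ty}"))
    return findings


def audit(cpp_ir, rust_ir):
    """Parse both modules' textual IR and return the mismatch findings."""
    return compare(parse_signatures(cpp_ir), parse_signatures(rust_ir))


if __name__ == "__main__":
    for label, rust_ir in (("repr(C)", RUST_IR_REPR_C), ("repr(transparent)", RUST_IR_REPR_TRANSPARENT)):
        print(label, audit(CPP_IR, rust_ir) or "no mismatches")
```

Run against whole modules rather than single lines, the same parser pairs every symbol the C++ side declares with the Rust side's define, which is how a list like the one in Comment 10 would be produced; only byval and parameter-count differences are called dangerous, since Comment 13 concludes the other mismatches are tolerable even though they block inlining.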
Comment 14•2 years ago
Let's switch this bug to a task because at this point the defect part has been evaluated to not be an immediate problem.