Closed Bug 351261 Opened 18 years ago Closed 18 years ago

startup crash. [@ js_XDRStringAtom] / jsxdrapi.c

Categories

(Core :: JavaScript Engine, defect)

Product:
Core
Component:
JavaScript Engine
Platform:
SGI
IRIX
Type:
defect
Priority:
Not set
Severity:
major

Tracking

()

Status:
RESOLVED FIXED

People

(Reporter: g.fischer, Unassigned)

Details

(Keywords: crash)

Crash Data

Attachments

(1 obsolete file)

User-Agent: Mozilla/5.0 (X11; U; IRIX64 IP27; en-US; rv:1.9a1) Gecko/R-A-C SeaMonkey/1.5a Build Identifier: irix 6.5.30, mipspro 7.4.4, firefox 2.0b2. ------------------------------------------ direct startup crash. gtk1 and gtk2. debugger says: Process 561566: Thread 0x10000: Stopped on signal SIGBUS: Bus error (default) js_XDRStringAtom(0x10182e08, 0x0, 0x10182e08, 0x0, 0x44bc000, 0x10182e08, 0x100c38d0, 0x0) ["jsxdrapi.c":677, 0x004cc16c] and the related code part: JS_ARENA_RELEASE(&cx->tempPool, mark); thanks Reproducible: Always
Version: unspecified → 2.0 Branch
Assignee: nobody → general
Component: General → JavaScript Engine
Keywords: crash
Product: Firefox → Core
QA Contact: general → general
Summary: startup crash. js_XDRStringAtom / jsxdrapi.c → startup crash. [@ js_XDRStringAtom] / jsxdrapi.c
Version: 2.0 Branch → 1.8 Branch
Try removing your .mfasl files and restarting. Have you been running with the same profile using trunk and 1.8 branch (Minefield and Bonecho) builds? If so, this is probably a dup of bug 350787. If not, could this bug be peculiar to MIPS? Long time since I had an SGI box (I was there from '85-'92). /be
(In reply to comment #1) > Try removing your .mfasl files and restarting. Have you been running with the > same profile using trunk and 1.8 branch (Minefield and Bonecho) builds? If so, > this is probably a dup of bug 350787. no, always testing with a new profile. > > If not, could this bug be peculiar to MIPS? no clue. how should i know? > Long time since I had an SGI box > (I was there from '85-'92). nice :-) > > /be >
still present in 2.0rc1. this time: Core from signal SIGBUS: Bus error js_XDRStringAtom(0x101b2b70, 0x0, 0x101b2b70, 0x0, 0x44bc000, 0x101b2b70, 0x100b6390, 0x0) ["jsxdrapi.c":677, 0x004d032c] same code line ref.
had a look into jsxdrapi.c and noticed that the block my debugger complains about has a notice about bug #321985. looking at that shows some more or less significant rewrites. however what i don't understand is that these changes are from 2006-02-14 but i was able to build and run 2.0a3 without any issues although it came out in late may! so why wasn't the 2.0a3 affected although having the same code?
same for rc2: Core from signal SIGBUS: Bus error js_XDRStringAtom(0x101b2b70, 0x0, 0x101b2b70, 0x0, 0x44bc000, 0x101b2b70, 0x101b2b70, 0x1010df38) ["jsxdrapi.c":677, 0x004e05ec]
(In reply to comment #4) > so why wasn't the 2.0a3 affected although having the same code? Note that the crash happens inside JS_ARENA_RELEASE macro. That code is affected by changes from bug 347645 whuch was committed to the branch on 2006-08-08 and iirc later then 2.0a3. I suspect that xdr code did in fact reused the cached arena left from earlier decompilations. That arena may have "better" placement in heap that hided the problem. Could you check in the debugger what is the value of nchars?
A question about IRIX. That error, "Stopped on signal SIGBUS: Bus error (default)", just means that invalid memory was referenced? Or can it also mean an alignment violations?
Misalignment => SIGBUS (MIPS is RISC), bad address => SIGSEGV. Can anyone spot the misalignment? /be
Status: UNCONFIRMED → NEW
Ever confirmed: true
(In reply to comment #6) > (In reply to comment #4) > > so why wasn't the 2.0a3 affected although having the same code? > > Note that the crash happens inside JS_ARENA_RELEASE macro. That code is > affected by changes from bug 347645 whuch was committed to the branch on > 2006-08-08 and iirc later then 2.0a3. > > I suspect that xdr code did in fact reused the cached arena left from earlier > decompilations. That arena may have "better" placement in heap that hided the > problem. > > Could you check in the debugger what is the value of nchars? > ah, thanks for looking after this! meanwhile it's quite hard to get someone for non win/lin/mac issues. i'm not very good at debugging but will try to find it ...
(In reply to comment #9) > i'm not very good at debugging but will try to find it ... And if you can the debugger into js_XDRStringAtom, can you check the value of cx->tempPool.mask. It must be 3 meaning that all allocations must be aligned on 1 << 3 == 8 bytes. And another question, the browser is compiled with GCC, right?
(In reply to comment #10) > (In reply to comment #9) > > i'm not very good at debugging but will try to find it ... > > And if you can the debugger into js_XDRStringAtom, can you check the value of > cx->tempPool.mask. It must be 3 meaning that all allocations must be aligned on > 1 << 3 == 8 bytes. No, it's a mask, so it means 0 mod 4 alignment -- that is, the arena pool will always return allocation address p such that (p & 3) == 0. /be
(In reply to comment #11) > > cx->tempPool.mask. It must be 3 meaning that all allocations must be aligned on > > 1 << 3 == 8 bytes. > > No, it's a mask, so it means 0 mod 4 alignment -- that is, the arena pool will > always return allocation address p such that (p & 3) == 0. Right, it must be 7, (1 << 3) - 1, since js_NewContext initializes the pool with the requirement to align everything on sizeof(jsdouble) bytes.
Ok, 7 -- so 0 mod 8. Should have remembered. Just wanted to point out that it was not the log2(alignment), rather alignment-1, that's stored in the mask field. /be
(In reply to comment #10) > > And another question, the browser is compiled with GCC, right? > no, never. always mipspro as i wrote in the opening post.
(In reply to comment #13) > Ok, 7 -- so 0 mod 8. Should have remembered. Just wanted to point out that it > was not the log2(alignment), rather alignment-1, that's stored in the mask > field. > > /be > okay, working on it. btw i have access to gdb as well so if you have a hint to get the values you need quickly with that be my guest :-)
What does 'info regs' say in gdb? There might be a badvaddr or some such register, or we should be able to spot the bad pointer by looking at the current instruction via x/i $pc (so show that too). /be
here we go: (gdb) r Starting program: /mnt/3/temp/bin/firefox-bin Program received signal ?, Unknown signal. 0x05f961c0 in ?? () (gdb) info registers zero at v0 v1 R0 0000000000000000 0000000000129fac 0000000000000007 0000000000000000 a0 a1 a2 a3 R4 0000000010045b20 0000000010115a00 000000001010e978 000000000417ddd0 a4 a5 a6 a7 R8 0000000005fd1730 0000000000000001 0000000000000000 0000000000000016 t0 t1 t2 t3 R12 0000000000000001 0000000000000000 0000000000000000 73746f72792d696e s0 s1 s2 s3 R16 0000000005fd1730 0000000005fd1734 0000000000000010 ffffffff80000000 s4 s5 s6 s7 R20 0000000010116348 0000000010045b20 0000000010115a00 000000001010e978 t8 t9 k0 k1 R24 00000000000008f8 0000000005f961c0 0000000000000000 00003f000002fcb0 gp sp s8 ra R28 00000000041b22ac 000000007ffe6f60 000000000417ddd0 0000000004094c2c pc cause bad hi 0000000005f961c0 0000000000000008 0000000000000000 0000000000000000 lo fsr fir 0000000000000000 00000000 00000000 (gdb) i $pc Undefined info command: "$pc". Try "help info". (gdb) x $pc 0x5f961c0: 0x3c010005
I said "x/i $pc", not "i $pc" or "x $pc" -- in gdb x/i is short for examine instruction at. Need to see the faulting instruction decoded (my MIPS book is in a box somewhere ;-). /be
(In reply to comment #18) > I said "x/i $pc", not "i $pc" or "x $pc" -- in gdb x/i is short for examine > instruction at. Need to see the faulting instruction decoded (my MIPS book is > in a box somewhere ;-). > > /be > ah sorry got that wrong. anyway here it is: (gdb) x/i $pc 0x5f961c0: lui at,0x5
Hmm, pc must be off by one. Try x/i $pc - 4 and also x/10i $pc-16 (for good measure). Thanks, /be
(In reply to comment #20) > Hmm, pc must be off by one. Try x/i $pc - 4 and also x/10i $pc-16 (for good > measure). Thanks, > > /be > i have to thank! here it is: (gdb) x/i $pc - 4 0x5f961bc: nop (gdb) x/10i $pc-16 0x5f961b0: nop 0x5f961b4: nop 0x5f961b8: nop 0x5f961bc: nop 0x5f961c0: lui at,0x5 0x5f961c4: addiu at,at,31184 0x5f961c8: addiu sp,sp,-96 0x5f961cc: sd gp,80(sp) 0x5f961d0: addu gp,t9,at 0x5f961d4: lw t9,-29680(gp)
just wanna let you know that it also occured using ff 2.0
As you are compiling with MIPSPro, this could be a duplicate of bug 79562. Try rebuilding with --disable-optimize.
Simple fix; just need to add jsxdrapi.o to the -O1 exception list for MIPSpro; hint was bug #79562. --- js/src/Makefile.in.save Thu Jul 27 15:56:20 2006 +++ js/src/Makefile.in Tue Nov 28 00:39:32 2006 @@ -297,7 +297,7 @@ ifeq ($(OS_ARCH),IRIX) ifndef GNU_CC _COMPILE_CFLAGS = $(patsubst -O%,-O1,$(COMPILE_CFLAGS)) -jsapi.o jsarena.o jsarray.o jsatom.o jsemit.o jsfun.o jsinterp.o jsregexp.o jsparse.o jsopcode.o jsscript.o: %.o: %.c Makefile.in +jsapi.o jsxdrapi.o jsarena.o jsarray.o jsatom.o jsemit.o jsfun.o jsinterp.o jsregexp.o jsparse.o jsopcode.o jsscript.o: %.o: %.c Makefile.in $(REPORT_BUILD) @$(MAKE_DEPS_AUTO) $(CC) -o $@ -c $(_COMPILE_CFLAGS) $< endif
great! anyhow the patch generated an error message here and wasn't applied. i attached a 'clean' one ...
Attached patch include jsxdrapi.o in -O1 group (obsolete) — Splinter Review
Comment on attachment 246802 [details] [diff] [review] include jsxdrapi.o in -O1 group attaching patches is much better than inlining them, thanks. but better still is using cvs diff.
Attachment #246802 - Flags: review?(brendan)
Attachment #246802 - Flags: review?(brendan) → review+
Comment on attachment 246802 [details] [diff] [review] include jsxdrapi.o in -O1 group mozilla/js/src/Makefile.in 3.108
Attachment #246802 - Attachment is obsolete: true
if you need this on a branch, ask (order: 1.8?, 1.8.0?)
Status: NEW → RESOLVED
Closed: 18 years ago
Resolution: --- → FIXED
Version: 1.8 Branch → Trunk
Flags: in-testsuite-
is bug 79562 gone now that this is fixed? dupe?
Crash Signature: [@ js_XDRStringAtom]
You need to log in before you can comment on or make changes to this bug.

Attachment

General

Creator:
Created:
Updated:
Size: