crash at js3250.dll!nanojit::CodeAlloc::alloc

RESOLVED FIXED

Status


Core
JavaScript Engine
P1
blocker
RESOLVED FIXED
8 years ago
5 years ago

People

(Reporter: dougt, Assigned: dougt)

Tracking

unspecified
All
Windows Mobile 6 Professional
Points:
---

Firefox Tracking Flags

(status1.9.2 beta1-fixed, fennec1.0b1-wm+)

Details

(Whiteboard: [sg:dos?][ccbr][a testcase would be nice])

Attachments

(1 attachment, 1 obsolete attachment)

(Assignee)

Description

8 years ago
>	js3250.dll!nanojit::CodeAlloc::alloc(int*& start = 0x00000000, int*& end = 0x00000000) Line: 125, Byte Offsets: 0x78	C++
 	js3250.dll!nanojit::Assembler::codeAlloc(int*& start = 0x00000000, int*& end = 0x00000000, int*& eip = 0x00000000) Line: 188, Byte Offsets: 0x3c	C++
 	js3250.dll!nanojit::Assembler::nativePageSetup(void) Line: 1313, Byte Offsets: 0x20	C++
 	js3250.dll!nanojit::Assembler::beginAssembly(nanojit::Fragment* frag = 0x00000ff0, nanojit::HashMap<nanojit::SideExit *,nanojit::RegAlloc *,nanojit::DefaultHash<nanojit::SideExit *> >* branchStateMap = 0x00000010) Line: 599, Byte Offsets: 0x3c	C++
 	js3250.dll!nanojit::compile(nanojit::Assembler* assm = 0x00000000, nanojit::Fragment* frag = 0x00000ff0, nanojit::Allocator& alloc = {...}) Line: 2015, Byte Offsets: 0x64	C++
 	js3250.dll!TraceRecorder::compile(JSTraceMonitor* tm = 0x00000ff0) Line: 3578, Byte Offsets: 0x84	C++
 	js3250.dll!TraceRecorder::closeLoop(SlotMap& slotMap = {...}, VMSideExit* exit = 0x00000010, TypeConsensus& consensus = 0) Line: 3955, Byte Offsets: 0x1d8	C++
 	js3250.dll!TraceRecorder::closeLoop(TypeConsensus& consensus = 0) Line: 3863, Byte Offsets: 0x128	C++
 	js3250.dll!TraceRecorder::checkTraceEnd(unsigned char* pc = 0x00000ff0) Line: 4375, Byte Offsets: 0xfc	C++
 	js3250.dll!TraceRecorder::monitorRecording(JSContext* cx = 0x00000000, TraceRecorder* tr = 0x00000ff0, JSOp op = 16) Line: 120, Byte Offsets: 0x33c	C++
 	js3250.dll!js_Interpret(JSContext* cx = 0x00000000) Line: 79, Byte Offsets: 0x8f0	C++
 	js3250.dll!js_Invoke(JSContext* cx = 0x00000000, unsigned int argc = 4080, int* vp = 0x00000010, unsigned int flags = 1) Line: 1384, Byte Offsets: 0x5ec	C++
 	js3250.dll!js_InternalInvoke(JSContext* cx = 0x00000000, JSObject* obj = 0x00000ff0, int fval = 16, unsigned int flags = 1, unsigned int argc = 1, int* argv = 0x637d3020, int* rval = 0x2411df88) Line: 1427, Byte Offsets: 0x74	C++
 	js3250.dll!JS_CallFunctionValue(JSContext* cx = 0x00000000, JSObject* obj = 0x00000ff0, int fval = 16, unsigned int argc = 1, int* argv = 0x637d3020, int* rval = 0x2411df88) Line: 5132, Byte Offsets: 0x2c	C++
 	xul.dll!nsJSContext::CallEventHandler(nsISupports* aTarget = 0x00000ff0, void* aScope = 0x00000010, void* aHandler = 0x00000001, nsIArray* aargv = 0x63b5c280, nsIVariant** arv = 0x2411e01c) Line: 2092, Byte Offsets: 0x240	C++
 	xul.dll!nsJSEventListener::HandleEvent(nsIDOMEvent* aEvent = 0x00000ff0) Line: 247, Byte Offsets: 0x5d4	C++
 	xul.dll!nsEventListenerManager::HandleEventSubType(nsListenerStruct* aListenerStruct = 0x00000ff0, nsIDOMEventListener* aListener = 0x00000010, nsIDOMEvent* aDOMEvent = 0x00000001, nsPIDOMEventTarget* aCurrentTarget = 0x635f2ac0, unsigned int aPhaseFlags = 6) Line: 1038, Byte Offsets: 0x144	C++
 	xul.dll!nsEventListenerManager::HandleEvent(nsPresContext* aPresContext = 0x00000ff0, nsEvent* aEvent = 0x00000010, nsIDOMEvent** aDOMEvent = 0x00000001, nsPIDOMEventTarget* aCurrentTarget = 0x635f2ac0, unsigned int aFlags = 6, nsEventStatus* aEventStatus = 0x2411e3c4) Line: 1140, Byte Offsets: 0x420	C++
 	xul.dll!nsEventTargetChainItem::HandleEvent(nsEventChainPostVisitor& aVisitor = {...}, unsigned int aFlags = 16, int aMayHaveNewListenerManagers = 1) Line: 248, Byte Offsets: 0xb8	C++
 	xul.dll!nsEventTargetChainItem::HandleEventTargetChain(nsEventChainPostVisitor& aVisitor = {...}, unsigned int aFlags = 16, nsDispatchingCallback* aCallback = 0x00000001, int aMayHaveNewListenerManagers = 1) Line: 310, Byte Offsets: 0x21c	C++
 	xul.dll!nsEventDispatcher::Dispatch(nsISupports* aTarget = 0x00000000, nsPresContext* aPresContext = 0x00000ff0, nsEvent* aEvent = 0x00000010, nsIDOMEvent* aDOMEvent = 0x00000001, nsEventStatus* aEventStatus = 0x2411e430, nsDispatchingCallback* aCallback = 0x00000000) Line: 541, Byte Offsets: 0x3f8	C++
 	xul.dll!DocumentViewerImpl::LoadComplete(unsigned int aStatus = 4080) Line: 1048, Byte Offsets: 0x1e0	C++
 	xul.dll!nsDocShell::EndPageLoad(nsIWebProgress* aProgress = 0x00000ff0, nsIChannel* aChannel = 0x00000010, unsigned int aStatus = 1) Line: 5728, Byte Offsets: 0xf8	C++
 	xul.dll!nsDocShell::OnStateChange(nsIWebProgress* aProgress = 0x00000ff0, nsIRequest* aRequest = 0x00000010, unsigned int aStateFlags = 1, unsigned int aStatus = 2153578529) Line: 5599, Byte Offsets: 0x214	C++
 	xul.dll!nsDocLoader::FireOnStateChange(nsIWebProgress* aProgress = 0x00000ff0, nsIRequest* aRequest = 0x00000010, int aStateFlags = 1, unsigned int aStatus = 2153578529) Line: 1314, Byte Offsets: 0x110	C++
 	xul.dll!nsDocLoader::doStopDocumentLoad(nsIRequest* request = 0x00000ff0, unsigned int aStatus = 16) Line: 937, Byte Offsets: 0x34	C++
 	xul.dll!nsDocLoader::DocLoaderIsEmpty(int aFlushLayout = 4080) Line: 804, Byte Offsets: 0x194	C++
 	xul.dll!nsDocLoader::OnStopRequest(nsIRequest* aRequest = 0x00000ff0, nsISupports* aCtxt = 0x00000010, unsigned int aStatus = 1) Line: 700, Byte Offsets: 0x22c	C++
 	xul.dll!nsLoadGroup::RemoveRequest(nsIRequest* request = 0x00000ff0, nsISupports* ctxt = 0x00000010, unsigned int aStatus = 1) Line: 680, Byte Offsets: 0x128	C++
 	xul.dll!imgRequestProxy::OnStopRequest(nsIRequest* request = 0x00000ff0, nsISupports* ctxt = 0x00000010, unsigned int statusCode = 1, int lastPart = 1) Line: 561, Byte Offsets: 0xbc	C++
 	xul.dll!imgRequest::OnStopRequest(nsIRequest* aRequest = 0x00000ff0, nsISupports* ctxt = 0x00000010, unsigned int status = 1) Line: 860, Byte Offsets: 0x1d4	C++
 	xul.dll!ProxyListener::OnStopRequest(nsIRequest* aRequest = 0x00000ff0, nsISupports* ctxt = 0x00000010, unsigned int status = 1) Line: 1794, Byte Offsets: 0x34	C++
 	xul.dll!nsJARChannel::OnStopRequest(nsIRequest* req = 0x00000ff0, nsISupports* ctx = 0x00000010, unsigned int status = 1) Line: 881, Byte Offsets: 0x40	C++
 	xul.dll!nsInputStreamPump::OnStateStop(void) Line: 577, Byte Offsets: 0x84	C++
 	xul.dll!nsInputStreamPump::OnInputStreamReady(nsIAsyncInputStream* stream = 0x00000ff0) Line: 402, Byte Offsets: 0x5c	C++
 	xul.dll!nsInputStreamReadyEvent::Run(void) Line: 113, Byte Offsets: 0x2c	C++
 	xul.dll!nsThread::ProcessNextEvent(int mayWait = 4080, int* result = 0x00000010) Line: 527, Byte Offsets: 0x170	C++
 	xul.dll!NS_ProcessNextEvent_P(nsIThread* thread = 0x00000000, int mayWait = 4080) Line: 230, Byte Offsets: 0x38	C++
 	xul.dll!nsBaseAppShell::Run(void) Line: 170, Byte Offsets: 0x48	C++
 	xul.dll!nsAppStartup::Run(void) Line: 183, Byte Offsets: 0x38	C++
 	xul.dll!XRE_main(int argc = 0, char** argv = 0x00000ff0, nsXREAppData* aAppData = 0x00000010) Line: 3481, Byte Offsets: 0x2084	C++
 	0x00011fc4	
 	0x000121a8	
 	0x000126f0	
 	0x03f67764	


OOM failure.  nanojit has its own allocation scheme.  We will probably need to adjust it for Windows Mobile / WinCE.
(Assignee)

Updated

8 years ago
tracking-fennec: --- → ?
Whiteboard: [needs testcase?]

Comment 1

8 years ago
This is an OOM failure.
Whiteboard: [needs testcase?] → [ccbr][a testcase would be nice]

Comment 2

8 years ago
I remember Brendan mentioning that someone had an OOM failure injection tool. That would probably be pretty useful for mobile. The tracer is still a bit shaky under memory pressure.
See bug 383932.

/be
Keywords: testcase-wanted
Whiteboard: [ccbr][a testcase would be nice] → [sg:dos?][ccbr][a testcase would be nice]
(Assignee)

Comment 4

8 years ago
Created attachment 400205 [details] [diff] [review]
patch v.1

VirtualAlloc on Windows Mobile allocates out of the process's slot.  Using jemalloc, we can draw on a larger pool of memory.  This patch forces the nanojit allocator to use jemalloc on Windows Mobile.

This patch also passes down the ifdef WINCE_WINDOWS_MOBILE which is set on Windows Mobile.

I tested this by simply running these changes in fennec and browsing around.
Assignee: general → doug.turner
Attachment #400205 - Flags: review?(gal)

Comment 5

8 years ago
Comment on attachment 400205 [details] [diff] [review]
patch v.1

>diff --git a/js/src/config/autoconf.mk.in b/js/src/config/autoconf.mk.in
>--- a/js/src/config/autoconf.mk.in
>+++ b/js/src/config/autoconf.mk.in
>@@ -329,16 +329,17 @@ MSMANIFEST_TOOL = @MSMANIFEST_TOOL@
> MSMANIFEST_TOOL = @MSMANIFEST_TOOL@
> WIN32_REDIST_DIR = @WIN32_REDIST_DIR@
> MOZ_MEMORY_LDFLAGS = @MOZ_MEMORY_LDFLAGS@
> 
> # Codesighs tools option, enables win32 mapfiles.
> MOZ_MAPINFO	= @MOZ_MAPINFO@
> 
> WINCE		= @WINCE@
>+WINCE_WINDOWS_MOBILE = @WINCE_WINDOWS_MOBILE@
> 
> MACOS_SDK_DIR	= @MACOS_SDK_DIR@
> NEXT_ROOT	= @NEXT_ROOT@
> GCC_VERSION	= @GCC_VERSION@
> XCODEBUILD_VERSION= @XCODEBUILD_VERSION@
> HAS_XCODE_2_1	= @HAS_XCODE_2_1@
> UNIVERSAL_BINARY= @UNIVERSAL_BINARY@
> HAVE_DTRACE= @HAVE_DTRACE@
>diff --git a/js/src/configure.in b/js/src/configure.in
>--- a/js/src/configure.in
>+++ b/js/src/configure.in
>@@ -394,16 +394,17 @@ if test "$GCC" = yes; then
>    fi
> fi
> 
> if test "$GXX" = yes; then
>    if test "`$CXX -help 2>&1 | grep -c 'Intel(R) C++ Compiler'`" != "0"; then
>      INTEL_CXX=1
>    fi
> fi
>+

Seems like an accidental change.

> 
> dnl Special win32 checks
> dnl ========================================================
> case "$target" in
> *-wince)
>     WINVER=500
>     ;;
> *)
>@@ -1852,16 +1853,29 @@ case "$target" in
>     AC_DEFINE(WIN32_LEAN_AND_MEAN)
> 
>     TARGET_MD_ARCH=win32
>     _PLATFORM_DEFAULT_TOOLKIT='windows'
>     BIN_SUFFIX='.exe'
>     USE_SHORT_LIBNAME=1
>     MOZ_ENABLE_POSTSCRIPT=
>     MOZ_USER_DIR="Mozilla"
>+
>+    dnl Default to Windows Mobile components enabled
>+    WINCE_WINDOWS_MOBILE=1
>+
>+    MOZ_ARG_DISABLE_BOOL(windows-mobile-components,
>+    [  --disable-windows-mobile-components
>+         Disable Windows Mobile specific components from CE build],
>+    WINCE_WINDOWS_MOBILE=,
>+    WINCE_WINDOWS_MOBILE=1)
>+
>+    if test "$WINCE_WINDOWS_MOBILE"; then
>+        AC_DEFINE(WINCE_WINDOWS_MOBILE)
>+    fi
> ;;
> 
> *-symbian*)
> 
>     AC_DEFINE(XP_UNIX)
>     AC_DEFINE(SYMBIAN)
>     AC_DEFINE(__arm__)
>     AC_DEFINE(__SYMBIAN32__)
>diff --git a/js/src/nanojit/avmplus.cpp b/js/src/nanojit/avmplus.cpp
>--- a/js/src/nanojit/avmplus.cpp
>+++ b/js/src/nanojit/avmplus.cpp
>@@ -172,18 +172,34 @@ void VMPI_setPageProtection(void *addres
>   int retval = mprotect((maddr_ptr)beginPage, (unsigned int)sizePaged, flags);
>   AvmAssert(retval == 0);
>   (void)retval;
> }
> 
> #endif // WIN32
> 
> 
>+#ifdef WINCE_WINDOWS_MOBILE
>+// One windows mobile (running CE < 6.0),
>+// use the standard allocator which is
>+// probably using jemalloc.

We need some sort of NJ_xxx constant for this since nanojit is shared code with Adobe. CC'ing Rick.

>+void*
>+nanojit::CodeAlloc::allocCodeChunk(size_t nbytes) {
>+    void * buffer;
>+    posix_memalign(&buffer, 4096, nbytes);
>+    return buffer;
>+}
> 
>-#ifdef WIN32
>+void
>+nanojit::CodeAlloc::freeCodeChunk(void *p, size_t nbytes) {
>+    ::free(p);
>+}
>+
>+#elif defined(WIN32)
>+
> void*
> nanojit::CodeAlloc::allocCodeChunk(size_t nbytes) {
>     return VirtualAlloc(NULL,
>                         nbytes,
>                         MEM_COMMIT | MEM_RESERVE,
>                         PAGE_EXECUTE_READWRITE);
> }
>
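Review bot: The return value of posix_memalign is discarded in the new allocCodeChunk, so when the allocation fails `buffer` is returned uninitialized instead of NULL; the WIN32 branch directly below returns whatever VirtualAlloc returns, which is NULL on failure, and this branch should match that contract with `if (posix_memalign(&buffer, 4096, nbytes) != 0) return NULL;`. The caller in CodeAlloc::alloc is outside the hunk, so whether it already copes with a NULL chunk cannot be confirmed here, but an indeterminate pointer is never safe to hand back. The leading comment also has a typo, `One windows mobile` should read `On Windows Mobile`, and it should say explicitly that memory from the general heap is being executed as code, so that the dependency on the platform not enforcing the execute bit is visible to whoever next touches this. In freeCodeChunk the unused `nbytes` parameter could carry a `(void)nbytes;` to keep unused-parameter warnings quiet, matching the `(void)retval;` style used above in the same file.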
(Assignee)

Comment 6

8 years ago
we may want to consider just using the default allocator (e.g. malloc/free) on WINCE, not just Windows Mobile.
(In reply to comment #6)
> we may want to consider just using the default allocator (e.g. malloc/free) on
> WINCE, not just Windows Mobile.

Yes, I would just do that -- then you don't need the configure.in changes at all, and can just ifdef WINCE this.  I'd maybe add a #ifndef MOZ_MEMORY in there that does #error WinCE builds without jemalloc are not supported or something similar.

Comment 8

8 years ago
Actual avmplus.cpp is _not_ shared with adobe, so we can just do whatever there. MOZ_MEMORY is fine.
(Assignee)

Comment 9

8 years ago
Created attachment 400235 [details] [diff] [review]
patch v.2
Attachment #400205 - Attachment is obsolete: true
Attachment #400235 - Flags: review?(gal)
Attachment #400205 - Flags: review?(gal)
(Assignee)

Comment 10

8 years ago
I am open to suggestions on the comment above the check for MOZ_MEMORY.

Updated

8 years ago
tracking-fennec: ? → 1.0b1-wm+

Updated

8 years ago
Attachment #400235 - Flags: review?(gal) → review+
(Assignee)

Comment 11

8 years ago
http://hg.mozilla.org/mozilla-central/rev/45af0be8da6c
Status: NEW → RESOLVED
Last Resolved: 8 years ago
Resolution: --- → FIXED
(Assignee)

Updated

8 years ago
Attachment #400235 - Flags: approval1.9.2?

Comment 12

8 years ago
Comment on attachment 400235 [details] [diff] [review]
patch v.2

you might want to change this comment to something like (on both trunk and branch):

Due to the per-process heap slots on Windows Mobile, we can often run into OOM situations.  jemalloc has worked around this problem, and so we use it here.  Using posix_memalign (or other malloc functions) here only works because the OS and hardware don't check for the execute bit being set.
Attachment #400235 - Flags: approval1.9.2? → approval1.9.2+
(Assignee)

Comment 13

8 years ago
comment clean up:

http://hg.mozilla.org/mozilla-central/rev/6f80eb3e15b6
(Assignee)

Comment 14

8 years ago
http://hg.mozilla.org/releases/mozilla-1.9.2/rev/b4e9a303949d

and comment change:
http://hg.mozilla.org/releases/mozilla-1.9.2/rev/1e4baadf1d35

Updated

8 years ago
status1.9.2: --- → beta1-fixed

Updated

5 years ago
Keywords: testcase-wanted