Closed
Bug 530958
Opened 15 years ago
Closed 13 years ago
New crash [@ TraceRecorder::closeLoop(SlotMap&, VMSideExit*, TypeConsensus&)] in Firefox 3.6b3
Categories
(Core :: JavaScript Engine, defect)
Tracking
()
RESOLVED
WONTFIX
People
(Reporter: jst, Assigned: gal)
References
()
Details
(Keywords: regression, Whiteboard: [may be fixed by JSD/JIT connection fix?])
There's a new crash in Firefox 3.6b3 with the signature "TraceRecorder::closeLoop(SlotMap&, VMSideExit*, TypeConsensus&)" that hasn't been seen in any of the versions 3\.5.*. So far we've seen 74+ of these crashes in the wild. Please see http://crash-stats.mozilla.com/query/query?product=Firefox&version=Firefox%3A3.6b3&range_value=1&range_unit=weeks&query_search=signature&query_type=exact&query=TraceRecorder%3A%3AcloseLoop%28SlotMap%26%2C%20VMSideExit%2A%2C%20TypeConsensus%26%29&do_query=1 for more crash info.
Flags: blocking1.9.2?
Comment 1•15 years ago
|
||
distribution of all versions where the TraceRecorder::closeLoop crash was found on 20091122-crashdata.csv 18 Firefox 3.6b3 os breakdown 13 TraceRecorder::closeLoop(SlotMap&, VMSideExit*, TypeConsensus&) Mac OS X 10.6.2 10C540 3 TraceRecorder::closeLoop(SlotMap&, VMSideExit*, TypeConsensus&) Mac OS X 10.6.1 10B504 1 TraceRecorder::closeLoop(TypeConsensus&) Windows NT 5.1.2600 Dodatek Service Pack. 1 1 TraceRecorder::closeLoop(SlotMap&, VMSideExit*, TypeConsensus&) Mac OS X 10.6.0 10A432 ____________number of uniq sites found with this signature: 2 http://maps.google.com/ 6 http://maps.google.com/maps --- with specific location info removed 1 http://maps.google.it/maps? -- with location removed 1 http://maps.google.de/ 1 https://mail.google.com/a -- user data removed 2 http://en.wikipedia.org/wiki/Kohlrabi 1 http://sms.orange.pl/ 1 http://www.thebikehouse.org/ 1 http://github.com/blog 1 http://gigazine.net/index.php?/news/comments/20091120_sailing_stones/ 1 http://einestages.spiegel.de/static/topicalbumbackground/5541/leben_mit_den_toten.html
Crashes are all at 0x9, all on OS X (80 total) for the last week. Stacks appear to go through Firebug, and all I've sampled so far are using FB 1.4.5. Is 1.4.5 compatible with 3.6, or are people running with incompat turned off? (Last frame of the stack is a bit wrong, no doubt fooled by inlining.) Blocking for now, but if it requires an incompatible FB we should unblock IMO.
Flags: blocking1.9.2? → blocking1.9.2+
Comment 3•15 years ago
|
||
We tested 1.4.5 with Firefox 3.6b on Nov. 6th as part of bug 522527. We declared it compatible. I thought that the JIT tracing would be disabled if we enter jsd. Note the stack: 0 libmozjs.dylib TraceRecorder::closeLoop js/src/nanojit/Allocator.h:62 1 libmozjs.dylib JS_GetFrameThis js/src/jsdbgapi.cpp:1144 2 XUL _callHook js/jsd/jsd_step.c:133 3 XUL jsd_FunctionCallHook js/jsd/jsd_step.c:285 See also bug 519719 and bug 530198 and bug 468506, all relate to jsd and JS_GetFrameThis.
Assignee | ||
Comment 4•15 years ago
|
||
class Allocator { public: Allocator(); ~Allocator(); void reset(); /** alloc memory, never return null. */ void* alloc(size_t nbytes) { nbytes = (nbytes + 7) & ~7; // round up if (current_top + nbytes <= current_limit) { /* Allocator.h:62 */ I am guessing this is null here, but that's really strange.
Updated•15 years ago
|
Assignee: general → gal
Comment 5•15 years ago
|
||
Any updates on this?
Assignee | ||
Comment 6•15 years ago
|
||
I have not been able to reproduce this. We don't have STR. Are we sure we want to block on this?
b5 data will prove it out, but in the last 2 weeks we've only seen 10 of these crashes in b4, and none in b5pre. I can't seem to get to old enough data via crash-stats to see if we saw b4pre or b3pre crashes, so I'm not quite sure how to read it. Firebug changes, or our own JSD changes, could certainly have mitigated it.
Comment 8•15 years ago
|
||
I looked back through sept, oct, nov. and I see no crashes incoming until 11/08 then this profile of crashes per day. 0 crashes for TraceRecorder::closeLoop(SlotMap on 20091107-crashdata 1 crashes for TraceRecorder::closeLoop(SlotMap on 20091108-crashdata 1 crashes for TraceRecorder::closeLoop(SlotMap on 20091109-crashdata 0 crashes for TraceRecorder::closeLoop(SlotMap on 20091110-crashdata 0 crashes for TraceRecorder::closeLoop(SlotMap on 20091111-crashdata 0 crashes for TraceRecorder::closeLoop(SlotMap on 20091112-crashdata 0 crashes for TraceRecorder::closeLoop(SlotMap on 20091113-crashdata 0 crashes for TraceRecorder::closeLoop(SlotMap on 20091114-crashdata 0 crashes for TraceRecorder::closeLoop(SlotMap on 20091115-crashdata 0 crashes for TraceRecorder::closeLoop(SlotMap on 20091116-crashdata 0 crashes for TraceRecorder::closeLoop(SlotMap on 20091117-crashdata 3 crashes for TraceRecorder::closeLoop(SlotMap on 20091118-crashdata 14 crashes for TraceRecorder::closeLoop(SlotMap on 20091119-crashdata 15 crashes for TraceRecorder::closeLoop(SlotMap on 20091120-crashdata 10 crashes for TraceRecorder::closeLoop(SlotMap on 20091121-crashdata 17 crashes for TraceRecorder::closeLoop(SlotMap on 20091122-crashdata 17 crashes for TraceRecorder::closeLoop(SlotMap on 20091123-crashdata 9 crashes for TraceRecorder::closeLoop(SlotMap on 20091124-crashdata 7 crashes for TraceRecorder::closeLoop(SlotMap on 20091125-crashdata 7 crashes for TraceRecorder::closeLoop(SlotMap on 20091126-crashdata 2 crashes for TraceRecorder::closeLoop(SlotMap on 20091127-crashdata 0 crashes for TraceRecorder::closeLoop(SlotMap on 20091128-crashdata 0 crashes for TraceRecorder::closeLoop(SlotMap on 20091129-crashdata 0 crashes for TraceRecorder::closeLoop(SlotMap on 20091130-crashdata 0 crashes for TraceRecorder::closeLoop(SlotMap on 20091201-crashdata 0 crashes for TraceRecorder::closeLoop(SlotMap on 20091202-crashdata 1 crashes for TraceRecorder::closeLoop(SlotMap on 20091203-crashdata 0 crashes for TraceRecorder::closeLoop(SlotMap on 20091204-crashdata 0 crashes for TraceRecorder::closeLoop(SlotMap on 20091106-crashdata 1 crashes for TraceRecorder::closeLoop(SlotMap on 20091205-crashdata 0 crashes for TraceRecorder::closeLoop(SlotMap on 20091206-crashdata 0 crashes for TraceRecorder::closeLoop(SlotMap on 20091207-crashdata 3 crashes for TraceRecorder::closeLoop(SlotMap on 20091208-crashdata 5 crashes for TraceRecorder::closeLoop(SlotMap on 20091209-crashdata 1 crashes for TraceRecorder::closeLoop(SlotMap on 20091210-crashdata 0 crashes for TraceRecorder::closeLoop(SlotMap on 20091211-crashdata 0 crashes for TraceRecorder::closeLoop(SlotMap on 20091212-crashdata 0 crashes for TraceRecorder::closeLoop(SlotMap on 20091213-crashdata 0 crashes for TraceRecorder::closeLoop(SlotMap on 20091214-crashdata 0 crashes for TraceRecorder::closeLoop(SlotMap on 20091215-crashdata 0 crashes for TraceRecorder::closeLoop(SlotMap on 20091216-crashdata
Comment 9•15 years ago
|
||
Just in case it may alter you thinking about this bug: when I run http://people.mozilla.com/~vladimir/ss/hosted/bitops-bitwise-and.html on FF 3.5.5 with Firebug 1.5 or 1.4.5, the results imply that the JIT is running even when Firebug is open and active. <5ms. FF 3.6 behaves as we would expect, <5m with Firebug off, > 100ms with Firebug on. So somewhere along between 3.5 and 3.6 the JIT connection to jsd started to work. Maybe that is when these crashes stopped.
Comment 10•15 years ago
|
||
that earliest report from 11/08 was http://crash-stats.mozilla.com/report/index/bb65cb24-6311-425f-967a-2950f2091108 Version 3.6b1 Build ID 20091014103305 and 11/09 was http://crash-stats.mozilla.com/report/index/67350871-6b95-44fe-897d-edec62091109 same build
Comment 11•15 years ago
|
||
These have been coming in slowly the past few days. There is only one that is recent enough to have a minidump available today. I looked at that one but it showed a crash storing to addr 0 on an instruction that stores to [ecx+8] with ecx != -8, which makes no sense. dvander says that could be an overclocking/overheating scenario. So if we want to look at minidumps here, we'll have to wait for more crashes.
Updated•15 years ago
|
Whiteboard: [may be fixed by JSD/JIT connection fix?]
Comment 12•15 years ago
|
||
Can't block with this level of data coming in.
Flags: wanted1.9.2+
Flags: blocking1.9.2-
Flags: blocking1.9.2+
Comment 13•13 years ago
|
||
Obsolete with the removal of tracejit.
Status: NEW → RESOLVED
Closed: 13 years ago
Resolution: --- → WONTFIX
You need to log in
before you can comment on or make changes to this bug.
Description
•