Closed Bug 530958 Opened 15 years ago Closed 13 years ago

New crash [@ TraceRecorder::closeLoop(SlotMap&, VMSideExit*, TypeConsensus&)] in Firefox 3.6b3

Categories

(Core :: JavaScript Engine, defect)

1.9.2 Branch
defect
Not set
critical

Tracking

()

RESOLVED WONTFIX

People

(Reporter: jst, Assigned: gal)

Details

(Keywords: regression, Whiteboard: [may be fixed by JSD/JIT connection fix?])

There's a new crash in Firefox 3.6b3 with the signature "TraceRecorder::closeLoop(SlotMap&, VMSideExit*, TypeConsensus&)" that hasn't been seen in any of the versions 3.5.*. So far we've seen 74+ of these crashes in the wild.

Please see http://crash-stats.mozilla.com/query/query?product=Firefox&version=Firefox%3A3.6b3&range_value=1&range_unit=weeks&query_search=signature&query_type=exact&query=TraceRecorder%3A%3AcloseLoop%28SlotMap%26%2C%20VMSideExit%2A%2C%20TypeConsensus%26%29&do_query=1 for more crash info.
Flags: blocking1.9.2?
distribution of all versions where the TraceRecorder::closeLoop crash was found on 20091122-crashdata.csv
  18 Firefox 3.6b3


os breakdown
  13 TraceRecorder::closeLoop(SlotMap&, VMSideExit*, TypeConsensus&) Mac OS X 10.6.2 10C540
   3 TraceRecorder::closeLoop(SlotMap&, VMSideExit*, TypeConsensus&) Mac OS X 10.6.1 10B504
   1 TraceRecorder::closeLoop(TypeConsensus&) Windows NT 5.1.2600 Dodatek Service Pack. 1
   1 TraceRecorder::closeLoop(SlotMap&, VMSideExit*, TypeConsensus&) Mac OS X 10.6.0 10A432

____________number of uniq sites found with this signature:
      
   2 http://maps.google.com/
   6 http://maps.google.com/maps --- with specific location info removed
   1 http://maps.google.it/maps? -- with location removed
   1 http://maps.google.de/

   1 https://mail.google.com/a -- user data removed

   2 http://en.wikipedia.org/wiki/Kohlrabi
   1 http://sms.orange.pl/
   1 http://www.thebikehouse.org/
   1 http://github.com/blog
   1 http://gigazine.net/index.php?/news/comments/20091120_sailing_stones/
   1 http://einestages.spiegel.de/static/topicalbumbackground/5541/leben_mit_den_toten.html
Crashes are all at 0x9, all on OS X (80 total) for the last week.  Stacks appear to go through Firebug, and all I've sampled so far are using FB 1.4.5.  Is 1.4.5 compatible with 3.6, or are people running with incompat turned off?  (Last frame of the stack is a bit wrong, no doubt fooled by inlining.)

Blocking for now, but if it requires an incompatible FB we should unblock IMO.
Flags: blocking1.9.2? → blocking1.9.2+
We tested 1.4.5 with Firefox 3.6b on Nov. 6th as part of bug 522527. We declared it compatible. 

I thought that the JIT tracing would be disabled if we enter jsd. Note the stack:
0  	libmozjs.dylib  	TraceRecorder::closeLoop  	 js/src/nanojit/Allocator.h:62
1 	libmozjs.dylib 	JS_GetFrameThis 	js/src/jsdbgapi.cpp:1144
2 	XUL 	_callHook 	js/jsd/jsd_step.c:133
3 	XUL 	jsd_FunctionCallHook 	js/jsd/jsd_step.c:285

See also bug 519719 and bug 530198 and bug 468506, all relate to jsd and JS_GetFrameThis.
    class Allocator {
    public:
        Allocator();
        ~Allocator();
        void reset();

        /** alloc memory, never return null. */
        void* alloc(size_t nbytes) {
            nbytes = (nbytes + 7) & ~7; // round up                             
            if (current_top + nbytes <= current_limit) { /* Allocator.h:62 */
 
I am guessing this is null here, but that's really strange.
Assignee: general → gal
Any updates on this?
I have not been able to reproduce this. We don't have STR. Are we sure we want to block on this?
b5 data will prove it out, but in the last 2 weeks we've only seen 10 of these crashes in b4, and none in b5pre.  I can't seem to get to old enough data via crash-stats to see if we saw b4pre or b3pre crashes, so I'm not quite sure how to read it.

Firebug changes, or our own JSD changes, could certainly have mitigated it.
I looked back through sept, oct, nov. and I see no crashes incoming until 11/08 then this profile of crashes per day.

0  crashes for TraceRecorder::closeLoop(SlotMap on  20091107-crashdata
1  crashes for TraceRecorder::closeLoop(SlotMap on  20091108-crashdata
1  crashes for TraceRecorder::closeLoop(SlotMap on  20091109-crashdata
0  crashes for TraceRecorder::closeLoop(SlotMap on  20091110-crashdata
0  crashes for TraceRecorder::closeLoop(SlotMap on  20091111-crashdata
0  crashes for TraceRecorder::closeLoop(SlotMap on  20091112-crashdata
0  crashes for TraceRecorder::closeLoop(SlotMap on  20091113-crashdata
0  crashes for TraceRecorder::closeLoop(SlotMap on  20091114-crashdata
0  crashes for TraceRecorder::closeLoop(SlotMap on  20091115-crashdata
0  crashes for TraceRecorder::closeLoop(SlotMap on  20091116-crashdata
0  crashes for TraceRecorder::closeLoop(SlotMap on  20091117-crashdata
3  crashes for TraceRecorder::closeLoop(SlotMap on  20091118-crashdata
14  crashes for TraceRecorder::closeLoop(SlotMap on  20091119-crashdata
15  crashes for TraceRecorder::closeLoop(SlotMap on  20091120-crashdata
10  crashes for TraceRecorder::closeLoop(SlotMap on  20091121-crashdata
17  crashes for TraceRecorder::closeLoop(SlotMap on  20091122-crashdata
17  crashes for TraceRecorder::closeLoop(SlotMap on  20091123-crashdata
9  crashes for TraceRecorder::closeLoop(SlotMap on  20091124-crashdata
7  crashes for TraceRecorder::closeLoop(SlotMap on  20091125-crashdata
7  crashes for TraceRecorder::closeLoop(SlotMap on  20091126-crashdata
2  crashes for TraceRecorder::closeLoop(SlotMap on  20091127-crashdata
0  crashes for TraceRecorder::closeLoop(SlotMap on  20091128-crashdata
0  crashes for TraceRecorder::closeLoop(SlotMap on  20091129-crashdata
0  crashes for TraceRecorder::closeLoop(SlotMap on  20091130-crashdata
0  crashes for TraceRecorder::closeLoop(SlotMap on  20091201-crashdata
0  crashes for TraceRecorder::closeLoop(SlotMap on  20091202-crashdata
1  crashes for TraceRecorder::closeLoop(SlotMap on  20091203-crashdata
0  crashes for TraceRecorder::closeLoop(SlotMap on  20091204-crashdata
0  crashes for TraceRecorder::closeLoop(SlotMap on  20091106-crashdata
1  crashes for TraceRecorder::closeLoop(SlotMap on  20091205-crashdata
0  crashes for TraceRecorder::closeLoop(SlotMap on  20091206-crashdata
0  crashes for TraceRecorder::closeLoop(SlotMap on  20091207-crashdata
3  crashes for TraceRecorder::closeLoop(SlotMap on  20091208-crashdata
5  crashes for TraceRecorder::closeLoop(SlotMap on  20091209-crashdata
1  crashes for TraceRecorder::closeLoop(SlotMap on  20091210-crashdata
0  crashes for TraceRecorder::closeLoop(SlotMap on  20091211-crashdata
0  crashes for TraceRecorder::closeLoop(SlotMap on  20091212-crashdata
0  crashes for TraceRecorder::closeLoop(SlotMap on  20091213-crashdata
0  crashes for TraceRecorder::closeLoop(SlotMap on  20091214-crashdata
0  crashes for TraceRecorder::closeLoop(SlotMap on  20091215-crashdata
0  crashes for TraceRecorder::closeLoop(SlotMap on  20091216-crashdata
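
An added example, not part of the original bug comments: a small parser for the per-day report format quoted above. It orders the rows by date (the listing has 20091106 out of sequence) and groups consecutive days at or above a threshold into bursts. The sample rows are a subset of the listing plus one constructed malformed line; the function names are this example's own.

```python
import re
from datetime import date, timedelta

# Subset of the rows quoted above, kept out of date order like the original
# listing; the last line is constructed to show how bad rows are handled.
SAMPLE = """\
0  crashes for TraceRecorder::closeLoop(SlotMap on  20091117-crashdata
3  crashes for TraceRecorder::closeLoop(SlotMap on  20091118-crashdata
14  crashes for TraceRecorder::closeLoop(SlotMap on  20091119-crashdata
15  crashes for TraceRecorder::closeLoop(SlotMap on  20091120-crashdata
10  crashes for TraceRecorder::closeLoop(SlotMap on  20091121-crashdata
17  crashes for TraceRecorder::closeLoop(SlotMap on  20091122-crashdata
0  crashes for TraceRecorder::closeLoop(SlotMap on  20091106-crashdata
1  crashes for TraceRecorder::closeLoop(SlotMap on  20091108-crashdata
1  crashes for TraceRecorder::closeLoop(SlotMap on  20091109-crashdata
0  crashes for TraceRecorder::closeLoop(SlotMap on  20091110-crashdata
n/a  crashes for TraceRecorder::closeLoop(SlotMap on  20091123-crashdata
"""

LINE = re.compile(
    r"^\s*(\d+)\s+crashes for (.+?) on\s+(\d{4})(\d{2})(\d{2})-crashdata\s*$")

def parse_counts(text):
    """Return ({date: count}, skipped_lines) for one signature's daily report."""
    counts, skipped = {}, []
    for raw in text.splitlines():
        if not raw.strip():
            continue
        m = LINE.match(raw)
        if not m:
            skipped.append(raw)      # keep bad rows visible, never guess a count
            continue
        n, _sig, y, mo, d = m.groups()
        counts[date(int(y), int(mo), int(d))] = int(n)
    return counts, skipped

def bursts(counts, threshold=1):
    """Runs of consecutive calendar days with count >= threshold, as
    (first_day, last_day, total). A missing day ends a run: no data for a
    day is not the same as zero crashes on that day."""
    runs, cur = [], []
    for day in sorted(counts):
        hot = counts[day] >= threshold
        contiguous = cur and day - cur[-1] == timedelta(days=1)
        if hot and (not cur or contiguous):
            cur.append(day)
            continue
        if cur:
            runs.append((cur[0], cur[-1], sum(counts[x] for x in cur)))
        cur = [day] if hot else []
    if cur:
        runs.append((cur[0], cur[-1], sum(counts[x] for x in cur)))
    return runs
```
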
Just in case it may alter your thinking about this bug:
when I run 
http://people.mozilla.com/~vladimir/ss/hosted/bitops-bitwise-and.html
on FF 3.5.5 with Firebug 1.5 or 1.4.5, the results imply that the JIT is running even when Firebug is open and active.  <5ms.

FF 3.6 behaves as we would expect, <5m with Firebug off, > 100ms with Firebug on.

So somewhere along between 3.5 and 3.6 the JIT connection to jsd started to work. Maybe that is when these crashes stopped.
These have been coming in slowly the past few days. There is only one that is recent enough to have a minidump available today. I looked at that one but it showed a crash storing to addr 0 on an instruction that stores to [ecx+8] with ecx != -8, which makes no sense. dvander says that could be an overclocking/overheating scenario. So if we want to look at minidumps here, we'll have to wait for more crashes.
Whiteboard: [may be fixed by JSD/JIT connection fix?]
Can't block with this level of data coming in.
Flags: wanted1.9.2+
Flags: blocking1.9.2-
Flags: blocking1.9.2+
Obsolete with the removal of tracejit.
Status: NEW → RESOLVED
Closed: 13 years ago
Resolution: --- → WONTFIX