Closed Bug 626361 Opened 14 years ago Closed 14 years ago

Fennec crash [@ EqualityCompiler::update ]

Categories

(Core :: JavaScript Engine, defect)

ARM
Android
defect
Not set
critical

RESOLVED FIXED
Tracking Status
blocking2.0 --- -
fennec 2.0+ ---

People

(Reporter: scoobidiver, Assigned: cdleary)

Details

(Keywords: crash, regression, topcrash, Whiteboard: [fennec-related-jscript-crashers] [fixed-in-tracemonkey])

Attachments

(2 files)

It is a new crash signature. Crashes first appeared in Fennec 4.0b4pre/20110115. It is the #5 top crasher in Fennec 4.0b4pre for the last 3 days.

Signature: EqualityCompiler::update
UUID: 3ecd901b-adc8-42c5-813b-184442110116
Time: 2011-01-16 08:34:26.175409
Uptime: 15
Install Age: 60 seconds since version was first installed.
Product: Fennec
Version: 4.0b4pre
Build ID: 20110116042335
Branch: 2.0
OS: Linux
OS Version: 0.0.0 Linux 2.6.32.17-g9a2fc16 #1 PREEMPT Thu Sep 30 18:42:08 CST 2010 armv7l
CPU: arm
Crash Reason: SIGSEGV
Crash Address: 0x43d102d1
Processor Notes: WARNING: Json file missing Add-ons

Frame  Module  Signature  Source
0  libxul.so  EqualityCompiler::update  js/src/assembler/assembler/ARMAssembler.h:1014
1  libxul.so  js::mjit::ic::Equality  js/src/methodjit/MonoIC.cpp:391
2  libxul.so  libxul.so@0xb16386
3  libxul.so  js::mjit::ic::Equality  js/src/methodjit/MonoIC.cpp:389
4  libxul.so  js::mjit::JaegerShot  js/src/jscntxt.h:2835
5  libxul.so  js::Execute  js/src/jsinterp.cpp:654
6  libxul.so  JS_EvaluateUCScriptForPrincipals  js/src/jsapi.cpp:4930
7  libxul.so  JS_EvaluateUCScriptForPrincipalsVersion  js/src/jsapi.cpp:151
8  libxul.so  nsJSContext::EvaluateString  dom/base/nsJSEnvironment.cpp:1551
9  libxul.so  nsScriptLoader::EvaluateScript  nsCOMPtr.h:655
10  libxul.so  nsScriptLoader::ProcessRequest  nsCOMPtr.h:800
11  libxul.so  nsScriptLoader::ProcessScriptElement  content/base/src/nsScriptLoader.cpp:729
12  libxul.so  nsScriptElement::MaybeProcessScript  content/base/src/nsScriptElement.cpp:185
13  libxul.so  nsHTMLScriptElement::MaybeProcessScript  content/html/content/src/nsHTMLScriptElement.cpp:584
14  libxul.so  nsHTMLScriptElement::DoneAddingChildren  content/html/content/src/nsHTMLScriptElement.cpp:511
15  libxul.so  nsHtml5TreeOpExecutor::RunScript  parser/html/nsHtml5TreeOpExecutor.cpp:734
16  libxul.so  nsHtml5TreeOpExecutor::RunFlushLoop  parser/html/nsHtml5TreeOpExecutor.cpp:528
17  libxul.so  nsHtml5ExecutorFlusher::Run  parser/html/nsHtml5StreamParser.cpp:155
18  libxul.so  nsThread::ProcessNextEvent  xpcom/threads/nsThread.cpp:633
19  libxul.so  NS_ProcessNextEvent_P  nsThreadUtils.cpp:250
20  libxul.so  mozilla::ipc::MessagePump::Run  ipc/glue/MessagePump.cpp:111
21  libxul.so  mozilla::ipc::MessagePumpForChildProcess::Run  ipc/glue/MessagePump.cpp:230
22  libxul.so  MessageLoop::RunInternal  ipc/chromium/src/base/message_loop.cc:220
23  libxul.so  MessageLoop::Run  ipc/chromium/src/base/message_loop.cc:512
24  libxul.so  nsBaseAppShell::Run  widget/src/xpwidgets/nsBaseAppShell.cpp:198
25  libxul.so  XRE_RunAppShell  toolkit/xre/nsEmbedFunctions.cpp:640
26  libxul.so  mozilla::ipc::MessagePumpForChildProcess::Run  ipc/glue/MessagePump.cpp:222
27  libxul.so  MessageLoop::RunInternal  ipc/chromium/src/base/message_loop.cc:220
28  libxul.so  MessageLoop::Run  ipc/chromium/src/base/message_loop.cc:512
29  libxul.so  XRE_InitChildProcess  toolkit/xre/nsEmbedFunctions.cpp:519
30  libmozutils.so  ChildProcessInit  other-licenses/android/APKOpen.cpp:710
31  plugin-container  main  ipc/app/MozillaRuntimeMainAndroid.cpp:69
32  libc.so  libc.so@0xd432

The regression range is: http://hg.mozilla.org/mozilla-central/pushloghtml?fromchange=f24f049857a5&tochange=4df430b64d1b

More reports at: http://crash-stats.mozilla.com/report/list?range_value=4&range_unit=weeks&signature=EqualityCompiler%3A%3Aupdate
tracking-fennec: --- → ?
blocking2.0: --- → ?
tracking-fennec: ? → 2.0+
blocking2.0: ? → -
Received this crash when closing and opening web sites in regards to a Google search for time based on Bug 606074, including http://lassey.us/date.html, and http://people.mozilla.com/~nhirata/html_tp/Bug606074.html

Last website before crash: http://wwp.greenwichmeantime.com

Cannot seem to reproduce.

http://crash-stats.mozilla.com/report/index/6a593168-2663-43f0-ba09-d43ea2110121

Frame  Module  Signature  Source
0  libxul.so  EqualityCompiler::update  js/src/assembler/assembler/ARMAssembler.h:1014
1  libxul.so  js::mjit::ic::Equality  js/src/methodjit/MonoIC.cpp:391
2  libxul.so  libxul.so@0xb1a902
3  libxul.so  js::mjit::ic::Equality  js/src/methodjit/MonoIC.cpp:389
4  libxul.so  js::mjit::JaegerShot  js/src/jscntxt.h:2889
5  libxul.so  js::Execute  js/src/jsinterp.cpp:654
6  libxul.so  JS_EvaluateUCScriptForPrincipals  js/src/jsapi.cpp:4930
7  libxul.so  JS_EvaluateUCScriptForPrincipalsVersion  js/src/jsapi.cpp:151
8  libxul.so  nsJSContext::EvaluateString  dom/base/nsJSEnvironment.cpp:1551
9  libxul.so  nsScriptLoader::EvaluateScript  nsCOMPtr.h:655
10  libxul.so  nsScriptLoader::ProcessRequest  nsCOMPtr.h:800
11  libxul.so  nsScriptLoader::ProcessScriptElement  content/base/src/nsScriptLoader.cpp:729
12  libxul.so  nsScriptElement::MaybeProcessScript  content/base/src/nsScriptElement.cpp:185
13  libxul.so  nsHTMLScriptElement::MaybeProcessScript  content/html/content/src/nsHTMLScriptElement.cpp:584
14  libxul.so  nsHTMLScriptElement::DoneAddingChildren  content/html/content/src/nsHTMLScriptElement.cpp:511
15  libxul.so  nsHtml5TreeOpExecutor::RunScript  parser/html/nsHtml5TreeOpExecutor.cpp:734
16  libxul.so  nsHtml5TreeOpExecutor::RunFlushLoop  parser/html/nsHtml5TreeOpExecutor.cpp:528
17  libxul.so  nsHtml5ExecutorReflusher::Run  parser/html/nsHtml5TreeOpExecutor.cpp:92
18  libxul.so  nsThread::ProcessNextEvent  xpcom/threads/nsThread.cpp:633
19  libxul.so  NS_ProcessNextEvent_P  nsThreadUtils.cpp:250
20  libxul.so  mozilla::ipc::MessagePump::Run  ipc/glue/MessagePump.cpp:111
21  libxul.so  mozilla::ipc::MessagePumpForChildProcess::Run  ipc/glue/MessagePump.cpp:230
22  libxul.so  MessageLoop::RunInternal  ipc/chromium/src/base/message_loop.cc:220
23  libxul.so  MessageLoop::Run  ipc/chromium/src/base/message_loop.cc:512
24  libxul.so  nsBaseAppShell::Run  widget/src/xpwidgets/nsBaseAppShell.cpp:198
25  libxul.so  XRE_RunAppShell  toolkit/xre/nsEmbedFunctions.cpp:640
26  libxul.so  mozilla::ipc::MessagePumpForChildProcess::Run  ipc/glue/MessagePump.cpp:222
27  libxul.so  MessageLoop::RunInternal  ipc/chromium/src/base/message_loop.cc:220
28  libxul.so  MessageLoop::Run  ipc/chromium/src/base/message_loop.cc:512
29  libxul.so  XRE_InitChildProcess  toolkit/xre/nsEmbedFunctions.cpp:519
30  libmozutils.so  ChildProcessInit  other-licenses/android/APKOpen.cpp:765
31  plugin-container  main  ipc/app/MozillaRuntimeMainAndroid.cpp:69
32  libc.so  libc.so@0xd412
Version used : Mozilla/5.0 (Android; Linux armv71; rv2.0b10pre) Gecko/20110121 Firefox/4.0b10pre Fennec/4.0b4pre
Whiteboard: fennec-related-jscript-crashers
Looks like I can consistently reproduce this or a related issue by visiting www.greenwichmeantime.com. Got this assertion in a debug build:

"Assertion failure: (inst & mask) == expected, at /media/data/mozilla/mozilla-central/js/src/methodjit/ICChecker.h:56"

which means CheckIsStubCall() fails in http://mxr.mozilla.org/mozilla-central/source/js/src/methodjit/ICRepatcher.h#89

Here's the stack:

#0 0xafd0ec9c in kill () from /media/data/mozilla/debug/lib/libc.so
#1 0xafd13746 in raise () from /media/data/mozilla/debug/lib/libc.so
#2 0x82ee56b0 in JS_Assert (s=0x8341bdb4 "(inst & mask) == expected", file=0x8341bdd0 "/media/data/mozilla/mozilla-central/js/src/methodjit/ICChecker.h", ln=56) at /media/data/mozilla/mozilla-central/js/src/jsutil.cpp:90
#3 0x82fa1e32 in js::mjit::ic::Repatcher::relink(JSC::CodeLocationCall, JSC::FunctionPtr) () from /media/data/mozilla/mozilla-central/objdir/dist/bin/libxul.so
#4 0x82fa38f0 in EqualityCompiler::update() () from /media/data/mozilla/mozilla-central/objdir/dist/bin/libxul.so
#5 0x82fa0b60 in js::mjit::ic::Equality (f=..., ic=0x6) at /media/data/mozilla/mozilla-central/js/src/methodjit/MonoIC.cpp:392
#6 0x82f6c0b6 in JaegerStubVeneer () from /media/data/mozilla/mozilla-central/objdir/dist/bin/libxul.so

Does this shed any light on the problem for people who know JS engine internals?
Adding some ARM enPICerators.
Now #3 top crasher in 4.0b4, 13% of all crashes.
Keywords: topcrash
Trying to reproduce this using a debug build on this Droid 2 I was lent but I can't get it to load any internet page without the "There was an error loading this page," dialog. May have to start working it out tomorrow.
Assignee: general → cdleary
Status: NEW → ASSIGNED
Debugging environment is set out, workaround for bug 605758 is applied: I should be ready to make some real progress root-causing this tomorrow.
This was missed in the PIC port because it was part of the fast arithmetic ops.
Attachment #510790 - Flags: review?(dmandelin)
Also saw a CallCompiler::update related crash on crash-stats. These kinds of failures would be pretty easily caught if there were fennec debug test runs -- we have a lot of checks in debug mode that the IC repatching and constant pool reservation are working as expected.
Attachment #510797 - Flags: review?(dmandelin)
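The assertion quoted earlier in this bug, "(inst & mask) == expected", is a masked-instruction check run before an IC call site is repatched. The C sketch below is an added example, not SpiderMonkey code and not part of the original thread: it refuses to patch unless the words at the call site match an expected ARM sequence. The "ldr rN, [pc, #imm]; blx rN" stub-call shape, the helper names and the sample words are assumptions made for illustration.

```c
#include <stddef.h>
#include <stdint.h>

/* A32 encodings with the condition field (bits 31..28) masked out. */
#define LDR_PC_MASK     0x0F7FF000u  /* ldr Rd, [pc, #+/-imm12]; U bit ignored */
#define LDR_PC_BITS(rd) (0x051F0000u | ((uint32_t)(rd) << 12))
#define BLX_MASK        0x0FFFFFFFu  /* blx Rm */
#define BLX_BITS(rm)    (0x012FFF30u | (uint32_t)(rm))

/* Assumed stub-call shape: "ldr rN, [pc, #imm]" followed by "blx rN". */
static int is_stub_call(const uint32_t *code, size_t len, size_t at, unsigned reg)
{
    if (at + 1 >= len)
        return 0;
    return (code[at] & LDR_PC_MASK) == LDR_PC_BITS(reg) &&
           (code[at + 1] & BLX_MASK) == BLX_BITS(reg);
}

/* Retarget the call at code[at] by rewriting its literal-pool word.
 * Returns 0 on success; on any failed check returns -1 and writes nothing. */
static int relink_checked(uint32_t *code, size_t len, size_t at,
                          unsigned reg, uint32_t new_target)
{
    if (!is_stub_call(code, len, at, reg))
        return -1;
    size_t words = (code[at] & 0xFFFu) / 4;  /* imm12, assumed word-aligned */
    size_t base = at + 2;                    /* pc reads as address + 8 */
    size_t slot;
    if (code[at] & (1u << 23))               /* U = 1: offset is added */
        slot = base + words;
    else if (words <= base)                  /* U = 0: subtract, no underflow */
        slot = base - words;
    else
        return -1;
    if (slot >= len)
        return -1;
    code[slot] = new_target;
    return 0;
}

/* Constructed sample: an arithmetic op, then a stub call and its pool word. */
static uint32_t sample_code[] = {
    0xE0800001u, /* add r0, r0, r1 */
    0xE59F8004u, /* ldr r8, [pc, #4]  -> pool word at index 4 */
    0xE12FFF38u, /* blx r8 */
    0xE12FFF1Eu, /* bx lr */
    0x00001000u, /* literal pool: current stub address */
};
int main(void) { return relink_checked(sample_code, 5, 1, 8, 0x2000u); }
```

Pointing the relink at index 0 (the arithmetic instruction) returns -1 and leaves the buffer untouched.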
Attachment #510790 - Flags: review?(dmandelin) → review+
Attachment #510797 - Flags: review?(dmandelin) → review+
Whiteboard: fennec-related-jscript-crashers → [fennec-related-jscript-crashers] [fixed-in-tracemonkey]
Status: ASSIGNED → RESOLVED
Closed: 14 years ago
Resolution: --- → FIXED
Blocks: 632840
Blocks: 623188
Blocks: 631913
Blocks: 615993
Crash Signature: [@ EqualityCompiler::update ]