
Fennec crash [@ EqualityCompiler::update ]

RESOLVED FIXED

Status


Core
JavaScript Engine
--
critical
RESOLVED FIXED
7 years ago
6 years ago

People

(Reporter: Scoobidiver (away), Assigned: cdleary)

Tracking

({crash, regression, topcrash})

Trunk
ARM
Android
crash, regression, topcrash

Firefox Tracking Flags

(blocking2.0 -, fennec2.0+)

Details

(Whiteboard: [fennec-related-jscript-crashers] [fixed-in-tracemonkey], crash signature)

Attachments

(2 attachments)

(Reporter)

Description

7 years ago
It is a new crash signature. Crashes first appeared in Fennec 4.0b4pre/20110115.
It is the #5 top crasher in Fennec 4.0b4pre for the last 3 days.

Signature	EqualityCompiler::update
UUID	3ecd901b-adc8-42c5-813b-184442110116
Time 	2011-01-16 08:34:26.175409
Uptime	15
Install Age	60 seconds since version was first installed.
Product	Fennec
Version	4.0b4pre
Build ID	20110116042335
Branch	2.0
OS	Linux
OS Version	0.0.0 Linux 2.6.32.17-g9a2fc16 #1 PREEMPT Thu Sep 30 18:42:08 CST 2010 armv7l
CPU	arm
Crash Reason	SIGSEGV
Crash Address	0x43d102d1
Processor Notes 	WARNING: Json file missing Add-ons

Frame 	Module 	Signature 	Source
0 	libxul.so 	EqualityCompiler::update 	js/src/assembler/assembler/ARMAssembler.h:1014
1 	libxul.so 	js::mjit::ic::Equality 	js/src/methodjit/MonoIC.cpp:391
2 	libxul.so 	libxul.so@0xb16386 	
3 	libxul.so 	js::mjit::ic::Equality 	js/src/methodjit/MonoIC.cpp:389
4 	libxul.so 	js::mjit::JaegerShot 	js/src/jscntxt.h:2835
5 	libxul.so 	js::Execute 	js/src/jsinterp.cpp:654
6 	libxul.so 	JS_EvaluateUCScriptForPrincipals 	js/src/jsapi.cpp:4930
7 	libxul.so 	JS_EvaluateUCScriptForPrincipalsVersion 	js/src/jsapi.cpp:151
8 	libxul.so 	nsJSContext::EvaluateString 	dom/base/nsJSEnvironment.cpp:1551
9 	libxul.so 	nsScriptLoader::EvaluateScript 	nsCOMPtr.h:655
10 	libxul.so 	nsScriptLoader::ProcessRequest 	nsCOMPtr.h:800
11 	libxul.so 	nsScriptLoader::ProcessScriptElement 	content/base/src/nsScriptLoader.cpp:729
12 	libxul.so 	nsScriptElement::MaybeProcessScript 	content/base/src/nsScriptElement.cpp:185
13 	libxul.so 	nsHTMLScriptElement::MaybeProcessScript 	content/html/content/src/nsHTMLScriptElement.cpp:584
14 	libxul.so 	nsHTMLScriptElement::DoneAddingChildren 	content/html/content/src/nsHTMLScriptElement.cpp:511
15 	libxul.so 	nsHtml5TreeOpExecutor::RunScript 	parser/html/nsHtml5TreeOpExecutor.cpp:734
16 	libxul.so 	nsHtml5TreeOpExecutor::RunFlushLoop 	parser/html/nsHtml5TreeOpExecutor.cpp:528
17 	libxul.so 	nsHtml5ExecutorFlusher::Run 	parser/html/nsHtml5StreamParser.cpp:155
18 	libxul.so 	nsThread::ProcessNextEvent 	xpcom/threads/nsThread.cpp:633
19 	libxul.so 	NS_ProcessNextEvent_P 	nsThreadUtils.cpp:250
20 	libxul.so 	mozilla::ipc::MessagePump::Run 	ipc/glue/MessagePump.cpp:111
21 	libxul.so 	mozilla::ipc::MessagePumpForChildProcess::Run 	ipc/glue/MessagePump.cpp:230
22 	libxul.so 	MessageLoop::RunInternal 	ipc/chromium/src/base/message_loop.cc:220
23 	libxul.so 	MessageLoop::Run 	ipc/chromium/src/base/message_loop.cc:512
24 	libxul.so 	nsBaseAppShell::Run 	widget/src/xpwidgets/nsBaseAppShell.cpp:198
25 	libxul.so 	XRE_RunAppShell 	toolkit/xre/nsEmbedFunctions.cpp:640
26 	libxul.so 	mozilla::ipc::MessagePumpForChildProcess::Run 	ipc/glue/MessagePump.cpp:222
27 	libxul.so 	MessageLoop::RunInternal 	ipc/chromium/src/base/message_loop.cc:220
28 	libxul.so 	MessageLoop::Run 	ipc/chromium/src/base/message_loop.cc:512
29 	libxul.so 	XRE_InitChildProcess 	toolkit/xre/nsEmbedFunctions.cpp:519
30 	libmozutils.so 	ChildProcessInit 	other-licenses/android/APKOpen.cpp:710
31 	plugin-container 	main 	ipc/app/MozillaRuntimeMainAndroid.cpp:69
32 	libc.so 	libc.so@0xd432 	

The regression range is:
http://hg.mozilla.org/mozilla-central/pushloghtml?fromchange=f24f049857a5&tochange=4df430b64d1b

More reports at:
http://crash-stats.mozilla.com/report/list?range_value=4&range_unit=weeks&signature=EqualityCompiler%3A%3Aupdate
(Reporter)

Updated

7 years ago
tracking-fennec: --- → ?

Updated

7 years ago
blocking2.0: --- → ?
tracking-fennec: ? → 2.0+
blocking2.0: ? → -
Received this crash when closing and opening web sites in regard to a Google search for time based on Bug 606074, including http://lassey.us/date.html and http://people.mozilla.com/~nhirata/html_tp/Bug606074.html

Last website before crash: http://wwp.greenwichmeantime.com
Cannot seem to reproduce.

http://crash-stats.mozilla.com/report/index/6a593168-2663-43f0-ba09-d43ea2110121

Frame 	Module 	Signature 	Source
0 	libxul.so 	EqualityCompiler::update 	js/src/assembler/assembler/ARMAssembler.h:1014
1 	libxul.so 	js::mjit::ic::Equality 	js/src/methodjit/MonoIC.cpp:391
2 	libxul.so 	libxul.so@0xb1a902 	
3 	libxul.so 	js::mjit::ic::Equality 	js/src/methodjit/MonoIC.cpp:389
4 	libxul.so 	js::mjit::JaegerShot 	js/src/jscntxt.h:2889
5 	libxul.so 	js::Execute 	js/src/jsinterp.cpp:654
6 	libxul.so 	JS_EvaluateUCScriptForPrincipals 	js/src/jsapi.cpp:4930
7 	libxul.so 	JS_EvaluateUCScriptForPrincipalsVersion 	js/src/jsapi.cpp:151
8 	libxul.so 	nsJSContext::EvaluateString 	dom/base/nsJSEnvironment.cpp:1551
9 	libxul.so 	nsScriptLoader::EvaluateScript 	nsCOMPtr.h:655
10 	libxul.so 	nsScriptLoader::ProcessRequest 	nsCOMPtr.h:800
11 	libxul.so 	nsScriptLoader::ProcessScriptElement 	content/base/src/nsScriptLoader.cpp:729
12 	libxul.so 	nsScriptElement::MaybeProcessScript 	content/base/src/nsScriptElement.cpp:185
13 	libxul.so 	nsHTMLScriptElement::MaybeProcessScript 	content/html/content/src/nsHTMLScriptElement.cpp:584
14 	libxul.so 	nsHTMLScriptElement::DoneAddingChildren 	content/html/content/src/nsHTMLScriptElement.cpp:511
15 	libxul.so 	nsHtml5TreeOpExecutor::RunScript 	parser/html/nsHtml5TreeOpExecutor.cpp:734
16 	libxul.so 	nsHtml5TreeOpExecutor::RunFlushLoop 	parser/html/nsHtml5TreeOpExecutor.cpp:528
17 	libxul.so 	nsHtml5ExecutorReflusher::Run 	parser/html/nsHtml5TreeOpExecutor.cpp:92
18 	libxul.so 	nsThread::ProcessNextEvent 	xpcom/threads/nsThread.cpp:633
19 	libxul.so 	NS_ProcessNextEvent_P 	nsThreadUtils.cpp:250
20 	libxul.so 	mozilla::ipc::MessagePump::Run 	ipc/glue/MessagePump.cpp:111
21 	libxul.so 	mozilla::ipc::MessagePumpForChildProcess::Run 	ipc/glue/MessagePump.cpp:230
22 	libxul.so 	MessageLoop::RunInternal 	ipc/chromium/src/base/message_loop.cc:220
23 	libxul.so 	MessageLoop::Run 	ipc/chromium/src/base/message_loop.cc:512
24 	libxul.so 	nsBaseAppShell::Run 	widget/src/xpwidgets/nsBaseAppShell.cpp:198
25 	libxul.so 	XRE_RunAppShell 	toolkit/xre/nsEmbedFunctions.cpp:640
26 	libxul.so 	mozilla::ipc::MessagePumpForChildProcess::Run 	ipc/glue/MessagePump.cpp:222
27 	libxul.so 	MessageLoop::RunInternal 	ipc/chromium/src/base/message_loop.cc:220
28 	libxul.so 	MessageLoop::Run 	ipc/chromium/src/base/message_loop.cc:512
29 	libxul.so 	XRE_InitChildProcess 	toolkit/xre/nsEmbedFunctions.cpp:519
30 	libmozutils.so 	ChildProcessInit 	other-licenses/android/APKOpen.cpp:765
31 	plugin-container 	main 	ipc/app/MozillaRuntimeMainAndroid.cpp:69
32 	libc.so 	libc.so@0xd412
Version used : 
Mozilla/5.0 (Android; Linux armv71; rv2.0b10pre) Gecko/20110121 Firefox/4.0b10pre Fennec/4.0b4pre
Whiteboard: fennec-related-jscript-crashers
Looks like I can consistently reproduce this or a related issue by visiting www.greenwichmeantime.com.

Got this assertion in a debug build:
"Assertion failure: (inst & mask) == expected, at /media/data/mozilla/mozilla-central/js/src/methodjit/ICChecker.h:56"
which means CheckIsStubCall() fails in http://mxr.mozilla.org/mozilla-central/source/js/src/methodjit/ICRepatcher.h#89

Here's the stack:

#0  0xafd0ec9c in kill () from /media/data/mozilla/debug/lib/libc.so
#1  0xafd13746 in raise () from /media/data/mozilla/debug/lib/libc.so
#2  0x82ee56b0 in JS_Assert (s=0x8341bdb4 "(inst & mask) == expected", 
    file=0x8341bdd0 "/media/data/mozilla/mozilla-central/js/src/methodjit/ICChecker.h", ln=56) at /media/data/mozilla/mozilla-central/js/src/jsutil.cpp:90
#3  0x82fa1e32 in js::mjit::ic::Repatcher::relink(JSC::CodeLocationCall, JSC::FunctionPtr) ()
   from /media/data/mozilla/mozilla-central/objdir/dist/bin/libxul.so
#4  0x82fa38f0 in EqualityCompiler::update() () from /media/data/mozilla/mozilla-central/objdir/dist/bin/libxul.so
#5  0x82fa0b60 in js::mjit::ic::Equality (f=..., ic=0x6) at /media/data/mozilla/mozilla-central/js/src/methodjit/MonoIC.cpp:392
#6  0x82f6c0b6 in JaegerStubVeneer () from /media/data/mozilla/mozilla-central/objdir/dist/bin/libxul.so


Does this shed any light on the problem for people who know JS engine internals?
Adding some ARM enPICerators.
(Reporter)

Comment 5

7 years ago
Now #3 top crasher in 4.0b4, 13% of all crashes.
Keywords: topcrash
Trying to reproduce this using a debug build on this Droid 2 I was lent but I can't get it to load any internet page without the "There was an error loading this page," dialog. May have to start working it out tomorrow.
Assignee: general → cdleary
Status: NEW → ASSIGNED
Debugging environment is set out, workaround for bug 605758 is applied: I should be ready to make some real progress root-causing this tomorrow.
Created attachment 510790
Protect equality IC stub from heinous constant pool dumpage.

This was missed in the PIC port because it was part of the fast arithmetic ops.
Attachment #510790 - Flags: review?(dmandelin)
Created attachment 510797
Call MIC reservation.

Also saw a CallCompiler::update related crash on crash-stats.

These kinds of failures would be pretty easily caught if there were fennec debug test runs -- we have a lot of checks in debug mode that the IC repatching and constant pool reservation are working as expected.
Attachment #510797 - Flags: review?(dmandelin)
Attachment #510790 - Flags: review?(dmandelin) → review+
Attachment #510797 - Flags: review?(dmandelin) → review+
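
A simplified model of the failure discussed in this bug, added here as an illustration and not taken from the SpiderMonkey source or the attached patches: an inline cache is located by a fixed word offset from its label, so a constant pool dumped in the middle of the sequence makes the `(inst & mask) == expected` check fail, while reserving space beforehand keeps the sequence contiguous. `ToyAssembler`, `reserve`, `checkIsStubLoad`, `icIsRepatchable`, the 4-word pool threshold and the constants are all hypothetical; only the ARM instruction encodings are real.

```cpp
// Added illustration, not SpiderMonkey code; names, threshold and constants are constructed.
#include <cstddef>
#include <cstdint>
#include <vector>
struct ToyAssembler {
    std::vector<uint32_t> code, pending;   // emitted words; constants not yet dumped
    size_t sinceFirst = 0, poolLimit = 4;  // words emitted since the first pending constant
    void flushPool() {                     // dump the pool inline: branch over it, then data
        if (pending.empty()) return;
        code.push_back(0xEA000000u | uint32_t(pending.size() - 1));  // B past the pool
        code.insert(code.end(), pending.begin(), pending.end());
        pending.clear(); sinceFirst = 0;
    }
    void emit(uint32_t inst) {
        if (!pending.empty() && sinceFirst >= poolLimit) flushPool();  // forced dump
        code.push_back(inst);
        if (!pending.empty()) ++sinceFirst;
    }
    void loadConst(unsigned rd, uint32_t value) {  // LDR rd, [pc, #imm] plus a pool entry
        emit(0xE59F0000u | (rd << 12));
        pending.push_back(value);
    }
    void reserve(size_t words) {           // flush now if the next `words` would not fit
        if (!pending.empty() && sinceFirst + words > poolLimit) flushPool();
    }
};

const size_t kStubLoadOffset = 2;          // words from the IC label to the stub-address load
// Same shape as the failed assertion, here matching LDR ip, [pc, #imm].
bool checkIsStubLoad(const ToyAssembler& a, size_t label) {
    size_t at = label + kStubLoadOffset;
    return at < a.code.size() && (a.code[at] & 0xFFFFF000u) == 0xE59FC000u;
}

// Earlier code leaves a constant pending, then a 4-word IC sequence is emitted.
bool icIsRepatchable(bool reserveFirst) {
    ToyAssembler a;
    a.loadConst(0, 0x11111111u);                      // constructed earlier constant
    for (int i = 0; i < 3; ++i) a.emit(0xE1A00000u);  // NOP (MOV r0, r0)
    if (reserveFirst) a.reserve(4);
    size_t label = a.code.size();
    a.emit(0xE1500001u);                              // CMP r0, r1
    a.emit(0xE3A02000u);                              // MOV r2, #0
    a.loadConst(12, 0x22222222u);                     // LDR ip, =stub (constructed address)
    a.emit(0xE12FFF3Cu);                              // BLX ip
    return checkIsStubLoad(a, label);                 // is the word at the offset still the load?
}
int main() { return (icIsRepatchable(true) && !icIsRepatchable(false)) ? 0 : 1; }
```

Without the reservation the word at the recorded offset is the dumped constant `0x11111111`, which is the situation a release build patches blindly and a debug build catches with the assertion.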
http://hg.mozilla.org/tracemonkey/rev/662d6b3a0f87
Whiteboard: fennec-related-jscript-crashers → [fennec-related-jscript-crashers] [fixed-in-tracemonkey]
http://hg.mozilla.org/tracemonkey/rev/fe7ffea4dda1
cdleary-bot mozilla-central merge info:
http://hg.mozilla.org/mozilla-central/rev/662d6b3a0f87
http://hg.mozilla.org/mozilla-central/rev/fe7ffea4dda1
Status: ASSIGNED → RESOLVED
Last Resolved: 7 years ago
Resolution: --- → FIXED
(Reporter)

Updated

7 years ago
Blocks: 632840
(Reporter)

Updated

7 years ago
Blocks: 623188
(Reporter)

Updated

7 years ago
Blocks: 631913
(Reporter)

Updated

7 years ago
Blocks: 615993
Crash Signature: [@ EqualityCompiler::update ]