Closed Bug 634332 Opened 14 years ago Closed 12 years ago

JSAPI Garbage Collector Crash During js_Destroy Context under heavy multi-threaded load

Categories

(Core :: JavaScript Engine, defect)

x86_64
Linux
defect
Not set
major

Tracking


RESOLVED INCOMPLETE

People

(Reporter: hans.uhlig, Unassigned)

References

Details

User-Agent: Mozilla/5.0 (Windows; U; Windows NT 6.1; en-US; rv:1.9.2.13) Gecko/20101203 Firefox/3.6.13
Build Identifier:

While executing large numbers of short-lifespan JS contexts, JSAPI will cause a segfault during JS_DestroyContext. Appears to be a reoccurrence of https://bugzilla.mozilla.org/show_bug.cgi?id=604782.

Reproducible: Always

Actual Results:
Program segfaulted.

Expected Results:
Not segfaulted.

Program received signal SIGSEGV, Segmentation fault.
[Switching to Thread 0x7ffff1e24700 (LWP 26906)]
MarkRangeConservatively (trc=0x7ffff1e15240) at jsgc.cpp:742
742         for (const jsuword *i = begin; i != end; ++i)
(gdb) bt
#0  MarkRangeConservatively (trc=0x7ffff1e15240) at jsgc.cpp:742
#1  MarkThreadDataConservatively (trc=0x7ffff1e15240) at jsgc.cpp:760
#2  MarkConservativeStackRoots (trc=0x7ffff1e15240) at jsgc.cpp:800
#3  js::MarkRuntime (trc=0x7ffff1e15240) at jsgc.cpp:1651
#4  0x000000000047cb34 in MarkAndSweep (cx=0xadc1e0, comp=0x0, gckind=<value optimized out>) at jsgc.cpp:2407
#5  GCUntilDone (cx=0xadc1e0, comp=0x0, gckind=<value optimized out>) at jsgc.cpp:2750
#6  js_GC (cx=0xadc1e0, comp=0x0, gckind=<value optimized out>) at jsgc.cpp:2819
#7  0x00000000004371f4 in js_DestroyContext (cx=0xadc1e0, mode=JSDCM_FORCE_GC) at jscntxt.cpp:1078
#8  0x0000000000408896 in js_execute (session=0x7ffff1e19530) at jsengine.c:330
#9  0x0000000000407219 in servletHandler (cls=0x0, connection=0xa64d60, url=0xa65544 "/5071.2/1", method=0xa65540 "GET", version=0xa6555a "HTTP/1.1", upload_data=0x0, upload_data_size=0x7ffff1e23ba8, con_cls=0xa64d88) at httpd.c:336
#10 0x0000000000653a19 in call_connection_handler (connection=0xa64d60) at connection.c:1223
#11 0x0000000000654aed in MHD_connection_handle_idle (connection=0xa64d60) at connection.c:2122
#12 0x0000000000657e35 in MHD_handle_connection (data=<value optimized out>) at daemon.c:619
#13 0x00007ffff72328ba in start_thread (arg=<value optimized out>) at pthread_create.c:300
#14 0x00007ffff653d02d in clone () at ../sysdeps/unix/sysv/linux/x86_64/clone.S:112
#15 0x0000000000000000 in ?? ()
See Also: → 604782
Version: unspecified → Trunk
==28288== Thread 9:
==28288== Invalid read of size 8
==28288==    at 0x47BA80: js::MarkRuntime(JSTracer*) (jsgc.cpp:742)
==28288==    by 0x47CBA3: js_GC(JSContext*, JSCompartment*, JSGCInvocationKind) (jsgc.cpp:2407)
==28288==    by 0x437263: js_DestroyContext(JSContext*, JSDestroyContextMode) (jscntxt.cpp:1078)
==28288==    by 0x408895: js_execute (jsengine.c:333)
==28288==    by 0x407218: servletHandler (httpd.c:336)
==28288==    by 0x653A88: call_connection_handler (connection.c:1223)
==28288==    by 0x654B5C: MHD_connection_handle_idle (connection.c:2122)
==28288==    by 0x657EA4: MHD_handle_connection (daemon.c:619)
==28288==    by 0x57C68B9: start_thread (pthread_create.c:300)
==28288==    by 0x650802C: clone (clone.S:112)
==28288==  Address 0xebf0000 is not stack'd, malloc'd or (recently) free'd
==28288==
==28288== Thread 8:
==28288== Invalid read of size 8
==28288==    at 0x484264: js_UnwindScope(JSContext*, int, int) (jsobj.h:427)
==28288==    by 0x630848: js::Interpret(JSContext*, JSStackFrame*, unsigned int, JSInterpMode) (jsinterp.cpp:6870)
==28288==    by 0x4865CA: js::Execute(JSContext*, JSObject*, JSScript*, JSStackFrame*, unsigned int, js::Value*) (jsinterp.cpp:640)
==28288==    by 0x4190DF: EvaluateUCScriptForPrincipalsCommon(JSContext*, JSObject*, JSPrincipals*, unsigned short const*, unsigned int, char const*, unsigned int, unsigned long*, JSVersion) (jsapi.cpp:5038)
==28288==    by 0x4191E4: JS_EvaluateUCScriptForPrincipals (jsapi.cpp:5065)
==28288==    by 0x419287: JS_EvaluateScriptForPrincipals (jsapi.cpp:5088)
==28288==    by 0x4192E1: JS_EvaluateScript (jsapi.cpp:5108)
==28288==    by 0x40A58B: js_run (jsengine.c:212)
==28288==    by 0x408854: js_execute (jsengine.c:327)
==28288==    by 0x407218: servletHandler (httpd.c:336)
==28288==    by 0x653A88: call_connection_handler (connection.c:1223)
==28288==    by 0x654B5C: MHD_connection_handle_idle (connection.c:2122)
==28288==  Address 0xfffa80000417f908 is not stack'd, malloc'd or (recently) free'd
==28288==
==28288==
==28288== Process terminating with default action of signal 11 (SIGSEGV)
==28288==  General Protection Fault
==28288==    at 0x484264: js_UnwindScope(JSContext*, int, int) (jsobj.h:427)
==28288==    by 0x630848: js::Interpret(JSContext*, JSStackFrame*, unsigned int, JSInterpMode) (jsinterp.cpp:6870)
==28288==    by 0x4865CA: js::Execute(JSContext*, JSObject*, JSScript*, JSStackFrame*, unsigned int, js::Value*) (jsinterp.cpp:640)
==28288==    by 0x4190DF: EvaluateUCScriptForPrincipalsCommon(JSContext*, JSObject*, JSPrincipals*, unsigned short const*, unsigned int, char const*, unsigned int, unsigned long*, JSVersion) (jsapi.cpp:5038)
==28288==    by 0x4191E4: JS_EvaluateUCScriptForPrincipals (jsapi.cpp:5065)
==28288==    by 0x419287: JS_EvaluateScriptForPrincipals (jsapi.cpp:5088)
==28288==    by 0x4192E1: JS_EvaluateScript (jsapi.cpp:5108)
==28288==    by 0x40A58B: js_run (jsengine.c:212)
==28288==    by 0x408854: js_execute (jsengine.c:327)
==28288==    by 0x407218: servletHandler (httpd.c:336)
==28288==    by 0x653A88: call_connection_handler (connection.c:1223)
==28288==    by 0x654B5C: MHD_connection_handle_idle (connection.c:2122)
==28288==
==28288== HEAP SUMMARY:
==28288==     in use at exit: 5,668,958 bytes in 6,337 blocks
==28288==   total heap usage: 8,519 allocs, 2,182 frees, 6,930,493 bytes allocated
==28288==
==28288== LEAK SUMMARY:
==28288==    definitely lost: 8 bytes in 1 blocks
==28288==    indirectly lost: 0 bytes in 0 blocks
==28288==      possibly lost: 848,987 bytes in 324 blocks
==28288==    still reachable: 4,819,963 bytes in 6,012 blocks
==28288==         suppressed: 0 bytes in 0 blocks
==28288== Rerun with --leak-check=full to see details of leaked memory
==28288==
==28288== For counts of detected and suppressed errors, rerun with: -v
==28288== Use --track-origins=yes to see where uninitialised values come from
==28288== ERROR SUMMARY: 1628 errors from 3 contexts (suppressed: 6 from 6)
Killed
root@dasedev:/opt/dased#
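To make the crash site in the traces above concrete, here is an added toy model of what the loop at jsgc.cpp:742 does. This is example code written for this page, not SpiderMonkey's code and not the reporter's: it walks the words in a thread's recorded stack segment [begin, end) and marks any word that happens to point into a small GC arena, which is what a conservative stack scan is. The toy also adds the sanity check a defender would want in front of such a scan, refusing a per-thread record that has been torn down or whose bounds are inverted; the arena, the ThreadStackRecord struct and its valid flag are all constructed for this example and are only an assumption about how stale thread data could look when a context is destroyed under load.

```c
#include <stddef.h>
#include <stdint.h>
#include <stdio.h>
#include <string.h>

/* Toy GC arena: a fixed block of cells plus one mark byte per cell (constructed). */
#define ARENA_CELLS 16
typedef struct { uintptr_t payload; } Cell;
static Cell arena[ARENA_CELLS];
static unsigned char marks[ARENA_CELLS];

/* Map a raw word to a cell index if it points anywhere inside the arena, else -1.
   Interior pointers count, as they do in a conservative scanner. */
static int cell_index(uintptr_t w) {
    uintptr_t lo = (uintptr_t)arena;
    uintptr_t hi = lo + sizeof(arena);
    if (w < lo || w >= hi) return -1;
    return (int)((w - lo) / sizeof(Cell));
}

/* Conservative mark over the word range [begin, end), the same shape as the
   MarkRangeConservatively loop in the backtrace. Returns how many cells were newly marked.
   If begin/end do not describe readable memory, this is exactly where a SIGSEGV lands. */
static int mark_range_conservatively(const uintptr_t *begin, const uintptr_t *end) {
    int marked = 0;
    for (const uintptr_t *i = begin; i != end; ++i) {
        int idx = cell_index(*i);
        if (idx >= 0 && !marks[idx]) {
            marks[idx] = 1;
            marked++;
        }
    }
    return marked;
}

/* Hypothetical per-thread record of the stack segment to scan (constructed for this example).
   On x86-64 the stack grows down, so the live segment is [stack_top, stack_base). */
typedef struct {
    const uintptr_t *stack_top;   /* lowest address of the live frames */
    const uintptr_t *stack_base;  /* address where the thread's stack began */
    int valid;                    /* cleared when the owning context is torn down */
} ThreadStackRecord;

/* Scan one thread's record, but only if it is still valid and well-formed.
   Returns cells marked, or -1 when the record is rejected. */
static int mark_thread_data(const ThreadStackRecord *rec) {
    if (!rec->valid) return -1;                                  /* torn-down thread: nothing to scan */
    if (rec->stack_top == NULL || rec->stack_base == NULL) return -1;
    if (rec->stack_top > rec->stack_base) return -1;             /* inverted range would walk off the stack */
    return mark_range_conservatively(rec->stack_top, rec->stack_base);
}

/* A fake stack (constructed) holding two distinct arena pointers, one of them twice. */
int demo(void) {
    memset(marks, 0, sizeof marks);
    uintptr_t fake_stack[8] = {0};
    fake_stack[1] = (uintptr_t)&arena[3];
    fake_stack[5] = (uintptr_t)&arena[9];
    fake_stack[6] = (uintptr_t)&arena[9];   /* duplicate root: marked only once */
    ThreadStackRecord rec = { fake_stack, fake_stack + 8, 1 };
    return mark_thread_data(&rec);          /* 2 */
}

/* The same stack, but the record has already been invalidated: the scan is refused. */
int demo_stale(void) {
    memset(marks, 0, sizeof marks);
    uintptr_t fake_stack[8] = {0};
    fake_stack[1] = (uintptr_t)&arena[3];
    ThreadStackRecord rec = { fake_stack, fake_stack + 8, 0 };
    return mark_thread_data(&rec);          /* -1 */
}

int main(void) {
    printf("live record marked %d cells\n", demo());
    printf("stale record result: %d\n", demo_stale());
    return 0;
}
```

The point of the guard in mark_thread_data is that a conservative scanner trusts its bounds completely; the `i != end` loop has no other way to stop, so every bookkeeping path that records or clears a thread's stack range has to run before the thread's context can be destroyed and the GC triggered from another thread.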
Hans, do you still see this? If so, we should change to confirmed
Flags: needinfo?(hans.uhlig)
Status: UNCONFIRMED → RESOLVED
Closed: 12 years ago
Flags: needinfo?(hans.uhlig)
Resolution: --- → INCOMPLETE