669617 - crash (SIGSEGV) in JS_ON_TRACE during test_precisegc.xul

Status: RESOLVED FIXED

(Core :: JavaScript Engine, defect)

Description

[Jonathan Kew [:jfkthame]]

http://tinderbox.mozilla.org/showlog.cgi?log=Firefox/1309942636.1309945416.24035.gz

Looks to be intermittent, as it didn't happen on the following pushes. Possibly triggered by cset 58101c64c83c (bug 658738 - Schedule final GC before finishing the browser-chrome test suite), which landed immediately before the push where this occurred? But the test ran green on that push itself.

PROCESS-CRASH | chrome://mochitests/content/chrome/js/src/xpconnect/tests/chrome/test_precisegc.xul | application crashed (minidump found)
Crash dump filename: /tmp/tmpvQgUce/minidumps/49557b5c-3a57-fa66-36b7aba1-349c9f81.dmp
Operating system: Linux
                  0.0.0 Linux 2.6.31.5-127.fc12.x86_64 #1 SMP Sat Nov 7 21:11:14 EST 2009 x86_64
CPU: amd64
     family 6 model 23 stepping 10
     2 CPUs

Crash reason:  SIGSEGV
Crash address: 0x28

Thread 0 (crashed)
 0  libxul.so!JS_ON_TRACE [jscompartment.h:7daa4cc9fb07 : 553 + 0xc]
    rbx = 0xc9bc27d0   r12 = 0x00000000   r13 = 0xa6e036c9   r14 = 0x010960b0
    r15 = 0x010997a0   rip = 0xa74c3187   rsp = 0xc9bc26e0   rbp = 0xc9bc26f0
    Found by: given as instruction pointer in context
 1  libxul.so!JS_IsRunning [jsapi.cpp:7daa4cc9fb07 : 5156 + 0xb]
    rbx = 0xc9bc27d0   r12 = 0x00000000   r13 = 0xa6e036c9   r14 = 0x010960b0
    r15 = 0x010997a0   rip = 0xa74e1142   rsp = 0xc9bc2700   rbp = 0xc9bc2720
    Found by: call frame info
 2  libxul.so!PreciseGCRunnable::Run [xpccomponents.cpp:7daa4cc9fb07 : 3797 + 0xb]
    rbx = 0xc9bc27d0   r12 = 0x00000000   r13 = 0xa6e036c9   r14 = 0x010960b0
    r15 = 0x010997a0   rip = 0xa692b1ba   rsp = 0xc9bc2730   rbp = 0xc9bc2770
    Found by: call frame info
 3  libxul.so!nsThread::ProcessNextEvent [nsThread.cpp:7daa4cc9fb07 : 617 + 0x1a]
    rbx = 0xc9bc27d0   r12 = 0x00000000   r13 = 0xa6e036c9   r14 = 0x010960b0
    r15 = 0x010997a0   rip = 0xa70ef2b8   rsp = 0xc9bc2780   rbp = 0xc9bc2850
    Found by: call frame info
 4  libxul.so!NS_ProcessNextEvent_P [nsThreadUtils.cpp:7daa4cc9fb07 : 245 + 0x1f]
    rbx = 0xa70eeebe   r12 = 0x01a4d260   r13 = 0xa6ec583a   r14 = 0x010960b0
    r15 = 0x010997a0   rip = 0xa7082ca2   rsp = 0xc9bc2860   rbp = 0xc9bc2890
    Found by: call frame info
 5  libxul.so!mozilla::ipc::MessagePump::Run [MessagePump.cpp:7daa4cc9fb07 : 110 + 0x14]
    rbx = 0x00000001   r12 = 0x01a4d260   r13 = 0xa6ec583a   r14 = 0x010960b0
    r15 = 0x010997a0   rip = 0xa6f669da   rsp = 0xc9bc28a0   rbp = 0xc9bc2900
    Found by: call frame info
 6  libxul.so!MessageLoop::RunInternal [message_loop.cc:7daa4cc9fb07 : 218 + 0x27]
    rbx = 0xa59e3a54   r12 = 0x01a4d260   r13 = 0xa6ec583a   r14 = 0x010960b0
    r15 = 0x010997a0   rip = 0xa713cc17   rsp = 0xc9bc2910   rbp = 0xc9bc2940
    Found by: call frame info
 7  libxul.so!MessageLoop::RunHandler [message_loop.cc:7daa4cc9fb07 : 202 + 0xb]
    rbx = 0xa59e3a54   r12 = 0x01a4d260   r13 = 0xa6ec583a   r14 = 0x010960b0
    r15 = 0x010997a0   rip = 0xa713cba8   rsp = 0xc9bc2950   rbp = 0xc9bc2960
    Found by: call frame info
 8  libxul.so!MessageLoop::Run [message_loop.cc:7daa4cc9fb07 : 176 + 0xb]
    rbx = 0xa59e3a54   r12 = 0x01a4d260   r13 = 0xa6ec583a   r14 = 0x010960b0
    r15 = 0x010997a0   rip = 0xa713cb81   rsp = 0xc9bc2970   rbp = 0xc9bc29a0
    Found by: call frame info
 9  libxul.so!nsBaseAppShell::Run [nsBaseAppShell.cpp:7daa4cc9fb07 : 189 + 0xc]
    rbx = 0xa59e3a54   r12 = 0x01a4d260   r13 = 0xa6ec583a   r14 = 0x010960b0
    r15 = 0x010997a0   rip = 0xa6e031f1   rsp = 0xc9bc29b0   rbp = 0xc9bc29d0
    Found by: call frame info
10  libxul.so!nsAppStartup::Run [nsAppStartup.cpp:7daa4cc9fb07 : 222 + 0x1e]
    rbx = 0xa59e3a54   r12 = 0x01a4d260   r13 = 0xa6ec583a   r14 = 0x010960b0
    r15 = 0x010997a0   rip = 0xa6b435cd   rsp = 0xc9bc29e0   rbp = 0xc9bc2a00
    Found by: call frame info
11  libxul.so!XRE_main [nsAppRunner.cpp:7daa4cc9fb07 : 3570 + 0x1d]
    rbx = 0xa59e3a54   r12 = 0x01a4d260   r13 = 0xa6ec583a   r14 = 0x010960b0
    r15 = 0x010997a0   rip = 0xa59e6a8c   rsp = 0xc9bc2a10   rbp = 0xc9bc3340
    Found by: call frame info
12  firefox-bin!do_main [nsBrowserApp.cpp:7daa4cc9fb07 : 198 + 0x21]
    rbx = 0xa59e3a54   r12 = 0xa70d7ce6   r13 = 0xc9bc5650   r14 = 0x00000000
    r15 = 0x00000000   rip = 0x004019db   rsp = 0xc9bc3350   rbp = 0xc9bc4400
    Found by: call frame info
13  firefox-bin!main [nsBrowserApp.cpp:7daa4cc9fb07 : 281 + 0x1d]
    rbx = 0x00000000   r12 = 0x00401110   r13 = 0xc9bc5650   r14 = 0x00000000
    r15 = 0x00000000   rip = 0x00401bf1   rsp = 0xc9bc4410   rbp = 0xc9bc5570
    Found by: call frame info
14  libc-2.11.so + 0x1eb1c
    rbx = 0x00000000   r12 = 0x00401110   r13 = 0xc9bc5650   r14 = 0x00000000
    r15 = 0x00000000   rip = 0xd2e1eb1d   rsp = 0xc9bc5580   rbp = 0x00000000
    Found by: call frame info
15  firefox-bin!do_main [nsBrowserApp.cpp:7daa4cc9fb07 : 201 + 0xb]
    rip = 0x00401a0e   rsp = 0xc9bc55a0
    Found by: stack scanning

Comment 1

[Josh Matthews [:jdm]]

Darn, that means that the context being used has already been destroyed by the time the scheduled event is run. I'm going to need to figure out some way to check if a JSContext is still valid before using it.

Comment 2

[Steve Fink [:sfink] [:s:]]

JS_SetContextCallback?

Comment 3

[Phil Ringnalda (:philor)]

http://tinderbox.mozilla.org/showlog.cgi?log=Firefox/1310068284.1310071086.7622.gz

Comment 4

[Legacy TBPL/Treeherder Robot]

mbrubeck%mozilla.com
http://tinderbox.mozilla.org/showlog.cgi?log=Mozilla-Aurora/1311743594.1311747376.31189.gz
Rev3 WINNT 6.1 mozilla-aurora debug test mochitest-other on 2011/07/26 22:13:14

s: talos-r3-w7-036
TEST-UNEXPECTED-FAIL | chrome://mochitests/content/chrome/js/src/xpconnect/tests/chrome/test_precisegc.xul | Exited with code -1073741819 during test run
PROCESS-CRASH | chrome://mochitests/content/chrome/js/src/xpconnect/tests/chrome/test_precisegc.xul | application crashed (minidump found)
Thread 0 (crashed)
TEST-UNEXPECTED-FAIL | automationutils.processLeakLog() | missing output line for total leaks!
TEST-UNEXPECTED-FAIL | plugin process 4012 | automationutils.processLeakLog() | missing output line for total leaks!

Comment 5

[Luke Wagner [:luke]]

Attachment: need to test whether cx->thread() is null

My patch apparently makes this random bug more likely.  The fix is pretty simple: JS_IsRunning needs to test whether cx->thread() is null before accessing its thread-data (in JS_ON_TRACE).

Comment 6

[Igor Bukanov]

Comment on attachment 549269 [details] [diff] [review]
need to test whether cx->thread() is null

Review of attachment 549269 [details] [diff] [review]:
-----------------------------------------------------------------

Comment 7

[Luke Wagner [:luke]]

http://hg.mozilla.org/integration/mozilla-inbound/rev/22134b2abde4

Comment 8

[Luke Wagner [:luke]]

Oops, that only works for JS_THREADSAFE builds.  This is better:
http://hg.mozilla.org/integration/mozilla-inbound/rev/3e1a24105739

Comment 9

[Josh Matthews [:jdm]]

Thanks Luke!

Comment 10

[Marco Bonardo [:mak]]

http://hg.mozilla.org/mozilla-central/rev/22134b2abde4
http://hg.mozilla.org/mozilla-central/rev/3e1a24105739

Comment 11

[Legacy TBPL/Treeherder Robot]

philor
http://tinderbox.mozilla.org/showlog.cgi?log=Mozilla-Aurora/1312995009.1312998466.9072.gz
Rev3 WINNT 6.1 mozilla-aurora debug test mochitest-other on 2011/08/10 09:50:09

s: talos-r3-w7-034
TEST-UNEXPECTED-FAIL | chrome://mochitests/content/chrome/js/src/xpconnect/tests/chrome/test_precisegc.xul | Exited with code -1073741819 during test run
PROCESS-CRASH | chrome://mochitests/content/chrome/js/src/xpconnect/tests/chrome/test_precisegc.xul | application crashed (minidump found)
Thread 0 (crashed)
TEST-UNEXPECTED-FAIL | automationutils.processLeakLog() | missing output line for total leaks!
TEST-UNEXPECTED-FAIL | plugin process 3580 | automationutils.processLeakLog() | missing output line for total leaks!