Closed Bug 714545 Opened 13 years ago Closed 13 years ago

Intermittent crash [@ js::gc::Chunk::releaseArena] during shutdown

Categories

(Core :: JavaScript Engine, defect)

x86
Windows 7
defect
Not set
critical

Tracking


RESOLVED FIXED
mozilla12
Tracking Status
firefox10 --- unaffected
firefox11 --- unaffected
firefox12 --- fixed
firefox13 --- fixed
firefox-esr10 --- unaffected

People

(Reporter: philor, Assigned: igor)

References

Details

(Keywords: intermittent-failure, Whiteboard: [qa-])

Attachments

(1 file)

I was hoping (without any actual reason to hope) that this was just another manifestation of bug 714344, but it's still happening after that fix landed.

https://tbpl.mozilla.org/php/getParsedLog.php?id=8263995&tree=Mozilla-Inbound
Rev3 WINNT 6.1 mozilla-inbound pgo test mochitest-other on 2012-01-01 07:05:21 PST for push da6c33eb4b16

PROCESS-CRASH | Shutdown | application crashed (minidump found)
Crash dump filename: c:\users\cltbld\appdata\local\temp\tmpzw4v55\minidumps\ebe82e25-01f2-4e00-84c4-1eb1d4376d04.dmp
Operating system: Windows NT 6.1.7600
CPU: x86 GenuineIntel family 6 model 23 stepping 10 2 CPUs
Crash reason: EXCEPTION_ACCESS_VIOLATION_WRITE
Crash address: 0x0

Thread 0 (crashed)
 0 mozjs.dll!js::gc::Chunk::releaseArena(js::gc::ArenaHeader *) [jsgc.cpp:da6c33eb4b16 : 782 + 0xc]
    eip = 0x6d35885f esp = 0x0020eee8 ebp = 0x111ce000 ebx = 0x015d3000 esi = 0x11100000 edi = 0x05d15000 eax = 0x05d15038 ecx = 0x00000000 edx = 0x00000000 efl = 0x00210202
    Found by: given as instruction pointer in context
 1 mozjs.dll!js::gc::ArenaLists::~ArenaLists() [jsgc.h:da6c33eb4b16 : 1088 + 0xd]
    eip = 0x6d340467 esp = 0x0020ef04 ebp = 0x19304004 ebx = 0x015d3000
    Found by: call frame info
 2 mozjs.dll!js_FinishGC(JSRuntime *) [jsgc.cpp:da6c33eb4b16 : 1202 + 0xe]
    eip = 0x6d3589cf esp = 0x0020ef14 ebp = 0x19304004
    Found by: call frame info
 3 mozjs.dll!JSRuntime::~JSRuntime() [jsapi.cpp:da6c33eb4b16 : 813 + 0x5]
    eip = 0x6d32d80d esp = 0x0020ef38 ebp = 0x00000000 ebx = 0x00000001
    Found by: call frame info
 4 mozjs.dll!JS_Finish [jsapi.cpp:da6c33eb4b16 : 901 + 0xa]
    eip = 0x6d32fdb9 esp = 0x0020ef58 ebp = 0x00000000 ebx = 0x011c0190
    Found by: call frame info with scanning
 5 xul.dll!XPCJSRuntime::~XPCJSRuntime() [XPCJSRuntime.cpp:da6c33eb4b16 : 1227 + 0x6]
    eip = 0x6a83684c esp = 0x0020ef60 ebp = 0x00000000
    Found by: call frame info
 6 xul.dll!nsXPConnect::~nsXPConnect() [nsXPConnect.cpp:da6c33eb4b16 : 157 + 0x11]
    eip = 0x6a8445ef esp = 0x0020ef70 ebp = 0x6a83684c
    Found by: call frame info with scanning
 7 xul.dll!nsXPConnect::`vector deleting destructor'(unsigned int) + 0x7
    eip = 0x6a86a9e6 esp = 0x0020ef84 ebp = 0x00000000
    Found by: call frame info with scanning

https://tbpl.mozilla.org/php/getParsedLog.php?id=8249548&tree=Mozilla-Inbound
Rev3 WINNT 6.1 mozilla-inbound pgo test reftest on 2011-12-31 00:12:35 PST for push ca99dd8313ce

PROCESS-CRASH | file:///c:/talos-slave/test/build/reftest/tests/layout/reftests/bugs/98223-1-ref.html | application crashed (minidump found)
Crash dump filename: c:\users\cltbld\appdata\local\temp\tmplee70a\minidumps\ca04c4f1-979a-4606-97b3-8b5e0901eefb.dmp
Operating system: Windows NT 6.1.7600
CPU: x86 GenuineIntel family 6 model 23 stepping 10 2 CPUs
Crash reason: EXCEPTION_ACCESS_VIOLATION_WRITE
Crash address: 0x0

Thread 9 (crashed)
 0 mozjs.dll!js::gc::Chunk::releaseArena(js::gc::ArenaHeader *) [jsgc.cpp:ca99dd8313ce : 782 + 0xc]
    eip = 0x7269881f esp = 0x04b7fde8 ebp = 0x085d7000 ebx = 0x0a7d1000 esi = 0x08500000 edi = 0x04915000 eax = 0x04915038 ecx = 0x00000000 edx = 0x00000000 efl = 0x00010202
    Found by: given as instruction pointer in context
 1 mozjs.dll!js::gc::FinalizeTypedArenas<JSObject>(JSContext *,js::gc::ArenaLists::ArenaList *,js::gc::AllocKind,bool) [jsgc.cpp:ca99dd8313ce : 362 + 0xf]
    eip = 0x72699cea esp = 0x04b7fe04 ebp = 0x04b7fe48 ebx = 0x00000001
    Found by: call frame info
 2 mozjs.dll!js::gc::FinalizeArenas [jsgc.cpp:ca99dd8313ce : 399 + 0x8]
    eip = 0x72699d61 esp = 0x04b7fe24 ebp = 0x04935330 ebx = 0x0098d100
    Found by: call frame info
 3 mozjs.dll!js::gc::ArenaLists::backgroundFinalize(JSContext *,js::gc::ArenaHeader *) [jsgc.cpp:ca99dd8313ce : 1578 + 0x25]
    eip = 0x72699f2e esp = 0x04b7fe3c ebp = 0x04935330
    Found by: call frame info
 4 mozjs.dll!js::GCHelperThread::doSweep() [jsgc.cpp:ca99dd8313ce : 2533 + 0x8]
    eip = 0x7269a0bd esp = 0x04b7fe54 ebp = 0x04935330 ebx = 0x0098d100
    Found by: call frame info
 5 mozjs.dll!js::GCHelperThread::threadLoop() [jsgc.cpp:ca99dd8313ce : 2394 + 0x6]
    eip = 0x7269af1e esp = 0x04b7fe78 ebp = 0x04915000 ebx = 0x04915000
    Found by: call frame info
 6 nspr4.dll!_PR_NativeRunThread [pruthr.c:ca99dd8313ce : 426 + 0x8]
    eip = 0x732e2b70 esp = 0x04b7fe94 ebp = 0x04b7feb0 ebx = 0x0090436c
    Found by: call frame info
 7 nspr4.dll!pr_root [w95thred.c:ca99dd8313ce : 122 + 0xc]
    eip = 0x732e3c3d esp = 0x04b7feb8 ebp = 0x04b7fef0
    Found by: previous frame's frame pointer

https://tbpl.mozilla.org/php/getParsedLog.php?id=8254659&tree=Mozilla-Inbound
Rev3 WINNT 5.1 mozilla-inbound debug test reftest on 2011-12-31 06:57:31 PST for push 196f5b34b6e3

PROCESS-CRASH | file:///c:/talos-slave/test/build/reftest/tests/layout/reftests/svg/smil/anim-y-interp-2.svg | application crashed (minidump found)
Crash dump filename: c:\docume~1\cltbld\locals~1\temp\tmpae2zyr\minidumps\8d27e17d-6a4a-4e45-b86c-42092855934d.dmp
Operating system: Windows NT 5.1.2600 Service Pack 2
CPU: x86 GenuineIntel family 6 model 23 stepping 10 2 CPUs
Crash reason: EXCEPTION_ACCESS_VIOLATION_WRITE
Crash address: 0x0

Thread 0 (crashed)
 0 mozjs.dll!CrashInJS [jsutil.cpp:196f5b34b6e3 : 89 + 0x2]
    eip = 0x01059572 esp = 0x0012d574 ebp = 0x0012d57c ebx = 0x04b00000 esi = 0x10229380 edi = 0x04b78000 eax = 0x00000000 ecx = 0x22aa71b0 edx = 0x10313d18 efl = 0x00210206
    Found by: given as instruction pointer in context
 1 mozjs.dll!js::gc::Chunk::releaseArena(js::gc::ArenaHeader *) [jsgc.cpp:196f5b34b6e3 : 779 + 0x1c]
    eip = 0x00f74995 esp = 0x0012d584 ebp = 0x0012d57c
    Found by: call frame info with scanning
It should be an old bug that was exposed by the changes from bug 702251. If, during the shutdown, we have a leak and some GC arenas are still marked as having live GC things, the code that tries to release at least the GC part of the memory races with the background finalization. Bug 702251 could have exposed this race as it moved the chunk release, a slow operation, after all the finalization is done, so it is more likely to race with the js_FinishGC call on the main thread.
I close this as the race in the case of the shutdown leak could be exploited, even if that is extremely unlikely.
Group: core-security
Attached patch v1 (Splinter Review)
The fix moves the helper thread shutdown code before we forcefully release any remaining compartments and their GC arenas in the ArenaLists destructor.
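The two shutdown orderings discussed in the analysis above and in the patch description, as an added model written for this page rather than SpiderMonkey code: `chunk_release_arena`, `release_remaining`, `sweeper_finish` and `run_shutdown` are assumed stand-ins for Chunk::releaseArena, the ArenaLists destructor, the helper thread shutdown and js_FinishGC, and the arena counts are made up. The sweeper pauses halfway through its queue so that the interleaving is reproducible; in the real bug the window is opened by chunk release being slow, which is why the crash is intermittent.

```c
/* Added model of the shutdown ordering in this bug; not SpiderMonkey code,
 * every name is an assumed stand-in.  A background sweeper finalizes arenas
 * the last GC queued for it while the main thread's shutdown force-releases
 * every arena still marked live (a leak).  A second release of an arena
 * corrupts the real chunk's free list; here it is counted instead. */
#define _POSIX_C_SOURCE 200809L
#include <pthread.h>
#include <stdbool.h>
#include <stdio.h>
#define NUM_ARENAS 64
#define SWEEP_COUNT 32  /* arenas 0..31 are queued for background sweeping */

struct chunk { bool in_use[NUM_ARENAS]; int double_release; pthread_mutex_t lock; };

/* Chunk::releaseArena stand-in: the lock keeps the counters consistent but
 * cannot decide which thread is entitled to release a given arena. */
static void chunk_release_arena(struct chunk *c, int idx) {
    pthread_mutex_lock(&c->lock);
    if (!c->in_use[idx]) c->double_release++;
    c->in_use[idx] = false;
    pthread_mutex_unlock(&c->lock);
}

/* ~ArenaLists stand-in: force-release whatever still looks live. */
static void release_remaining(struct chunk *c) {
    for (int i = 0; i < NUM_ARENAS; i++) {
        pthread_mutex_lock(&c->lock);
        bool live = c->in_use[i];
        pthread_mutex_unlock(&c->lock);
        if (live) chunk_release_arena(c, i);
    }
}

/* mid_sweep: the sweeper has done half its queue; may_continue: it may finish. */
struct sweeper {
    struct chunk *chunk; pthread_t thread;
    pthread_mutex_t lock; pthread_cond_t cond; int mid_sweep, may_continue;
};

/* GCHelperThread::doSweep stand-in.  The pause halfway through makes the
 * interleaving reproducible; in the real bug the window is just timing. */
static void *sweeper_main(void *arg) {
    struct sweeper *s = arg;
    for (int i = 0; i < SWEEP_COUNT; i++) {
        if (i == SWEEP_COUNT / 2) {
            pthread_mutex_lock(&s->lock);
            s->mid_sweep = 1;
            pthread_cond_broadcast(&s->cond);
            while (!s->may_continue) pthread_cond_wait(&s->cond, &s->lock);
            pthread_mutex_unlock(&s->lock);
        }
        chunk_release_arena(s->chunk, i);
    }
    return NULL;
}

static void sweeper_start(struct sweeper *s, struct chunk *c) {
    s->chunk = c; s->mid_sweep = s->may_continue = 0;
    pthread_mutex_init(&s->lock, NULL); pthread_cond_init(&s->cond, NULL);
    pthread_create(&s->thread, NULL, sweeper_main, s);
}

/* Helper thread shutdown: let it drain its queue, then join it. */
static void sweeper_finish(struct sweeper *s) {
    pthread_mutex_lock(&s->lock);
    s->may_continue = 1;
    pthread_cond_broadcast(&s->cond);
    pthread_mutex_unlock(&s->lock);
    pthread_join(s->thread, NULL);
}

struct shutdown_result { int double_release; int still_in_use; };
/* js_FinishGC stand-in.  fixed == false is the ordering the bug describes
 * (force-release leaked arenas while the sweeper is mid-sweep, shut the
 * helper down afterwards); fixed == true is the patch's ordering. */
static struct shutdown_result run_shutdown(bool fixed) {
    struct chunk c = { .double_release = 0 };
    for (int i = 0; i < NUM_ARENAS; i++) c.in_use[i] = true;
    pthread_mutex_init(&c.lock, NULL);
    struct sweeper s;
    sweeper_start(&s, &c);
    if (fixed) {
        sweeper_finish(&s);
        release_remaining(&c);
    } else {
        pthread_mutex_lock(&s.lock);
        while (!s.mid_sweep) pthread_cond_wait(&s.cond, &s.lock);
        pthread_mutex_unlock(&s.lock);
        release_remaining(&c);  /* also takes arenas the sweeper still owns */
        sweeper_finish(&s);     /* ...which the sweeper now releases again */
    }
    struct shutdown_result r = { c.double_release, 0 };
    for (int i = 0; i < NUM_ARENAS; i++) r.still_in_use += c.in_use[i];
    return r;
}

int main(void) {
    struct shutdown_result bug = run_shutdown(false), fix = run_shutdown(true);
    printf("bug ordering: %d double releases; patch ordering: %d\n", bug.double_release, fix.double_release);
    return (bug.double_release > 0 && fix.double_release == 0) ? 0 : 1;
}
```

Both orderings end with every arena released, so nothing in the final state reveals the problem; the damage is the second release of the arenas the sweeper still owned, which in the real code touches free-list bookkeeping on a chunk the main thread may already have torn down. Joining the helper before the forced release removes the overlap entirely, which is why the patch reorders the shutdown rather than adding locking to releaseArena.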
Assignee: general → igor
Attachment #585223 - Flags: review?(wmccloskey)
Comment on attachment 585223 [details] [diff] [review]
v1

It would be nice to track those leaks down :-).
Attachment #585223 - Flags: review?(wmccloskey) → review+
https://hg.mozilla.org/mozilla-central/rev/9cf396847500

I guess we're calling this fixed, and dealing with the rest in bug 714562?
Status: NEW → RESOLVED
Closed: 13 years ago
Resolution: --- → FIXED
Target Milestone: --- → mozilla12
I renamed the bug to properly reflect the area it covers.
Summary: Intermittent crash [@ js::gc::Chunk::releaseArena] during random tests or shutdown → Intermittent crash [@ js::gc::Chunk::releaseArena] during shutdown
I'm assuming comment 1 means that older versions were unaffected by this bug in practical terms.
Whiteboard: [orange] → [orange][qa-]
Group: core-security
Whiteboard: [orange][qa-] → [qa-]