Closed Bug 728962 Opened 12 years ago Closed 12 years ago

Intermittent crash [@ JS::AutoCheckRequestDepth::AutoCheckRequestDepth] or [@ js::detail::HashTable] or "Assertion failure: !entered, at ./../../dist/include/js/Utility.h:840" during test_fullscreen-api.html

Categories

(Core :: JavaScript Engine, defect)

Product:
Core
Component:
JavaScript Engine
Type:
defect
Priority:
Not set
Severity:
critical

Tracking

()

Status:
RESOLVED FIXED
Milestone:
mozilla13

People

(Reporter: philor, Assigned: billm)

References

Details

(Keywords: crash, intermittent-failure)

Attachments

(1 file)

fix
1.84 KB, patch
igor
: review+
Details | Diff | Splinter Review 
https://tbpl.mozilla.org/php/getParsedLog.php?id=9473159&tree=Mozilla-Inbound
Rev3 MacOSX Leopard 10.5.8 mozilla-inbound debug test mochitests-1/5 on 2012-02-20 09:24:56 PST for push 6a43d088a2b4

TEST-UNEXPECTED-FAIL | /tests/content/html/content/test/test_fullscreen-api.html | Exited with code 1 during test run
INFO | automation.py | Application ran for: 0:09:36.094469
INFO | automation.py | Reading PID log: /var/folders/Xr/Xr--yJnSEY0U11ET5NZuMU+++TM/-Tmp-/tmp404oc7pidlog
PROCESS-CRASH | /tests/content/html/content/test/test_fullscreen-api.html | application crashed (minidump found)
Crash dump filename: /var/folders/Xr/Xr--yJnSEY0U11ET5NZuMU+++TM/-Tmp-/tmpQqy_hg/minidumps/ADADB4F6-F3BA-403E-A07A-C8676AC28056.dmp
Operating system: Mac OS X
                  10.5.8 9L31a
CPU: x86
     GenuineIntel family 6 model 23 stepping 10
     2 CPUs

Crash reason:  EXC_BAD_ACCESS / KERN_INVALID_ADDRESS
Crash address: 0xffffffffc000007b

Thread 0 (crashed)
 0  XUL!JS::AutoCheckRequestDepth::AutoCheckRequestDepth [jscntxt.cpp:6a43d088a2b4 : 1301 + 0x2]
    eip = 0x05579dfc   esp = 0xbfff3c40   ebp = 0xbfff3c58   ebx = 0x05579df1
    esi = 0x290c3750   edi = 0xbfff3c7c   eax = 0xc0000003   ecx = 0xbfff3dbc
    edx = 0x0072017c   efl = 0x00210282
    Found by: given as instruction pointer in context
 1  XUL!JS_GetCompartmentPrivate [jsapi.cpp:6a43d088a2b4 : 1512 + 0x11]
    eip = 0x055088ce   esp = 0xbfff3c60   ebp = 0xbfff3c88   ebx = 0x0477c28e
    esi = 0x00000000   edi = 0xbfff3c7c
    Found by: call frame info
 2  XUL!TraceCompartment [XPCJSRuntime.cpp:6a43d088a2b4 : 404 + 0x14]
    eip = 0x0477c2a4   esp = 0xbfff3c90   ebp = 0xbfff3cd8   ebx = 0x0477c28e
    esi = 0x00000000   edi = 0x3109de00
    Found by: call frame info
 3  XUL!nsBaseHashtable<xpc::PtrAndPrincipalHashKey,JSCompartment*,JSCompartment*>::s_EnumReadStub [nsBaseHashtable.h : 395 + 0x12]
    eip = 0x047873bb   esp = 0xbfff3ce0   ebp = 0xbfff3d08   ebx = 0x047873a1
    esi = 0x00000000   edi = 0x3109de00
    Found by: call frame info
 4  XUL!PL_DHashTableEnumerate [pldhash.cpp:6a43d088a2b4 : 754 + 0x1d]
    eip = 0x032c862a   esp = 0xbfff3d10   ebp = 0xbfff3d78   ebx = 0x032c853e
    esi = 0x00000000   edi = 0x3109de00
    Found by: call frame info
 5  XUL!XPCJSRuntime::TraceXPConnectRoots [nsBaseHashtable.h : 206 + 0x20]
    eip = 0x0477f2f9   esp = 0xbfff3d80   ebp = 0xbfff3de8   ebx = 0x0477f16e
    esi = 0x05f2ddc0   edi = 0x0072017c
    Found by: call frame info
 6  XUL!js::MarkRuntime [jsgc.cpp:6a43d088a2b4 : 2396 + 0x14]
    eip = 0x055e1505   esp = 0xbfff3df0   ebp = 0xbfff3ee8   ebx = 0x055e0b11
    esi = 0x0477f350   edi = 0x269f4894
    Found by: call frame info
 7  XUL!ValidateIncrementalMarking [jsgc.cpp:6a43d088a2b4 : 3089 + 0xf]
    eip = 0x055e1d20   esp = 0xbfff3ef0   ebp = 0xbfff7fc8   ebx = 0x055e18b1
    esi = 0x22f7ec00   edi = 0x22f7ec00
    Found by: call frame info
 8  XUL!EndMarkPhase [jsgc.cpp:6a43d088a2b4 : 3041 + 0x6]
    eip = 0x055e324a   esp = 0xbfff7fd0   ebp = 0xbfff8058   ebx = 0x055e2e9e
    esi = 0x00720200   edi = 0x00172e30
    Found by: call frame info
 9  XUL!IncrementalGCSlice [jsgc.cpp:6a43d088a2b4 : 3503 + 0x7]
    eip = 0x055f3a7c   esp = 0xbfff8060   ebp = 0xbfff8138   ebx = 0x055f3651
Not exclusively Mac or 32 bit, though, apparently:

https://tbpl.mozilla.org/php/getParsedLog.php?id=9445557&tree=Mozilla-Inbound
Rev3 Fedora 12x64 mozilla-inbound debug test mochitests-1/5 on 2012-02-18 12:17:23 PST for push 2742dd95aa74

TEST-UNEXPECTED-FAIL | /tests/content/html/content/test/test_fullscreen-api.html | Exited with code 1 during test run
INFO | automation.py | Application ran for: 0:11:01.097186
INFO | automation.py | Reading PID log: /tmp/tmpcN0zK0pidlog
==> process 2290 launched child process 2335
INFO | automation.py | Checking for orphan process with PID: 2335
PROCESS-CRASH | /tests/content/html/content/test/test_fullscreen-api.html | application crashed (minidump found)
Crash dump filename: /tmp/tmp2tVAYp/minidumps/1e97bbdc-0834-7aea-0d824eff-0a46b1f1.dmp
Operating system: Linux
                  0.0.0 Linux 2.6.31.5-127.fc12.x86_64 #1 SMP Sat Nov 7 21:11:14 EST 2009 x86_64
CPU: amd64
     family 6 model 23 stepping 10
     2 CPUs

Crash reason:  SIGABRT
Crash address: 0x1f4000008f2

Thread 0 (crashed)
 0  libpthread-2.11.so + 0xee6b
    rbx = 0x07a7db50   r12 = 0x059fefe0   r13 = 0x00000040   r14 = 0x05974480
    r15 = 0x00000000   rip = 0xd360ee6b   rsp = 0x1cc91da8   rbp = 0x1cc91dc0
    Found by: given as instruction pointer in context
 1  libxul.so!JS::AutoCheckRequestDepth::AutoCheckRequestDepth [jscntxt.cpp:2742dd95aa74 : 1302 + 0x20]
    rip = 0x36f238c6   rsp = 0x1cc91db0
    Found by: stack scanning
 2  libxul.so!JS_GetCompartmentPrivate [jsapi.cpp:2742dd95aa74 : 1512 + 0xa]
    rip = 0x36ee9cd2   rsp = 0x1cc91dd0
    Found by: stack scanning
 3  libxul.so!js::gc::MarkInternal<JSObject> [jsgcmark.cpp:2742dd95aa74 : 83 + 0x7]
    rip = 0x36f7d566   rsp = 0x1cc91de0
    Found by: stack scanning
 4  libxul.so!TraceCompartment [XPCJSRuntime.cpp:2742dd95aa74 : 404 + 0x8]
    rip = 0x36740506   rsp = 0x1cc91e00
    Found by: stack scanning
 5  libxul.so!nsBaseHashtable<xpc::PtrAndPrincipalHashKey, JSCompartment*, JSCompartment*>::s_EnumReadStub [nsBaseHashtable.h : 395 + 0x9]
    rip = 0x367441b6   rsp = 0x1cc91e20
    Found by: stack scanning
 6  libxul.so!PL_DHashTableEnumerate [pldhash.cpp:2742dd95aa74 : 754 + 0x17]
    rip = 0x36bd1a41   rsp = 0x1cc91e40
    Found by: stack scanning
 7  libxul.so + 0x109519f
    rip = 0x367441a0   rsp = 0x1cc91e60
    Found by: stack scanning
 8  libxul.so!XPCRootSetElem::RemoveFromRootSet [XPCJSRuntime.cpp:2742dd95aa74 : 2258 + 0x8]
    rip = 0x367404f3   rsp = 0x1cc91e90
    Found by: stack scanning
 9  0x7fff1cc91f07
    rbx = 0x012828e8   r12 = 0x012ad788   rip = 0x1cc91f08   rsp = 0x1cc91e98
    rbp = 0x367404f3
    Found by: call frame info
10  libxul.so!nsBaseHashtable<xpc::PtrAndPrincipalHashKey, JSCompartment*, JSCompartment*>::EnumerateRead [nsBaseHashtable.h : 206 + 0x4]
    rip = 0x36744730   rsp = 0x1cc91eb0
    Found by: stack scanning
11  libxul.so!XPCRootSetElem::RemoveFromRootSet [XPCJSRuntime.cpp:2742dd95aa74 : 2258 + 0x8]
    rip = 0x367404f3   rsp = 0x1cc91eb8
    Found by: stack scanning
OS: Mac OS X → All
Hardware: x86 → All
Maybe the same root cause, maybe not:

https://tbpl.mozilla.org/php/getParsedLog.php?id=9485880&tree=Mozilla-Inbound

Thread 0 (crashed)
 0  XUL!js::detail::HashTable<js::gc::Chunk* const,js::HashSet<js::gc::Chunk*, js::GCChunkHasher, js::SystemAllocPolicy>::SetOps,js::SystemAllocPolicy>::lookup [HashTable.h : 88 + 0x0]
    rbx = 0x0147d60e   r12 = 0x47a2db39   r13 = 0x00000337   r14 = 0x04d06228
    r15 = 0x1b800000   rip = 0x030f6619   rsp = 0x5fbf1eb0   rbp = 0x5fbf1f00
    Found by: given as instruction pointer in context
 1  XUL!js::MarkRuntime [HashTable.h : 671 + 0x1e]
    rbx = 0x00bf8a40   r12 = 0x1b8c6d80   r13 = 0x00bfaa00   r14 = 0x04d06228
    r15 = 0x1b800000   rip = 0x030e40ec   rsp = 0x5fbf1f10   rbp = 0x5fbf20a0
    Found by: call frame info
 2  XUL!ValidateIncrementalMarking [jsgc.cpp:c3e591a5b867 : 3089 + 0x10]
    rbx = 0x1c355c00   r12 = 0x1c355c00   r13 = 0x00000093   r14 = 0x000000ff
    r15 = 0x00000000   rip = 0x030e5abe   rsp = 0x5fbf20b0   rbp = 0x5fbf6100
    Found by: call frame info
 3  XUL!EndMarkPhase [jsgc.cpp:c3e591a5b867 : 3041 + 0x7]
    rbx = 0x04d06310   r12 = 0x00163cf0   r13 = 0x00000001   r14 = 0x27c581d8
    r15 = 0x04d06000   rip = 0x030e666a   rsp = 0x5fbf6110   rbp = 0x5fbf6180
    Found by: call frame info
 4  XUL!IncrementalGCSlice [jsgc.cpp:c3e591a5b867 : 3503 + 0xb]
    rbx = 0x27c581d8   r12 = 0x27c581d8   r13 = 0x00000001   r14 = 0x27c581d8
    r15 = 0x00000001   rip = 0x030e9b08   rsp = 0x5fbf6190   rbp = 0x5fbf6230
    Found by: call frame info
 5  XUL!GCCycle [jsgc.cpp:c3e591a5b867 : 3620 + 0x18]
    rbx = 0x4674c940   r12 = 0x4674c940   r13 = 0x00000040   r14 = 0x00000014
    r15 = 0x44c04000   rip = 0x030ea586   rsp = 0x5fbf6240   rbp = 0x5fbf6340
    Found by: call frame info
 6  XUL!Collect [jsgc.cpp:c3e591a5b867 : 3683 + 0x11]
    rbx = 0x04d06000   r12 = 0x04d089b0   r13 = 0x00163cf0   r14 = 0x00000000
    r15 = 0x00000000   rip = 0x030f3acd   rsp = 0x5fbf6350   rbp = 0x5fbf63c0
    Found by: call frame info
Summary: Intermittent crash [@ JS::AutoCheckRequestDepth::AutoCheckRequestDepth] during test_fullscreen-api.html → Intermittent crash [@ JS::AutoCheckRequestDepth::AutoCheckRequestDepth] or [@ js::detail::HashTable] during test_fullscreen-api.html
Juicier than most, managing to assert instead of crashing directly:

https://tbpl.mozilla.org/php/getParsedLog.php?id=9552827&tree=Mozilla-Inbound
Rev3 Fedora 12x64 mozilla-inbound debug test mochitests-1/5 on 2012-02-22 22:11:53 PST for push 3d8fc342348b

72483 INFO TEST-PASS | /tests/content/html/content/test/test_fullscreen-api.html | [denied] Should not ever grant a fullscreen request in this doc.
++DOCSHELL 0x7d44fe0 == 15
++DOMWINDOW == 639 (0x811b0f8) [serial = 2229] [outer = (nil)]
++DOMWINDOW == 640 (0x5cab2e8) [serial = 2230] [outer = 0x811b080]
WARNING: NS_ENSURE_SUCCESS(rv, false) failed with result 0x8000FFFF: file /builds/slave/m-in-lnx64-dbg/build/content/base/src/nsContentUtils.cpp, line 2630
WARNING: NS_ENSURE_TRUE(pusher.Push(aBoundElement)) failed: file /builds/slave/m-in-lnx64-dbg/build/content/xbl/src/nsXBLProtoImplMethod.cpp, line 359
WARNING: NS_ENSURE_SUCCESS(rv, false) failed with result 0x8000FFFF: file /builds/slave/m-in-lnx64-dbg/build/content/base/src/nsContentUtils.cpp, line 2630
WARNING: NS_ENSURE_TRUE(pusher.Push(aBoundElement)) failed: file /builds/slave/m-in-lnx64-dbg/build/content/xbl/src/nsXBLProtoImplMethod.cpp, line 359
WARNING: NS_ENSURE_SUCCESS(rv, false) failed with result 0x8000FFFF: file /builds/slave/m-in-lnx64-dbg/build/content/base/src/nsContentUtils.cpp, line 2630
WARNING: NS_ENSURE_TRUE(pusher.Push(aBoundElement)) failed: file /builds/slave/m-in-lnx64-dbg/build/content/xbl/src/nsXBLProtoImplMethod.cpp, line 359
WARNING: NS_ENSURE_SUCCESS(rv, false) failed with result 0x8000FFFF: file /builds/slave/m-in-lnx64-dbg/build/content/base/src/nsContentUtils.cpp, line 2630
WARNING: NS_ENSURE_TRUE(pusher.Push(aBoundElement)) failed: file /builds/slave/m-in-lnx64-dbg/build/content/xbl/src/nsXBLProtoImplMethod.cpp, line 359
WARNING: NS_ENSURE_SUCCESS(rv, false) failed with result 0x8000FFFF: file /builds/slave/m-in-lnx64-dbg/build/content/base/src/nsContentUtils.cpp, line 2630
WARNING: NS_ENSURE_TRUE(pusher.Push(aBoundElement)) failed: file /builds/slave/m-in-lnx64-dbg/build/content/xbl/src/nsXBLProtoImplMethod.cpp, line 359
WARNING: NS_ENSURE_SUCCESS(rv, false) failed with result 0x8000FFFF: file /builds/slave/m-in-lnx64-dbg/build/content/base/src/nsContentUtils.cpp, line 2630
WARNING: NS_ENSURE_TRUE(pusher.Push(aBoundElement)) failed: file /builds/slave/m-in-lnx64-dbg/build/content/xbl/src/nsXBLProtoImplMethod.cpp, line 359
++DOCSHELL 0x94073b0 == 16
++DOMWINDOW == 641 (0x89d3038) [serial = 2231] [outer = (nil)]
++DOCSHELL 0x5d47590 == 17
++DOMWINDOW == 642 (0x6cba868) [serial = 2232] [outer = (nil)]
Assertion failure: !entered, at ./../../dist/include/js/Utility.h:840
WARNING: shutting down early because of crash!: file /builds/slave/m-in-lnx64-dbg/build/dom/plugins/ipc/PluginModuleChild.cpp, line 743
WARNING: plugin process _exit()ing: file /builds/slave/m-in-lnx64-dbg/build/dom/plugins/ipc/PluginModuleChild.cpp, line 708
TEST-UNEXPECTED-FAIL | /tests/content/html/content/test/test_fullscreen-api.html | Exited with code 1 during test run
INFO | automation.py | Application ran for: 0:11:00.057980
INFO | automation.py | Reading PID log: /tmp/tmpZveNjCpidlog
==> process 2211 launched child process 2255
INFO | automation.py | Checking for orphan process with PID: 2255
PROCESS-CRASH | /tests/content/html/content/test/test_fullscreen-api.html | application crashed (minidump found)
Crash dump filename: /tmp/tmpROW6Ys/minidumps/29e99821-70b7-8a7b-76acaf5a-68ac53bc.dmp
Operating system: Linux
                  0.0.0 Linux 2.6.31.5-127.fc12.x86_64 #1 SMP Sat Nov 7 21:11:14 EST 2009 x86_64
CPU: amd64
     family 6 model 23 stepping 10
     2 CPUs

Crash reason:  SIGABRT
Crash address: 0x1f4000008a3

Thread 0 (crashed)
 0  libpthread-2.11.so + 0xee6b
    rbx = 0x16636560   r12 = 0x4d921200   r13 = 0x18033390   r14 = 0x1803344c
    r15 = 0x16636560   rip = 0xd360ee6b   rsp = 0x18033338   rbp = 0x18033360
    Found by: given as instruction pointer in context
 1  libxul.so!js::detail::HashTable<js::gc::Chunk* const, js::HashSet<js::gc::Chunk*, js::GCChunkHasher, js::SystemAllocPolicy>::SetOps, js::SystemAllocPolicy>::lookup [Utility.h : 840 + 0x19]
    rip = 0x4c840e88   rsp = 0x18033340
    Found by: stack scanning
 2  libxul.so!js::IsAddressableGCThing [HashTable.h : 1327 + 0x4]
    rip = 0x4c840f7e   rsp = 0x18033370
    Found by: stack scanning
 3  libxul.so!js::MarkIfGCThingWord [jsgc.cpp:3d8fc342348b : 1073 + 0x13]
    rip = 0x4c846802   rsp = 0x180333e0
    Found by: stack scanning
 4  libxul.so!js::gc::MarkInternal<JSObject> [jsgcmark.cpp:3d8fc342348b : 107 + 0xa]
    rip = 0x4c84fb3b   rsp = 0x180333f0
    Found by: stack scanning
 5  libxul.so!js::MarkConservativeStackRoots [jsgc.cpp:3d8fc342348b : 1138 + 0x4]
    rip = 0x4c832517   rsp = 0x18033450
    Found by: stack scanning
 6  libxul.so!js::MarkRuntime [jsgc.cpp:3d8fc342348b : 2149 + 0x15]
    rip = 0x4c832dc5   rsp = 0x18033480
    Found by: stack scanning
 7  libxul.so!js::detail::HashTable<js::HashMapEntry<js::gc::Chunk*, long unsigned int*>, js::HashMap<js::gc::Chunk*, long unsigned int*>::MapHashPolicy, js::TempAllocPolicy>::changeTableSize [Utility.h : 152 + 0x7]
    rip = 0x4c848508   rsp = 0x180334a0
    Found by: stack scanning
 8  libxul.so!js::HashMap<JSFunction*, JSString*, js::DefaultHasher<JSFunction*>, js::SystemAllocPolicy>::put<JSFunction*, JSString*> [HashTable.h : 1026 + 0x8]
    rip = 0x4c82a920   rsp = 0x180334e8
    Found by: stack scanning
 9  libxul.so!js::HashMap<js::gc::Chunk*, long unsigned int*, js::DefaultHasher<js::gc::Chunk*>, js::TempAllocPolicy>::putNew [HashTable.h : 737 + 0xa]
    rip = 0x4c8487bb   rsp = 0x18033520
    Found by: stack scanning
10  libxul.so!ValidateIncrementalMarking [jsgc.cpp:3d8fc342348b : 3089 + 0xc]
    rip = 0x4c8355e3   rsp = 0x18033570
    Found by: stack scanning
Summary: Intermittent crash [@ JS::AutoCheckRequestDepth::AutoCheckRequestDepth] or [@ js::detail::HashTable] during test_fullscreen-api.html → Intermittent crash [@ JS::AutoCheckRequestDepth::AutoCheckRequestDepth] or [@ js::detail::HashTable] or "Assertion failure: !entered, at ./../../dist/include/js/Utility.h:840" during test_fullscreen-api.html
Hopefully my patch for the bug 723286 addresses this as it removes few unnecessary request checks.
Assignee: general → igor
Attached patch fixSplinter Review 
You're right about the cause, Igor. In between incremental GC slices, I wasn't resetting the context of rt->gcMarker. So in some cases we were using a freed context. Usually this wasn't an issue because most code has been changed to use trc->runtime rather than trc->context->runtime. But there are still a few places where trc->context is used.

I agree that the right fix is to stop using the context during GC. However, I would like to fix this right away since it's triggering so much. This patch seems to fix it on a try run.
Assignee: igor → wmccloskey
Status: NEW → ASSIGNED
Attachment #600733 - Flags: review?(igor)
Attachment #600733 - Flags: review?(igor) → review+
https://hg.mozilla.org/integration/mozilla-inbound/rev/f09084db292c

Let's make sure this fixes it before closing.
Whiteboard: [orange] → [orange][leave-open]
Target Milestone: --- → mozilla13
https://hg.mozilla.org/mozilla-central/rev/f09084db292c

(You don't really have to leave a bug open to see whether it fixes something - most people are entirely too happy to just star with a closed bug.)
Whiteboard: [orange][leave-open] → [orange]
I'm going to close this so we don't accidentally lump anything else in here. The assertion failure in comment 93 is unrelated to this bug.
Status: ASSIGNED → RESOLVED
Closed: 12 years ago
Resolution: --- → FIXED
Whiteboard: [orange]
Duplicate of this bug: 709231
You need to log in before you can comment on or make changes to this bug.

Attachment

General

Creator:
Created:
Updated:
Size: