Closed Bug 729238 Opened 8 years ago Closed 8 years ago

test_bug514732.html, test_cursor_update_updates_indexes.html, test_cursors.html, test_deleteDatabase.html, test_deleteDatabase_interactions.html, test_file_cross_database_copying.html, ... [@ JSObject::writeBarrierPre] or [@ IsAboutToBeFinalized]

Categories: Core :: JavaScript Engine, defect, critical
Platform: All, Linux
Status: RESOLVED FIXED (mozilla13)
People: Reporter: msucan, Assigned: billm
Keywords: crash, intermittent-failure
Attachments: 2 files

https://hg.mozilla.org/integration/fx-team/rev/ac5158b80fdf


Rev3 Fedora 12x64 fx-team debug test mochitests-2/5

TEST-UNEXPECTED-FAIL | /tests/dom/indexedDB/test/test_deleteDatabase.html | Exited with code 1 during test run
PROCESS-CRASH | /tests/dom/indexedDB/test/test_deleteDatabase.html | application crashed (minidump found)
Thread 0 (crashed)
TEST-UNEXPECTED-FAIL | automationutils.processLeakLog() | missing output line for total leaks!
CCing the write barriers and WeakMap suspects:

 0  libxul.so!JSObject::writeBarrierPre [jsobjinlines.h:ac5158b80fdf : 2140 + 0x0]
    rbx = 0x6dcb4fd0   r12 = 0x00000000   r13 = 0x0471dc50   r14 = 0x01b12b88
    r15 = 0x6da77000   rip = 0xbd15be86   rsp = 0xe33b80b0   rbp = 0xe33b80c0
    Found by: given as instruction pointer in context
 1  libxul.so!js::WeakMap<js::HeapPtr<JSObject, long unsigned int>, js::HeapValue, js::DefaultHasher<js::HeapPtr<JSObject, long unsigned int> >, js::DefaultMarkPolicy<js::HeapPtr<JSObject, long unsigned int> >, js::DefaultMarkPolicy<js::HeapValue>, js::DefaultTracePolicy<js::HeapPtr<JSObject, long unsigned int>, js::HeapValue> >::~WeakMap [Barrier.h:ac5158b80fdf : 241 + 0x4]
    rbx = 0x0471dd58   r12 = 0x0471df50   r13 = 0x0471dc50   r14 = 0x01b12b88
    r15 = 0x6da77000   rip = 0xbd2b0046   rsp = 0xe33b80d0   rbp = 0xe33b80f0
    Found by: call frame info
 2  libxul.so!WeakMap_finalize [jsweakmap.cpp:ac5158b80fdf : 320 + 0x8]
    rbx = 0x01b94cd0   r12 = 0x05664c20   r13 = 0x6da76040   r14 = 0x01b12b88
    r15 = 0x6da77000   rip = 0xbd2ae8d7   rsp = 0xe33b8100   rbp = 0xe33b8110
    Found by: call frame info
 3  libxul.so!js::gc::Arena::finalize<JSObject> [jsobjinlines.h:ac5158b80fdf : 290 + 0xb]
    rbx = 0x00000030   r12 = 0x6da763d0   r13 = 0x6da76040   r14 = 0x01b12b88
    r15 = 0x6da77000   rip = 0xbd1a2530   rsp = 0xe33b8120   rbp = 0xe33b8200
    Found by: call frame info
 4  libxul.so!js::gc::FinalizeTypedArenas<JSObject> [jsgc.cpp:ac5158b80fdf : 411 + 0x16]
    rbx = 0x6da76000   r12 = 0x6dcc7008   r13 = 0x00076000   r14 = 0x00000000
    r15 = 0x00000002   rip = 0xbd1a5737   rsp = 0xe33b8210   rbp = 0xe33b8270
    Found by: call frame info
 5  libxul.so!js::gc::ArenaLists::finalizeObjects [jsgc.cpp:ac5158b80fdf : 1572 + 0x15]
    rbx = 0x01bc9850   r12 = 0x01b94cd0   r13 = 0x01b10110   r14 = 0xe33b8300
    r15 = 0x01b10110   rip = 0xbd190d9e   rsp = 0xe33b8280   rbp = 0xe33b8290
    Found by: call frame info
 6  libxul.so!SweepPhase [jsgc.cpp:ac5158b80fdf : 3189 + 0xe]
    rbx = 0x01b94cd0   r12 = 0x00000000   r13 = 0x01b10110   r14 = 0xe33b8300
    r15 = 0x01b10110   rip = 0xbd191134   rsp = 0xe33b82a0   rbp = 0xe33b8350
    Found by: call frame info
 7  libxul.so!GCCycle [jsgc.cpp:ac5158b80fdf : 3504 + 0xd]
    rbx = 0x01b445c0   r12 = 0x01b12b88   r13 = 0x01b10110   r14 = 0x01b94cd0
    r15 = 0x01b10110   rip = 0xbd1965ee   rsp = 0xe33b8360   rbp = 0xe33b8450
    Found by: call frame info
 8  libxul.so!Collect [jsgc.cpp:ac5158b80fdf : 3683 + 0x4]
    rbx = 0x01b10110   r12 = 0x01b94cd0   r13 = 0x01b12ac0   r14 = 0x00000000
    r15 = 0x00000000   rip = 0xbd196c9d   rsp = 0xe33b8460   rbp = 0xe33b84c0
    Found by: call frame info
 9  libxul.so!nsXPConnect::Collect [nsXPConnect.cpp:ac5158b80fdf : 426 + 0x9]
    rbx = 0x00000018   r12 = 0x00000002   r13 = 0x01b94cd0   r14 = 0x00000002
    r15 = 0x0176aaa0   rip = 0xbc950079   rsp = 0xe33b84d0   rbp = 0xe33b85f0
    Found by: call frame info
10  libxul.so!nsXPConnect::GarbageCollect [nsXPConnect.cpp:ac5158b80fdf : 436 + 0x5]
    rbx = 0x0176aaa0   r12 = 0x00000018   r13 = 0x00000002   r14 = 0x00000002
    r15 = 0x0176aaa0   rip = 0xbc94f0f3   rsp = 0xe33b8600   rbp = 0xe33b8600
    Found by: call frame info
11  libxul.so!nsJSContext::GarbageCollectNow [nsJSEnvironment.cpp:ac5158b80fdf : 3258 + 0xe]
    rbx = 0x0176aaa0   r12 = 0x00000018   r13 = 0x00000002   r14 = 0x00000002
    r15 = 0x0176aaa0   rip = 0xbc633ac6   rsp = 0xe33b8610   rbp = 0xe33b8630
    Found by: call frame info
Assignee: nobody → general
Component: DOM → JavaScript Engine
QA Contact: general → general
https://tbpl.mozilla.org/php/getParsedLog.php?id=9520802&tree=Fx-Team
Rev3 Fedora 12 fx-team debug test mochitests-2/5 on 2012-02-22 01:43:37 PST for push 5cd5b1f24670

PROCESS-CRASH | /tests/dom/indexedDB/test/test_cursors.html | application crashed (minidump found)
Crash dump filename: /tmp/tmpvzdlpp/minidumps/26b41f95-ee29-7863-6ce20cbc-1d09ca88.dmp
Operating system: Linux
                  0.0.0 Linux 2.6.31.5-127.fc12.i686.PAE #1 SMP Sat Nov 7 21:25:57 EST 2009 i686
CPU: x86
     GenuineIntel family 6 model 23 stepping 10
     2 CPUs

Crash reason:  SIGSEGV
Crash address: 0x0

Thread 0 (crashed)
 0  libxul.so!IsAboutToBeFinalized [jsgc.cpp : 898 + 0x0]
    eip = 0x020e0135   esp = 0xbfb8f4c0   ebp = 0xbfb8f4d8   ebx = 0x028dbee8
    esi = 0xa758ba80   edi = 0x0e41f7a8   eax = 0xa758b000   ecx = 0x00000005
    edx = 0x00000000   efl = 0x00210286
    Found by: given as instruction pointer in context
 1  libxul.so!js::WeakMap<js::HeapPtr<JSObject, unsigned int>, js::HeapValue, js::DefaultHasher<js::HeapPtr<JSObject, unsigned int> >, js::DefaultMarkPolicy<js::HeapPtr<JSObject, unsigned int> >, js::DefaultMarkPolicy<js::HeapValue>, js::DefaultTracePolicy<js::HeapPtr<JSObject, unsigned int>, js::HeapValue> >::markIteratively [jsweakmap.h : 284 + 0xa]
    eip = 0x0221470a   esp = 0xbfb8f4e0   ebp = 0xbfb8f528   ebx = 0x028dbee8
    esi = 0x0e41f550   edi = 0x0e41f7a8
    Found by: call frame info
 2  libxul.so!js::WeakMapBase::markAllIteratively [jsweakmap.cpp : 67 + 0xe]
    eip = 0x0221377f   esp = 0xbfb8f530   ebp = 0xbfb8f548   ebx = 0x028dbee8
    esi = 0x0becb3d0   edi = 0x00000000
    Found by: call frame info
 3  libxul.so!MarkWeakReferences [jsgc.cpp : 2990 + 0x7]
    eip = 0x020e1e67   esp = 0xbfb8f550   ebp = 0xbfb8f588   ebx = 0x028dbee8
    esi = 0x09c5901c   edi = 0xbfb8f564
    Found by: call frame info
 4  libxul.so!MarkGrayAndWeak [jsgc.cpp : 3006 + 0x7]
    eip = 0x020e3d36   esp = 0xbfb8f590   ebp = 0xbfb8f5c8   ebx = 0x028dbee8
    esi = 0x09c58ea0   edi = 0x09c5901c
    Found by: call frame info
 5  libxul.so!EndMarkPhase [jsgc.cpp : 3034 + 0x6]
    eip = 0x020eb3ad   esp = 0xbfb8f5d0   ebp = 0xbfb8f638   ebx = 0x028dbee8
    esi = 0x09c58ea0   edi = 0x09c590a0
    Found by: call frame info
 6  libxul.so!GCCycle [jsgc.cpp : 3503 + 0x7]
    eip = 0x020ebf48   esp = 0xbfb8f640   ebp = 0xbfb8f6e8   ebx = 0x028dbee8
    esi = 0x09c58ea0   edi = 0x09c5b704
    Found by: call frame info
 7  libxul.so!Collect [jsgc.cpp : 3683 + 0x14]
    eip = 0x020ec660   esp = 0xbfb8f6f0   ebp = 0xbfb8f748   ebx = 0x028dbee8
    esi = 0x09c58ea0   edi = 0x09c9a4c8
    Found by: call frame info
 8  libxul.so!js::NotifyDidPaint [jsfriendapi.cpp : 725 + 0x21]
    eip = 0x020cdfe2   esp = 0xbfb8f750   ebp = 0xbfb8f768   ebx = 0x028dbee8
    esi = 0x09c58ea0   edi = 0x0a4c82d0
    Found by: call frame info
 9  libxul.so!nsXPConnect::NotifyDidPaint [nsXPConnect.cpp : 2841 + 0xa]
    eip = 0x018ce1f2   esp = 0xbfb8f770   ebp = 0xbfb8f818   ebx = 0x028dbee8
Summary: TEST-UNEXPECTED-FAIL | /tests/dom/indexedDB/test/test_deleteDatabase.html | Exited with code 1 during test run → TEST-UNEXPECTED-FAIL | /tests/dom/indexedDB/test/test_deleteDatabase.html or indexedDB/test/test_cursors.html | Exited with code 1 during test run [@ JSObject::writeBarrierPre] or [@ IsAboutToBeFinalized]
https://tbpl.mozilla.org/php/getParsedLog.php?id=9550444&tree=Mozilla-Inbound
Rev3 Fedora 12 mozilla-inbound debug test mochitests-4/5 on 2012-02-22 20:20:59 PST for push b94c2a93142c

PROCESS-CRASH | /tests/layout/generic/test/test_bug514732.html | application crashed (minidump found)
Crash dump filename: /tmp/tmpEZ7PD0/minidumps/699d21f1-f045-bd30-31c45852-7b190eff.dmp
Operating system: Linux
                  0.0.0 Linux 2.6.31.5-127.fc12.i686.PAE #1 SMP Sat Nov 7 21:25:57 EST 2009 i686
CPU: x86
     GenuineIntel family 6 model 23 stepping 10
     2 CPUs

Crash reason:  SIGSEGV
Crash address: 0x198

Thread 0 (crashed)
 0  libxul.so!JSObject::writeBarrierPre [jsobjinlines.h : 2072 + 0x0]
    eip = 0x023a9f23   esp = 0xbfbe8260   ebp = 0xbfbe8288   ebx = 0x02bd4d6c
    esi = 0xa47cb760   edi = 0x00000000   eax = 0xa47cb000   ecx = 0x00000005
    edx = 0x0cba76b0   efl = 0x00010286
    Found by: given as instruction pointer in context
 1  libxul.so!js::WeakMap<js::HeapPtr<JSObject, unsigned int>, js::HeapValue, js::DefaultHasher<js::HeapPtr<JSObject, unsigned int> >, js::DefaultMarkPolicy<js::HeapPtr<JSObject, unsigned int> >, js::DefaultMarkPolicy<js::HeapValue>, js::DefaultTracePolicy<js::HeapPtr<JSObject, unsigned int>, js::HeapValue> >::~WeakMap [Barrier.h : 241 + 0x7]
    eip = 0x0250e709   esp = 0xbfbe8290   ebp = 0xbfbe82c8   ebx = 0x02bd4d6c
    esi = 0x0cba7890   edi = 0x0cba79b0
    Found by: call frame info
 2  libxul.so!WeakMap_finalize [jsweakmap.cpp : 320 + 0x4]
    eip = 0x0250cf16   esp = 0xbfbe82d0   ebp = 0xbfbe82f8   ebx = 0x02bd4d6c
    esi = 0x0cbc59f0   edi = 0x0cbc59f0
    Found by: call frame info
 3  libxul.so!js::gc::Arena::finalize<JSObject> [jsobjinlines.h : 290 + 0xb]
    eip = 0x023f1d34   esp = 0xbfbe8300   ebp = 0xbfbe8388   ebx = 0x02bd4d6c
    esi = 0xa461d020   edi = 0xa461d020
    Found by: call frame info
 4  libxul.so!js::gc::FinalizeTypedArenas<JSObject> [jsgc.cpp : 411 + 0x23]
    eip = 0x023f4b59   esp = 0xbfbe8390   ebp = 0xbfbe83f8   ebx = 0x02bd4d6c
    esi = 0xa461d000   edi = 0x0001d000
    Found by: call frame info
 5  libxul.so!js::gc::FinalizeArenas [jsgc.cpp : 451 + 0x19]
    eip = 0x023def7a   esp = 0xbfbe8400   ebp = 0xbfbe8428   ebx = 0x02bd4d6c
    esi = 0x00000000   edi = 0x023def60
    Found by: call frame info
 6  libxul.so!js::gc::ArenaLists::finalizeObjects [jsgc.cpp : 1572 + 0x1b]
    eip = 0x023dfb06   esp = 0xbfbe8430   ebp = 0xbfbe8458   ebx = 0x02bd4d6c
    esi = 0x087eb128   edi = 0x087cbab0
    Found by: call frame info
 7  libxul.so!SweepPhase [jsgc.cpp : 3189 + 0x10]
    eip = 0x023dff23   esp = 0xbfbe8460   ebp = 0xbfbe84f8   ebx = 0x02bd4d6c
    esi = 0x087cbab0   edi = 0x029f2e3d
    Found by: call frame info
 8  libxul.so!GCCycle [jsgc.cpp : 3504 + 0xa]
    eip = 0x023e58d3   esp = 0xbfbe8500   ebp = 0xbfbe85a8   ebx = 0x02bd4d6c
    esi = 0x0878a258   edi = 0x0878cabc
    Found by: call frame info
 9  libxul.so!Collect [jsgc.cpp : 3683 + 0x14]
    eip = 0x023e5fe0   esp = 0xbfbe85b0   ebp = 0xbfbe8608   ebx = 0x02bd4d6c
Summary: TEST-UNEXPECTED-FAIL | /tests/dom/indexedDB/test/test_deleteDatabase.html or indexedDB/test/test_cursors.html | Exited with code 1 during test run [@ JSObject::writeBarrierPre] or [@ IsAboutToBeFinalized] → test_deleteDatabase.html, test_cursors.html, test_bug514732.html | Exited with code 1 during test run [@ JSObject::writeBarrierPre] or [@ IsAboutToBeFinalized]
https://tbpl.mozilla.org/php/getParsedLog.php?id=9557104&tree=Mozilla-Inbound
Summary: test_deleteDatabase.html, test_cursors.html, test_bug514732.html | Exited with code 1 during test run [@ JSObject::writeBarrierPre] or [@ IsAboutToBeFinalized] → test_deleteDatabase.html, test_deleteDatabase_interactions.html, test_cursors.html, test_bug514732.html | Exited with code 1 during test run [@ JSObject::writeBarrierPre] or [@ IsAboutToBeFinalized]
https://tbpl.mozilla.org/php/getParsedLog.php?id=9577825&tree=Mozilla-Inbound
Summary: test_deleteDatabase.html, test_deleteDatabase_interactions.html, test_cursors.html, test_bug514732.html | Exited with code 1 during test run [@ JSObject::writeBarrierPre] or [@ IsAboutToBeFinalized] → test_deleteDatabase.html, test_cursor_update_updates_indexes.html, test_deleteDatabase_interactions.html, test_cursors.html, test_bug514732.html | Exited with code 1 during test run [@ JSObject::writeBarrierPre] or [@ IsAboutToBeFinalized]
https://tbpl.mozilla.org/php/getParsedLog.php?id=9578772&tree=Mozilla-Inbound
Summary: test_deleteDatabase.html, test_cursor_update_updates_indexes.html, test_deleteDatabase_interactions.html, test_cursors.html, test_bug514732.html | Exited with code 1 during test run [@ JSObject::writeBarrierPre] or [@ IsAboutToBeFinalized] → test_deleteDatabase.html, test_file_cross_database_copying.html, test_cursor_update_updates_indexes.html, test_deleteDatabase_interactions.html, test_cursors.html, test_bug514732.html [@ JSObject::writeBarrierPre] or [@ IsAboutToBeFinalized]
Assignee: general → wmccloskey
Blocks: 730503
Summary: test_deleteDatabase.html, test_file_cross_database_copying.html, test_cursor_update_updates_indexes.html, test_deleteDatabase_interactions.html, test_cursors.html, test_bug514732.html [@ JSObject::writeBarrierPre] or [@ IsAboutToBeFinalized] → test_bug514732.html, test_cursor_update_updates_indexes.html, test_cursors.html, test_deleteDatabase.html, test_deleteDatabase_interactions.html, test_file_cross_database_copying.html, ... [@ JSObject::writeBarrierPre] or [@ IsAboutToBeFinalized]
https://tbpl.mozilla.org/php/getParsedLog.php?id=9618209&tree=Firefox
Rev3 Fedora 12 mozilla-central debug test mochitests-3/5 on 2012-02-24 21:48:43 PST for push 7cb1e4c50145
{
TEST-UNEXPECTED-FAIL | /tests/dom/tests/mochitest/localstorage/test_localStorageOriginsDomainDiffs.html | Exited with code 1 during test run
...
Thread 0 (crashed)
 0  libxul.so!JSObject::writeBarrierPre [jsobjinlines.h : 2072 + 0x0]
}
Hardware: x86_64 → All
Severity: normal → critical
Attached patch: fix
Here's what I think was happening in this bug. Inside ValidateIncrementalMarking, we would reset the weakmap list and then re-do the marking non-incrementally. It's expected that the non-incremental marking will mark a subset of objects that incremental marking does. This is because the write barriers are conservative and because we allocate objects black during incremental GC. After re-marking, we would do some checks and then restore the original mark bits (the ones from the incremental marking). This caused the weakmap list to become out of sync with the mark bits.

In particular, a weakmap could be marked but not be in the weakmap list. Consequently, we would not finalize the weakmap and we also wouldn't sweep out its finalized entries. Then, in the next GC, we would find garbage values in the weakmap and crash.

The fix is to not reset the weakmap list during validation. It used to be important to do this because it prevented maps from being added to the list twice. But now we use a special sentinel value to ensure that doesn't happen. So I think it's fine to re-do the marking without resetting the weakmap list.

I tested a related patch on tryserver (one that saved and restored the original weakmap list) and it seemed to fix the problem. This patch seems simpler and I think it will have the same effect.
Attachment #600735 - Flags: review?(igor)
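
A toy model of the desynchronisation described in the comment above, added here as an illustration; it is not code from this bug, its patches or SpiderMonkey. `Runtime`, `WeakMap`, `validate` and `staleEntriesAfterGC` are hypothetical simplifications, and the `inList` flag stands in for the sentinel value the comment mentions.

```cpp
#include <cstddef>
#include <cstdio>
#include <vector>

// Toy model only: every name below is hypothetical, not SpiderMonkey code.
struct WeakMap {
    bool marked = false;       // mark bit of the map object itself
    bool inList = false;       // stands in for next != WeakMapNotInList
    std::vector<size_t> keys;  // indices of weakly held key objects
};
struct Runtime {
    std::vector<bool> objMarked;      // mark bits of ordinary objects
    std::vector<WeakMap> maps;
    std::vector<size_t> weakMapList;  // maps whose entries sweep will visit
    void markMap(size_t i) {
        maps[i].marked = true;
        if (!maps[i].inList) { maps[i].inList = true; weakMapList.push_back(i); }
    }
    void sweep() {  // drops entries with unmarked keys, for listed maps only
        for (size_t i : weakMapList) {
            std::vector<size_t> live;
            for (size_t k : maps[i].keys) if (objMarked[k]) live.push_back(k);
            maps[i].keys = live;
        }
    }
};

// Re-mark from rootMaps (a subset of what incremental marking reached), then
// restore the incremental mark bits. Object mark bits are left alone here.
void validate(Runtime &rt, const std::vector<size_t> &rootMaps, bool resetList) {
    std::vector<bool> saved;
    for (auto &m : rt.maps) {
        saved.push_back(m.marked);
        m.marked = false;
        if (resetList) m.inList = false;
    }
    if (resetList) rt.weakMapList.clear();    // the step the fix removes
    for (size_t i : rootMaps) rt.markMap(i);  // non-incremental re-mark
    for (size_t i = 0; i < rt.maps.size(); i++) rt.maps[i].marked = saved[i];
}

// Entries with dead keys left in a marked map after validation plus sweep.
size_t staleEntriesAfterGC(bool resetList) {
    Runtime rt;
    rt.objMarked = {true, false};  // constructed heap: object 1 is dead
    rt.maps.resize(1);
    rt.maps[0].keys = {0, 1};
    rt.markMap(0);                 // incremental marking marked the map
    validate(rt, std::vector<size_t>(), resetList);  // re-mark reaches nothing
    rt.sweep();
    size_t stale = 0;
    for (size_t k : rt.maps[0].keys) stale += !rt.objMarked[k];
    return stale;
}

int main() {
    std::printf("%zu %zu\n", staleEntriesAfterGC(true), staleEntriesAfterGC(false));
}
```

With the reset, the map stays marked but falls off the list, so the entry for the dead key survives sweep; that leftover entry is the kind of garbage value the next GC trips over.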
Comment on attachment 600735
fix

I would prefer for ValidateIncrementalMarking to be stateless with anything it needs stored in a temporary allocated memory that is released when validating is done. For example, the weak map list should be stored in that temporary. But for now what the patch does sounds reasonable.
Attachment #600735 - Flags: review?(igor) → review+
https://hg.mozilla.org/integration/mozilla-inbound/rev/5ee59d0f5848

Let's leave this open to make sure it fixes the problem.

Igor, I'm not sure how ValidateIncrementalMarking can be stateless. It has to update the mark bits and the weakmap list no matter what. Would you prefer that we save and restore the weakmap list, as we do for the mark bits? I already have a fix for that if you'd prefer it.
Whiteboard: [orange] → [orange][leave-open]
Target Milestone: --- → mozilla13
(In reply to Bill McCloskey (:billm) from comment #82)
> 
> Igor, I'm not sure how ValidateIncrementalMarking can be stateless. It has
> to update the mark bits and the weakmap list no matter what. Would you
> prefer that we save and restore the weakmap list, as we do for the mark
> bits? I already have a fix for that if you'd prefer it.

By stateless I really meant "not observable". So restoring the original weakmap list would be better.
Comment on attachment 600803
alternate fix, applies on top of the first

Review of attachment 600803:
-----------------------------------------------------------------

Yes, this is much nicer!

::: js/src/jsweakmap.cpp
@@ +105,5 @@
> +bool
> +WeakMapBase::saveWeakMapList(JSRuntime *rt, WeakMapVector &vector)
> +{
> +    WeakMapBase *m = rt->gcWeakMapList;
> +    while (m) {
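
Review bot: saveWeakMapList returns bool, but nothing at the signature says what a false return means or what state `vector` is left in when it happens. State the failure contract in a comment above the definition (what false signals, and whether `vector` may be partially filled), because a caller that ignores the result and later restores from a short vector would silently drop maps from rt->gcWeakMapList, which is the same list/mark-bit mismatch this bug is about.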

Nit: Use for (WeakMapBase *m = rt->gcWeakMapList; m; m = m->next)

@@ +119,5 @@
> +{
> +    JS_ASSERT(!rt->gcWeakMapList);
> +    for (WeakMapBase **p = vector.begin(); p != vector.end(); p++) {
> +        WeakMapBase *m = *p;
> +        JS_ASSERT(m->next == WeakMapNotInList);
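
Review bot: both preconditions in the restore path, `!rt->gcWeakMapList` on entry and `m->next == WeakMapNotInList` for each saved map, are enforced only by JS_ASSERT, so they disappear when assertions are compiled out. If this function can ever run in such a build, consider having it reset the list itself before relinking rather than depending on the caller's ordering; otherwise note next to the declaration that it is debug-only and must follow a reset.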

Comment before the assert that it is expected that resetWeakMapList is called between save-restore.
Attachment #600803 - Flags: review?(igor) → review+
https://hg.mozilla.org/mozilla-central/rev/5ee59d0f5848 for the first one, because I didn't want to wait to see it merge around :)
Blocks: 438871
Whiteboard: [orange][leave-open] → [orange]
(In reply to Serge Gautherie (:sgautherie) from comment #64)
> https://tbpl.mozilla.org/php/getParsedLog.php?id=9618209&tree=Firefox
> Rev3 Fedora 12 mozilla-central debug test mochitests-3/5 on 2012-02-24
> 21:48:43 PST for push 7cb1e4c50145
> {
> TEST-UNEXPECTED-FAIL |
> /tests/dom/tests/mochitest/localstorage/test_localStorageOriginsDomainDiffs.
> html | Exited with code 1 during test run
> ...
> Thread 0 (crashed)
>  0  libxul.so!JSObject::writeBarrierPre [jsobjinlines.h : 2072 + 0x0]
> }


Can we have some background as to why this should be tracked for FF13?
There haven't been any more reports, so I'm going to mark this as fixed. I see no reason to track it.
Status: NEW → RESOLVED
Closed: 8 years ago
Resolution: --- → FIXED
No longer blocks: 730503
Duplicate of this bug: 730503
Duplicate of this bug: 711667
Whiteboard: [orange]