Closed Bug 733372 Opened 14 years ago Closed 14 years ago

intermittent mochitest crash in browser_aboutHome.js due to stack overflow during GC

Categories

(Core :: JavaScript Engine, defect)

x86
Windows 7
defect
Not set
normal

Tracking

RESOLVED FIXED
mozilla13

People

(Reporter: jfkthame, Assigned: terrence)

Details

(Keywords: intermittent-failure)

Attachments

(1 file)

This just occurred twice in fairly quick succession on inbound (Win32/debug), but I don't see an existing bug report for it. Possibly some recent change has increased our stack usage to the point where we're running dangerously close to the limit?

https://tbpl.mozilla.org/php/getParsedLog.php?id=9846974&tree=Mozilla-Inbound

PROCESS-CRASH | chrome://mochitests/content/browser/browser/base/content/test/browser_aboutHome.js | application crashed (minidump found)
Crash dump filename: c:\users\cltbld\appdata\local\temp\tmpkaix19\minidumps\78e6ba21-77bb-4b9c-9141-9ddb06cb9222.dmp
Operating system: Windows NT 6.1.7600
CPU: x86 GenuineIntel family 6 model 23 stepping 10 2 CPUs
Crash reason: EXCEPTION_STACK_OVERFLOW
Crash address: 0x6ca555b7

Thread 0 (crashed)
 0  mozjs.dll!js::gc::ChunkBitmap::getMarkWordAndMask(js::gc::Cell const *,unsigned int,unsigned int * *,unsigned int *) [jsgc.h:4bc3e20ff0e0 : 946 + 0x3]
    eip = 0x6ca555b7 esp = 0x00083000 ebp = 0x00083004 ebx = 0x113c9928
    esi = 0x113fc0c4 edi = 0x113c9928 eax = 0x00083024 ecx = 0x113fc0c4
    edx = 0x05765f20 efl = 0x00010202
    Found by: given as instruction pointer in context
 1  mozjs.dll!js::gc::ChunkBitmap::markIfUnmarked(js::gc::Cell const *,unsigned int) [jsgc.h:4bc3e20ff0e0 : 673 + 0x16]
    eip = 0x6ca6826d esp = 0x0008300c ebp = 0x00083028
    Found by: call frame info
 2  mozjs.dll!js::gc::PushMarkStack [jsgcmark.cpp:4bc3e20ff0e0 : 494 + 0x3a]
    eip = 0x6ca8dab2 esp = 0x00083030 ebp = 0x00083050
    Found by: call frame info
 3  mozjs.dll!js::gc::MarkInternal<js::Shape>(JSTracer *,js::Shape *) [jsgcmark.cpp:4bc3e20ff0e0 : 107 + 0x6]
    eip = 0x6ca8f777 esp = 0x00083044 ebp = 0x00083050
    Found by: stack scanning
 4  mozjs.dll!js::gc::MarkShapeUnbarriered(JSTracer *,js::Shape * *,char const *) [jsgcmark.cpp:4bc3e20ff0e0 : 211 + 0x25]
    eip = 0x6ca90e46 esp = 0x00083058 ebp = 0x00083060
    Found by: call frame info
 5  mozjs.dll!prop_iter_trace [jsapi.cpp:4bc3e20ff0e0 : 4269 + 0x14]
    eip = 0x6c9f23e7 esp = 0x00083068 ebp = 0x00083088
    Found by: call frame info
 6  mozjs.dll!js::ObjectImpl::privateWriteBarrierPre(void * *) [ObjectImpl-inl.h:4bc3e20ff0e0 : 105 + 0x4a]
    eip = 0x6c9f0e14 esp = 0x00083090 ebp = 0x000830a4
    Found by: call frame info
 7  mozjs.dll!prop_iter_trace [jsapi.cpp:4bc3e20ff0e0 : 4270 + 0x1f]
    eip = 0x6c9f2407 esp = 0x000830ac ebp = 0x000830c4
    Found by: call frame info

https://tbpl.mozilla.org/php/getParsedLog.php?id=9849232&tree=Mozilla-Inbound

PROCESS-CRASH | chrome://mochitests/content/browser/browser/base/content/test/browser_aboutHome.js | application crashed (minidump found)
Crash dump filename: c:\users\cltbld\appdata\local\temp\tmpifyvt4\minidumps\05fc2f57-ec53-40e6-83d8-afb0151ecf7a.dmp
Operating system: Windows NT 6.1.7600
CPU: x86 GenuineIntel family 6 model 23 stepping 10 2 CPUs
Crash reason: EXCEPTION_STACK_OVERFLOW
Crash address: 0x6a114e85

Thread 0 (crashed)
 0  mozjs.dll!js::gc::CheckMarkedThing<js::Shape> [jsgcmark.cpp:074a6a85dab6 : 83 + 0x2]
    eip = 0x6a114e85 esp = 0x001c3000 ebp = 0x001c3010 ebx = 0x12ec9928
    esi = 0x72ad100f edi = 0x06f260d8 eax = 0x06f25f48 ecx = 0x12ec9928
    edx = 0x001c306c efl = 0x00010246
    Found by: given as instruction pointer in context
 1  mozjs.dll!js::gc::MarkInternal<js::Shape>(JSTracer *,js::Shape *) [jsgcmark.cpp:074a6a85dab6 : 93 + 0xe]
    eip = 0x6a11f714 esp = 0x001c3018 ebp = 0x001c3028
    Found by: call frame info
 2  mozjs.dll!js::gc::MarkShapeUnbarriered(JSTracer *,js::Shape * *,char const *) [jsgcmark.cpp:074a6a85dab6 : 211 + 0x25]
    eip = 0x6a120e46 esp = 0x001c3030 ebp = 0x001c3038
    Found by: call frame info
 3  mozjs.dll!prop_iter_trace [jsapi.cpp:074a6a85dab6 : 4269 + 0x14]
    eip = 0x6a0823e7 esp = 0x001c3040 ebp = 0x001c3060
    Found by: call frame info
 4  mozjs.dll!js::ObjectImpl::privateWriteBarrierPre(void * *) [ObjectImpl-inl.h:074a6a85dab6 : 105 + 0x4a]
    eip = 0x6a080e14 esp = 0x001c3068 ebp = 0x001c307c
    Found by: call frame info
 5  mozjs.dll!prop_iter_trace [jsapi.cpp:074a6a85dab6 : 4270 + 0x1f]
    eip = 0x6a082407 esp = 0x001c3084 ebp = 0x001c309c
    Found by: call frame info
 6  mozjs.dll!js::ObjectImpl::privateWriteBarrierPre(void * *) [ObjectImpl-inl.h:074a6a85dab6 : 105 + 0x4a]
    eip = 0x6a080e14 esp = 0x001c30a4 ebp = 0x001c30b8
    Found by: call frame info
 7  mozjs.dll!prop_iter_trace [jsapi.cpp:074a6a85dab6 : 4270 + 0x1f]
    eip = 0x6a082407 esp = 0x001c30c0 ebp = 0x001c30d8
    Found by: call frame info

I'm not entirely sure what's going on here, but it's definitely a regression from bug 728343. Terrence, can you put together a quick patch to change the setPrivate in prop_iter_trace into an assertion that they're the same? We'll have to fix this later, but for now we should fix the orange.

I suspect what may be happening is:
1. An object of class prop_iter_class is created. Incremental GC is disabled for the future, but one is still running, so write barriers are enabled.
2. Some sort of non-GC tracer runs, calling prop_iter_trace. Then we keep triggering the write barrier in an infinite recursive loop through the setPrivate call.

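The recursion suspected in the comment above (trace hook, barriered setPrivate, trace hook again) and the proposed assertion, as a simplified C++ model added here as an example. It is not SpiderMonkey code or the attached patch; every type and function name and the depth limit are hypothetical.

```cpp
// Simplified model, not SpiderMonkey code; every name here is hypothetical.
#include <cassert>

struct Shape { bool marked; };
struct Tracer { bool barriersEnabled; int depth; int maxDepth; bool hitLimit; };
struct Object;
typedef void (*TraceHook)(Tracer&, Object&);
struct Object { void* priv; TraceHook trace; };
const int kDepthLimit = 1000;  // constructed stand-in for the native stack limit

void markShape(Shape** sp) { (*sp)->marked = true; }  // non-moving: *sp is unchanged

// Pre-write barrier: while an incremental GC is running, the object is traced
// before its private slot is overwritten.
void setPrivate(Tracer& trc, Object& obj, void* p) {
    if (trc.barriersEnabled) obj.trace(trc, obj);
    obj.priv = p;
}

// Counts hook nesting; returns false at the limit (where the real process crashed).
bool enter(Tracer& trc) {
    if (++trc.depth > trc.maxDepth) trc.maxDepth = trc.depth;
    if (trc.depth >= kDepthLimit) trc.hitLimit = true;
    return !trc.hitLimit;
}

// Regressed form of the hook: writes the pointer back through the barriered setter.
void traceWithWrite(Tracer& trc, Object& obj) {
    if (enter(trc)) {
        Shape* shape = static_cast<Shape*>(obj.priv);
        markShape(&shape);
        setPrivate(trc, obj, shape);  // barrier -> trace hook -> barrier -> ...
    }
    --trc.depth;
}

// Form proposed in the thread: assert the pointer is unchanged, perform no write.
void traceWithAssert(Tracer& trc, Object& obj) {
    enter(trc);
    Shape* shape = static_cast<Shape*>(obj.priv);
    markShape(&shape);
    assert(shape == obj.priv);
    --trc.depth;
}

struct Result { int maxDepth; bool hitLimit; bool marked; };
Result run(TraceHook hook, bool barriersEnabled) {
    Shape shape = {false};
    Object obj = {&shape, hook};
    Tracer trc = {barriersEnabled, 0, 0, false};
    hook(trc, obj);
    return Result{trc.maxDepth, trc.hitLimit, shape.marked};
}
```

With barriers disabled the writing hook nests only once, which is consistent with the crash being intermittent: the model only runs away when the hook is invoked while barriers are still enabled.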
Attached patch v0: trivial fix
Assignee: general → terrence
Status: NEW → ASSIGNED
Attachment #603377 - Flags: review?(wmccloskey)
Comment on attachment 603377
v0: trivial fix

Thanks.
Attachment #603377 - Flags: review?(wmccloskey) → review+
Blocks: 438871
Summary: intermittent mochitest crash due to stack overflow during GC → intermittent mochitest crash in browser_aboutHome.js due to stack overflow during GC
Target Milestone: --- → mozilla13
Status: ASSIGNED → RESOLVED
Closed: 14 years ago
Resolution: --- → FIXED
Whiteboard: [orange]