Open Bug 787879 Opened 8 years ago Updated 7 years ago

crash in js::SweepBackgroundThings

Categories

(Core :: JavaScript Engine, defect)

17 Branch
x86
Windows XP
defect
Not set
critical

Tracking


Tracking Status
firefox17 - wontfix
firefox18 - wontfix
firefox19 --- wontfix
firefox20 --- wontfix
firefox21 --- wontfix
firefox22 --- wontfix
firefox23 --- wontfix
firefox24 --- wontfix
firefox27 --- affected
firefox28 --- affected
firefox29 --- affected
firefox30 --- affected

People

(Reporter: scoobidiver, Unassigned)

References

Details

(4 keywords, Whiteboard: [js:p1][unactionable])

Crash Data

It's #41 top browser crasher in 17.0a2 and #55 in 18.0a1.

It first appeared in 17.0a1/20120822. The regression range is:
http://hg.mozilla.org/mozilla-central/pushloghtml?fromchange=360ab7771e27&tochange=abc17059522b
It's likely a regression from bug 782993.

Signature 	je_free | js::SweepBackgroundThings
UUID	b139d437-478b-4c14-9e4e-7c2782120903
Date Processed	2012-09-03 02:36:46
Uptime	19
Last Crash	20 seconds before submission
Install Age	4.2 hours since version was first installed.
Install Time	2012-09-02 22:22:09
Product	Firefox
Version	18.0a1
Build ID	20120902030516
Release Channel	nightly
OS	Windows NT
OS Version	6.1.7601 Service Pack 1
Build Architecture	x86
Build Architecture Info	AuthenticAMD family 16 model 4 stepping 3
Crash Reason	EXCEPTION_ACCESS_VIOLATION_READ
Crash Address	0x64f00000
App Notes 	
AdapterVendorID: 0x1002, AdapterDeviceID: 0x68b8, AdapterSubsysID: 1482174b, AdapterDriverVersion: 8.982.0.0
D2D? D2D+ DWrite? DWrite+ D3D10 Layers? D3D10 Layers+ 
EMCheckCompatibility	False
Adapter Vendor ID	0x1002
Adapter Device ID	0x68b8
Total Virtual Memory	4294836224
Available Virtual Memory	3606753280
System Memory Use Percentage	20
Available Page File	13195988992
Available Physical Memory	13675708416

Frame 	Module 	Signature 	Source
0 	mozglue.dll 	je_free 	memory/mozjemalloc/jemalloc.c:6565
1 	mozjs.dll 	js::SweepBackgroundThings 	js/src/jsgc.cpp:2833
2 	mozjs.dll 	js::GCHelperThread::doSweep 	js/src/jsgc.cpp:3107
3 	mozjs.dll 	js::GCHelperThread::threadLoop 	js/src/jsgc.cpp:2959
4 	mozjs.dll 	js::GCHelperThread::threadMain 	js/src/jsgc.cpp:2938
5 	nspr4.dll 	_PR_NativeRunThread 	nsprpub/pr/src/threads/combined/pruthr.c:395
6 	nspr4.dll 	pr_root 	nsprpub/pr/src/md/windows/w95thred.c:90
7 	msvcr100.dll 	_callthreadstartex 	f:\dd\vctools\crt_bld\self_x86\crt\src\threadex.c:314
8 	msvcr100.dll 	_threadstartex 	f:\dd\vctools\crt_bld\self_x86\crt\src\threadex.c:292
9 	kernel32.dll 	BaseThreadInitThunk 	
10 	ntdll.dll 	__RtlUserThreadStart 	
11 	ntdll.dll 	_RtlUserThreadStart

More reports at:
https://crash-stats.mozilla.com/report/list?signature=je_free+|+js%3A%3ASweepBackgroundThings
Assignee: general → jcoppeard
Whiteboard: [js:p1:fx18]
It has spiked since the IonMonkey landing making it #7 top browser crasher over the last 3 days.
Keywords: topcrash
It's likely that this is caused by existing heap corruption issues, but is showing up in this new function now the code has been rearranged by bug 782993.
I had a quick look at this but can't see that it's related to my changes.  It could just as easily be heap corruption caused by subsequent changes that is causing this.  I

It's down to #47 on the top crashers list now, but I'll try and look into it in more depth next week.
While this is #48 on 18.0a2, it's #29 on 17.0b1 - if we're tracking this for 18, we might want to do the same for 17.
Crash Signature: [@ je_free | js::SweepBackgroundThings] → [@ je_free | js::SweepBackgroundThings] [@ arena_dalloc_small | je_free | js::SweepBackgroundThings ] [@ js::SweepBackgroundThings ] [@ moz_abort | je_free | js::SweepBackgroundThings ] [@ arena_run_dalloc | je_free | js::SweepBackgroundThings ]
(In reply to Robert Kaiser (:kairo@mozilla.com) from comment #4)
> While this is #48 on 18.0a2, it's #29 on 17.0b1 - if we're tracking this for
> 18, we might want to do the same for 17.

Is this a longstanding issue for FF17 and lower? If we've seen these signatures in previous versions of Firefox, this no longer represents a recent regression and we can untrack based upon the low volumes.

If the volume is completely new in FF17, we should continue to investigate as a regression.
(In reply to Alex Keybl [:akeybl] from comment #5)
> Is this a longstanding issue for FF17 and lower?

No, all the signatures on this bug (I found the others by searching for js::SweepBackgroundThings on Socorro) are not in 16 or older, only in 17 and newer.

> If the volume is completely new in FF17, we should continue to investigate
> as a regression.

Yes, I believe we should. It's not high in volume, but clearly a regression between 16 and 17.
This is not necessarily a regression. Sometimes we rename functions or move code around. If it was crashing before, now it will be crashing with a new signature. The same thing can happen if the compiler inlines in a different way.

I think we've always had crashes during sweeping (maybe grouped under the doSweep signature). I think this bug might be a variation on that.

I'd really like to be able to group all signatures related to GC in a single bin and watch how the volume of this giant signature changes. We have the data in crashdumps to do that now (bug 765065), but apparently no way to access it.
(In reply to Bill McCloskey (:billm) from comment #7)
> but apparently no way to
> access it.

Is there a bug filed for that?  If the volume right now includes signatures that are just moved names from older signatures, that furthers the likelihood that we can untrack this particular bug, but it sounds like getting the information you asked for in bug 765065 should be put on a fast track so we really know when there are GC changes as a group.
Good point. I filed bug 803209 for the Socorro changes.
Crash Signature: [@ je_free | js::SweepBackgroundThings] [@ arena_dalloc_small | je_free | js::SweepBackgroundThings ] [@ js::SweepBackgroundThings ] [@ moz_abort | je_free | js::SweepBackgroundThings ] [@ arena_run_dalloc | je_free | js::SweepBackgroundThings ] → [@ je_free | js::SweepBackgroundThings] [@ arena_dalloc_small | je_free | js::SweepBackgroundThings ] [@ js::SweepBackgroundThings ] [@ moz_abort | je_free | js::SweepBackgroundThings ] [@ arena_run_dalloc | je_free | js::SweepBackgroundThings ] [@ j…
Duplicate of this bug: 818026
Crash Signature: je_free | SweepBackgroundThings] [@ moz_abort | je_free | SweepBackgroundThings] → RtlEnterCriticalSection | je_free | js::SweepBackgroundThings] [@ je_free | SweepBackgroundThings] [@ moz_abort | je_free | SweepBackgroundThings]
Crash Signature: RtlEnterCriticalSection | je_free | js::SweepBackgroundThings] [@ je_free | SweepBackgroundThings] [@ moz_abort | je_free | SweepBackgroundThings] → RtlEnterCriticalSection | je_free | js::SweepBackgroundThings ] [@ je_free | SweepBackgroundThings ] [@ moz_abort | je_free | SweepBackgroundThings ]
Crash Signature: RtlEnterCriticalSection | je_free | js::SweepBackgroundThings ] [@ je_free | SweepBackgroundThings ] [@ moz_abort | je_free | SweepBackgroundThings ] → RtlEnterCriticalSection | je_free | js::SweepBackgroundThings ] [@ je_free | SweepBackgroundThings ] [@ moz_abort | je_free | SweepBackgroundThings ] [@ RtlEnterCriticalSection | je_free | SweepBackgroundThings ] [@ RtlpWaitForCriticalSection | RtlEn…
With combined signatures, it's #9 top browser crasher in 20.0.1, #8 in 21.0b3 and almost unaffected in 22.0a2 and above.
Crash Signature: RtlpOptimizeSRWLockList | je_free | SweepBackgroundThings ] [@ arena_run_tree_insert | je_free | SweepBackgroundThings ] [@ moz_abort | arena_run_dalloc | arena_dalloc_large | je_free | SweepBackgroundThings ] → RtlpOptimizeSRWLockList | je_free | SweepBackgroundThings ] [@ arena_run_tree_insert | je_free | SweepBackgroundThings ] [@ moz_abort | arena_run_dalloc | arena_dalloc_large | je_free | SweepBackgroundThings ] [@ FinalizeArenas ] [@ je_free | Finaliz…
Crash Signature: FinalizeArenas ] → FinalizeArenas ] [@ moz_abort | je_free | FinalizeArenas ]
Crash Signature: FinalizeArenas ] [@ moz_abort | je_free | FinalizeArenas ] → FinalizeArenas ] [@ moz_abort | je_free | FinalizeArenas ] [@ RtlEnterCriticalSection | je_free | FinalizeArenas ]
Crash Signature: FinalizeArenas ] [@ moz_abort | je_free | FinalizeArenas ] [@ RtlEnterCriticalSection | je_free | FinalizeArenas ] → FinalizeArenas ] [@ moz_abort | je_free | FinalizeArenas ] [@ RtlEnterCriticalSection | je_free | FinalizeArenas ] [@ arena_dalloc | je_free | FinalizeArenas ] [@ extent_ad_comp | extent_tree_ad_remove | huge_dalloc | je_free | FinalizeArenas ] [@ R…
Duplicate of this bug: 898600
Whiteboard: [js:p1:fx18] → [js:p1:fx18][unactionable]
I'm not currently working on this, so unassigning myself.
Assignee: jcoppeard → nobody
Whiteboard: [js:p1:fx18][unactionable] → [js:p1][unactionable]