Closed Bug 792825 Opened 12 years ago Closed 12 years ago

Crash in js::gc::MarkObjectRange on CyanogenMod 10

Categories

(Core :: JavaScript Engine, defect)

18 Branch
ARM
Android
defect
Not set
critical

Tracking


RESOLVED FIXED
mozilla18
Tracking Status
firefox18 + fixed

People

(Reporter: snorp, Unassigned)

References

Details

(4 keywords, Whiteboard: [native-crash][startupcrash])

Crash Data

Attachments

(1 file)

I get a crash on current nightly with CM10 from 09/18. Doesn't happen on non-CM10 devices AFAICT.

(gdb) bt
#0  MarkRange<JSObject> (name=<optimized out>, vec=<optimized out>, len=<optimized out>, trc=<optimized out>)
    at /Users/snorp/source/mozilla-central/js/src/gc/Barrier.h:159
#1  js::gc::MarkObjectRange (trc=0x6104d108, len=1, vec=0x0, name=0x6437b43c "objects")
    at /Users/snorp/source/mozilla-central/js/src/gc/Marking.cpp:240
#2  0x63f280c4 in JSScript::markChildren(JSTracer*) () from /Users/snorp/source/mozilla-central/objdir-android/dist/bin/libxul.so
#3  0x63fcceb8 in MarkChildren (script=<optimized out>, trc=<optimized out>) at /Users/snorp/source/mozilla-central/js/src/gc/Marking.cpp:805
#4  js::gc::PushMarkStack (gcmarker=0x6437b43c, thing=<optimized out>) at /Users/snorp/source/mozilla-central/js/src/gc/Marking.cpp:606
#5  0x63fcd846 in MarkInternal<JSScript> (thingp=<optimized out>, trc=<optimized out>)
    at /Users/snorp/source/mozilla-central/js/src/gc/Marking.cpp:118
#6  MarkUnbarriered<JSScript> (name=<optimized out>, thingp=<optimized out>, trc=<optimized out>)
    at /Users/snorp/source/mozilla-central/js/src/gc/Marking.cpp:139
#7  js::gc::MarkScriptUnbarriered (trc=0x6104d108, thingp=<optimized out>, name=<optimized out>)
    at /Users/snorp/source/mozilla-central/js/src/gc/Marking.cpp:243
#8  0x63eac2a2 in trace (trc=<optimized out>, this=<optimized out>) at /Users/snorp/source/mozilla-central/js/src/jsfun.cpp:513
#9  fun_trace (trc=0x6104d108, obj=<optimized out>) at /Users/snorp/source/mozilla-central/js/src/jsfun.cpp:522
#10 0x63fd49e6 in processMarkStackTop (budget=<optimized out>, this=<optimized out>)
    at /Users/snorp/source/mozilla-central/js/src/gc/Marking.cpp:1255
#11 js::GCMarker::drainMarkStack (this=0x6104d108, budget=...) at /Users/snorp/source/mozilla-central/js/src/gc/Marking.cpp:1299
#12 0x63eb80a8 in DrainMarkStack (sliceBudget=<optimized out>, rt=<optimized out>) at /Users/snorp/source/mozilla-central/js/src/jsgc.cpp:4258
#13 IncrementalCollectSlice (rt=0x6104d000, budget=40000, reason=js::gcreason::INTER_SLICE_GC, gckind=js::GC_NORMAL)
    at /Users/snorp/source/mozilla-central/js/src/jsgc.cpp:4319
#14 0x63eba10e in GCCycle (rt=0x6104d000, incremental=<optimized out>, budget=40000, gckind=js::GC_NORMAL, reason=js::gcreason::INTER_SLICE_GC)
    at /Users/snorp/source/mozilla-central/js/src/jsgc.cpp:4524
#15 0x63ebb39c in Collect (reason=<optimized out>, gckind=<optimized out>, budget=<optimized out>, incremental=<optimized out>, 
    rt=<optimized out>) at /Users/snorp/source/mozilla-central/js/src/jsgc.cpp:4638
#16 js::GCSlice (rt=0x6104d000, gckind=js::GC_NORMAL, reason=js::gcreason::INTER_SLICE_GC, millis=40)
    at /Users/snorp/source/mozilla-central/js/src/jsgc.cpp:4676
#17 0x63eab312 in js::IncrementalGC (rt=0x6104d108, reason=js::gcreason::INTER_SLICE_GC, millis=<optimized out>)
    at /Users/snorp/source/mozilla-central/js/src/jsfriendapi.cpp:171
#18 0x637034b8 in nsJSContext::GarbageCollectNow(js::gcreason::Reason, nsJSContext::IsIncremental, nsJSContext::IsCompartment, nsJSContext::IsShrinking, long long) () from /Users/snorp/source/mozilla-central/objdir-android/dist/bin/libxul.so
#19 0x63703580 in InterSliceGCTimerFired(nsITimer*, void*) () from /Users/snorp/source/mozilla-central/objdir-android/dist/bin/libxul.so
#20 0x63bf9296 in nsTimerImpl::Fire (this=0x61cd7040) at /Users/snorp/source/mozilla-central/xpcom/threads/nsTimerImpl.cpp:473
#21 0x63bf934e in nsTimerEvent::Run (this=<optimized out>) at /Users/snorp/source/mozilla-central/xpcom/threads/nsTimerImpl.cpp:556
#22 0x63bf70ba in nsThread::ProcessNextEvent (this=0x5ec564c0, mayWait=<optimized out>, result=0x5f95294f)
    at /Users/snorp/source/mozilla-central/xpcom/threads/nsThread.cpp:624
#23 0x63bd5252 in NS_ProcessNextEvent_P (thread=0x28, mayWait=true)
    at /Users/snorp/source/mozilla-central/objdir-android/xpcom/build/nsThreadUtils.cpp:220
#24 0x63afba5e in mozilla::ipc::MessagePump::Run (this=0x5ec53280, aDelegate=0x5ec7f0e0)
    at /Users/snorp/source/mozilla-central/ipc/glue/MessagePump.cpp:117
#25 0x63c19ea0 in MessageLoop::RunInternal (this=0x641b17cc) at /Users/snorp/source/mozilla-central/ipc/chromium/src/base/message_loop.cc:208
#26 0x63c19f76 in RunHandler (this=<optimized out>) at /Users/snorp/source/mozilla-central/ipc/chromium/src/base/message_loop.cc:201
#27 MessageLoop::Run (this=0x5ec7f0e0) at /Users/snorp/source/mozilla-central/ipc/chromium/src/base/message_loop.cc:175
#28 0x63a7c5f8 in nsBaseAppShell::Run() () from /Users/snorp/source/mozilla-central/objdir-android/dist/bin/libxul.so
#29 0x639b5e24 in nsAppStartup::Run (this=0x610da550) at /Users/snorp/source/mozilla-central/toolkit/components/startup/nsAppStartup.cpp:296
#30 0x6338a0f6 in XREMain::XRE_mainRun (this=0x5f952af4) at /Users/snorp/source/mozilla-central/toolkit/xre/nsAppRunner.cpp:3829
#31 0x6338c1fc in XREMain::XRE_main (this=0x5f952af4, argc=<optimized out>, argv=0x5ec6b048, aAppData=<optimized out>)
    at /Users/snorp/source/mozilla-central/toolkit/xre/nsAppRunner.cpp:3906
#32 0x6338c330 in XRE_main (argc=7, argv=0x5ec6b048, aAppData=0x5bce4744, aFlags=<optimized out>)
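Added example (not from the bug or from Mozilla's code): a small Python parser for gdb `bt` output in the shape quoted above, which flags the inconsistency frame #1 shows, a range pointer of 0x0 passed together with a nonzero length. The sample backtrace is constructed from the frames above with shortened paths.

```python
import re

# Constructed sample in the shape of the gdb backtrace in the report:
# frame number, optional "0x... in", function, "(key=value, ...)" and an
# indented continuation line with the source location.
SAMPLE_BT = """\
#0  MarkRange<JSObject> (name=<optimized out>, vec=<optimized out>, len=<optimized out>, trc=<optimized out>)
    at /src/js/src/gc/Barrier.h:159
#1  js::gc::MarkObjectRange (trc=0x6104d108, len=1, vec=0x0, name=0x6437b43c "objects")
    at /src/js/src/gc/Marking.cpp:240
#2  0x63f280c4 in JSScript::markChildren(JSTracer*) () from /src/dist/bin/libxul.so
"""

FRAME_RE = re.compile(r'^#(\d+)\s+(?:0x[0-9a-f]+ in )?(.+?) \((.*)\)')
ARG_RE = re.compile(r'(\w+)=(<optimized out>|0x[0-9a-fA-F]+|-?\d+)')


def parse_backtrace(text):
    """Return one dict per frame: number, function, argument map, source location."""
    frames = []
    # Continuation lines ("    at file:line") start with whitespace; fold them in.
    for line in re.sub(r'\n\s+', ' ', text).splitlines():
        m = FRAME_RE.match(line)
        if not m:
            continue
        loc = re.search(r' at (\S+:\d+)', line)
        frames.append({
            'no': int(m.group(1)),
            'func': m.group(2),
            'args': dict(ARG_RE.findall(m.group(3))),
            'loc': loc.group(1) if loc else None,
        })
    return frames


def find_null_ranges(frames, ptr_names=('vec',), len_names=('len',)):
    """Flag frames whose range pointer is NULL while the length is nonzero.

    That combination (vec=0x0, len=1 in the bug) means the caller handed the
    marker an array it cannot walk, i.e. a corrupted or uninitialised object.
    """
    hits = []
    for f in frames:
        ptrs = [f['args'][p] for p in ptr_names if p in f['args']]
        lens = [f['args'][n] for n in len_names if n in f['args']]
        if any(p == '0x0' for p in ptrs) and any(n.isdigit() and int(n) > 0 for n in lens):
            hits.append((f['no'], f['func'], f['loc']))
    return hits
```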
Either it's a new form of bug 790139 like I thought previously, or a new regression that hides bug 790139 because it is more hittable.
Crash stats don't show crash reports in the build from 9/18, the first ones happen in 18.0a1/20120919. Are you sure of the build date?
Assignee: nobody → general
Severity: normal → critical
Crash Signature: [@ js::gc::MarkObjectRange]
Component: General → JavaScript Engine
Product: Firefox for Android → Core
Whiteboard: [native-crash][startupcrash]
Version: unspecified → 18 Branch
Guessing crash stats catch all, the regression range is:
http://hg.mozilla.org/mozilla-central/pushloghtml?fromchange=0d3b17a88d5f&tochange=80499f04e875
It might be a regression from bug 790836.

More reports at:
https://crash-stats.mozilla.com/report/list?signature=js%3A%3Agc%3A%3AMarkObjectRange
Summary: Crashes on CyanogenMod 10 → Crash in js::gc::MarkObjectRange on CyanogenMod 10
I can reproduce this crash on a Nexus S with CM10.
What are your STR?
STR:
- start Firefox
- load a page
- wait a couple of seconds
- crash

It happens 50% of the time. Sometimes, I need to load a second page to get the crash.
Keywords: reproducible
I get this crash on my ASUS TF101 with CM10, in both Nightly and Aurora builds.  Same steps as Paul.
(In reply to Matt Cosentino from comment #7)
> I get this crash on my ASUS TF101 with CM10, in both Nightly and Aurora
> builds.  Same steps as Paul.
Are you sure it's the same crash signature? Indeed, Beta and Aurora are unaffected: https://crash-stats.mozilla.com/report/list?signature=js%3A%3Agc%3A%3AMarkObjectRange
While CM is the majority of the reports, I also see Tiamat (http://tiamat-dev.com), AOKP, AniDroid and Faux 123.
I bisected this crash to https://hg.mozilla.org/mozilla-central/rev/9a02263d7206, which is bug 788378

Blair, Mossop, any idea what's going on here?
Attachment #666194 - Flags: review?(dtownsend+bugmail)
Comment on attachment 666194 [details] [diff] [review]
patch to backout 9a02263d7206

Review of attachment 666194 [details] [diff] [review]:
-----------------------------------------------------------------

No idea why this would be causing problems, but let's get it out and verify that solves it.
Attachment #666194 - Flags: review?(dtownsend+bugmail) → review+
https://hg.mozilla.org/mozilla-central/rev/fc074c415513
Status: NEW → RESOLVED
Closed: 12 years ago
Flags: in-testsuite+
Resolution: --- → FIXED
Target Milestone: --- → mozilla18
Any idea of what the real root cause of this is? Need something to mark as dependent on bug 788378 so we know when it's safe to re-land.
(In reply to Blair McBride (:Unfocused) from comment #15)
> Any idea of what the real root cause of this is? Need something to mark as
> dependent on bug 788378 so we know when it's safe to re-land.

We need to get the JS team involved to find that out, as this is all JS code that triggered it, and the signature is in the GC, so this is somehow in the JS engine. Sounds strange that a JS engine bug would only affect CM10, but GC crashes can be memory corruption - maybe CM10 is corrupting our memory somehow? In any case, we need real JS engine devs to investigate this.
Right... but is there another bug open for that, or does this need to be reopened so it doesn't get lost?