Closed Bug 852912 Opened 12 years ago Closed 12 years ago

Intermittent Windows ecma_5/JSON/parse-array-gc.js | application crashed [@ MarkValueInternal]

Categories

(Core :: JavaScript Engine, defect)

x86
Windows 8
defect
Not set
critical

Tracking

RESOLVED FIXED
mozilla22

People

(Reporter: emorley, Assigned: billm)

Details

(Keywords: crash, intermittent-failure)

Attachments

(1 file)

Rev3 WINNT 6.2 mozilla-inbound debug test jsreftest on 2013-03-19 16:01:14 PDT for push d72d29f6a92c
slave: t-w864-ix-087
https://tbpl.mozilla.org/php/getParsedLog.php?id=20849257&tree=Mozilla-Inbound
{
16:13:11 INFO - --DOMWINDOW == 99 (0E5777C0) [serial = 1970] [outer = 00000000] [url = data:text/html;charset=UTF-8,%3C%21%2D%2DCLEAR%2D%2D%3E]
16:13:11 INFO - --DOMWINDOW == 98 (0E576680) [serial = 1969] [outer = 00000000] [url = file:///C:/slave/test/build/tests/jsreftest/tests/jsreftest.html?test=ecma_3/String/15.5.4.11.js]
16:13:11 INFO - --DOMWINDOW == 97 (0E574628) [serial = 1968] [outer = 00000000] [url = data:text/html;charset=UTF-8,%3C%21%2D%2DCLEAR%2D%2D%3E]
16:13:11 INFO - --DOMWINDOW == 96 (0E576230) [serial = 1967] [outer = 00000000] [url = file:///C:/slave/test/build/tests/jsreftest/tests/jsreftest.html?test=ecma_3/Statements/switch-002.js]
16:13:11 INFO - --DOMWINDOW == 95 (0E5750F0) [serial = 1966] [outer = 00000000] [url = data:text/html;charset=UTF-8,%3C%21%2D%2DCLEAR%2D%2D%3E]
16:13:15 WARNING - TEST-UNEXPECTED-FAIL | file:///C:/slave/test/build/tests/jsreftest/tests/jsreftest.html?test=ecma_5/JSON/parse-array-gc.js | Exited with code -1073741819 during test run
16:13:15 INFO - INFO | automation.py | Application ran for: 0:07:26.338000
16:13:15 INFO - INFO | automation.py | Reading PID log: c:\users\cltbld~1.t-w\appdata\local\temp\tmpxke5htpidlog
16:13:21 INFO - PROCESS-CRASH | file:///C:/slave/test/build/tests/jsreftest/tests/jsreftest.html?test=ecma_5/JSON/parse-array-gc.js | application crashed [@ MarkValueInternal]
16:13:21 INFO - Crash dump filename: c:\users\cltbld~1.t-w\appdata\local\temp\tmpytn8gv\minidumps\9d10bd17-defe-4fe1-bde4-46ac7eecc464.dmp
16:13:21 INFO - Operating system: Windows NT
16:13:21 INFO - 6.2.9200
16:13:21 INFO - CPU: x86
16:13:21 INFO - GenuineIntel family 6 model 30 stepping 5
16:13:21 INFO - 8 CPUs
16:13:21 INFO - Crash reason: EXCEPTION_ACCESS_VIOLATION_READ
16:13:21 INFO - Crash address: 0x0
16:13:21 INFO - Thread 0 (crashed)
16:13:21 INFO - 0 mozjs.dll!MarkValueInternal [Marking.cpp:d72d29f6a92c : 471 + 0x0]
16:13:21 INFO - eip = 0x73378146 esp = 0x00adc794 ebp = 0x00adc7a4 ebx = 0x00000000
16:13:21 INFO - esi = 0x00000000 edi = 0x03bb5fec eax = 0x00000001 ecx = 0x737f4034
16:13:21 INFO - edx = 0x03bb5fec efl = 0x00010202
16:13:21 INFO - Found by: given as instruction pointer in context
16:13:21 INFO - 1 mozjs.dll!js::gc::MarkValueRootRange(JSTracer *,unsigned int,JS::Value *,char const *) [Marking.cpp:d72d29f6a92c : 550 + 0x12]
16:13:21 INFO - eip = 0x73378777 esp = 0x00adc7ac ebp = 0x00adc7bc
16:13:21 INFO - Found by: call frame info
16:13:21 INFO - 2 mozjs.dll!JS::AutoGCRooter::trace(JSTracer *) [RootMarking.cpp:d72d29f6a92c : 632 + 0x15]
16:13:21 INFO - eip = 0x733514b3 esp = 0x00adc7c4 ebp = 0x00adc824
16:13:21 INFO - Found by: call frame info
16:13:21 INFO - 3 mozjs.dll!js::gc::MarkRuntime(JSTracer *,bool) [RootMarking.cpp:d72d29f6a92c : 687 + 0x1c]
16:13:21 INFO - eip = 0x733519ac esp = 0x00adc82c ebp = 0x00adc8f4
16:13:21 INFO - Found by: call frame info
16:13:21 INFO - 4 mozjs.dll!BeginMarkPhase [jsgc.cpp:d72d29f6a92c : 2873 + 0xf]
16:13:21 INFO - eip = 0x73029c3f esp = 0x00adc8fc ebp = 0x00adc9f0
16:13:21 INFO - Found by: call frame info
16:13:21 INFO - 5 mozjs.dll!IncrementalCollectSlice [jsgc.cpp:d72d29f6a92c : 4285 + 0x6]
16:13:21 INFO - eip = 0x73033ed4 esp = 0x00adc9f8 ebp = 0x00adca34
16:13:21 INFO - Found by: call frame info
16:13:21 INFO - 6 mozjs.dll!GCCycle [jsgc.cpp:d72d29f6a92c : 4463 + 0xe]
16:13:21 INFO - eip = 0x7303545c esp = 0x00adca3c ebp = 0x00adca78
16:13:21 INFO - Found by: call frame info
16:13:21 INFO - 7 mozjs.dll!Collect [jsgc.cpp:d72d29f6a92c : 4591 + 0x20]
16:13:21 INFO - eip = 0x730358f9 esp = 0x00adca80 ebp = 0x00adcb10
16:13:21 INFO - Found by: call frame info
16:13:21 INFO - 8 mozjs.dll!js::gc::RunDebugGC(JSContext *) [jsgc.cpp:d72d29f6a92c : 4797 + 0x13]
16:13:21 INFO - eip = 0x73035d6a esp = 0x00adcb18 ebp = 0x00adcb34
16:13:21 INFO - Found by: call frame info
16:13:21 INFO - 9 mozjs.dll!js::gc::NewGCThing<js::Shape,1>(JSContext *,js::gc::AllocKind,unsigned int,js::gc::InitialHeap) [jsgcinlines.h:d72d29f6a92c : 490 + 0x5]
}
Before https://tbpl.mozilla.org/?tree=Mozilla-Inbound&jobname=Rev3%20WINNT%206.2%20mozilla-inbound%20debug%20test%20jsreftest&rev=41789248e1e6 we had ~15 greens in a row; after it's crashing ~1 in 3 runs. Jeff, which needs backing out?
Blocks: 837957, 852563
Flags: needinfo?(jwalden+bmo)
This is almost certainly bug 852563, but that is adding a needed fix and shouldn't be backed out. parse-array-gc.js is added by that bug and could be removed itself I guess.
We saw a bunch of crashes like this on ARM in February, but then they mysteriously stopped. It does seem like a compiler issue, but it could still be our fault.
Give WinXP enough opportunities to fail, and it will do so.
Summary: Intermittent Windows 8 ecma_5/JSON/parse-array-gc.js | application crashed [@ MarkValueInternal] → Intermittent Windows ecma_5/JSON/parse-array-gc.js | application crashed [@ MarkValueInternal]
Attached patch: patch

The stack for this crash looks like this:

mozjs.dll!js::gc::MarkValueRootRange(JSTracer *,unsigned int,JS::Value *,char const *) [Marking.cpp:d72d29f6a92c : 550 + 0x12]
mozjs.dll!JS::AutoGCRooter::trace(JSTracer *) [RootMarking.cpp:d72d29f6a92c : 632 + 0x15]
...
mozjs.dll!JS_NewArrayObject(JSContext *,int,JS::Value *) [jsapi.cpp:d72d29f6a92c : 4677 + 0xb]
xul.dll!nsFrameMessageManager::SendSyncMessage(nsAString_internal const &,JS::Value const &,JSContext *,unsigned char,JS::Value *) [nsFrameMessageManager.cpp:d72d29f6a92c : 383 + 0xb]

If you look at nsFrameMessageManager::SendSyncMessage, it passes NULL for the Value* argument to JS_NewArrayObject. That seems to be an okay thing for that function since it explicitly checks for NULL. However, it also tries to root the array, which is wrong if it's NULL. As far as I can tell, this has been a longstanding (though rare) NULL crash.

It seems like the easiest fix is to NULL check the array during root marking.
Assignee: general → wmccloskey
Status: NEW → ASSIGNED
Attachment #727410 - Flags: review?(bhackett1024)
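The failure mode described in the comment above, reduced to a self-contained C++ model. This is an added example, not part of the bug thread or of the attached patch; ToyValue, ToyTracer, ToyArrayRooter and the functions are hypothetical stand-ins for the SpiderMonkey names in the stack.

```cpp
// Simplified model of the rooting bug described above; not SpiderMonkey code.
#include <cstddef>
#include <cstdio>
#include <vector>

struct ToyValue { bool isGCThing; int cell; };      // stand-in for JS::Value
struct ToyTracer { std::vector<int> marked; };      // stand-in for JSTracer

// Stand-in for AutoArrayRooter: claims `length` values starting at `array`.
struct ToyArrayRooter {
    std::size_t length;
    ToyValue *array;   // may be null when the caller supplied no initial values
};

// Stand-in for MarkValueRootRange: reads vec[0..len), so vec must be non-null.
static void markValueRootRange(ToyTracer &trc, std::size_t len, ToyValue *vec) {
    for (std::size_t i = 0; i < len; i++)
        if (vec[i].isGCThing)
            trc.marked.push_back(vec[i].cell);
}

// Root marking with the NULL check: a rooter without a vector has nothing to mark.
// Without the check, length > 0 and array == nullptr is a read of address 0.
static void traceRooter(ToyTracer &trc, const ToyArrayRooter &rooter) {
    if (rooter.array)
        markValueRootRange(trc, rooter.length, rooter.array);
}

// Stand-in for JS_NewArrayObject(cx, length, vector): the vector is rooted, then
// the allocation triggers a collection (as a debug GC does) that traces the rooter.
// Returns how many cells the collection marked through that rooter.
static std::size_t markedDuringNewArray(std::size_t length, ToyValue *vector) {
    ToyArrayRooter rooter{length, vector};
    ToyTracer gc;
    traceRooter(gc, rooter);
    return gc.marked.size();
}

int main() {
    ToyValue vals[3] = {{true, 10}, {false, 0}, {true, 11}};   // constructed sample
    std::printf("with vector: %zu cells marked\n", markedDuringNewArray(3, vals));
    std::printf("NULL vector: %zu cells marked\n", markedDuringNewArray(3, nullptr));
    return 0;
}
```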
RyanVM said he already disabled the test, so we need to re-enable it when this problem is fixed.
Comment on attachment 727410
patch

Review of attachment 727410:
-----------------------------------------------------------------

Ack, I should have looked more closely at the stack trace.

::: js/src/gc/RootMarking.cpp @@ +627,5 @@ > return; > } > > JS_ASSERT(tag_ >= 0); > + if (static_cast<AutoArrayRooter *>(this)->array) {
Maybe add a temp to avoid the duplicate static_cast?
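Review bot: The added NULL test on AutoArrayRooter's array, directly after JS_ASSERT(tag_ >= 0), has no comment saying why a rooter with a non-negative tag_ can have no array. A one-line comment naming the case from this bug (JS_NewArrayObject accepts a NULL vector and still roots it) would keep a later cleanup from removing the check as dead code.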
Attachment #727410 - Flags: review?(bhackett1024) → review+
Disabled on all Windows debug builds. Bill, make sure to take the [leave open] off when you push your fix. https://hg.mozilla.org/integration/mozilla-inbound/rev/65bbddd22ef0
Whiteboard: [leave open]
I looked more closely at those Android crashes, and it looks like the same problem. It was harder to see in those stacks because they had a lot more junk in them. I'll land this whenever the tree reopens.
Flags: needinfo?(jwalden+bmo)
Status: ASSIGNED → RESOLVED
Closed: 12 years ago
Resolution: --- → FIXED
Target Milestone: --- → mozilla22
No longer blocks: 837957