Closed Bug 852912 Opened 9 years ago Closed 9 years ago

Intermittent Windows ecma_5/JSON/parse-array-gc.js | application crashed [@ MarkValueInternal]

Categories: Core :: JavaScript Engine, defect
Hardware: x86
OS: Windows 8
Type: defect
Priority: Not set
Severity: critical
Status: RESOLVED FIXED
Target Milestone: mozilla22
People: Reporter: emorley, Assigned: billm
Keywords: crash, intermittent-failure
Attachments: 1 file

Rev3 WINNT 6.2 mozilla-inbound debug test jsreftest on 2013-03-19 16:01:14 PDT for push d72d29f6a92c

slave: t-w864-ix-087

https://tbpl.mozilla.org/php/getParsedLog.php?id=20849257&tree=Mozilla-Inbound

{
16:13:11     INFO -  --DOMWINDOW == 99 (0E5777C0) [serial = 1970] [outer = 00000000] [url = data:text/html;charset=UTF-8,%3C%21%2D%2DCLEAR%2D%2D%3E]
16:13:11     INFO -  --DOMWINDOW == 98 (0E576680) [serial = 1969] [outer = 00000000] [url = file:///C:/slave/test/build/tests/jsreftest/tests/jsreftest.html?test=ecma_3/String/15.5.4.11.js]
16:13:11     INFO -  --DOMWINDOW == 97 (0E574628) [serial = 1968] [outer = 00000000] [url = data:text/html;charset=UTF-8,%3C%21%2D%2DCLEAR%2D%2D%3E]
16:13:11     INFO -  --DOMWINDOW == 96 (0E576230) [serial = 1967] [outer = 00000000] [url = file:///C:/slave/test/build/tests/jsreftest/tests/jsreftest.html?test=ecma_3/Statements/switch-002.js]
16:13:11     INFO -  --DOMWINDOW == 95 (0E5750F0) [serial = 1966] [outer = 00000000] [url = data:text/html;charset=UTF-8,%3C%21%2D%2DCLEAR%2D%2D%3E]
16:13:15  WARNING -  TEST-UNEXPECTED-FAIL | file:///C:/slave/test/build/tests/jsreftest/tests/jsreftest.html?test=ecma_5/JSON/parse-array-gc.js | Exited with code -1073741819 during test run
16:13:15     INFO -  INFO | automation.py | Application ran for: 0:07:26.338000
16:13:15     INFO -  INFO | automation.py | Reading PID log: c:\users\cltbld~1.t-w\appdata\local\temp\tmpxke5htpidlog
16:13:21     INFO -  PROCESS-CRASH | file:///C:/slave/test/build/tests/jsreftest/tests/jsreftest.html?test=ecma_5/JSON/parse-array-gc.js | application crashed [@ MarkValueInternal]
16:13:21     INFO -  Crash dump filename: c:\users\cltbld~1.t-w\appdata\local\temp\tmpytn8gv\minidumps\9d10bd17-defe-4fe1-bde4-46ac7eecc464.dmp
16:13:21     INFO -  Operating system: Windows NT
16:13:21     INFO -                    6.2.9200
16:13:21     INFO -  CPU: x86
16:13:21     INFO -       GenuineIntel family 6 model 30 stepping 5
16:13:21     INFO -       8 CPUs
16:13:21     INFO -  Crash reason:  EXCEPTION_ACCESS_VIOLATION_READ
16:13:21     INFO -  Crash address: 0x0
16:13:21     INFO -  Thread 0 (crashed)
16:13:21     INFO -   0  mozjs.dll!MarkValueInternal [Marking.cpp:d72d29f6a92c : 471 + 0x0]
16:13:21     INFO -      eip = 0x73378146   esp = 0x00adc794   ebp = 0x00adc7a4   ebx = 0x00000000
16:13:21     INFO -      esi = 0x00000000   edi = 0x03bb5fec   eax = 0x00000001   ecx = 0x737f4034
16:13:21     INFO -      edx = 0x03bb5fec   efl = 0x00010202
16:13:21     INFO -      Found by: given as instruction pointer in context
16:13:21     INFO -   1  mozjs.dll!js::gc::MarkValueRootRange(JSTracer *,unsigned int,JS::Value *,char const *) [Marking.cpp:d72d29f6a92c : 550 + 0x12]
16:13:21     INFO -      eip = 0x73378777   esp = 0x00adc7ac   ebp = 0x00adc7bc
16:13:21     INFO -      Found by: call frame info
16:13:21     INFO -   2  mozjs.dll!JS::AutoGCRooter::trace(JSTracer *) [RootMarking.cpp:d72d29f6a92c : 632 + 0x15]
16:13:21     INFO -      eip = 0x733514b3   esp = 0x00adc7c4   ebp = 0x00adc824
16:13:21     INFO -      Found by: call frame info
16:13:21     INFO -   3  mozjs.dll!js::gc::MarkRuntime(JSTracer *,bool) [RootMarking.cpp:d72d29f6a92c : 687 + 0x1c]
16:13:21     INFO -      eip = 0x733519ac   esp = 0x00adc82c   ebp = 0x00adc8f4
16:13:21     INFO -      Found by: call frame info
16:13:21     INFO -   4  mozjs.dll!BeginMarkPhase [jsgc.cpp:d72d29f6a92c : 2873 + 0xf]
16:13:21     INFO -      eip = 0x73029c3f   esp = 0x00adc8fc   ebp = 0x00adc9f0
16:13:21     INFO -      Found by: call frame info
16:13:21     INFO -   5  mozjs.dll!IncrementalCollectSlice [jsgc.cpp:d72d29f6a92c : 4285 + 0x6]
16:13:21     INFO -      eip = 0x73033ed4   esp = 0x00adc9f8   ebp = 0x00adca34
16:13:21     INFO -      Found by: call frame info
16:13:21     INFO -   6  mozjs.dll!GCCycle [jsgc.cpp:d72d29f6a92c : 4463 + 0xe]
16:13:21     INFO -      eip = 0x7303545c   esp = 0x00adca3c   ebp = 0x00adca78
16:13:21     INFO -      Found by: call frame info
16:13:21     INFO -   7  mozjs.dll!Collect [jsgc.cpp:d72d29f6a92c : 4591 + 0x20]
16:13:21     INFO -      eip = 0x730358f9   esp = 0x00adca80   ebp = 0x00adcb10
16:13:21     INFO -      Found by: call frame info
16:13:21     INFO -   8  mozjs.dll!js::gc::RunDebugGC(JSContext *) [jsgc.cpp:d72d29f6a92c : 4797 + 0x13]
16:13:21     INFO -      eip = 0x73035d6a   esp = 0x00adcb18   ebp = 0x00adcb34
16:13:21     INFO -      Found by: call frame info
16:13:21     INFO -   9  mozjs.dll!js::gc::NewGCThing<js::Shape,1>(JSContext *,js::gc::AllocKind,unsigned int,js::gc::InitialHeap) [jsgcinlines.h:d72d29f6a92c : 490 + 0x5]
}
Before https://tbpl.mozilla.org/?tree=Mozilla-Inbound&jobname=Rev3%20WINNT%206.2%20mozilla-inbound%20debug%20test%20jsreftest&rev=41789248e1e6 we had ~15 greens in a row; after it's crashing ~1 in 3 runs.

Jeff, which needs backing out?
Blocks: 837957, 852563
Flags: needinfo?(jwalden+bmo)
This is almost certainly bug 852563, but that is adding a needed fix and shouldn't be backed out.  parse-array-gc.js is added by that bug and could be removed itself I guess.
We saw a bunch of crashes like this on ARM in February, but then they mysteriously stopped. It does seem like a compiler issue, but it could still be our fault.
Give WinXP enough opportunities to fail, and it will do so.
Summary: Intermittent Windows 8 ecma_5/JSON/parse-array-gc.js | application crashed [@ MarkValueInternal] → Intermittent Windows ecma_5/JSON/parse-array-gc.js | application crashed [@ MarkValueInternal]
Attached patch: patch
The stack for this crash looks like this:

mozjs.dll!js::gc::MarkValueRootRange(JSTracer *,unsigned int,JS::Value *,char const *) [Marking.cpp:d72d29f6a92c : 550 + 0x12]
mozjs.dll!JS::AutoGCRooter::trace(JSTracer *) [RootMarking.cpp:d72d29f6a92c : 632 + 0x15]
...
mozjs.dll!JS_NewArrayObject(JSContext *,int,JS::Value *) [jsapi.cpp:d72d29f6a92c : 4677 + 0xb]
xul.dll!nsFrameMessageManager::SendSyncMessage(nsAString_internal const &,JS::Value const &,JSContext *,unsigned char,JS::Value *) [nsFrameMessageManager.cpp:d72d29f6a92c : 383 + 0xb]

If you look at nsFrameMessageManager::SendSyncMessage, it passes NULL for the Value* argument to JS_NewArrayObject. That seems to be an okay thing for that function since it explicitly checks for NULL. However, it also tries to root the array, which is wrong if it's NULL.

As far as I can tell, this has been a longstanding (though rare) NULL crash. It seems like the easiest fix is to NULL check the array during root marking.
Assignee: general → wmccloskey
Status: NEW → ASSIGNED
Attachment #727410 - Flags: review?(bhackett1024)
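The failure mode in the comment above, as an added example that is not SpiderMonkey's code: a toy root marker built from constructed stand-ins for JS::Value, JSTracer and AutoArrayRooter. The function names markValueRootRange, traceUnfixed and traceFixed are assumptions chosen to mirror the stack; the unfixed trace trusts the rooter's length alone and reads through a NULL array, while the fixed trace adds the null check the patch introduces, so a rooter created from a NULL value vector (the JS_NewArrayObject case) marks nothing instead of faulting.

```cpp
// Added example, not SpiderMonkey code. Models the NULL-array rooter bug:
// an array rooter carries (length, array); the marker walks `length`
// values starting at `array`, so a rooter with array == NULL and
// length > 0 makes the marker read address 0.
#include <cstddef>
#include <cstdint>
#include <vector>

// Constructed stand-in for JS::Value: we only track whether the value
// is a GC pointer that needs marking.
struct Value {
    bool isGCThing;
    uintptr_t payload;
};

// Constructed stand-in for JSTracer: counts the values that were marked.
struct Tracer {
    std::size_t marked = 0;
};

// Mirrors MarkValueRootRange: marks `len` values starting at `vec`.
// It dereferences vec unconditionally; with vec == NULL and len > 0 this
// is the read at address 0x0 seen in the crash report.
void markValueRootRange(Tracer* trc, std::size_t len, const Value* vec) {
    for (std::size_t i = 0; i < len; ++i) {
        if (vec[i].isGCThing)   // reads through vec
            ++trc->marked;
    }
}

// Constructed stand-in for AutoArrayRooter. `array` may legitimately be
// NULL because JS_NewArrayObject accepts a NULL value vector and roots it.
struct ArrayRooter {
    std::size_t length;
    const Value* array;
};

// Unfixed trace: always hands the rooter to the range marker.
// Undefined behaviour when array == nullptr && length > 0 (the bug).
void traceUnfixed(Tracer* trc, const ArrayRooter& r) {
    markValueRootRange(trc, r.length, r.array);
}

// Fixed trace: the null check from the patch. A rooter whose array is
// NULL has nothing to mark, whatever its length field says.
void traceFixed(Tracer* trc, const ArrayRooter& r) {
    if (r.array)
        markValueRootRange(trc, r.length, r.array);
}

// Marks every rooter with the fixed tracer and returns the mark count.
std::size_t markAllFixed(const std::vector<ArrayRooter>& roots) {
    Tracer trc;
    for (const ArrayRooter& r : roots)
        traceFixed(&trc, r);
    return trc.marked;
}

// Constructed root set: one ordinary rooter and one rooter built the way
// a caller passing (length > 0, NULL) to JS_NewArrayObject would build it.
std::size_t demo() {
    static const Value vals[3] = {{true, 0x1000}, {false, 0}, {true, 0x2000}};
    std::vector<ArrayRooter> roots = {
        {3, vals},      // normal rooter: two GC things to mark
        {4, nullptr},   // NULL vector with nonzero length: the crashing case
    };
    return markAllFixed(roots);   // 2: the NULL rooter contributes nothing
}
```

Calling traceUnfixed on the second rooter is exactly the path in the stack above and is undefined behaviour, so the demonstration only routes it through traceFixed; the unfixed version is kept for side-by-side comparison of the single missing check.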
RyanVM said he already disabled the test, so we need to re-enable it when this problem is fixed.
Comment on attachment 727410 [details] [diff] [review]
patch

Review of attachment 727410 [details] [diff] [review]:
-----------------------------------------------------------------

Ack, I should have looked more closely at the stack trace.

::: js/src/gc/RootMarking.cpp
@@ +627,5 @@
>          return;
>      }
>  
>      JS_ASSERT(tag_ >= 0);
> +    if (static_cast<AutoArrayRooter *>(this)->array) {
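Review bot: the new guard `if (static_cast<AutoArrayRooter *>(this)->array) {` at +627 carries no comment saying why a rooter with a NULL array is legitimate; add a one-line comment noting that JS_NewArrayObject accepts a NULL Value* vector and still roots it, so a later reader does not remove the check as dead code. The hunk shows only the opening of the conditional, so confirm the closing brace wraps just the marking call and that `JS_ASSERT(tag_ >= 0);` stays outside the guard as it does here.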

Maybe add a temp to avoid the duplicate static_cast?
Attachment #727410 - Flags: review?(bhackett1024) → review+
Disabled on all Windows debug builds. Bill, make sure to take the [leave open] off when you push your fix.

https://hg.mozilla.org/integration/mozilla-inbound/rev/65bbddd22ef0
Whiteboard: [leave open]
I looked more closely at those Android crashes, and it looks like the same problem. It was harder to see in those stacks because they had a lot more junk in them. I'll land this whenever the tree reopens.
Flags: needinfo?(jwalden+bmo)
https://hg.mozilla.org/mozilla-central/rev/d3f79c7dc180
Status: ASSIGNED → RESOLVED
Closed: 9 years ago
Resolution: --- → FIXED
Target Milestone: --- → mozilla22
No longer blocks: 837957