Closed Bug 890243 Opened 11 years ago Closed 10 years ago

Crash in EnterBaseline when using multiple JSContexts per Runtime

Categories

(Core :: JavaScript Engine, defect)

Product:
Core
Component:
JavaScript Engine
Version:
24 Branch
Platform:
x86_64
Linux
Type:
defect
Priority:
Not set
Severity:
critical

Tracking

()

Status:
RESOLVED DUPLICATE of bug 905926

People

(Reporter: yves.gwerder, Unassigned)

References

(Blocks 1 open bug)

Details

(Keywords: crash, Whiteboard: [Not a browser crash])

Attachments

(4 files)

callstack.txt
3.08 KB, text/plain
Details
Debugging session with djvj (also posten on IRC)
1.66 KB, text/plain
Details
Instruction dump at the location of the crash
5.59 KB, text/plain
Details
It's as simple as that to reproduce...
1.11 KB, text/plain
Details
Attached file callstack.txt
User Agent: Mozilla/5.0 (X11; Ubuntu; Linux x86_64; rv:22.0) Gecko/20100101 Firefox/22.0 (Beta/Release) Build ID: 20130620122336 Steps to reproduce: I'm working on upgrading Spidermonkey from 1.8.5 to 24 for 0 A.D. (http://play0ad.com/). At startup we run a hardware detection script and then load the GUI. Some additional notes: - I mentioned the issue on IRC and did some debugging together with djvj. http://logbot.glob.com.au/?c=mozilla%23jsapi&s=2+Jul+2013&e=4+Jul+2013#c210959 - I switched to the newest Aurora branch today and it still happens - I'm trying to create some sample code to reproduce the crash. The problem is that if you wanted to reproduce it the same way I did you'd have to download 0 A.D. and apply my WIP patch which is already several thousand lines long and quite cumbersome to apply. Actual results: - It did not crash with a non-threadsafe build and with different runtimes for both scripts. - It also doesn't crash If I don't run the hardware detection script and directly start the GUI. - It DOES crash with a THREADSAFE build when I run the hardware detection script and then run the GUI using the same runtime but a different context. The crash seems to happend because it tries accessing JIT-code that already got cleaned up (check the attachments). Expected results: It should not crash or if I used the API incorrectly somewhere it could probably assert for that earlier.
Blocks: SadJit
Severity: normal → critical
Crash Signature: [@ EnterBaseline]
Keywords: crash
This looks a bit suspicious in js::gc::MarkRuntime: /* Any Ion wrappers survive until the runtime is being torn down. */ if (rt->hasContexts()) ion::IonRuntime::Mark(trc);
(In reply to Jan de Mooij [:jandem] from comment #4) > This looks a bit suspicious in js::gc::MarkRuntime: > > /* Any Ion wrappers survive until the runtime is being torn down. */ > if (rt->hasContexts()) > ion::IonRuntime::Mark(trc); Yeah, and GC is clearly hit due to the following path: JS_DestroyContext (in jsapi.cpp) calls DestroyContext(cx, DCM_FORCE_GC) DestroyContext removes the context, and then calls GC unconditionally. If the removed context is the last one, this will collect the Ion trampoline stubs. I don't know if this behaviour is really a bug? Yves: Can you try keeping an extra context alive? I.e. Keep a minimal context (no InitStandardClasses for the global, etc.) alive all the time, not touching it, and do the Setup/Teardown with separate contexts?
Flags: needinfo?(yves.gwerder)
Adding such a dummy-context after creating the runtime works around the issue. I'd call it workaround but for me it's fine for the moment.
Flags: needinfo?(yves.gwerder)
On a related note, bholley is hard at work removing all of Gecko's dependencies on having multiple JSContexts and, once he is finished, we'll merge JSContext and JSRuntime. In the meantime, it'd be a good idea to only create JSContexts and JSRuntimes in 1:1 pairs.
enterBaseline crashers are topcrash #4 on 23, #5 on 24 and #14 on 25. See bug 861503 and bug 858032 nominating for 24 and 25
Status: UNCONFIRMED → NEW
status-firefox23: --- → affected
status-firefox24: --- → affected
status-firefox25: --- → affected
tracking-firefox24: --- → ?
tracking-firefox25: --- → ?
Ever confirmed: true
Keywords: topcrash
(In reply to Tracy Walker [:tracy] from comment #8) > enterBaseline crashers are topcrash #4 on 23, #5 on 24 and #14 on 25. See > bug 861503 and bug 858032 Bug 858032 is the top crasher. For this one, crash stats tell nothing.
Keywords: topcrash
Tracy looks like Kairo is saying that this may be expected : https://bugzilla.mozilla.org/show_bug.cgi?id=858032#c5 , unclear why we track then. Any more data we can get here to make it actionable or track ?
(In reply to bhavana bajaj [:bajaj] (on vacation until 08/14/2013) from comment #10) > Any more data we can get here to make it actionable or track ? Any reproducible crash that blocks a top crasher is good to track unless it's known to cause only a small ratio of crashes.
Tracking as this is a reproducible case for the pool of [EnterBaseline] crashes in 858032. Needinfoing :naveed to help with assignee here.
tracking-firefox24: ?+
tracking-firefox25: ?+
Flags: needinfo?(nihsanullah)
I will look into this, though I doubt this is responsible for these topcrashes. The EnterBaseline signature is for crashes in JIT code and it's a collection of different bugs, many of them random memory corruption elsewhere. Apparently lots of other things will fail if we destroy the last JSContext before the runtime is destroyed, see bug 905926 comment 0. I should have a fix for this on Monday.
Flags: needinfo?(nihsanullah) → needinfo?(jdemooij)
Bill, I think we want something other than rt->hasContexts() in MarkRuntime. I think not marking atoms in this case is also a problem for Bobby's work in bug 905926, or am I missing something? Just removing the rt->hasContexts() will undo bug 904282, so I'm not sure how to proceed. if (rt->hasContexts() && !trc->runtime->isHeapMinorCollecting() && (!IS_GC_MARKING_TRACER(trc) || rt->atomsCompartment()->zone()->isCollecting())) { MarkAtoms(trc); rt->staticStrings.trace(trc); #ifdef JS_ION ion::IonRuntime::Mark(trc); #endif }
Flags: needinfo?(wmccloskey)
Yeah, this has been a problem for a while. We've been pretty lazy using rt->hasContexts() as a proxy for lots of somewhat unrelated things (my fault). This will have to get fixed in bug 905926, so I'll make this depend on that. However, Firefox always has at least one context around until shutdown, so it never triggers this problem. This bug is not causing any Firefox crashes and it should not be tracked.
tracking-firefox24: + → ---
tracking-firefox25: + → ---
Depends on: 905926
Flags: needinfo?(wmccloskey)
Crash Signature: [@ EnterBaseline]
Whiteboard: [Not a browser crash]
Thank you, clearing needinfo? flag.
Flags: needinfo?(jdemooij)
Assignee: general → nobody
Bug 905926 should have fixed this, we now use rt->isBeingDestroyed() instead of !rt->hasContexts().
Status: NEW → RESOLVED
Closed: 10 years ago
Resolution: --- → DUPLICATE
You need to log in before you can comment on or make changes to this bug.

Attachment

General

Creator:
Created:
Updated:
Size: