Closed Bug 894251 Opened 11 years ago Closed 11 years ago

Intermittent PROCESS-CRASH | /tests/dom/tests/mochitest/whatwg/test_bug477323.html | application crashed [@ js::ion::Assembler::TraceJumpRelocations(JSTracer*, js::ion::IonCode*, js::ion::CompactBufferReader&)]

Categories

(Core :: JavaScript Engine, defect)

Product:
Core
Component:
JavaScript Engine
Platform:
ARM
Android
Type:
defect
Priority:
Not set
Severity:
normal

Tracking

()

Status:
RESOLVED FIXED
Milestone:
mozilla25
Tracking Flags:
Tracking Status
firefox23 --- fixed
firefox24 --- fixed
firefox25 --- fixed

People

(Reporter: cbook, Unassigned)

References

(
URL
)

Details

(Keywords: crash, intermittent-failure)

Crash Data

Attachments

(1 file, 1 obsolete file)

/home/mjrosenb/patches/use_movPatchable-r1.patch
3.65 KB, patch
jandem
: review+
lsblakk
: approval-mozilla-aurora+
lsblakk
: approval-mozilla-beta+
Details | Diff | Splinter Review 
https://tbpl.mozilla.org/php/getParsedLog.php?id=25314464&tree=Mozilla-Inbound

Android Tegra 250 mozilla-inbound opt test mochitest-7 on 2013-07-15 23:57:37 PDT for push d9a84be1a35c

slave: tegra-057

PROCESS-CRASH | /tests/dom/tests/mochitest/whatwg/test_bug477323.html | application crashed [@ js::ion::Assembler::TraceJumpRelocations(JSTracer*, js::ion::IonCode*, js::ion::CompactBufferReader&)]


ROCESS-CRASH | /tests/dom/tests/mochitest/whatwg/test_bug477323.html | application crashed [@ js::ion::Assembler::TraceJumpRelocations(JSTracer*, js::ion::IonCode*, js::ion::CompactBufferReader&)]
Crash dump filename: /tmp/tmpjQdAz0/17978f29-154f-20db-3316e991-6b32e453.dmp
Operating system: Android
                  0.0.0 Linux 2.6.32.9-00002-gd8084dc-dirty #1 SMP PREEMPT Wed Feb 2 11:32:06 PST 2011 armv7l nvidia/harmony/harmony/harmony:2.2/FRF91/20110202.102810:eng/test-keys
CPU: arm
     2 CPUs

Crash reason:  SIGSEGV
Crash address: 0x4e345c2

Thread 33 (crashed)
 0  libxul.so!js::ion::Assembler::TraceJumpRelocations(JSTracer*, js::ion::IonCode*, js::ion::CompactBufferReader&) [IonCode.h:d9a84be1a35c : 117 + 0x0]
     r4 = 0x500057ca    r5 = 0x500057ca    r6 = 0x5e176148    r7 = 0x5692854c
     r8 = 0x6241dfd8    r9 = 0x012fff10   r10 = 0x500057ca    fp = 0x5e176208
     sp = 0x60affb60    lr = 0x56445ea1    pc = 0x56445faa
    Found by: given as instruction pointer in context
 1  libxul.so!js::ion::IonCode::trace(JSTracer*) [Ion.cpp:d9a84be1a35c : 481 + 0x3]
     r4 = 0x6241dfd8    r5 = 0x5e176148    r6 = 0x50005710    r7 = 0x00000002
     r8 = 0x60affc90    r9 = 0x5e176148   r10 = 0x5e176000    fp = 0x5e176208
     sp = 0x60affb88    pc = 0x563e4efb
    Found by: call frame info
 2  libxul.so!js::GCMarker::processMarkStackOther(js::SliceBudget&, unsigned int, unsigned int) [Marking.cpp:d9a84be1a35c : 1164 + 0x7]
     r4 = 0x6241dfd8    r5 = 0x56aeafb4    r6 = 0x5d4bde2c    r7 = 0x00000001
     r8 = 0x60affc90    r9 = 0x5e176148   r10 = 0x5e176000    fp = 0x5e176208
     sp = 0x60affba8    pc = 0x562ae47f
    Found by: call frame info
 3  libxul.so!js::GCMarker::drainMarkStack(js::SliceBudget&) [Marking.cpp:d9a84be1a35c : 1402 + 0x7]
     r4 = 0x5e160cac    r5 = 0x5e176148    r6 = 0x5d4bde2c    r7 = 0x00000001
     r8 = 0x5d4bde2c    r9 = 0x60affc90   r10 = 0x5e176000    fp = 0x5e176208
     sp = 0x60affbf8    pc = 0x562ae7db
    Found by: call frame info
 4  libxul.so!IncrementalCollectSlice [jsgc.cpp:d9a84be1a35c : 3798 + 0x7]
     r4 = 0x5e160cac    r5 = 0x00000001    r6 = 0x5d4bde2c    r7 = 0x60affc90
     r8 = 0x5d4bde2c    r9 = 0x5e160cac   r10 = 0x5e176000    fp = 0x5e176208
     sp = 0x60affc28    pc = 0x5633737f
    Found by: call frame info
 5  libxul.so!GCCycle [jsgc.cpp:d9a84be1a35c : 4442 + 0x11]
     r4 = 0x00000000    r5 = 0x00000000    r6 = 0x5e176000    r7 = 0x5691f148
     r8 = 0x00000003    r9 = 0x5e176208   r10 = 0x00000000    fp = 0x00000000
     sp = 0x60affd20    pc = 0x56338585
This was almost certainly caused by my change earlier today: https://hg.mozilla.org/integration/mozilla-inbound/rev/302fb81f0729
although I am not sure how this change could have this affect.
filed bug 894260 to get the minidump file
Crash Signature: @ js::ion::Assembler::TraceJumpRelocations(JSTracer*, js::ion::IonCode*, js::ion::CompactBufferReader&) → [@ js::ion::Assembler::TraceJumpRelocations(JSTracer*, js::ion::IonCode*, js::ion::CompactBufferReader&)]
Depends on: 871290
(In reply to TinderboxPushlog Robot from comment #5)
> RyanVM
> https://tbpl.mozilla.org/php/getParsedLog.php?id=25340134&tree=Mozilla-
> Inbound
> Android Tegra 250 mozilla-inbound opt test mochitest-2 on 2013-07-16 12:27:47
> revision: 703acacad625
> slave: tegra-076
> 
> PROCESS-CRASH |
> /tests/content/html/content/test/test_iframe_sandbox_workers.html |
> application crashed [@ js::ion::Assembler::TraceJumpRelocations(JSTracer*,
> js::ion::IonCode*, js::ion::CompactBufferReader&)]

This was post-backout...
Flags: needinfo?(mrosenberg)
Thank you for all of the failures!
I am now decently convinced that this problem is armv6-specific, and will re-focus my efforts there!
Flags: needinfo?(mrosenberg)
It may be hitting more commonly on Armv6, but there are instances on Armv7 as well in bug 893376.
Ryan since bug 893376 and this bug seems related shouldn't we dupe bug 893376 to this one ?
As the short description of the patch says, don't use mov to get an immediate into r12 to call.  The tracer has no clue how to deal with a single instruction move.  Currently, we use the standard move method, which tries a single instruction move, then a single instruction movn, and if neither of those works, then it generates a two instruction move. There are probably around 3,000 valid addresses that can be encoded as a single instruction move, so if we get *incredibly* unlucky, we'll generate an instruction sequence that can't be traced.
Attachment #781506 - Flags: review?(jdemooij)
made sure it actually compiles, and fix another two uses of ma_mov.
Attachment #781518 - Flags: review?(jdemooij)
Comment on attachment 781518 [details] [diff] [review]
/home/mjrosenb/patches/use_movPatchable-r1.patch

Review of attachment 781518 [details] [diff] [review]:
-----------------------------------------------------------------

::: js/src/ion/arm/MacroAssembler-arm.cpp
@@ +1517,5 @@
> +    if (hasMOVWT()) {
> +        rs = L_MOVWT;
> +    } else {
> +        rs = L_LDR;
> +    }

Nit: style guide wants no braces here (condition/then/else are all single-line). r=me with that, here and below.
Attachment #781518 - Flags: review?(jdemooij) → review+
Attachment #781506 - Attachment is obsolete: true
Attachment #781506 - Flags: review?(jdemooij)
Comment on attachment 781518 [details] [diff] [review]
/home/mjrosenb/patches/use_movPatchable-r1.patch

[Approval Request Comment]
Bug caused by (feature/regressing bug #): IonMonkey
User impact if declined: UB during gc in incredibly rare circumstances
Testing completed (on m-c, etc.): I'll let it stew on m-i for a while
Risk to taking this patch (and alternatives if risky): negligible slow down in cases that may have caused a crash.
String or IDL/UUID changes made by this patch:
Attachment #781518 - Flags: approval-mozilla-beta?
Attachment #781518 - Flags: approval-mozilla-aurora?
Blocks: 871290
No longer depends on: 871290
https://hg.mozilla.org/mozilla-central/rev/50541189f179

Well played, sir. Thanks for not quitting on this.
Status: NEW → RESOLVED
Closed: 11 years ago
Flags: in-testsuite+
Resolution: --- → FIXED
Target Milestone: --- → mozilla25
Attachment #781518 - Flags: approval-mozilla-beta?
Attachment #781518 - Flags: approval-mozilla-beta+
Attachment #781518 - Flags: approval-mozilla-aurora?
Attachment #781518 - Flags: approval-mozilla-aurora+
You need to log in before you can comment on or make changes to this bug.

Attachment

General

Creator:
Created:
Updated:
Size: