905544 - Segmentation fault at JSRuntime::atomsCompartment

Status: RESOLVED FIXED

(Core :: JavaScript Engine, defect)

Description

[Kan-Ru Chen [:kanru] (UTC+9)]

B2G with current mozilla-central https://hg.mozilla.org/mozilla-central/file/a8daa428ccbc

0x42347038 in JSRuntime::atomsCompartment (this=0x43e12000) at /home/kanru/zone2/mozilla/central/js/src/vm/Runtime.h:1392
1392            JS_ASSERT(currentThreadHasExclusiveAccess());

#0  0x42347038 in JSRuntime::atomsCompartment (this=0x43e12000) at /home/kanru/zone2/mozilla/central/js/src/vm/Runtime.h:1392
#1  0x4235858a in BeginMarkPhase (rt=0x43e12000, budget=<value optimized out>, reason=JS::gcreason::TOO_MUCH_MALLOC, gckind=js::GC_NORMAL)
    at /home/kanru/zone2/mozilla/central/js/src/jsgc.cpp:2770
#2  IncrementalCollectSlice (rt=0x43e12000, budget=<value optimized out>, reason=JS::gcreason::TOO_MUCH_MALLOC, gckind=js::GC_NORMAL)
    at /home/kanru/zone2/mozilla/central/js/src/jsgc.cpp:4278
#3  0x42359fda in GCCycle (rt=0x43e12000, incremental=false, budget=0, gckind=js::GC_NORMAL, reason=JS::gcreason::TOO_MUCH_MALLOC)
    at /home/kanru/zone2/mozilla/central/js/src/jsgc.cpp:4462
#4  0x4235a302 in Collect (rt=0x43e12000, incremental=true, budget=30000, gckind=js::GC_NORMAL, reason=JS::gcreason::TOO_MUCH_MALLOC)
    at /home/kanru/zone2/mozilla/central/js/src/jsgc.cpp:4598
#5  0x4235a5f8 in GCSlice (rt=0x81, gckind=<value optimized out>, reason=JS::gcreason::TOO_MUCH_MALLOC, millis=0)
    at /home/kanru/zone2/mozilla/central/js/src/jsgc.cpp:4634
#6  0x4230dd20 in js_InvokeOperationCallback (cx=0x404d2960) at /home/kanru/zone2/mozilla/central/js/src/jscntxt.cpp:1011
#7  0x4230de0e in js_HandleExecutionInterrupt (cx=0x81) at /home/kanru/zone2/mozilla/central/js/src/jscntxt.cpp:1039
#8  0x4221d884 in Interpret (cx=0x404d2960, state=<value optimized out>) at /home/kanru/zone2/mozilla/central/js/src/vm/Interpreter.cpp:1672
#9  0x42220834 in js::RunScript (cx=0x404d2960, state=...) at /home/kanru/zone2/mozilla/central/js/src/vm/Interpreter.cpp:446
#10 0x42220d6e in js::Invoke (cx=0x404d2960, args=..., construct=js::NO_CONSTRUCT) at /home/kanru/zone2/mozilla/central/js/src/vm/Interpreter.cpp:508
#11 0x42221682 in js::Invoke (cx=0x404d2960, thisv=..., fval=..., argc=0, argv=0x0, rval=...)
    at /home/kanru/zone2/mozilla/central/js/src/vm/Interpreter.cpp:539
#12 0x422e443e in JS_CallFunction (cx=0x404d2960, objArg=<value optimized out>, fun=0x47918f00, argc=0, argv=0x0, rval=0xbed68410)
    at /home/kanru/zone2/mozilla/central/js/src/jsapi.cpp:5318
#13 0x417b8684 in mozJSComponentLoader::ObjectForLocation (this=<value optimized out>, aComponentFile=0x404d2960, aURI=<value optimized out>, 
    aObject=<value optimized out>, aLocation=0x47807ae4, aPropagateExceptions=true, aException=...)
    at /home/kanru/zone2/mozilla/central/js/xpconnect/loader/mozJSComponentLoader.cpp:1036
#14 0x417b9116 in mozJSComponentLoader::ImportInto (this=0x40420690, aLocation=..., targetObj=..., callercx=<value optimized out>, vp=...)
    at /home/kanru/zone2/mozilla/central/js/xpconnect/loader/mozJSComponentLoader.cpp:1248
#15 0x417b9986 in mozJSComponentLoader::Import (this=0x40420690, registryLocation=..., targetValArg=<value optimized out>, cx=0x404d2960, 
    optionalArgc=0 '\000', retval=0xbed689e8) at /home/kanru/zone2/mozilla/central/js/xpconnect/loader/mozJSComponentLoader.cpp:1145
#16 0x41779332 in nsXPCComponents_Utils::Import (this=<value optimized out>, registryLocation=..., targetObj=..., cx=0x404d2960, 
    optionalArgc=<value optimized out>, retval=0xbed689e8) at /home/kanru/zone2/mozilla/central/js/xpconnect/src/XPCComponents.cpp:3963
#17 0x41db5882 in NS_InvokeByIndex (that=0x43f6bdc0, methodIndex=7, paramCount=<value optimized out>, params=<value optimized out>)
    at /home/kanru/zone2/mozilla/central/xpcom/reflect/xptcall/src/md/unix/xptcinvoke_arm.cpp:164
#18 0x417a0364 in CallMethodHelper::Invoke (this=0xbed68980) at /home/kanru/zone2/mozilla/central/js/xpconnect/src/XPCWrappedNative.cpp:2808
#19 CallMethodHelper::Call (this=0xbed68980) at /home/kanru/zone2/mozilla/central/js/xpconnect/src/XPCWrappedNative.cpp:2148
#20 0x417a1572 in XPCWrappedNative::CallMethod (ccx=..., mode=<value optimized out>)
    at /home/kanru/zone2/mozilla/central/js/xpconnect/src/XPCWrappedNative.cpp:2114
#21 0x417a7c9e in XPC_WN_CallMethod (cx=0x404d2960, argc=1, vp=<value optimized out>)
---Type <return> to continue, or q <return> to quit---
    at /home/kanru/zone2/mozilla/central/js/xpconnect/src/XPCWrappedNativeJSOps.cpp:1315
#22 0x42216944 in js::CallJSNative (cx=0x404d2960, native=0x417a7b91 <XPC_WN_CallMethod(JSContext*, unsigned int, JS::Value*)>, args=...)
    at /home/kanru/zone2/mozilla/central/js/src/jscntxtinlines.h:218
#23 0x42220dd6 in js::Invoke (cx=0x404d2960, args=..., construct=js::NO_CONSTRUCT) at /home/kanru/zone2/mozilla/central/js/src/vm/Interpreter.cpp:489
#24 0x4221e652 in Interpret (cx=0x404d2960, state=<value optimized out>) at /home/kanru/zone2/mozilla/central/js/src/vm/Interpreter.cpp:2484
#25 0x42220834 in js::RunScript (cx=0x404d2960, state=...) at /home/kanru/zone2/mozilla/central/js/src/vm/Interpreter.cpp:446
#26 0x42220d6e in js::Invoke (cx=0x404d2960, args=..., construct=js::NO_CONSTRUCT) at /home/kanru/zone2/mozilla/central/js/src/vm/Interpreter.cpp:508
#27 0x42221682 in js::Invoke (cx=0x404d2960, thisv=..., fval=..., argc=0, argv=0x0, rval=...)
    at /home/kanru/zone2/mozilla/central/js/src/vm/Interpreter.cpp:539
#28 0x422e443e in JS_CallFunction (cx=0x404d2960, objArg=<value optimized out>, fun=0x479188c0, argc=0, argv=0x0, rval=0xbed69600)
    at /home/kanru/zone2/mozilla/central/js/src/jsapi.cpp:5318
#29 0x417b8684 in mozJSComponentLoader::ObjectForLocation (this=<value optimized out>, aComponentFile=0x404d2960, aURI=<value optimized out>, 
    aObject=<value optimized out>, aLocation=0x46d9b2d4, aPropagateExceptions=true, aException=...)
    at /home/kanru/zone2/mozilla/central/js/xpconnect/loader/mozJSComponentLoader.cpp:1036
#30 0x417b9116 in mozJSComponentLoader::ImportInto (this=0x40420690, aLocation=..., targetObj=..., callercx=<value optimized out>, vp=...)
    at /home/kanru/zone2/mozilla/central/js/xpconnect/loader/mozJSComponentLoader.cpp:1248
#31 0x417b9986 in mozJSComponentLoader::Import (this=0x40420690, registryLocation=..., targetValArg=<value optimized out>, cx=0x44eaf090, 
    optionalArgc=0 '\000', retval=0xbed69bd8) at /home/kanru/zone2/mozilla/central/js/xpconnect/loader/mozJSComponentLoader.cpp:1145
#32 0x41779332 in nsXPCComponents_Utils::Import (this=<value optimized out>, registryLocation=..., targetObj=..., cx=0x44eaf090, 
    optionalArgc=<value optimized out>, retval=0xbed69bd8) at /home/kanru/zone2/mozilla/central/js/xpconnect/src/XPCComponents.cpp:3963
#33 0x41db5882 in NS_InvokeByIndex (that=0x46d0d160, methodIndex=7, paramCount=<value optimized out>, params=<value optimized out>)
    at /home/kanru/zone2/mozilla/central/xpcom/reflect/xptcall/src/md/unix/xptcinvoke_arm.cpp:164
#34 0x417a0364 in CallMethodHelper::Invoke (this=0xbed69b70) at /home/kanru/zone2/mozilla/central/js/xpconnect/src/XPCWrappedNative.cpp:2808
#35 CallMethodHelper::Call (this=0xbed69b70) at /home/kanru/zone2/mozilla/central/js/xpconnect/src/XPCWrappedNative.cpp:2148
#36 0x417a1572 in XPCWrappedNative::CallMethod (ccx=..., mode=<value optimized out>)
    at /home/kanru/zone2/mozilla/central/js/xpconnect/src/XPCWrappedNative.cpp:2114
#37 0x417a7c9e in XPC_WN_CallMethod (cx=0x44eaf090, argc=1, vp=<value optimized out>)
    at /home/kanru/zone2/mozilla/central/js/xpconnect/src/XPCWrappedNativeJSOps.cpp:1315
#38 0x42216944 in js::CallJSNative (cx=0x44eaf090, native=0x417a7b91 <XPC_WN_CallMethod(JSContext*, unsigned int, JS::Value*)>, args=...)
    at /home/kanru/zone2/mozilla/central/js/src/jscntxtinlines.h:218
#39 0x42220dd6 in js::Invoke (cx=0x44eaf090, args=..., construct=js::NO_CONSTRUCT) at /home/kanru/zone2/mozilla/central/js/src/vm/Interpreter.cpp:489
#40 0x4221e652 in Interpret (cx=0x44eaf090, state=<value optimized out>) at /home/kanru/zone2/mozilla/central/js/src/vm/Interpreter.cpp:2484
#41 0x42220834 in js::RunScript (cx=0x44eaf090, state=...) at /home/kanru/zone2/mozilla/central/js/src/vm/Interpreter.cpp:446
#42 0x42221978 in ExecuteKernel (cx=0x44eaf090, script=..., scopeChainArg=<value optimized out>, rval=<value optimized out>)
    at /home/kanru/zone2/mozilla/central/js/src/vm/Interpreter.cpp:630
#43 js::Execute (cx=0x44eaf090, script=..., scopeChainArg=<value optimized out>, rval=<value optimized out>)
---Type <return> to continue, or q <return> to quit---o
    at /home/kanru/zone2/mozilla/central/js/src/vm/Interpreter.cpp:667
#44 0x422e93ea in JS_ExecuteScript (cx=0x44eaf090, objArg=<value optimized out>, scriptArg=0x45acb200, rval=0xbed6a538)
    at /home/kanru/zone2/mozilla/central/js/src/jsapi.cpp:5120
#45 0x4141fd96 in mozilla::dom::XULDocument::ExecuteScript (this=<value optimized out>, aContext=0x46990440, aScriptObject=<value optimized out>)
    at /home/kanru/zone2/mozilla/central/content/xul/document/src/XULDocument.cpp:3654
#46 0x4141ffa2 in mozilla::dom::XULDocument::ExecuteScript (this=0x46d46800, aScript=0x4695b310)
    at /home/kanru/zone2/mozilla/central/content/xul/document/src/XULDocument.cpp:3677
#47 0x41426e52 in mozilla::dom::XULDocument::OnStreamComplete (this=0x46d46800, aLoader=<value optimized out>, context=<value optimized out>, 
    aStatus=<value optimized out>, stringLen=42753, 
    string=0x476d9000 "/* -*- Mode: Java; tab-width: 2; indent-tabs-mode: nil; c-basic-offset: 2 -*- /\n/* vim: set shiftwidth=2 tabstop=2 autoindent c
indent expandtab: */\n/* This Source Code Form is subject to the terms of "...)
    at /home/kanru/zone2/mozilla/central/content/xul/document/src/XULDocument.cpp:3542
#48 0x40e634fc in nsStreamLoader::OnStopRequest (this=0x471437f0, request=<value optimized out>, ctxt=<value optimized out>, aStatus=0)
    at /home/kanru/zone2/mozilla/central/netwerk/base/src/nsStreamLoader.cpp:101
#49 0x40f7828e in nsJARChannel::OnStopRequest (this=0x4536c2f0, req=<value optimized out>, ctx=<value optimized out>, status=0)
    at /home/kanru/zone2/mozilla/central/modules/libjar/nsJARChannel.cpp:982
#50 0x40e4991a in nsInputStreamPump::OnStateStop (this=0x471378e0) at /home/kanru/zone2/mozilla/central/netwerk/base/src/nsInputStreamPump.cpp:627
#51 0x40e49a9e in nsInputStreamPump::OnInputStreamReady (this=0x471378e0, stream=<value optimized out>)
    at /home/kanru/zone2/mozilla/central/netwerk/base/src/nsInputStreamPump.cpp:395
#52 0x41d8e9e2 in nsInputStreamReadyEvent::Run (this=0x471449e0) at /home/kanru/zone2/mozilla/central/xpcom/io/nsStreamUtils.cpp:82
#53 0x41d9dc10 in nsThread::ProcessNextEvent (this=0x40402550, mayWait=<value optimized out>, result=0xbed6a747)
    at /home/kanru/zone2/mozilla/central/xpcom/threads/nsThread.cpp:622
#54 0x41d66a16 in NS_ProcessNextEvent (thread=0x40402550, mayWait=false)
    at /home/kanru/zone2/mozilla/B2G/objdir-gecko-central-debug/xpcom/build/nsThreadUtils.cpp:238
#55 0x419a59c4 in mozilla::ipc::MessagePump::Run (this=0x40401d90, aDelegate=0x4043e0c0)
    at /home/kanru/zone2/mozilla/central/ipc/glue/MessagePump.cpp:81
#56 0x41dc9d7e in MessageLoop::RunInternal (this=0x4043e0c0) at /home/kanru/zone2/mozilla/central/ipc/chromium/src/base/message_loop.cc:220
#57 0x41dc9d96 in MessageLoop::RunHandler (this=0x4043e0c0) at /home/kanru/zone2/mozilla/central/ipc/chromium/src/base/message_loop.cc:213
#58 MessageLoop::Run (this=0x4043e0c0) at /home/kanru/zone2/mozilla/central/ipc/chromium/src/base/message_loop.cc:187
#59 0x4192d35e in nsBaseAppShell::Run (this=0x43e3f340) at /home/kanru/zone2/mozilla/central/widget/xpwidgets/nsBaseAppShell.cpp:163
#60 0x41841972 in nsAppStartup::Run (this=0x43ffb550) at /home/kanru/zone2/mozilla/central/toolkit/components/startup/nsAppStartup.cpp:269
#61 0x40dc4ac0 in XREMain::XRE_mainRun (this=0xbed6a9b4) at /home/kanru/zone2/mozilla/central/toolkit/xre/nsAppRunner.cpp:3855
#62 0x40dc74da in XREMain::XRE_main (this=0xbed6a9b4, argc=<value optimized out>, argv=<value optimized out>, aAppData=0x217b0)
    at /home/kanru/zone2/mozilla/central/toolkit/xre/nsAppRunner.cpp:3923
#63 0x40dc7670 in XRE_main (argc=1, argv=0xbed6cba4, aAppData=0x217b0, aFlags=<value optimized out>)
    at /home/kanru/zone2/mozilla/central/toolkit/xre/nsAppRunner.cpp:4125

Comment 1

[Bill McCloskey [inactive unless it's an emergency] (:billm)]

How reproducible is this? Just by inspection, I don't see any way that this assertion should fail. exclusiveThreadsPaused should be true here.

Comment 2

[Kan-Ru Chen [:kanru] (UTC+9)]

It always happens at the beginning of booting. So the device is end up in a boot-crash loop.

Comment 3

[Kan-Ru Chen [:kanru] (UTC+9)]

In additional, this is a DEBUG build.

Comment 4

[Kan-Ru Chen [:kanru] (UTC+9)]

(gdb) p numExclusiveThreads
$3 = 0
(gdb) p mainThreadHasExclusiveAccess
$4 = {value = false}
(gdb) p exclusiveThreadsPaused
$5 = {value = false}
(gdb) p exclusiveAccessOwner
$6 = {value = 0x0}

Comment 6

[Kan-Ru Chen [:kanru] (UTC+9)]

hmm.. I think exclusiveThreadsPaused should be true after this point

http://mxr.mozilla.org/mozilla-central/source/js/src/jsgc.cpp#4446

Comment 7

[Kan-Ru Chen [:kanru] (UTC+9)]

And it's not

4455            gcstats::AutoPhase ap(rt->gcStats, gcstats::PHASE_WAIT_BACKGROUND_THREAD);
(gdb) p rt->exclusiveThreadsPaused 
$4 = {value = false}

Comment 8

[Kan-Ru Chen [:kanru] (UTC+9)]

Attachment: Patch

Need to set exclusiveThreadsPaused = true when JS_THREADSAFE && DEBUG is defined.

Comment 9

[Brian Hackett [Laid off!]]

Attachment: alternate

The fields around exclusive threads really only have meaning if there are any worker threads, which will only happen when JS_THREADSAFE and JS_ION are both defined.  The attached patch changes the synchronization fields around exclusive access to only exist if these are defined (aka JS_WORKER_THREADS).

Comment 10

[Bill McCloskey [inactive unless it's an emergency] (:billm)]

Comment on attachment 793940 [details] [diff] [review]
Patch

Thanks very much for tracking this down.

Comment 11

[Brian Hackett [Laid off!]]

https://hg.mozilla.org/integration/mozilla-inbound/rev/d74b077b663c

Comment 12

[Ryan VanderMeulen [:RyanVM]]

https://hg.mozilla.org/mozilla-central/rev/d74b077b663c