Closed Bug 916829 Opened 11 years ago Closed 11 years ago

GenerationalGC: xpcshell test crashes [@ js::WeakMap::markIteratively(JSTracer*)]

Categories

(Core :: JavaScript Engine, defect)

x86
macOS
defect
Not set
normal

Tracking

()

RESOLVED FIXED
mozilla27

People

(Reporter: jonco, Assigned: jonco)

References

Details

(Whiteboard: [qa-])

Attachments

(1 file, 1 obsolete file)

When running a try build with GGC enabled, there are 15 or so xpcshell crashes like this one:

06:07:05  WARNING -  PROCESS-CRASH | /builds/slave/talos-slave/test/build/tests/xpcshell/tests/toolkit/devtools/server/tests/unit/test_pauselifetime-02.js | application crashed [@ js::WeakMap<js::EncapsulatedPtr<JSObject, unsigned long>, js::RelocatablePtr<JSObject>, js::DefaultHasher<js::EncapsulatedPtr<JSObject, unsigned long> > >::markIteratively(JSTracer*)]
06:07:05     INFO -  Crash dump filename: /var/folders/gA/gAn+Yau+GbO+DizThjqg-U+++-k/-Tmp-/tmpGwlYya/A2643E51-D5C4-43D4-97B1-094AB2454C51.dmp
06:07:05     INFO -  Operating system: Mac OS X
06:07:05     INFO -                    10.6.8 10K549
06:07:05     INFO -  CPU: amd64
06:07:05     INFO -       family 6 model 23 stepping 10
06:07:05     INFO -       2 CPUs
06:07:05     INFO -  Crash reason:  EXC_BAD_ACCESS / 0x0000000d
06:07:05     INFO -  Crash address: 0x0
06:07:05     INFO -  Thread 0 (crashed)
06:07:05     INFO -   0  XUL!js::WeakMap<js::EncapsulatedPtr<JSObject, unsigned long>, js::RelocatablePtr<JSObject>, js::DefaultHasher<js::EncapsulatedPtr<JSObject, unsigned long> > >::markIteratively(JSTracer*) [ObjectImpl.h:9bfcc1e15801 : 973 + 0x0]
06:07:05     INFO -      rbx = 0x00007fff5fbf8d00   r12 = 0x0000000105789500
06:07:05     INFO -      r13 = 0x00007fff5fbf8dc8   r14 = 0x0000000105789400
06:07:05     INFO -      r15 = 0x00007fff5fbf8cf8   rip = 0x00000001025fd668
06:07:05     INFO -      rsp = 0x00007fff5fbf8cf0   rbp = 0x00007fff5fbf8d60
06:07:05     INFO -      Found by: given as instruction pointer in context
06:07:05     INFO -   1  XUL!js::WeakMapBase::markCompartmentIteratively(JSCompartment*, JSTracer*) [jsweakmap.cpp:9bfcc1e15801 : 42 + 0xb]
06:07:05     INFO -      rbx = 0x0000000105b7f698   r12 = 0x0000000105789500
06:07:05     INFO -      r13 = 0x00007fff5fbf8dc8   r14 = 0x0000000105789400
06:07:05     INFO -      r15 = 0x0000000105789000   rip = 0x00000001028c198c
06:07:05     INFO -      rsp = 0x00007fff5fbf8d70   rbp = 0x00007fff5fbf8d90
06:07:05     INFO -      Found by: call frame info
06:07:05     INFO -   2  XUL!MarkWeakReferences<js::CompartmentsIterT<js::gc::GCZoneGroupIter> > [jsgc.cpp:9bfcc1e15801 : 2923 + 0xa]
06:07:05     INFO -      rbx = 0x0000000105789400   r12 = 0x0000000105789500
06:07:05     INFO -      r13 = 0x00007fff5fbf8dc8   r14 = 0x0000000000000000
06:07:05     INFO -      r15 = 0x0000000105789000   rip = 0x00000001027efda9
06:07:05     INFO -      rsp = 0x00007fff5fbf8da0   rbp = 0x00007fff5fbf8e10
06:07:05     INFO -      Found by: call frame info
06:07:05     INFO -   3  XUL!EndMarkingZoneGroup [jsgc.cpp:9bfcc1e15801 : 2939 + 0xc]
06:07:05     INFO -      rbx = 0x0000000105789520   r12 = 0x0000000105789000
06:07:05     INFO -      r13 = 0x00007fffffffffff   r14 = 0x0000000105789000
06:07:05     INFO -      r15 = 0x00007fff5fbf8f90   rip = 0x00000001027eecc6
06:07:05     INFO -      rsp = 0x00007fff5fbf8e20   rbp = 0x00007fff5fbf8e50
06:07:05     INFO -      Found by: call frame info
06:07:05     INFO -   4  XUL!IncrementalCollectSlice [jsgc.cpp:9bfcc1e15801 : 3799 + 0x7]
06:07:05     INFO -      rbx = 0x0000000105789520   r12 = 0x0000000105789000
06:07:05     INFO -      r13 = 0x00007fffffffffff   r14 = 0x0000000000000000
06:07:05     INFO -      r15 = 0x00007fff5fbf8f90   rip = 0x00000001027ecdd1
06:07:05     INFO -      rsp = 0x00007fff5fbf8e60   rbp = 0x00007fff5fbf9000
06:07:05     INFO -      Found by: call frame info
06:07:05     INFO -   5  XUL!GCCycle [jsgc.cpp:9bfcc1e15801 : 4478 + 0xd]
06:07:05     INFO -      rbx = 0x0000000000000000   r12 = 0x0000000000000008
06:07:05     INFO -      r13 = 0x0000000000000000   r14 = 0x0000000102fb875c
06:07:05     INFO -      r15 = 0x0000000105789000   rip = 0x00000001027eb01c
06:07:05     INFO -      rsp = 0x00007fff5fbf9010   rbp = 0x00007fff5fbf9070
06:07:05     INFO -      Found by: call frame info
06:07:05     INFO -   6  XUL!Collect [jsgc.cpp:9bfcc1e15801 : 4618 + 0x13]
06:07:05     INFO -      rbx = 0x0000000000000000   r12 = 0x0000000000000008
06:07:05     INFO -      r13 = 0x0000000105789000   r14 = 0x0000000105789520
06:07:05     INFO -      r15 = 0x0000000000000000   rip = 0x00000001027e9254
06:07:05     INFO -      rsp = 0x00007fff5fbf9080   rbp = 0x00007fff5fbf9120
06:07:05     INFO -      Found by: call frame info
06:07:05     INFO -   7  XUL!js::Debugger::removeAllDebuggees(JSContext*, unsigned int, JS::Value*) [jscompartment.h:9bfcc1e15801 : 419 + 0xf]
06:07:05     INFO -      rbx = 0x00000001057ca301   r12 = 0x00007fff5fbf9138
06:07:05     INFO -      r13 = 0x00007fff5fbf9160   r14 = 0x00000001055ce280
06:07:05     INFO -      r15 = 0x0000000105b7f400   rip = 0x00000001025df987
06:07:05     INFO -      rsp = 0x00007fff5fbf9130   rbp = 0x00007fff5fbf91b0
06:07:05     INFO -      Found by: call frame info
06:07:05     INFO -   8  XUL!js::CallJSNative(JSContext*, bool (*)(JSContext*, unsigned int, JS::Value*), JS::CallArgs const&) [jscntxtinlines.h:9bfcc1e15801 : 218 + 0x7]
06:07:05     INFO -      rbx = 0x0000000105b14e00   r12 = 0x00007fff5fbf9650
06:07:05     INFO -      r13 = 0x0000000105ac2258   r14 = 0x00000001055ce280
06:07:05     INFO -      r15 = 0x00007fffffffffff   rip = 0x0000000102622327
06:07:05     INFO -      rsp = 0x00007fff5fbf91c0   rbp = 0x00007fff5fbf9210
06:07:05     INFO -      Found by: call frame info
06:07:05     INFO -   9  XUL!js::Invoke(JSContext*, JS::CallArgs, js::MaybeConstruct) [Interpreter.cpp:9bfcc1e15801 : 471 + 0xa]
06:07:05     INFO -      rbx = 0x0000000105ac2200   r12 = 0x00007fff5fbf9650
06:07:05     INFO -      r13 = 0x000000000000003a   r14 = 0x0000000000000000
06:07:05     INFO -      r15 = 0x00000001055ce280   rip = 0x000000010261be4b
06:07:05     INFO -      rsp = 0x00007fff5fbf9220   rbp = 0x00007fff5fbf9640
06:07:05     INFO -      Found by: call frame info
Attached patch postbarrier-debugger-weakmaps (obsolete) — Splinter Review
Adding post barriers for the debugger weakmaps fixed this.
Assignee: general → jcoppeard
Status: NEW → ASSIGNED
Attachment #807153 - Flags: review?(terrence)
Well, that's very odd! We used to have these barriers, but I removed them. The problem was the Breakpoints list: since these are used all over the stack and heap in vm/Debugger, rooting/barriering their fields was extremely annoying. Instead of doing this, we added Debugger::markAll, which is called unconditionally from Nursery::collect. Debugger::markAll calls environment->trace() and objects->trace() with our eagerlyTraceWeakMaps set to TraceWeakMapKeysValue. Thus, these maps should be getting fully traced -- and every key and value updated -- during every minor GC.

Please try and figure out why that isn't happening here.
So the problem is that markAll() doesn't mark the weakmaps in debuggers that have had their debuggees removed, even if those weakmaps still contain entries.  

This patch changes markAll() to iterate through the runtime's debugger list rather than looking for compartments with debuggees.
Attachment #807153 - Attachment is obsolete: true
Attachment #807153 - Flags: review?(terrence)
Attachment #807801 - Flags: review?(terrence)
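The failure described in the comment above, as an added toy model (not SpiderMonkey code and not part of the original bug): a debugger whose debuggees were removed still holds weakmap entries, and a minor GC that finds debuggers only through debuggee compartments leaves those entries pointing into the nursery. The integer "addresses", `NURSERY`, the `Debugger` struct and all function names here are assumptions made for illustration.

```cpp
#include <cstdio>
#include <map>
#include <set>
#include <vector>

// Toy model: a "pointer" is an int; values >= NURSERY are nursery addresses
// that a minor GC relocates to a tenured address.
constexpr int NURSERY = 1000;

struct Debugger {
    std::map<int, int> objects;  // weakmap: referent -> wrapper
    std::set<int> debuggees;     // ids of compartments being debugged
};

static int relocate(int p) { return p >= NURSERY ? p - NURSERY : p; }

// Tracing a map during a minor GC rewrites every key and value that moved.
static void traceWeakMap(Debugger& d) {
    std::map<int, int> moved;
    for (auto& e : d.objects) moved[relocate(e.first)] = relocate(e.second);
    d.objects.swap(moved);
}

// Before the fix: debuggers are reached only via compartments with debuggees.
static void markAllViaDebuggees(std::vector<Debugger>& dbgs, const std::set<int>& compartments) {
    for (int c : compartments)
        for (auto& d : dbgs)
            if (d.debuggees.count(c)) traceWeakMap(d);
}

// After the fix: walk the runtime's debugger list unconditionally.
static void markAllViaDebuggerList(std::vector<Debugger>& dbgs) {
    for (auto& d : dbgs) traceWeakMap(d);
}

// Count keys and values still pointing into the nursery after the minor GC.
static int staleEntries(const Debugger& d) {
    int n = 0;
    for (auto& e : d.objects) n += (e.first >= NURSERY) + (e.second >= NURSERY);
    return n;
}

// Scenario: weakmap populated, all debuggees removed, then a minor GC runs.
static int runScenario(bool fixed) {
    std::vector<Debugger> dbgs(1);
    dbgs[0].debuggees = {7};
    dbgs[0].objects = {{NURSERY + 1, NURSERY + 2}, {5, NURSERY + 3}};
    dbgs[0].debuggees.clear();  // debuggees removed; the map keeps its entries
    if (fixed) markAllViaDebuggerList(dbgs);
    else       markAllViaDebuggees(dbgs, {7});
    return staleEntries(dbgs[0]);
}

int main() {
    std::printf("stale before fix: %d, after fix: %d\n", runScenario(false), runScenario(true));
}
```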
Comment on attachment 807801 [details] [diff] [review]
mark-debugger-weakmaps

Review of attachment 807801 [details] [diff] [review]:
-----------------------------------------------------------------

Great work! r=me

::: testing/mozbase/mozcrash/mozcrash/mozcrash.py
@@ +88,5 @@
>              stackwalk_output.append("Crash dump filename: " + d)
>              top_frame = None
>              if symbols_path and stackwalk_binary and os.path.exists(stackwalk_binary):
>                  # run minidump_stackwalk
> +                print(" ".join([stackwalk_binary, d, symbols_path]))
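
Review bot: The added print(" ".join([stackwalk_binary, d, symbols_path])) line under the "# run minidump_stackwalk" comment is an unconditional debug print in testing/mozbase/mozcrash/mozcrash/mozcrash.py, a file unrelated to the weakmap marking this attachment is named for. It writes the stackwalk command line, including the dump and symbols paths, to stdout for every dump that reaches this branch; drop it from this patch, or propose it separately if the output is wanted.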

Did you mean to include this hunk?
Attachment #807801 - Flags: review?(terrence) → review+
Pushed to inbound, without extraneous hunk.

https://hg.mozilla.org/integration/mozilla-inbound/rev/e3a20a3080de
https://hg.mozilla.org/mozilla-central/rev/e3a20a3080de
Status: ASSIGNED → RESOLVED
Closed: 11 years ago
Resolution: --- → FIXED
Target Milestone: --- → mozilla27
Whiteboard: [qa-]