Closed Bug 978227 Opened 10 years ago Closed 10 years ago

Intermittent ASAN test_sqliteMultiReporter.xul | application terminated with exit code 1 after "SEGV /builds/slave/fx-team-l64-asan-0000000000000/build/obj-firefox/js/src/../../dist/include/mozilla/HashFunctions.h:279 HashUntilZero<char>"

Categories

(Core :: General, defect)

Product:
Core
Component:
General
Platform:
x86_64
Linux
Type:
defect
Priority:
Not set
Severity:
normal

Tracking

()

Status:
RESOLVED FIXED
Milestone:
mozilla30
Tracking Flags:
Tracking Status
firefox28 --- unaffected
firefox29 --- unaffected
firefox30 --- fixed
firefox-esr24 --- unaffected

People

(Reporter: RyanVM, Assigned: n.nethercote)

References

Details

(Keywords: intermittent-failure)

Attachments

(1 file)

fix
845 bytes, patch
till
: review+
Details | Diff | Splinter Review 
https://tbpl.mozilla.org/php/getParsedLog.php?id=35435999&tree=Fx-Team

Ubuntu ASAN VM 12.04 x64 fx-team opt test mochitest-other on 2014-02-28 10:42:21 PST for push 8859e1b0add3
slave: tst-linux64-ec2-372

10:58:50     INFO -  2663 INFO TEST-START | chrome://mochitests/content/chrome/toolkit/components/aboutmemory/tests/test_sqliteMultiReporter.xul
10:58:51     INFO -  ASAN:SIGSEGV
10:58:51     INFO -  =================================================================
10:58:51     INFO -  ==2428==ERROR: AddressSanitizer: SEGV on unknown address 0x000000000000 (pc 0x7fed1fff3536 sp 0x7fffad19b8e0 bp 0x7fffad19ba90 T0)
10:58:51     INFO -  AddressSanitizer can not provide additional info.
10:58:52     INFO -  [Parent 2428] WARNING: waitpid failed pid:2810 errno:10: file /builds/slave/fx-team-l64-asan-0000000000000/build/ipc/chromium/src/base/process_util_posix.cc, line 254
10:58:52     INFO -  [Parent 2428] WARNING: Failed to deliver SIGKILL to 2810!(3).: file /builds/slave/fx-team-l64-asan-0000000000000/build/ipc/chromium/src/chrome/common/process_watcher_posix_sigchld.cc, line 118
10:58:52     INFO -  [Parent 2428] WARNING: waitpid failed pid:2815 errno:10: file /builds/slave/fx-team-l64-asan-0000000000000/build/ipc/chromium/src/base/process_util_posix.cc, line 254
10:58:52     INFO -  [Parent 2428] WARNING: Failed to deliver SIGKILL to 2815!(3).: file /builds/slave/fx-team-l64-asan-0000000000000/build/ipc/chromium/src/chrome/common/process_watcher_posix_sigchld.cc, line 118
10:58:52     INFO -  [Parent 2428] WARNING: waitpid failed pid:2820 errno:10: file /builds/slave/fx-team-l64-asan-0000000000000/build/ipc/chromium/src/base/process_util_posix.cc, line 254
10:58:52     INFO -  [Parent 2428] WARNING: Failed to deliver SIGKILL to 2820!(3).: file /builds/slave/fx-team-l64-asan-0000000000000/build/ipc/chromium/src/chrome/common/process_watcher_posix_sigchld.cc, line 118
10:58:52     INFO -      #0 0x7fed1fff3535 in HashUntilZero<char> /builds/slave/fx-team-l64-asan-0000000000000/build/obj-firefox/js/src/../../dist/include/mozilla/HashFunctions.h:279
10:58:52     INFO -      #1 0x7fed1fff3535 in HashString /builds/slave/fx-team-l64-asan-0000000000000/build/obj-firefox/js/src/../../dist/include/mozilla/HashFunctions.h:306
10:58:52     INFO -      #2 0x7fed1fff3535 in hash /builds/slave/fx-team-l64-asan-0000000000000/build/js/src/vm/MemoryMetrics.cpp:96
10:58:52     INFO -      #3 0x7fed1fff3535 in prepareHash /builds/slave/fx-team-l64-asan-0000000000000/build/obj-firefox/js/src/../../dist/include/js/HashTable.h:1043
10:58:52     INFO -      #4 0x7fed1fff3535 in lookupForAdd /builds/slave/fx-team-l64-asan-0000000000000/build/obj-firefox/js/src/../../dist/include/js/HashTable.h:1520
10:58:52     INFO -      #5 0x7fed1fff3535 in lookupForAdd /builds/slave/fx-team-l64-asan-0000000000000/build/obj-firefox/js/src/../../dist/include/js/HashTable.h:136
10:58:52     INFO -      #6 0x7fed1fff3535 in AddClassInfo(Granularity, JS::CompartmentStats*, char const*, JS::ClassInfo&) /builds/slave/fx-team-l64-asan-0000000000000/build/js/src/vm/MemoryMetrics.cpp:332
10:58:52     INFO -      #7 0x7fed1ff7cf66 in _ZL17StatsCellCallbackIL11Granularity0EEvP9JSRuntimePvS3_13JSGCTraceKindm /builds/slave/fx-team-l64-asan-0000000000000/build/js/src/vm/MemoryMetrics.cpp:427
10:58:52     INFO -      #8 0x7fed1f5f4739 in IterateCompartmentsArenasCells(JSRuntime*, JS::Zone*, void*, void (*)(JSRuntime*, void*, JSCompartment*), void (*)(JSRuntime*, void*, js::gc::Arena*, JSGCTraceKind, unsigned long), void (*)(JSRuntime*, void*, void*, JSGCTraceKind, unsigned long)) /builds/slave/fx-team-l64-asan-0000000000000/build/js/src/gc/Iteration.cpp:47
10:58:52     INFO -      #9 0x7fed1f5f3f9a in js::IterateZonesCompartmentsArenasCells(JSRuntime*, void*, void (*)(JSRuntime*, void*, JS::Zone*), void (*)(JSRuntime*, void*, JSCompartment*), void (*)(JSRuntime*, void*, js::gc::Arena*, JSGCTraceKind, unsigned long), void (*)(JSRuntime*, void*, void*, JSGCTraceKind, unsigned long)) /builds/slave/fx-team-l64-asan-0000000000000/build/js/src/gc/Iteration.cpp:63
10:58:52     INFO -      #10 0x7fed1ff788e9 in JS::CollectRuntimeStats(JSRuntime*, JS::RuntimeStats*, JS::ObjectPrivateVisitor*) /builds/slave/fx-team-l64-asan-0000000000000/build/js/src/vm/MemoryMetrics.cpp:653
10:58:52     INFO -      #11 0x7fed1bdd2836 in xpc::JSReporter::CollectReports(nsDataHashtable<nsUint64HashKey, nsCString>*, nsDataHashtable<nsUint64HashKey, nsCString>*, nsIMemoryReporterCallback*, nsISupports*) /builds/slave/fx-team-l64-asan-0000000000000/build/js/xpconnect/src/XPCJSRuntime.cpp:2647
10:58:52     INFO -      #12 0x7fed1c1d70d7 in nsWindowMemoryReporter::CollectReports(nsIMemoryReporterCallback*, nsISupports*) /builds/slave/fx-team-l64-asan-0000000000000/build/dom/base/nsWindowMemoryReporter.cpp:520
10:58:52     INFO -      #13 0x7fed18901aa4 in nsMemoryReporterManager::GetReportsForThisProcess(nsIMemoryReporterCallback*, nsISupports*) /builds/slave/fx-team-l64-asan-0000000000000/build/xpcom/base/nsMemoryReporterManager.cpp:1048
10:58:52     INFO -      #14 0x7fed189e9a91 in NS_InvokeByIndex /builds/slave/fx-team-l64-asan-0000000000000/build/xpcom/reflect/xptcall/src/md/unix/xptcinvoke_x86_64_unix.cpp:162
10:58:52     INFO -      #15 0x7fed1be39e61 in Invoke /builds/slave/fx-team-l64-asan-0000000000000/build/js/xpconnect/src/XPCWrappedNative.cpp:2403
10:58:52     INFO -      #16 0x7fed1be39e61 in CallMethodHelper /builds/slave/fx-team-l64-asan-0000000000000/build/js/xpconnect/src/XPCWrappedNative.cpp:1744
10:58:52     INFO -      #17 0x7fed1be39e61 in XPCWrappedNative::CallMethod(XPCCallContext&, XPCWrappedNative::CallMode) /builds/slave/fx-team-l64-asan-0000000000000/build/js/xpconnect/src/XPCWrappedNative.cpp:1711
10:58:52     INFO -      #18 0x7fed1be3fc38 in XPC_WN_CallMethod(JSContext*, unsigned int, JS::Value*) /builds/slave/fx-team-l64-asan-0000000000000/build/js/xpconnect/src/XPCWrappedNativeJSOps.cpp:1285
10:58:52     INFO -      #19 0x7fed1ff60860 in native /builds/slave/fx-team-l64-asan-0000000000000/build/js/src/jscntxtinlines.h:230
10:58:52     INFO -      #20 0x7fed1ff60860 in js::Invoke(JSContext*, JS::CallArgs, js::MaybeConstruct) /builds/slave/fx-team-l64-asan-0000000000000/build/js/src/vm/Interpreter.cpp:476
10:58:52     INFO -      #21 0x7fed1ff52587 in Interpret(JSContext*, js::RunState&) /builds/slave/fx-team-l64-asan-0000000000000/build/js/src/vm/Interpreter.cpp:2614
10:58:52     INFO -      #22 0x7fed1ff379b9 in js::RunScript(JSContext*, js::RunState&) /builds/slave/fx-team-l64-asan-0000000000000/build/js/src/vm/Interpreter.cpp:423
10:58:52     INFO -      #23 0x7fed1ff635dd in js::ExecuteKernel(JSContext*, JS::Handle<JSScript*>, JSObject&, JS::Value const&, js::ExecuteType, js::AbstractFramePtr, JS::Value*) /builds/slave/fx-team-l64-asan-0000000000000/build/js/src/vm/Interpreter.cpp:631
10:58:52     INFO -      #24 0x7fed1ff63b4c in js::Execute(JSContext*, JS::Handle<JSScript*>, JSObject&, JS::Value*) /builds/slave/fx-team-l64-asan-0000000000000/build/js/src/vm/Interpreter.cpp:667
10:58:52     INFO -      #25 0x7fed1fbd880a in JS_ExecuteScript(JSContext*, JSObject*, JSScript*, JS::Value*) /builds/slave/fx-team-l64-asan-0000000000000/build/js/src/jsapi.cpp:4795
10:58:52     INFO -      #26 0x7fed1d192922 in mozilla::dom::XULDocument::ExecuteScript(nsIScriptContext*, JS::Handle<JSScript*>) /builds/slave/fx-team-l64-asan-0000000000000/build/content/xul/document/src/XULDocument.cpp:3681
10:58:52     INFO -      #27 0x7fed1d176fb4 in ExecuteScript /builds/slave/fx-team-l64-asan-0000000000000/build/content/xul/document/src/XULDocument.cpp:3703
10:58:52     INFO -      #28 0x7fed1d176fb4 in mozilla::dom::XULDocument::ResumeWalk() /builds/slave/fx-team-l64-asan-0000000000000/build/content/xul/document/src/XULDocument.cpp:3048
10:58:52     INFO -      #29 0x7fed1d1749ae in OnPrototypeLoadDone /builds/slave/fx-team-l64-asan-0000000000000/build/content/xul/document/src/XULDocument.cpp:607
10:58:52     INFO -      #30 0x7fed1d1749ae in mozilla::dom::XULDocument::EndLoad() /builds/slave/fx-team-l64-asan-0000000000000/build/content/xul/document/src/XULDocument.cpp:580
10:58:52     INFO -      #31 0x7fed1d19e49d in XULContentSinkImpl::DidBuildModel(bool) /builds/slave/fx-team-l64-asan-0000000000000/build/content/xul/document/src/nsXULContentSink.cpp:240
10:58:52     INFO -      #32 0x7fed19e9acac in DidBuildModel /builds/slave/fx-team-l64-asan-0000000000000/build/parser/htmlparser/src/nsParser.cpp:901
10:58:52     INFO -      #33 0x7fed19e9acac in nsParser::ResumeParse(bool, bool, bool) /builds/slave/fx-team-l64-asan-0000000000000/build/parser/htmlparser/src/nsParser.cpp:1507
10:58:52     INFO -      #34 0x7fed19e9dea3 in nsParser::OnStopRequest(nsIRequest*, nsISupports*, tag_nsresult) /builds/slave/fx-team-l64-asan-0000000000000/build/parser/htmlparser/src/nsParser.cpp:1878
10:58:52     INFO -      #35 0x7fed19e133ca in nsDocumentOpenInfo::OnStopRequest(nsIRequest*, nsISupports*, tag_nsresult) /builds/slave/fx-team-l64-asan-0000000000000/build/uriloader/base/nsURILoader.cpp:319
10:58:52     INFO -      #36 0x7fed18afd114 in nsBaseChannel::OnStopRequest(nsIRequest*, nsISupports*, tag_nsresult) /builds/slave/fx-team-l64-asan-0000000000000/build/netwerk/base/src/nsBaseChannel.cpp:732
10:58:52     INFO -      #37 0x7fed18afd2f9 in non-virtual thunk to nsBaseChannel::OnStopRequest(nsIRequest*, nsISupports*, tag_nsresult) /builds/slave/fx-team-l64-asan-0000000000000/build/obj-firefox/netwerk/base/src/Unified_cpp_netwerk_base_src0.cpp:745
10:58:52     INFO -      #38 0x7fed18b3a505 in nsInputStreamPump::OnStateStop() /builds/slave/fx-team-l64-asan-0000000000000/build/netwerk/base/src/nsInputStreamPump.cpp:703
10:58:52     INFO -      #39 0x7fed18b38c63 in nsInputStreamPump::OnInputStreamReady(nsIAsyncInputStream*) /builds/slave/fx-team-l64-asan-0000000000000/build/netwerk/base/src/nsInputStreamPump.cpp:438
10:58:52     INFO -      #40 0x7fed1899f674 in nsInputStreamReadyEvent::Run() /builds/slave/fx-team-l64-asan-0000000000000/build/xpcom/io/nsStreamUtils.cpp:85
10:58:52     INFO -      #41 0x7fed189d4602 in nsThread::ProcessNextEvent(bool, bool*) /builds/slave/fx-team-l64-asan-0000000000000/build/xpcom/threads/nsThread.cpp:643
10:58:52     INFO -      #42 0x7fed188a8271 in NS_ProcessNextEvent(nsIThread*, bool) /builds/slave/fx-team-l64-asan-0000000000000/build/xpcom/glue/nsThreadUtils.cpp:263
10:58:52     INFO -      #43 0x7fed1920dc81 in mozilla::ipc::MessagePump::Run(base::MessagePump::Delegate*) /builds/slave/fx-team-l64-asan-0000000000000/build/ipc/glue/MessagePump.cpp:95
10:58:52     INFO -      #44 0x7fed191806f3 in RunInternal /builds/slave/fx-team-l64-asan-0000000000000/build/ipc/chromium/src/base/message_loop.cc:226
10:58:52     INFO -      #45 0x7fed191806f3 in RunHandler /builds/slave/fx-team-l64-asan-0000000000000/build/ipc/chromium/src/base/message_loop.cc:219
10:58:52     INFO -      #46 0x7fed191806f3 in MessageLoop::Run() /builds/slave/fx-team-l64-asan-0000000000000/build/ipc/chromium/src/base/message_loop.cc:193
10:58:52     INFO -      #47 0x7fed1bc9878c in nsBaseAppShell::Run() /builds/slave/fx-team-l64-asan-0000000000000/build/widget/xpwidgets/nsBaseAppShell.cpp:164
10:58:52     INFO -      #48 0x7fed1ea07ae6 in nsAppStartup::Run() /builds/slave/fx-team-l64-asan-0000000000000/build/toolkit/components/startup/nsAppStartup.cpp:276
10:58:52     INFO -      #49 0x7fed1e81b755 in XREMain::XRE_mainRun() /builds/slave/fx-team-l64-asan-0000000000000/build/toolkit/xre/nsAppRunner.cpp:3996
10:58:52     INFO -      #50 0x7fed1e81c68a in XREMain::XRE_main(int, char**, nsXREAppData const*) /builds/slave/fx-team-l64-asan-0000000000000/build/toolkit/xre/nsAppRunner.cpp:4063
10:58:52     INFO -      #51 0x7fed1e81d5bb in XRE_main /builds/slave/fx-team-l64-asan-0000000000000/build/toolkit/xre/nsAppRunner.cpp:4273
10:58:52     INFO -      #52 0x459dcd in do_main /builds/slave/fx-team-l64-asan-0000000000000/build/browser/app/nsBrowserApp.cpp:282
10:58:52     INFO -      #53 0x459dcd in main /builds/slave/fx-team-l64-asan-0000000000000/build/browser/app/nsBrowserApp.cpp:643
10:58:52     INFO -      #54 0x7fed2943176c (/lib/x86_64-linux-gnu/libc.so.6+0x2176c)
10:58:52     INFO -      #55 0x45934c in _start (/builds/slave/test/build/application/firefox/firefox+0x45934c)
10:58:53     INFO -  SUMMARY: AddressSanitizer: SEGV /builds/slave/fx-team-l64-asan-0000000000000/build/obj-firefox/js/src/../../dist/include/mozilla/HashFunctions.h:279 HashUntilZero<char>
10:58:53     INFO -  ==2428==ABORTING
10:58:53  WARNING -  TEST-UNEXPECTED-FAIL | chrome://mochitests/content/chrome/toolkit/components/aboutmemory/tests/test_sqliteMultiReporter.xul | application terminated with exit code 1
Some kind of null-deref in the JS memory reporter.
Blocks: 972712
Looks like object/shape classNames are occasionally null, which I didn't account for. This will be easy to fix, and I will do it on Monday.
Attached patch fixSplinter Review 
Actually, it's so easy that I can post the patch now and ask for review.

Till, do you know in what cases the className will be null?
Assignee: nobody → n.nethercote
Attachment #8383901 - Flags: review?(till)
Comment on attachment 8383901 [details] [diff] [review]
fix

Review of attachment 8383901 [details] [diff] [review]:
-----------------------------------------------------------------

> Till, do you know in what cases the className will be null?

I don't really know, but speculating, I'd say it might be caused by Object.create(null), perhaps?
Attachment #8383901 - Flags: review?(till) → review+
Oh also, Splinter doesn't like this patch at all. No idea why.
https://hg.mozilla.org/integration/mozilla-inbound/rev/5c9a4a1f2c0b

It's weird that this has only occurred once in the several days since the patch from bug 972712 landed. If classname==nullptr was a legitimate case, I'd expect it much more often than that. I wonder if there was some heap corruption. Anyway, it doesn't hurt to have this additional check.
https://hg.mozilla.org/mozilla-central/rev/5c9a4a1f2c0b
Status: NEW → RESOLVED
Closed: 10 years ago
Resolution: --- → FIXED
Target Milestone: --- → mozilla30
Status: RESOLVED → REOPENED
Resolution: FIXED → ---
(In reply to TBPL Robot from comment #9)
> KWierso
> https://tbpl.mozilla.org/php/getParsedLog.php?id=35616394&tree=Mozilla-
> Inbound
> Ubuntu ASAN VM 12.04 x64 mozilla-inbound opt test mochitest-other on
> 2014-03-04 13:34:22
> revision: 722fd1b0e050
> slave: tst-linux64-spot-395

Ah, that one is different. It's complaining that this line in vm/MemoryMetrics.cpp:

        const char* className = shape->base()->clasp()->name;

is touching memory it shouldn't. I think it claims the accessed memory is freed, but I'm not certain.

My inclination for the moment is to land a patch that breaks that line up into pieces, so that if/when this happens again, it's more obvious which pointer dereference is causing the problem.
If someone want to back out 519787a56627 (i.e. part 6 of bug 972712), please do. That's the triggering patch.
I backed out the offending patch, as well as the earlier patch from this bug. See bug 972712 comment 26.
Comment 25 is different; broken out to bug 1024996.
The backing out of the patch from bug 1023719 should fix this.
Status: REOPENED → RESOLVED
Closed: 10 years ago10 years ago
Resolution: --- → FIXED
You need to log in before you can comment on or make changes to this bug.

Attachment

General

Creator:
Created:
Updated:
Size: