Closed Bug 984101 Opened 6 years ago Closed 3 years ago

[tarako]B2G_NOOPT=1 build, monkey test crash at libxul.so!JSRuntime::isHeapMajorCollecting() [Runtime.h : 1190 + 0x2]

Categories

(Core :: JavaScript: GC, defect, critical)

28 Branch
ARM
Gonk (Firefox OS)
defect
Not set
critical

Tracking

RESOLVED WORKSFORME
tracking-b2g backlog
Tracking Status
b2g-v1.3T --- affected

People

(Reporter: james.zhang, Assigned: terrence)

References

(Depends on 1 open bug)

Details

(Keywords: crash, Whiteboard: [b2g-crash])

Attachments

(3 files, 2 obsolete files)

This build is B2G_NOOPT=1.

Operating system: Android
                  0.0.0 Linux 3.0.8+ #1 PREEMPT Sat Mar 15 04:20:53 CST 2014 armv7l Spreadtrum/sp6821a_gonk/sp6821a_gonk:4.0.4.0.4.0.4/OPENMASTER/4:user/test-keys
CPU: arm
     0 CPUs

Crash reason:  SIGSEGV
Crash address: 0x9ec

Thread 0 (crashed)
 0  libxul.so!JSRuntime::isHeapMajorCollecting() [Runtime.h : 1190 + 0x2]
     r4 = 0x45f2d6a0    r5 = 0x4041c48c    r6 = 0x00000000    r7 = 0xbeed42c8
     r8 = 0x4041c460    r9 = 0x00000000   r10 = 0x00000000    fp = 0x00000000
     sp = 0xbeed42c8    lr = 0x42fb0dd3    pc = 0x42fb0d86
    Found by: given as instruction pointer in context
 1  libxul.so!JSRuntime::isHeapCollecting() [Runtime.h : 1192 + 0x5]
     r4 = 0x45f2d6a0    r5 = 0x4041c48c    r6 = 0x00000000    r7 = 0xbeed42d8
     r8 = 0x4041c460    r9 = 0x00000000   r10 = 0x00000000    fp = 0x00000000
     sp = 0xbeed42d8    pc = 0x42fb0dd3
    Found by: call frame info
 2  libxul.so!JS::Zone::isCollecting() const [Zone.h : 150 + 0xf]
     r4 = 0x45f2d6a0    r5 = 0x4041c48c    r6 = 0x00000000    r7 = 0xbeed42e8
     r8 = 0x4041c460    r9 = 0x00000000   r10 = 0x00000000    fp = 0x00000000
     sp = 0xbeed42e8    pc = 0x42fb0e11
    Found by: call frame info
 3  libxul.so!js::gc::IsMarked<JSFunction> [Marking.cpp : 327 + 0x5]
     r4 = 0x45f2d6a0    r5 = 0x4041c48c    r6 = 0x00000000    r7 = 0xbeed42f8
     r8 = 0x4041c460    r9 = 0x00000000   r10 = 0x00000000    fp = 0x00000000
     sp = 0xbeed42f8    pc = 0x42fb63fd
    Found by: call frame info
 4  libxul.so!js::gc::IsObjectMarked(js::BarrieredPtr<JSObject, unsigned int>*) [Marking.cpp : 434 + 0xd]
     r4 = 0x45f2d6a0    r5 = 0x4041c48c    r6 = 0x00000000    r7 = 0xbeed4368
     r8 = 0x4041c460    r9 = 0x00000000   r10 = 0x00000000    fp = 0x00000000
     sp = 0xbeed4368    pc = 0x42fb1537
    Found by: call frame info
 5  libxul.so!js::gc::IsMarked(js::BarrieredPtr<JSObject, unsigned int>*) [Marking.h : 319 + 0x5]
     r4 = 0x45f2d6a0    r5 = 0x4041c48c    r6 = 0x00000000    r7 = 0xbeed4378
     r8 = 0x4041c460    r9 = 0x00000000   r10 = 0x00000000    fp = 0x00000000
     sp = 0xbeed4378    pc = 0x4316d51f
    Found by: call frame info
 6  libxul.so!js::WeakMap<js::EncapsulatedPtr<JSObject, unsigned int>, js::RelocatableValue, js::DefaultHasher<js::EncapsulatedPtr<JSObject, unsigned int> > >::markIteratively(JSTracer*) [jsweakmap.h : 185 + 0x9]
     r4 = 0x45f2d6a0    r5 = 0x4041c48c    r6 = 0x00000000    r7 = 0xbeed4388
     r8 = 0x4041c460    r9 = 0x00000000   r10 = 0x00000000    fp = 0x00000000
     sp = 0xbeed4388    pc = 0x4317083b
    Found by: call frame info
 7  libxul.so!js::WeakMapBase::markCompartmentIteratively(JSCompartment*, JSTracer*) [jsweakmap.cpp : 42 + 0xf]
     r4 = 0x00000000    r5 = 0x4041c48c    r6 = 0x00000000    r7 = 0xbeed43c0
     r8 = 0x4041c460    r9 = 0x00000000   r10 = 0x00000000    fp = 0x00000000
     sp = 0xbeed43c0    pc = 0x4316d6e7
    Found by: call frame info
 8  libxul.so!MarkWeakReferences<js::CompartmentsIterT<js::gc::GCZoneGroupIter> > [jsgc.cpp : 3159 + 0x19]
     r4 = 0x00000000    r5 = 0x4041c48c    r6 = 0x00000000    r7 = 0xbeed43d8
     r8 = 0x4041c460    r9 = 0x00000000   r10 = 0x00000000    fp = 0x00000000
     sp = 0xbeed43d8    pc = 0x430e731b
    Found by: call frame info
 9  libxul.so!MarkWeakReferencesInCurrentGroup [jsgc.cpp : 3175 + 0x7]
     r4 = 0x00000de7    r5 = 0x4041c48c    r6 = 0x00000000    r7 = 0xbeed4430
     r8 = 0x4041c460    r9 = 0x00000000   r10 = 0x00000000    fp = 0x00000000
     sp = 0xbeed4430    pc = 0x430e1ddf
    Found by: call frame info
10  libxul.so!EndMarkingZoneGroup [jsgc.cpp : 3851 + 0x9]
     r4 = 0x00000de7    r5 = 0x4041c48c    r6 = 0x00000000    r7 = 0xbeed4440
     r8 = 0x4041c460    r9 = 0x00000000   r10 = 0x00000000    fp = 0x00000000
     sp = 0xbeed4440    pc = 0x430e2ba5
    Found by: call frame info
11  libxul.so!BeginSweepPhase [jsgc.cpp : 4043 + 0x5]
     r4 = 0x00000de7    r5 = 0x4041c48c    r6 = 0x00000000    r7 = 0xbeed4458
     r8 = 0x4041c460    r9 = 0x00000000   r10 = 0x00000000    fp = 0x00000000
     sp = 0xbeed4458    pc = 0x430e33c7
    Found by: call frame info
12  libxul.so!IncrementalCollectSlice [jsgc.cpp : 4651 + 0xb]
     r4 = 0x00000de7    r5 = 0x4041c48c    r6 = 0x00000000    r7 = 0xbeed4470
     r8 = 0x4041c460    r9 = 0x00000000   r10 = 0x00000000    fp = 0x00000000
     sp = 0xbeed4470    pc = 0x430e451b
    Found by: call frame info
13  libxul.so!GCCycle [jsgc.cpp : 4790 + 0x15]
     r4 = 0x00000de7    r5 = 0x4041c48c    r6 = 0x00000000    r7 = 0xbeed44c0
     r8 = 0x4041c460    r9 = 0x00000000   r10 = 0x00000000    fp = 0x00000000
     sp = 0xbeed44b8    pc = 0x430e4949
    Found by: call frame info
14  libxul.so!Collect [jsgc.cpp : 4928 + 0x15]
     r4 = 0x00000de7    r5 = 0x4041c48c    r6 = 0x00000000    r7 = 0xbeed4508
     r8 = 0x4041c460    r9 = 0x00000000   r10 = 0x00000000    fp = 0x00000000
     sp = 0xbeed4500    pc = 0x430e4bfd
    Found by: call frame info
15  libxul.so!js::GCSlice(JSRuntime*, js::JSGCInvocationKind, JS::gcreason::Reason, long long) [jsgc.cpp : 4973 + 0x15]
     r4 = 0x00000de7    r5 = 0x4041c48c    r6 = 0x00000000    r7 = 0xbeed4580
     r8 = 0x4041c460    r9 = 0x00000000   r10 = 0x00000000    fp = 0x00000000
     sp = 0xbeed4578    pc = 0x430e4d73
    Found by: call frame info
16  libxul.so!JS::IncrementalGC(JSRuntime*, JS::gcreason::Reason, long long) [jsfriendapi.cpp : 212 + 0x13]
     r4 = 0x00000de7    r5 = 0x4041c48c    r6 = 0x00000000    r7 = 0xbeed45a8
     r8 = 0x4041c460    r9 = 0x00000000   r10 = 0x00000000    fp = 0x00000000
     sp = 0xbeed45a0    pc = 0x430d2513
    Found by: call frame info
17  libxul.so!nsJSContext::GarbageCollectNow(JS::gcreason::Reason, nsJSContext::IsIncremental, nsJSContext::IsCompartment, nsJSContext::IsShrinking, long long) [nsJSEnvironment.cpp : 1922 + 0x11]
     r4 = 0x00000de7    r5 = 0x4041c48c    r6 = 0x00000000    r7 = 0xbeed45c0
     r8 = 0x4041c460    r9 = 0x00000000   r10 = 0x00000000    fp = 0x00000000
     sp = 0xbeed45c0    pc = 0x41cdf56d
    Found by: call frame info
18  libxul.so!InterSliceGCTimerFired(nsITimer*, void*) [nsJSEnvironment.cpp : 2251 + 0x1b]
     r4 = 0x00000de7    r5 = 0x4041c48c    r6 = 0x00000000    r7 = 0xbeed45f0
     r8 = 0x4041c460    r9 = 0x00000000   r10 = 0x00000000    fp = 0x00000000
     sp = 0xbeed45e8    pc = 0x41ce01d1
    Found by: call frame info
19  libxul.so!nsTimerImpl::Fire() [nsTimerImpl.cpp : 551 + 0xd]
     r4 = 0x00000de7    r5 = 0x4041c48c    r6 = 0x00000000    r7 = 0xbeed4600
     r8 = 0x4041c460    r9 = 0x00000000   r10 = 0x00000000    fp = 0x00000000
     sp = 0xbeed4600    pc = 0x40fee9d5
    Found by: call frame info
20  libxul.so!nsTimerEvent::Run() [nsTimerImpl.cpp : 635 + 0x13]
     r4 = 0x00000de7    r5 = 0x4041c48c    r6 = 0x00000000    r7 = 0xbeed4640
     r8 = 0x4041c460    r9 = 0x00000000   r10 = 0x00000000    fp = 0x00000000
     sp = 0xbeed4640    pc = 0x40feec0f
    Found by: call frame info
21  libxul.so!nsThread::ProcessNextEvent(bool, bool*) [nsThread.cpp : 612 + 0x17]
     r4 = 0x00000001    r5 = 0x4041c48c    r6 = 0x00000000    r7 = 0xbeed4658
     r8 = 0x4041c460    r9 = 0x00000000   r10 = 0x00000000    fp = 0x00000000
     sp = 0xbeed4658    pc = 0x40feb4d3
    Found by: call frame info
22  libxul.so!NS_ProcessNextEvent(nsIThread*, bool) [nsThreadUtils.cpp : 263 + 0x13]
     r4 = 0x00000000    r5 = 0x40fb7c3d    r6 = 0xbeed6bf4    r7 = 0xbeed46d8
     r8 = 0x00000001    r9 = 0x00000000   r10 = 0x00000000    fp = 0x00000000
     sp = 0xbeed46d8    pc = 0x40f81b4f
    Found by: call frame info
23  libxul.so!mozilla::ipc::MessagePump::Run(base::MessagePump::Delegate*) [MessagePump.cpp : 124 + 0xd]
     r4 = 0x00000000    r5 = 0x40fb7c3d    r6 = 0xbeed6bf4    r7 = 0xbeed46f0
     r8 = 0x00000001    r9 = 0x00000000   r10 = 0x00000000    fp = 0x00000000
     sp = 0xbeed46f0    pc = 0x4127111d
    Found by: call frame info
24  libxul.so!MessageLoop::RunInternal() [message_loop.cc : 222 + 0x1b]
     r4 = 0x40fb7c3d    r5 = 0x40fb7c3d    r6 = 0xbeed6bf4    r7 = 0xbeed4720
     r8 = 0x00000001    r9 = 0x00000000   r10 = 0x00000000    fp = 0x00000000
     sp = 0xbeed4720    pc = 0x41258c0d
    Found by: call frame info
25  libxul.so!MessageLoop::RunHandler() [message_loop.cc : 215 + 0x5]
     r4 = 0x40fb7c3d    r5 = 0x40fb7c3d    r6 = 0xbeed6bf4    r7 = 0xbeed4730
     r8 = 0x00000001    r9 = 0x00000000   r10 = 0x00000000    fp = 0x00000000
     sp = 0xbeed4730    pc = 0x41258bdf
    Found by: call frame info
26  libxul.so!MessageLoop::Run() [message_loop.cc : 189 + 0x5]
     r4 = 0x40fb7c3d    r5 = 0x40fb7c3d    r6 = 0xbeed6bf4    r7 = 0xbeed4740
     r8 = 0x00000001    r9 = 0x00000000   r10 = 0x00000000    fp = 0x00000000
     sp = 0xbeed4740    pc = 0x41258bbf
    Found by: call frame info
27  libxul.so!nsBaseAppShell::Run() [nsBaseAppShell.cpp : 161 + 0xb]
     r4 = 0x40fb7c3d    r5 = 0x40fb7c3d    r6 = 0xbeed6bf4    r7 = 0xbeed4760
     r8 = 0x00000001    r9 = 0x00000000   r10 = 0x00000000    fp = 0x00000000
     sp = 0xbeed4760    pc = 0x41b98197
    Found by: call frame info
28  libxul.so!nsAppStartup::Run() [nsAppStartup.cpp : 276 + 0x19]
     r4 = 0x40fb7c3d    r5 = 0x40fb7c3d    r6 = 0xbeed6bf4    r7 = 0xbeed4778
     r8 = 0x00000001    r9 = 0x00000000   r10 = 0x00000000    fp = 0x00000000
     sp = 0xbeed4778    pc = 0x4297c52d
    Found by: call frame info
29  libxul.so!XREMain::XRE_mainRun() [nsAppRunner.cpp : 4059 + 0x17]
     r4 = 0x40fb7c3d    r5 = 0x40fb7c3d    r6 = 0xbeed6bf4    r7 = 0xbeed4798
     r8 = 0x00000001    r9 = 0x00000000   r10 = 0x00000000    fp = 0x00000000
     sp = 0xbeed4790    pc = 0x4292297b
    Found by: call frame info
30  libxul.so!XREMain::XRE_main(int, char**, nsXREAppData const*) [nsAppRunner.cpp : 4127 + 0x5]
     r4 = 0x40416144    r5 = 0xbeed6bf4    r6 = 0x00000001    r7 = 0xbeed4980
     r8 = 0x00000000    r9 = 0x00000000   r10 = 0x00000000    fp = 0x00000000
     sp = 0xbeed4980    pc = 0x42922b53
    Found by: call frame info
31  libxul.so!XRE_main [nsAppRunner.cpp : 4337 + 0x17]
     r4 = 0x42922ce9    r5 = 0xbeed6bf4    r6 = 0x00000001    r7 = 0xbeed49d0
     r8 = 0x00000000    r9 = 0x00000000   r10 = 0x00000000    fp = 0x00000000
     sp = 0xbeed49d0    pc = 0x42922d23
    Found by: call frame info
32  b2g!do_main [nsBrowserApp.cpp : 163 + 0x25]
     r4 = 0x42922ce9    r5 = 0xbeed6bf4    r6 = 0x00000001    r7 = 0xbeed4ae8
     r8 = 0x00000000    r9 = 0x00000000   r10 = 0x00000000    fp = 0x00000000
     sp = 0xbeed4ae8    pc = 0x00009cad
    Found by: call frame info
33  b2g!main [nsBrowserApp.cpp : 256 + 0x17]
     r4 = 0x00009744    r5 = 0xbeed6bf4    r6 = 0x00000001    r7 = 0xbeed5b20
     r8 = 0x00000000    r9 = 0x00000000   r10 = 0x00000000    fp = 0x00000000
     sp = 0xbeed5b20    pc = 0x00009f93
    Found by: call frame info
34  libc.so!__libc_init [libc_init_dynamic.c : 114 + 0x7]
     r4 = 0x00009744    r5 = 0xbeed6bf4    r6 = 0x00000001    r7 = 0xbeed6bfc
     r8 = 0x00000000    r9 = 0x00000000   r10 = 0x00000000    fp = 0x00000000
     sp = 0xbeed6bd8    pc = 0x400dfa57
    Found by: call frame info
35  0xb0001dc5
     r4 = 0x00000000    r5 = 0x00000000    r6 = 0x00000000    r7 = 0x00000000
     r8 = 0x00000000    r9 = 0x00000000   r10 = 0x00000000    fp = 0x00000000
     sp = 0xbeed6bf0    pc = 0xb0001dc7
    Found by: call frame info
36  b2g!png_colorspace_set_xy_and_XYZ [png.c : 1578 + 0x1]
     sp = 0xbeed6c4c    pc = 0x0000b8d7
    Found by: stack scanning
This build is B2G_NOOPT=1. Is this backtrace right?
blocking-b2g: --- → 1.3T?
Flags: needinfo?(ttsai)
Flags: needinfo?(styang)
Flags: needinfo?(kkuo)
Component: General → JavaScript: GC
Product: Firefox OS → Core
Version: unspecified → 28 Branch
Severity: major → critical
Keywords: crash
Depends on: 983022
Maybe the JSRuntime is null?  That seems weird for the main thread.
Hi! Alan,

Please take a look. Thanks

--
Keven
Flags: needinfo?(kkuo) → needinfo?(ahuang)
Naveed, this is in JS. I would like someone from the team to at least comment here.
Flags: needinfo?(nihsanullah)
Flags: needinfo?(styang)
This is quite weird. The comparison "heapState == js::MajorCollecting" shouldn't get SIGSEGV unless JSRuntime from runtimeFromMainThread()->isHeapCollecting()->isHeapMajorCollecting() is invalid. This should not happen, and how could the first dereference be correct?
Flags: needinfo?(ahuang)
We are waiting to hear back from naveed and get a comment here before making a blocking call here since he would be the best person to read the stack trace and give direction here.
Assignee: nobody → terrence
Flags: needinfo?(nihsanullah)
The crash address of 0x9ec means the runtime is null.

* We get the runtime here from Zone::runtime_.
* We get the zone by looking at the ArenaHeader::zone.
* We get the ArenaHeader* from the JSObject* by aligning the pointer to the page level and casting.

This would indicate that the JSObject* is pointing to a dead (and decommitted) JSObject. We have a steady trickle of crashes in all releases with this, or similar, signature: dead object in a WeakMap of unknown origin.

Thus far we have been unable to determine the root cause, despite significant effort. Sadly, any instrumentation we add to help track down the root cause is going to be heavy, as the problem is so non-local from the crash. We've been discussing whether to take this step on Nightly, and possibly Aurora, for as long as I've been here, but have not taken the time to do so yet. At the very least we should add tracking for it to the JS task list so we can prioritize it at the JS workweek.
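The pointer chain described in the comment above, as an added C++ sketch that is not SpiderMonkey code and not from the bug's participants: the struct layouts, the 4096-byte arena size and the placement of heapState at offset 0x9ec are assumptions chosen to mirror the reported crash address. It shows why a null runtime surfaces as a fault at a small address equal to the field offset.

```cpp
#include <cstddef>
#include <cstdint>
#include <cstdio>
#include <new>

// Constructed stand-ins: names, sizes and layouts are assumptions for
// illustration, not SpiderMonkey's real definitions.
constexpr std::uintptr_t kArenaSize = 4096;  // assumed arena size and alignment

struct Runtime {
    char other[0x9ec];  // padding chosen so heapState sits at the crash offset
    int heapState;
};
struct Zone { Runtime* runtime_; };
struct ArenaHeader { Zone* zone; };

struct Walk {
    bool faults;             // would the final load touch unmapped memory?
    std::uintptr_t address;  // address that load would touch
    const char* field;       // field being read at that point
};

// Align the cell pointer down to its arena and treat that as the header.
inline ArenaHeader* arenaHeaderOf(const void* cell) {
    auto p = reinterpret_cast<std::uintptr_t>(cell);
    return reinterpret_cast<ArenaHeader*>(p & ~(kArenaSize - 1));
}

// Follow cell -> ArenaHeader::zone -> Zone::runtime_ -> heapState, stopping
// before a null pointer is dereferenced and reporting where the load would land.
inline Walk walkToHeapState(const void* cell) {
    Zone* zone = arenaHeaderOf(cell)->zone;
    if (!zone)
        return {true, offsetof(Zone, runtime_), "Zone::runtime_"};
    Runtime* rt = zone->runtime_;
    if (!rt)
        return {true, offsetof(Runtime, heapState), "Runtime::heapState"};
    return {false, reinterpret_cast<std::uintptr_t>(&rt->heapState),
            "Runtime::heapState"};
}

// One arena of backing store; the header lives at its start.
alignas(kArenaSize) static unsigned char gArena[kArenaSize];

// Build a constructed arena whose zone points at `rt`, then walk from a cell.
inline Walk demo(Runtime* rt) {
    static Zone zone;
    zone.runtime_ = rt;                 // null models the state seen in the crash
    new (gArena) ArenaHeader{&zone};
    const void* cell = gArena + 0x140;  // constructed cell address inside the arena
    return walkToHeapState(cell);
}

int main() {
    Walk w = demo(nullptr);
    std::printf("faults=%d address=0x%zx field=%s\n", w.faults,
                static_cast<std::size_t>(w.address), w.field);
}
```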
Terrence, this bug might be a blocker for 1.3T, so I recommend moving on this right away. Let's put this into Aurora and Nightly. Thanks.
Keywords: leave-open
https://tbpl.mozilla.org/?tree=Try&rev=8ccf6513250e

As discussed on IRC, this expands our free pattern usage so that the tenured heap's usage more closely matches what we do in the nursery.
Attachment #8394260 - Flags: review?(jcoppeard)
Comment on attachment 8394260
expand_free_patterns-v0.diff

Review of attachment 8394260:
-----------------------------------------------------------------

::: js/src/gc/Marking.cpp
@@ +111,5 @@
> +    for (int i = 0; i < numPoisonBytes; ++i) {
> +        const uint8_t pb = poisonBytes[i];
> +        const uint32_t pw = pb | (pb << 8) | (pb << 16) | (pb << 24);
> +        JS_STATIC_ASSERT(sizeof(T) >= sizeof(FreeSpan) + sizeof(uint32_t));
> +        uint32_t *p =

The two lines above can be hoisted out of the for loop.
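Review bot: in the Marking.cpp hunk, `pb << 8`, `pb << 16` and `pb << 24` operate on a `uint8_t` that has been promoted to `int`, so a poison byte with its high bit set makes `pb << 24` shift into the sign bit. Widen before shifting, for example `const uint32_t b = pb;` and build `pw` from `b`, or compute `pw = pb * 0x01010101u`. The loop index is also a plain `int` compared against `numPoisonBytes`, whose type is not visible here; matching the index type to it avoids a signed/unsigned comparison.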

::: js/src/gc/Nursery.cpp
@@ +871,5 @@
>  js::Nursery::sweep(JSRuntime *rt)
>  {
>  #ifdef JS_GC_ZEAL
>      /* Poison the nursery contents so touching a freed object will crash. */
> +    JS_POISON((void *)start(), JS_SWEPT_NURSERY_PATTERN, NurserySize - sizeof(JSRuntime *));

On an unrelated note, doesn't this touch the whole nursery every time we collect, even the bits we've decommitted, causing them to be re-committed again?
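Review bot: the length argument `NurserySize - sizeof(JSRuntime *)` in the added `JS_POISON` call is unexplained. The existing comment says what the poisoning is for but not why the last pointer-sized slot of the nursery is excluded; a short comment or a named constant for the poisonable size would keep a later layout change from silently poisoning the wrong range. The call also sits under `#ifdef JS_GC_ZEAL`, so builds without that define get no nursery poisoning from this line.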

::: js/src/jsgc.cpp
@@ +492,5 @@
>      if (allClear) {
>          JS_ASSERT(newListTail == &newListHead);
>          JS_ASSERT(!newFreeSpanStart ||
>                    newFreeSpanStart == thingsStart(thingKind));
> +        JS_POISON(data, JS_SWEPT_TENURED_PATTERN, sizeof(data));

Can we poison the header too somewhere?  I guess in DecommitArenasFromAvailableList().
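Review bot: `sizeof(data)` in the added `JS_POISON(data, JS_SWEPT_TENURED_PATTERN, sizeof(data))` covers the arena payload only if `data` is an array member; its declaration is not visible in this hunk, and if it is a pointer only pointer-size bytes get poisoned. Worth confirming the declaration, or passing an explicit payload-size constant so the intended range is obvious at the call site.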
Attachment #8394260 - Flags: review?(jcoppeard) → review+
triage: 1.3T+ to resolve partner stability issues
blocking-b2g: 1.3T? → 1.3T+
We have bug 966490 on file, a similar-ish crash (touching a bogus object during weak map marking in IGC) that jandem noticed on crash stats.  It only affected 28, not 29, and later went away, so I closed it as incomplete.  Of course, it is possible that it went away on 28 because we only run certain kinds of poisoning on Nightly and Aurora.  Anyways, that bug doesn't have any more information than this one does.  I guess I'll reopen it and see if somebody familiar with crash stats can figure out when the crash went away.
What kinds of objects are used as weak map keys on B2G?  Globals, reflectors, something else?
Depends on: 966490
(In reply to Andrew McCreight [:mccr8] from comment #12)
> We have bug 966490 on file, a similar-ish crash (touching a bogus object
> during weak map marking in IGC) that jandem noticed on crash stats.  It only
> affected 28, not 29, and later went away, so I closed it as incomplete.  Of
> course, it is possible that it went away on 28 because we only run certain
> kinds of poisoning on Nightly and Aurora.  Anyways, that bug doesn't have
> any more information than this one does.  I guess I'll reopen it and see if
> somebody familiar with crash stats can figure out when the crash went away.

I have no permission to access bug 966490.
Joe, we have no STRs here. If we block on this bug, without clear STRs or a way to get them, we might have to block on this indefinitely and never release 1.3T. For that reason we usually only block on bugs with a STR or extremely high probability of the crash (which is almost as good as STR). Blocking on a rare crash means you don't ship :-/
blocking-b2g: 1.3T+ → 1.3T?
Flags: needinfo?(ttsai)
triage: minus for no clear STR
blocking-b2g: 1.3T? → -
The tree finally opened long enough to push this:
https://hg.mozilla.org/integration/mozilla-inbound/rev/c2adda06f871

Green try run here for the sceptical:
https://tbpl.mozilla.org/?tree=Try&rev=1812b9f0bbde

I'm still working on the followup to do more aggressive checking.
This appears to have regressed performance catastrophically on MacOS and 3-5% elsewhere. I'm going to implement a patch to cut back just a little on the unimportant stuff. In the meantime, maybe we'll get some useful new crashes.
Attached patch fix_poison_performance-v0.diff (obsolete)
This disables poisoning of just-allocated things and does not re-poison the full arena after it is clear, only the header. The only new poisoning once this patch is applied is the poisoning on the nursery. If we are still regressed badly after this lands, I will have to work on minimizing that too.
Attachment #8403650 - Flags: review?(jcoppeard)
Comment on attachment 8403650
fix_poison_performance-v0.diff

Review of attachment 8403650:
-----------------------------------------------------------------

Looks good.
Attachment #8403650 - Flags: review?(jcoppeard) → review+
Checkin ready version.
Attachment #8403650 - Attachment is obsolete: true
Attachment #8404035 - Flags: review+
Attachment #8394260 - Flags: checkin+
Keywords: checkin-needed
Depends on: 994253
Had to back out this change since it caused bustages like https://tbpl.mozilla.org/php/getParsedLog.php?id=37550258&tree=Mozilla-Inbound
Gah! Sorry for the bustage. We really just can't easily poison the arena header at all.
Attachment #8404035 - Attachment is obsolete: true
Attachment #8405627 - Flags: review+
Keywords: checkin-needed
Attachment #8405627 - Flags: checkin+
blocking-b2g: - → 1.3T?
Joe, why are you requesting to block on this? How frequently are we encountering this crash? This is an undiagnosed random memory bug. It could take many months to track it down.
Andreas, we don't have an approval flag for 1.3T so I am using 1.3T? instead.
It's really to evaluate if we want to uplift this to 1.3T, now that this is review+.
ni? ttsai for initial look
Flags: needinfo?(ttsai)
We have a diagnosis patch. Not a fix. There are still no leads here as far as I can tell. Uplifting this would buy us nothing on device.
Blocks: 989414
(In reply to Joe Cheng [:jcheng] from comment #29)
> Andreas, we don't have an approval flag for 1.3T so i am using 1.3T? instead.
> it's really to evaluate if we want to uplift this to 1.3T, now that this is
> review+
> ni? ttsai for initial look

I failed to apply these patches in 1.3T branch locally. The patches need to be rebased if Tarako needs them.
triage: put this to backlog, recent monkey tests did not show this crash
blocking-b2g: 1.3T? → backlog
Flags: needinfo?(ttsai)
blocking-b2g: backlog → ---
Status: NEW → RESOLVED
Closed: 3 years ago
Resolution: --- → WORKSFORME
Removing leave-open keyword from resolved bugs, per :sylvestre.
Keywords: leave-open