Rev5 MacOSX Mountain Lion 10.8 mozilla-inbound debug test marionette https://treeherder.mozilla.org/ui/logviewer.html#?job_id=4030729&repo=mozilla-inbound 22:56:08 ERROR - PROCESS-CRASH | runner.py | application crashed [@ mozilla::dom::AutoNoJSAPI::AutoNoJSAPI(bool)] 22:56:08 INFO - Crash dump filename: /var/folders/np/253ng38x5ln5h1fwm2gjh92h00000w/T/tmpDdX9PS.mozrunner/minidumps/623830CC-4F28-47AF-803A-001499FE870C.dmp 22:56:08 INFO - Operating system: Mac OS X 22:56:08 INFO - 10.8.0 12A269 22:56:08 INFO - CPU: amd64 22:56:08 INFO - family 6 model 42 stepping 7 22:56:08 INFO - 8 CPUs 22:56:08 INFO - Crash reason: EXC_BAD_ACCESS / KERN_INVALID_ADDRESS 22:56:08 INFO - Crash address: 0x0 22:56:08 INFO - Thread 0 (crashed) 22:56:08 INFO - 0 XUL!mozilla::dom::AutoNoJSAPI::AutoNoJSAPI(bool) [ScriptSettings.cpp:8c37c5083952 : 566 + 0x0] 22:56:08 INFO - rbx = 0x00007fff7584ec68 r12 = 0x0000000000020418 22:56:08 INFO - r13 = 0x00000001141150e8 r14 = 0x0000000000000001 22:56:08 INFO - r15 = 0x00000001200e9bc0 rip = 0x00000001021b8d43 22:56:08 INFO - rsp = 0x00007fff5fbf9640 rbp = 0x00007fff5fbf9650 22:56:08 INFO - Found by: given as instruction pointer in context 22:56:08 INFO - 1 XUL!nsTextEditorState::GetValue(nsAString_internal&, bool) const [nsTextEditorState.cpp:8c37c5083952 : 1844 + 0x13] 22:56:08 INFO - rbx = 0x0000000000000001 r12 = 0x0000000000020418 22:56:08 INFO - r13 = 0x00000001141150e8 r14 = 0x00007fff5fbf98c0 22:56:08 INFO - r15 = 0x00000001200e9bc0 rip = 0x0000000102d89748 22:56:08 INFO - rsp = 0x00007fff5fbf9660 rbp = 0x00007fff5fbf9800 22:56:08 INFO - Found by: call frame info 22:56:08 INFO - 2 XUL!nsTextEditorState::UnbindFromFrame(nsTextControlFrame*) [nsTextEditorState.cpp:8c37c5083952 : 1534 + 0xf] 22:56:08 INFO - rbx = 0x000000011fb97408 r12 = 0x00000001200e9bc0 22:56:08 INFO - r13 = 0x00000001141150e8 r14 = 0x00007fff5fbf98c0 22:56:08 INFO - r15 = 0x00007fff5fbf98e0 rip = 0x0000000102d866f7 22:56:08 INFO - rsp = 0x00007fff5fbf9810 rbp = 0x00007fff5fbf99a0 22:56:08 INFO - Found by: call frame info 22:56:08 INFO - 3 XUL!nsTextControlFrame::DestroyFrom(nsIFrame*) [nsTextControlFrame.cpp:8c37c5083952 : 131 + 0xb] 22:56:08 INFO - rbx = 0x0000000000000000 r12 = 0x000000011fb97408 22:56:08 INFO - r13 = 0x00000001141150e8 r14 = 0x000000012402f458 22:56:08 INFO - r15 = 0x000000011fb97408 rip = 0x0000000103839ade 22:56:08 INFO - rsp = 0x00007fff5fbf99b0 rbp = 0x00007fff5fbf99e0 22:56:08 INFO - Found by: call frame info 22:56:08 INFO - 4 XUL!nsLineBox::DeleteLineList(nsPresContext*, nsLineList&, nsIFrame*, nsFrameList*) [nsLineBox.cpp:8c37c5083952 : 388 + 0xc] 22:56:08 INFO - rbx = 0x0000000120596a20 r12 = 0x000000011fb97408 22:56:08 INFO - r13 = 0x00000001141150e8 r14 = 0x000000012402f458 22:56:08 INFO - r15 = 0x0000000120596a58 rip = 0x00000001037d19b0

Luke, any idea what the AsmJSSignalHandlers.cpp stuff is all about?

Thread 0 seems to be crashing because of an AutoNoJSAPI in GetValue where the callstack contains active JS. On OSX, because of Mach weirdness, AsmJSSignalHandler runs in a separate thread that gets notified any time there is a SEGV which just happened on Thread 0 due to MOZ_CRASH in AutoNoJSAPI. Nowhere in AsmJSSignalHandler is there a call to AutoNoJSAPI, so I expect frame 2 on Thread 17 is bogus. bholley may be able to make something of thread 0's stack to see what's going on here.

So presumably what's happening is that js::Invoke throws, and then the AutoGCIfNeeded triggers a GC as it comes off the stack. This triggers a long callstack, which eventually finds its way down to an AutoNoJSAPI, which asserts that there is no pending exception (which there is). This assertion is designed to enforce the invariant that luke wanted in bug 989528 comment 12. So we have a few options: (1) Avoid GCing when an exception is pending. (2) Make AutoNoJSAPI fallible (like AutoJSAPI etc), and have it fail to initialize when there's an exception pending on the active cx. (3) Allow AutoNoJSAPI when an exception is pending. Thoughts, luke?

1 and 2 sound undesirable, so I'd go with 3. Since AutoNoJSAPI seems to mean "I shouldn't be running script" and the exception invariant is "an exception shouldn't be pending when I run JS", there seems to be an impedance mismatch anyhow. Really, it's AutoEntryScript's ctor which sounds to me like a good place for this assertion, but I don't really understand all the nuances of these Auto classes.

Comment on attachment 8538126 [details] [diff] [review] Don't assert against pending exceptions in AutoNoJSAPI - do it in AutoJSAPI::InitInternal instead. v1 Review of attachment 8538126 [details] [diff] [review]: ----------------------------------------------------------------- Great, thanks.

So, this is orange on try. It looks like the reason is that we actually do instantiate an AutoEntryScript with a pending exception on the stack in two places - XPCWrappedJSClass:CheckForPendingException, and workers. The latter, unfortunately, can't be fixed until nsm finishes bug 1072144. So I'm splitting these pieces out.

Just removed the problematic assert in the mean time: https://hg.mozilla.org/integration/mozilla-inbound/rev/51ea551dd266

Please request Aurora/Beta approval on this when you get a chance :)

Comment on attachment 8538126 [details] [diff] [review] Don't assert against pending exceptions in AutoNoJSAPI - do it in AutoJSAPI::InitInternal instead. v1 The patch landed for this bug just removes an assertion that was firing intermittently in automation. No impact on the bits we ship.

Comment on attachment 8538126 [details] [diff] [review] Don't assert against pending exceptions in AutoNoJSAPI - do it in AutoJSAPI::InitInternal instead. v1 a=test-only works too, but approving to get this expidited.

https://hg.mozilla.org/releases/mozilla-aurora/rev/5590fdb108c5 https://hg.mozilla.org/releases/mozilla-beta/rev/b5fb6408eb27