#5655 closed defect (fixed)
js::GCMarker::eagerlyMarkChildren segfault
| Reported by: | Silier | Owned by: | wraitii |
|---|---|---|---|
| Priority: | Release Blocker | Milestone: | Alpha 24 |
| Component: | Core engine | Keywords: | |
| Cc: | | Patch: | |
Description
rP23293: I have got 2 access violation readings while playing a multiplayer game.
Attachments (2)
Change History (13)
by , 4 years ago
| Attachment: | accviol.zip added |
|---|---|
by , 4 years ago
| Attachment: | next one.zip added |
|---|---|
comment:2 by , 4 years ago
This crashdump comes from Zwuckel from today's svn match:
> mozjs45-ps-release-vc140.dll!js::GCMarker::eagerlyMarkChildren(JSRope * rope=0x13402360) Line 1088 C++ Symbols loaded.
> [Inline Frame] mozjs45-ps-release-vc140.dll!js::GCMarker::eagerlyMarkChildren(JSString *) Line 1008 C++ Symbols loaded.
> [Inline Frame] mozjs45-ps-release-vc140.dll!js::GCMarker::markAndScan(JSString *) Line 820 C++ Symbols loaded.
> [Inline Frame] mozjs45-ps-release-vc140.dll!js::GCMarker::traverse(JSString *) Line 823 C++ Symbols loaded.
> [Inline Frame] mozjs45-ps-release-vc140.dll!js::GCMarker::traverseEdge(JSObject *) Line 876 C++ Symbols loaded.
> mozjs45-ps-release-vc140.dll!js::GCMarker::processMarkStackTop(js::SliceBudget & budget={...}) Line 1430 C++ Symbols loaded.
> mozjs45-ps-release-vc140.dll!js::GCMarker::drainMarkStack(js::SliceBudget & budget={...}) Line 1294 C++ Symbols loaded.
> [Inline Frame] mozjs45-ps-release-vc140.dll!js::gc::GCRuntime::drainMarkStack(js::SliceBudget &) Line 5348 C++ Symbols loaded.
> mozjs45-ps-release-vc140.dll!js::gc::GCRuntime::incrementalCollectSlice(js::SliceBudget & budget={...}, JS::gcreason::Reason reason=REFRESH_FRAME) Line 6048 C++ Symbols loaded.
> mozjs45-ps-release-vc140.dll!js::gc::GCRuntime::gcCycle(bool nonincrementalByAPI=true, js::SliceBudget & budget={...}, JS::gcreason::Reason reason=REFRESH_FRAME) Line 6281 C++ Symbols loaded.
> mozjs45-ps-release-vc140.dll!js::gc::GCRuntime::collect(bool nonincrementalByAPI=true, js::SliceBudget budget={...}, JS::gcreason::Reason reason=REFRESH_FRAME) Line 6387 C++ Symbols loaded.
> mozjs45-ps-release-vc140.dll!js::gc::GCRuntime::gc(JSGCInvocationKind gckind=GC_SHRINK, JS::gcreason::Reason reason=REFRESH_FRAME) Line 6443 C++ Symbols loaded.
> mozjs45-ps-release-vc140.dll!JS::GCForReason(JSRuntime * rt=0x1d170e80, JSGCInvocationKind gckind=17822696, JS::gcreason::Reason reason=17822656) Line 7341 C++ Symbols loaded.
> [Inline Frame] mozjs45-ps-release-vc140.dll!js_free(void *) Line 244 C++ Symbols loaded.
> [Inline Frame] mozjs45-ps-release-vc140.dll!js::TempAllocPolicy::free_(void *) Line 128 C++ Symbols loaded.
> mozjs45-ps-release-vc140.dll!js::detail::HashTable<js::wasm::LifoSig const * const,js::HashSet<js::wasm::LifoSig const *,js::wasm::ModuleGenerator::SigHashPolicy,js::TempAllocPolicy>::SetOps,js::TempAllocPolicy>::changeTableSize(int deltaLog2=488050304, js::detail::HashTable<js::wasm::LifoSig const * const,js::HashSet<js::wasm::LifoSig const *,js::wasm::ModuleGenerator::SigHashPolicy,js::TempAllocPolicy>::SetOps,js::TempAllocPolicy>::FailureBehavior reportFailure=17822696) Line 1425 C++ Symbols loaded.
Perhaps one can reproduce it with one of the options described here: wiki:JSRootingGuide#TestingRooting
comment:3 by , 4 years ago
I ran the replay visually and non-visually, and a rejoin test (with only a few turns simulated after rejoin) using this GCZeal patch:
Index: libraries/source/spidermonkey/build.sh =================================================================== --- libraries/source/spidermonkey/build.sh (revision 23332) +++ libraries/source/spidermonkey/build.sh (working copy) @@ -134,7 +134,7 @@ else CXXFLAGS="${CXXFLAGS} ${TLCXXFLAGS}" ../configure ${CONF_OPTS} \ --enable-optimize \ - #--enable-gczeal \ + --enable-gczeal \ #--enable-debug-symbols fi ${MAKE} ${MAKE_OPTS} Index: source/gui/CGUI.cpp =================================================================== --- source/gui/CGUI.cpp (revision 23332) +++ source/gui/CGUI.cpp (working copy) @@ -55,6 +55,7 @@ { m_ScriptInterface.reset(new ScriptInterface("Engine", "GUIPage", runtime)); m_ScriptInterface->SetCallbackData(this); + JS_SetGCZeal(m_ScriptInterface->GetContext(), 6, 2000); GuiScriptingInit(*m_ScriptInterface); m_ScriptInterface->LoadGlobalScripts(); Index: source/simulation2/system/ComponentManager.cpp =================================================================== --- source/simulation2/system/ComponentManager.cpp (revision 23332) +++ source/simulation2/system/ComponentManager.cpp (working copy) @@ -60,6 +60,8 @@ { context.SetComponentManager(this); + JS_SetGCZeal(m_ScriptInterface.GetContext(), 10, 1000); + m_ScriptInterface.SetCallbackData(static_cast<void*> (this)); m_ScriptInterface.ReplaceNondeterministicRNG(m_RNG);
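Review bot: the build.sh hunk only flips `--enable-gczeal` inside the `else` branch of that configure call (the one whose context also shows `#--enable-debug-symbols`), so a build that takes the other branch of the surrounding `if` still links a zeal-less library, and the prebuilt mozjs45-ps-release-vc140.dll behind the Windows traces in this ticket is untouched either way; since JS_SetGCZeal only exists when the library is configured with --enable-gczeal, confirm the replay actually ran against the rebuilt library before reading "never triggered a crash" as evidence. While in this hunk, uncommenting `#--enable-debug-symbols` as well would make any zeal-induced crash come with a usable trace.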
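Review bot: in the ComponentManager.cpp hunk, `JS_SetGCZeal(m_ScriptInterface.GetContext(), 10, 1000);` will silently override the `JS_SetGCZeal(m_ScriptInterface->GetContext(), 6, 2000);` from the CGUI.cpp hunk if the two ScriptInterfaces share a runtime (CGUI's is constructed on the `runtime` argument shown in its context lines): in SpiderMonkey 45 the zeal mode and frequency are stored on the runtime's GCRuntime, not on the JSContext, so whichever call runs last is the only one in force. Pick one mode per runtime, or read it back with JS_GetGCZeal before the replay, and add a one-line comment naming what modes 6 and 10 do, since `6, 2000` and `10, 1000` are bare magic numbers in both hunks.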
See also https://developer.mozilla.org/en-US/docs/Mozilla/Projects/SpiderMonkey/JSAPI_reference/JS_SetGCZeal.
However it never triggered a crash.
I didn't attempt the wiki:StaticRootingAnalysis yet, but the plugin file is offline and perhaps it became obsolete.
When searching the web for GCMarker::eagerlyMarkChildren
we find many crashes (duplicate reports) with that trace for Firefox 54/55,
https://bugzilla.mozilla.org/show_bug.cgi?id=1337578
fixed by https://bugzilla.mozilla.org/show_bug.cgi?id=1337578
It's marked as a regression; it seems the same bug had already occurred before then, here in FF53: https://bugzilla.mozilla.org/show_bug.cgi?id=1324002
comment:4 by , 4 years ago
Crash callstack after pressing ESC in the options menu:
mozjs45-ps-release-vc140.dll!js::GCMarker::eagerlyMarkChildren(JSRope * rope=0x17b6e040) Line 1088 C++ Symbols loaded.
[Inline Frame] mozjs45-ps-release-vc140.dll!js::GCMarker::eagerlyMarkChildren(JSString *) Line 1008 C++ Symbols loaded.
[Inline Frame] mozjs45-ps-release-vc140.dll!js::GCMarker::markAndScan(JSString *) Line 820 C++ Symbols loaded.
[Inline Frame] mozjs45-ps-release-vc140.dll!js::GCMarker::traverse(JSString *) Line 823 C++ Symbols loaded.
[Inline Frame] mozjs45-ps-release-vc140.dll!js::GCMarker::traverseEdge(JSObject *) Line 876 C++ Symbols loaded.
mozjs45-ps-release-vc140.dll!js::GCMarker::processMarkStackTop(js::SliceBudget & budget={...}) Line 1430 C++ Symbols loaded.
mozjs45-ps-release-vc140.dll!js::GCMarker::drainMarkStack(js::SliceBudget & budget={...}) Line 1294 C++ Symbols loaded.
[Inline Frame] mozjs45-ps-release-vc140.dll!js::gc::GCRuntime::drainMarkStack(js::SliceBudget &) Line 5348 C++ Symbols loaded.
mozjs45-ps-release-vc140.dll!js::gc::GCRuntime::incrementalCollectSlice(js::SliceBudget & budget={...}, JS::gcreason::Reason reason=DESTROY_CONTEXT) Line 6048 C++ Symbols loaded.
mozjs45-ps-release-vc140.dll!js::gc::GCRuntime::gcCycle(bool nonincrementalByAPI=true, js::SliceBudget & budget={...}, JS::gcreason::Reason reason=DESTROY_CONTEXT) Line 6281 C++ Symbols loaded.
mozjs45-ps-release-vc140.dll!js::gc::GCRuntime::collect(bool nonincrementalByAPI=true, js::SliceBudget budget={...}, JS::gcreason::Reason reason=DESTROY_CONTEXT) Line 6387 C++ Symbols loaded.
mozjs45-ps-release-vc140.dll!js::gc::GCRuntime::gc(JSGCInvocationKind gckind=GC_NORMAL, JS::gcreason::Reason reason=DESTROY_CONTEXT) Line 6443 C++ Symbols loaded.
mozjs45-ps-release-vc140.dll!js::DestroyContext(JSContext * cx=0x4d90b500, js::DestroyContextMode mode=DCM_FORCE_GC) Line 182 C++ Symbols loaded.
mozjs45-ps-release-vc140.dll!JS_DestroyContext(JSContext * cx=0x4d90b500) Line 573 C++ Symbols loaded.
pyrogenesis.exe!ScriptInterface_impl::~ScriptInterface_impl() Line 396 C++ Symbols loaded.
pyrogenesis.exe!ScriptInterface::~ScriptInterface() Line 426 C++ Symbols loaded.
> pyrogenesis.exe!std::_Ref_count<ScriptInterface>::_Destroy() Line 153 C++ Non-user code. Symbols loaded.
[Inline Frame] pyrogenesis.exe!std::_Ref_count_base::_Decref() Line 112 C++ Symbols loaded.
[Inline Frame] pyrogenesis.exe!std::_Ptr_base<ScriptInterface>::_Decref() Line 338 C++ Symbols loaded.
[Inline Frame] pyrogenesis.exe!std::shared_ptr<ScriptInterface>::{dtor}() Line 567 C++ Symbols loaded.
pyrogenesis.exe!CGUI::~CGUI() Line 70 C++ Symbols loaded.
pyrogenesis.exe!std::_Ref_count<CGUI>::_Destroy() Line 153 C++ Non-user code. Symbols loaded.
[Inline Frame] pyrogenesis.exe!std::_Ref_count_base::_Decref() Line 112 C++ Symbols loaded.
[Inline Frame] pyrogenesis.exe!std::_Ptr_base<CGUI>::_Decref() Line 338 C++ Symbols loaded.
[Inline Frame] pyrogenesis.exe!std::shared_ptr<CGUI>::{dtor}() Line 567 C++ Symbols loaded.
pyrogenesis.exe!CGUIManager::HandleEvent(const SDL_Event_ * ev=0x004ff720) Line 310 C++ Symbols loaded.
pyrogenesis.exe!gui_handler(const SDL_Event_ * ev=0x004ff720) Line 51 C++ Symbols loaded.
pyrogenesis.exe!in_dispatch_event(const SDL_Event_ * ev=0x004ff720) Line 62 C++ Symbols loaded.
pyrogenesis.exe!PumpEvents() Line 227 C++ Symbols loaded.
pyrogenesis.exe!Frame() Line 372 C++ Symbols loaded.
pyrogenesis.exe!RunGameOrAtlas(int argc=1, const char * * argv=0x02540008) Line 638 C++ Symbols loaded.
pyrogenesis.exe!SDL_main(int argc=1, char * * argv=0x02540008) Line 684 C++ Symbols loaded.
pyrogenesis.exe!main_utf8(int argc=1, char * * argv=0x02540008) Line 126 C Symbols loaded.
pyrogenesis.exe!wmain(int argc=1, unsigned short * * wargv=0x005a7980, unsigned short * wenvp=0x005d0328) Line 151 C Symbols loaded.
[Inline Frame] pyrogenesis.exe!invoke_main() Line 79 C++ Non-user code. Symbols loaded.
pyrogenesis.exe!__scrt_common_main_seh() Line 253 C++ Non-user code. Symbols loaded.
pyrogenesis.exe!CallStartupWithinTryBlock() Line 365 C++ Symbols loaded.
kernel32.dll!75fe6359() Unknown Non-user code. Cannot find or open the PDB file.
[Frames below may be incorrect and/or missing, no symbols loaded for kernel32.dll] Unknown No symbols loaded.
ntdll.dll!77cf7b74() Unknown Non-user code. Cannot find or open the PDB file.
ntdll.dll!77cf7b44() Unknown Non-user code. Cannot find or open the PDB file.
comment:5 by , 4 years ago
Program terminated with signal SIGSEGV, Segmentation fault.
#0 JSString::isPermanentAtom (this=<optimized out>) at /home/elexis/code/0ad-svn4/trunk/libraries/source/spidermonkey/mozjs-45.0.2/js/src/vm/String.h:452
452 return (d.u1.flags & PERMANENT_ATOM_MASK) == PERMANENT_ATOM_MASK;
[Current thread is 1 (Thread 0x7f63d6b89bc0 (LWP 63581))]
/usr/lib/../share/gcc-9.2.0/python/libstdcxx/v6/xmethods.py:731: SyntaxWarning: list indices must be integers or slices, not str; perhaps you missed a comma?
refcounts = ['_M_refcount']['_M_pi']
(gdb) info stack
#0 JSString::isPermanentAtom (this=<optimized out>) at /home/elexis/code/0ad-svn4/trunk/libraries/source/spidermonkey/mozjs-45.0.2/js/src/vm/String.h:452
#1 js::GCMarker::eagerlyMarkChildren (this=<optimized out>, linearStr=0x4b4b4b4b4b4b4b4b) at /home/elexis/code/0ad-svn4/trunk/libraries/source/spidermonkey/mozjs-45.0.2/js/src/gc/Marking.cpp:1028
#2 js::GCMarker::eagerlyMarkChildren (str=0x4b4b4b4b4b4b4b4b, this=0x555da85e9240) at /home/elexis/code/0ad-svn4/trunk/libraries/source/spidermonkey/mozjs-45.0.2/js/src/gc/Marking.cpp:1006
#3 js::GCMarker::markAndScan<JSString> (this=this@entry=0x555da85e9240, thing=<optimized out>) at /home/elexis/code/0ad-svn4/trunk/libraries/source/spidermonkey/mozjs-45.0.2/js/src/gc/Marking.cpp:820
#4 0x00007f63db0228eb in js::GCMarker::traverse<JSString*> (thing=<optimized out>, this=0x555da85e9240) at /home/elexis/code/0ad-svn4/trunk/libraries/source/spidermonkey/mozjs-45.0.2/js/src/gc/Marking.cpp:859
#5 js::GCMarker::traverseEdge<JSObject*, JSString> (source=<optimized out>, target=<optimized out>, this=0x555da85e9240) at /home/elexis/code/0ad-svn4/trunk/libraries/source/spidermonkey/mozjs-45.0.2/js/src/gc/Marking.cpp:876
#6 js::GCMarker::processMarkStackTop (this=this@entry=0x555da85e9240, budget=...) at /home/elexis/code/0ad-svn4/trunk/libraries/source/spidermonkey/mozjs-45.0.2/js/src/gc/Marking.cpp:1429
#7 0x00007f63db019295 in js::GCMarker::drainMarkStack (this=this@entry=0x555da85e9240, budget=...) at /home/elexis/code/0ad-svn4/trunk/libraries/source/spidermonkey/mozjs-45.0.2/js/src/gc/Marking.cpp:1293
#8 0x00007f63dadaa6c8 in js::gc::GCRuntime::drainMarkStack (phase=js::gcstats::PHASE_MARK, sliceBudget=..., this=0x555da85e73f8) at /home/elexis/code/0ad-svn4/trunk/libraries/source/spidermonkey/mozjs-45.0.2/js/src/jsgc.cpp:5348
#9 js::gc::GCRuntime::incrementalCollectSlice (this=this@entry=0x555da85e73f8, budget=..., reason=reason@entry=JS::gcreason::REFRESH_FRAME) at /home/elexis/code/0ad-svn4/trunk/libraries/source/spidermonkey/mozjs-45.0.2/js/src/jsgc.cpp:6048
#10 0x00007f63dadabc18 in js::gc::GCRuntime::gcCycle (this=this@entry=0x555da85e73f8, nonincrementalByAPI=nonincrementalByAPI@entry=true, budget=..., reason=reason@entry=JS::gcreason::REFRESH_FRAME) at /home/elexis/code/0ad-svn4/trunk/libraries/source/spidermonkey/mozjs-45.0.2/js/src/jsgc.cpp:6278
#11 0x00007f63dadac158 in js::gc::GCRuntime::collect (this=this@entry=0x555da85e73f8, nonincrementalByAPI=nonincrementalByAPI@entry=true, budget=..., reason=reason@entry=JS::gcreason::REFRESH_FRAME) at /home/elexis/code/0ad-svn4/trunk/libraries/source/spidermonkey/mozjs-45.0.2/js/src/jsgc.cpp:6384
#12 0x00007f63dadac83f in js::gc::GCRuntime::gc (reason=JS::gcreason::REFRESH_FRAME, gckind=GC_SHRINK, this=0x555da85e73f8) at ../../dist/include/js/SliceBudget.h:59
#13 JS::GCForReason (rt=0x555da85e7000, gckind=gckind@entry=GC_SHRINK, reason=reason@entry=JS::gcreason::REFRESH_FRAME) at /home/elexis/code/0ad-svn4/trunk/libraries/source/spidermonkey/mozjs-45.0.2/js/src/jsgc.cpp:7340
#14 0x0000555da6f1b8e7 in ScriptRuntime::ShrinkingGC (this=0x555da85c2eb0) at ../../../source/scriptinterface/ScriptRuntime.cpp:261
#15 0x0000555da6dd8c4a in CSimulation2Impl::Update (this=0x555da97773a0, turnLength=<optimized out>, commands=...) at /usr/include/c++/9.2.0/bits/shared_ptr_base.h:1020
#16 0x0000555da6e1b2bb in CTurnManager::Update (this=0x555da9678410, simFrameLength=<optimized out>, maxTurns=1) at ../../../source/simulation2/system/TurnManager.cpp:166
#17 0x0000555da6f6282f in CGame::Update (this=0x555da96ccea0, deltaRealTime=0.027932791039347649, doInterpolate=<optimized out>) at ../../../source/ps/Game.cpp:400
#18 0x0000555da6d7cb5e in Frame () at ../../../source/main.cpp:393
#19 0x0000555da6d80d25 in RunGameOrAtlas (argc=<optimized out>, argv=<optimized out>) at ../../../source/main.cpp:638
#20 0x0000555da6d70e7a in main (argc=1, argv=0x7ffd53589cd8) at ../../../source/main.cpp:684
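The gdb trace in comment:5 shows the marker being handed `linearStr=0x4b4b4b4b4b4b4b4b`, and comment:3 tries to shake the bug out with GC zeal. The following is an added example, not SpiderMonkey or pyrogenesis code: a toy mark-and-sweep heap that poisons swept cells the way SpiderMonkey does (assumption: in SpiderMonkey 45 the swept-tenured-cell poison byte, JS_SWEPT_TENURED_PATTERN, is 0x4B, which is why a pointer loaded from a swept cell reads back as all-0x4B), plus a zeal knob that collects every N allocations. All names (`toygc`, `Heap`, `Cell`, `StaleEdgeIsCaught`, and so on) are invented for the demo. It shows the two things the thread is circling: a raw C++ pointer held across a collection without rooting, later written back into the heap, makes the next mark pass follow an edge into poisoned memory; and zeal turns a "collection happened to land between two lines" bug into one that fires on the first run.

```cpp
// Added example, not project code. Toy mark-and-sweep heap with SpiderMonkey-style
// poisoning of swept cells and a zeal knob; names and layout are invented here.
#include <cstddef>
#include <cstdint>
#include <cstring>
#include <vector>

namespace toygc {

// Assumption: JS_SWEPT_TENURED_PATTERN in SpiderMonkey 45 is this byte.
constexpr unsigned char kSweptPattern = 0x4B;

struct Cell {
    Cell* child;     // the one edge the marker follows (think JSRope::leftChild)
    char  text[24];  // payload, so a live cell is distinguishable from poison
};

enum class MarkResult { Ok, DanglingEdge };

// True when every byte of the pointer value is the sweep poison: the pointer was
// loaded from a cell that has already been swept, not from a live object.
inline bool IsSweptPoison(const void* p) {
    unsigned char bytes[sizeof p];
    std::memcpy(bytes, &p, sizeof p);
    for (unsigned char b : bytes) if (b != kSweptPattern) return false;
    return true;
}

class Heap {
public:
    // zealFrequency > 0 forces a collection every N allocations (like a
    // "collect every N allocations" zeal mode); 0 is a normal lazy collector.
    explicit Heap(std::size_t cells, unsigned zealFrequency = 0)
        : arena_(cells, Cell{}), inUse_(cells, false), marked_(cells, false),
          zeal_(zealFrequency) {}

    Cell* Alloc(const char* text, Cell* child = nullptr) {
        if (zeal_ != 0 && ++allocs_ % zeal_ == 0) Collect();  // zeal: allocation may GC
        for (std::size_t n = 0; n < arena_.size(); ++n) {
            std::size_t i = (next_ + n) % arena_.size();  // round-robin slot reuse
            if (inUse_[i]) continue;
            inUse_[i] = true;
            next_ = i + 1;
            Cell& c = arena_[i];
            c.child = child;
            std::strncpy(c.text, text, sizeof c.text - 1);
            c.text[sizeof c.text - 1] = '\0';
            return &c;
        }
        return nullptr;  // arena exhausted
    }

    // Roots are C++ slots the collector knows about: the job JS::Rooted does.
    void AddRoot(Cell** slot) { roots_.push_back(slot); }

    MarkResult Collect() {
        marked_.assign(marked_.size(), false);
        MarkResult result = MarkResult::Ok;
        for (Cell** slot : roots_)
            if (*slot != nullptr && Mark(*slot) == MarkResult::DanglingEdge)
                result = MarkResult::DanglingEdge;
        for (std::size_t i = 0; i < arena_.size(); ++i)
            if (inUse_[i] && !marked_[i]) {  // unreachable: poison it and free the slot
                std::memset(&arena_[i], kSweptPattern, sizeof(Cell));
                inUse_[i] = false;
            }
        return result;
    }

    bool IsLive(const Cell* c) const { return InArena(c) && inUse_[Index(c)]; }

private:
    bool InArena(const Cell* c) const {
        auto a = reinterpret_cast<std::uintptr_t>(c);
        auto lo = reinterpret_cast<std::uintptr_t>(arena_.data());
        return a >= lo && a < lo + arena_.size() * sizeof(Cell);
    }
    std::size_t Index(const Cell* c) const { return static_cast<std::size_t>(c - arena_.data()); }

    MarkResult Mark(Cell* c) {
        // eagerlyMarkChildren dereferenced 0x4b4b4b4b4b4b4b4b here and died;
        // recognise the poison instead of trusting the edge.
        if (IsSweptPoison(c) || !InArena(c)) return MarkResult::DanglingEdge;
        std::size_t i = Index(c);
        if (marked_[i]) return MarkResult::Ok;
        marked_[i] = true;
        return c->child == nullptr ? MarkResult::Ok : Mark(c->child);
    }

    std::vector<Cell> arena_;
    std::vector<bool> inUse_, marked_;  // kept outside the cells, like a mark bitmap
    std::vector<Cell**> roots_;
    unsigned zeal_;
    unsigned allocs_ = 0;
    std::size_t next_ = 0;
};

// A rooted chain survives a collection intact.
bool RootedChainSurvives() {
    Heap heap(8);
    Cell* rope = nullptr;
    heap.AddRoot(&rope);
    rope = heap.Alloc("rope");
    rope->child = heap.Alloc("leaf");
    Cell* leaf = rope->child;
    heap.Collect();
    return heap.IsLive(rope) && heap.IsLive(leaf) && std::strcmp(leaf->text, "leaf") == 0;
}

// The bug class behind the trace: an unrooted C++ pointer outlives a GC and is
// written back into a live object. The next mark pass follows the edge into the
// swept cell, whose child field now reads as all-0x4B.
MarkResult StaleEdgeIsCaught(unsigned zealFrequency) {
    Heap heap(8, zealFrequency);
    Cell* rope = nullptr;
    heap.AddRoot(&rope);
    rope = heap.Alloc("rope");
    Cell* stale = heap.Alloc("temp", heap.Alloc("temp-child"));  // never rooted
    heap.Collect();       // "temp" and its child are swept and poisoned
    rope->child = stale;  // stale pointer stored into the live heap
    return heap.Collect();
}

// Why comment:3 enables zeal: holding an unrooted pointer across an allocation
// is only wrong if that allocation collects. Zeal makes it collect.
bool ZealExposesUnrootedTemp(unsigned zealFrequency) {
    Heap heap(8, zealFrequency);
    Cell* child = heap.Alloc("child");           // unrooted local
    Cell* parent = heap.Alloc("parent", child);  // with zeal, this GC sweeps child
    return !heap.IsLive(parent->child);
}

}  // namespace toygc
```

`ZealExposesUnrootedTemp(0)` returns false and the code looks correct in an ordinary run; `ZealExposesUnrootedTemp(1)` returns true, because the forced collection inside the second `Alloc` sweeps the unrooted `child` first. `StaleEdgeIsCaught` reports `DanglingEdge` with or without zeal, but only because the marker checks for the poison pattern before dereferencing; a real marker trusts its edges, which is exactly the crash at `isPermanentAtom` above. Note also that without poisoning a reused slot would simply hand the marker the wrong object, so the 0x4B pattern in the trace is the friendliest form this bug can take.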
comment:6 by , 4 years ago
| Summary: | Access violation while playing multiplayer → js::GCMarker::eagerlyMarkChildren segfault |
|---|---|
comment:7 by , 4 years ago
The same stack trace in both the GUI and the simulation context indicates that it's either two people doing the same stupid thing in both folders, or that it's a SpiderMonkey issue from rP22627 (according to Occam, it's the latter).