Bug 52762 - Firefox 11 segfault with gcc 4.7 (-O3 -march=corei7-avx)
Status: RESOLVED INVALID
Alias: None
Product: gcc
Classification: Unclassified
Component: c++
Version: 4.7.0
Importance: P3 normal
Target Milestone: ---
Assignee: Not yet assigned to anyone
Reported: 2012-03-29 06:36 UTC by Dâniel Fraga
Modified: 2013-06-15 00:26 UTC
Last reconfirmed: 2012-04-04 00:00:00
Description Dâniel Fraga 2012-03-29 06:36:00 UTC
I compiled Firefox 11 source code with gcc 4.7 and the following optimization:

-O3 -march=corei7-avx (for Sandy Bridge, core i7 2700k)

If I use just -march=corei7 it runs fine. GCC bug?

It compiled fine, but it segfaults:

#0  0x00007f6e37521360 in ?? () from /usr/local/lib/firefox-11.0/libxul.so
#1  0x00007f6e3752d099 in ?? () from /usr/local/lib/firefox-11.0/libxul.so
#2  0x00007f6e3753e3fa in ?? () from /usr/local/lib/firefox-11.0/libxul.so
#3  0x00007f6e3753a073 in ?? () from /usr/local/lib/firefox-11.0/libxul.so
#4  0x00007f6e37874bdf in ?? () from /usr/local/lib/firefox-11.0/libxul.so
#5  0x00007f6e378740db in ?? () from /usr/local/lib/firefox-11.0/libxul.so
#6  0x00007f6e285fb3c0 in ?? ()
#7  0x0000000000000003 in ?? ()
#8  0x00007f6e1dc35da0 in ?? ()
#9  0x00007f6e1f0c3fd0 in ?? ()
#10 0x00007f6e1f31df30 in ?? ()
#11 0x00007f6e1e6e3e90 in ?? ()
#12 0xff00000000000000 in ?? ()
#13 0x00ffffffffffffff in ?? ()
#14 0x00444949534a736e in ?? ()
#15 0x726567616e614d79 in ?? ()
#16 0x32850f003a0074f4 in ?? ()
#17 0x777c810000004085 in ?? ()
#18 0x00000e850f003f00 in ?? ()
#19 0x83c35d5b04718901 in ?? ()
#20 0x0000000000000019 in ?? ()
#21 0x00007f6e37174c38 in ?? () from /usr/local/lib/firefox-11.0/libxul.so
#22 0x00007f6e371749f9 in ?? () from /usr/local/lib/firefox-11.0/libxul.so
#23 0x00007f6e37874014 in NS_InvokeByIndex_P () from /usr/local/lib/firefox-11.0/libxul.so
#24 0x00007f6e375437c7 in ?? () from /usr/local/lib/firefox-11.0/libxul.so
#25 0x00007f6e37548940 in ?? () from /usr/local/lib/firefox-11.0/libxul.so
#26 0x00007f6e37ad7d53 in ?? () from /usr/local/lib/firefox-11.0/libxul.so
#27 0x00007f6e37ac765c in ?? () from /usr/local/lib/firefox-11.0/libxul.so
#28 0x00007f6e37ad7d14 in ?? () from /usr/local/lib/firefox-11.0/libxul.so
#29 0x00007f6e37ad8562 in ?? () from /usr/local/lib/firefox-11.0/libxul.so
#30 0x00007f6e37a4b3d7 in JS_CallFunctionValue () from /usr/local/lib/firefox-11.0/libxul.so
#31 0x00007f6e3753e727 in ?? () from /usr/local/lib/firefox-11.0/libxul.so
#32 0x00007f6e3753a073 in ?? () from /usr/local/lib/firefox-11.0/libxul.so
#33 0x00007f6e37874bdf in ?? () from /usr/local/lib/firefox-11.0/libxul.so
#34 0x00007f6e378740db in ?? () from /usr/local/lib/firefox-11.0/libxul.so
#35 0x00007f6e23861700 in ?? ()
#36 0x00007f6e1dc32280 in ?? ()
#37 0x00007f6e23861700 in ?? ()
#38 0x00007f6e24aeb110 in ?? ()
#39 0x00007f6e24aeb110 in ?? ()
#40 0x0000000000000002 in ?? ()
#41 0x0000000000000000 in ?? ()
Comment 1 Markus Trippelsdorf 2012-03-29 08:02:54 UTC
The first thing you should do is to build Firefox with debugging
symbols, so that you get a meaningful backtrace.
Comment 2 Dâniel Fraga 2012-03-29 17:38:48 UTC
Hi Markus, here is the backtrace with --enable-debug. If you need more testing, just ask:

[New Thread 139808722073408 (LWP 23395)]
nsStringStats
 => mAllocCount:              1
 => mReallocCount:            0
 => mFreeCount:               1
 => mShareCount:              0
 => mAdoptCount:              0
 => mAdoptFreeCount:          0
[New Thread 139808524986112 (LWP 23399)]
[New Thread 139808508339968 (LWP 23400)]
[New Thread 139808499947264 (LWP 23401)]
[New Thread 139808487765760 (LWP 23403)]
[New Thread 139808461412096 (LWP 23404)]
[New Thread 139808450914048 (LWP 23405)]
[New Thread 139808442521344 (LWP 23406)]
WARNING: 1 sort operation has occurred for the SQL statement '0x7f27c0166010'.  See https://developer.mozilla.org/En/Storage/Warnings details.: file /home/fraga/src/mozilla/storage/src/mozStoragePrivateHelpers.cpp, line 144
[New Thread 139808411809536 (LWP 23407)]

Program received signal SIGSEGV, Segmentation fault.
[Switching to Thread 139808722073408 (LWP 23395)]
0x00007f27bd707fc9 in JSRuntime::onOwnerThread () from /usr/local/lib/firefox-11.0/libxul.so
(gdb) bt
#0  0x00007f27bd707fc9 in JSRuntime::onOwnerThread () from /usr/local/lib/firefox-11.0/libxul.so
#1  0x00007f27bd71412e in JS_ValueToObject () from /usr/local/lib/firefox-11.0/libxul.so
#2  0x00007f27bd08de23 in ?? () from /usr/local/lib/firefox-11.0/libxul.so
#3  0x00007f27bd545abc in NS_InvokeByIndex_P () from /usr/local/lib/firefox-11.0/libxul.so
#4  0x00007f27bd0b1036 in ?? () from /usr/local/lib/firefox-11.0/libxul.so
#5  0x00007f27bd0b618f in ?? () from /usr/local/lib/firefox-11.0/libxul.so
#6  0x00007f27bd0b67e3 in ?? () from /usr/local/lib/firefox-11.0/libxul.so
#7  0x00007f27bd0bab60 in ?? () from /usr/local/lib/firefox-11.0/libxul.so
#8  0x00007f27bd82826a in ?? () from /usr/local/lib/firefox-11.0/libxul.so
#9  0x00007f27bd8262d9 in ?? () from /usr/local/lib/firefox-11.0/libxul.so
#10 0x00007f27bd812b69 in ?? () from /usr/local/lib/firefox-11.0/libxul.so
#11 0x00007f27bd826483 in ?? () from /usr/local/lib/firefox-11.0/libxul.so
#12 0x0000000000000000 in ?? ()
Comment 3 Dâniel Fraga 2012-03-29 17:56:25 UTC
Well, never mind. I tested some more and discovered the culprit: checkCompatibility 1.3 extension... I disabled that and everything is back to normal.

Thanks and sorry about the wrong bug report.
Comment 4 Dâniel Fraga 2012-03-29 19:02:34 UTC
(In reply to comment #3)
> Well, nevermind. I tested some more and discovered the culprit:
> checkCompatibility 1.3 extension... I disabled that and everything is back to
> normal.
> 
> Thanks and sorry about the wrong bug report.

Well, I replied too soon... it keeps crashing.

The problem is that it will segfault only when I compile WITHOUT --enable-debug...

Now it sometimes gives the following error:

ACR (Component): component init
isalloc_validate called with invalid pointer. Crashing...
Segmentation fault

***

I'm unable to get this with --enable-debug, so it's a problem...

I'll try with firefox 12 beta...
Comment 5 Markus Trippelsdorf 2012-03-29 19:12:51 UTC
In the future you should add: 
  ac_add_options --disable-install-strip  --disable-strip 
to your .mozconfig file, because otherwise the debug binaries will
be stripped (which results in your broken Comment 2 backtrace).
Comment 6 Dâniel Fraga 2012-03-29 20:13:23 UTC
(In reply to comment #5)
> In the future you should add: 
>   ac_add_options --disable-install-strip  --disable-strip 
> to your .mozconfig file, because otherwise the debug binaries will
> be stripped (which results in your broken Comment 2 backtrace).

Ok, I did that... now a complete and decent backtrace:

Program received signal SIGSEGV, Segmentation fault.
[Switching to Thread 140149652981568 (LWP 28284)]
0x00007f771e8156f9 in JSRuntime::onOwnerThread (this=0x1a0080) at /home/fraga/src/mozilla/js/src/jsval.h:852
852         JS_ASSERT((objBits >> JSVAL_TAG_SHIFT) == 0);
(gdb) bt
#0  0x00007f771e8156f9 in JSRuntime::onOwnerThread (this=0x1a0080) at /home/fraga/src/mozilla/js/src/jsval.h:852
#1  0x00007f771e82185e in JS_ValueToObject (cx=0x7fffad2c7630, v=
        {data = {asBits = 18445617585292306240, debugView = {payload47 = 140148977952576, tag = JSVAL_TAG_OBJECT}, s = {payload = {i32 = -99883200, u32 = 4195084096, why = 4195084096}}, asDouble = -nan(0xbff76fa0be740), asPtr = 0xfffbff76fa0be740, asWord = 18445617585292306240}}, objp=0x7fffad2c7538) at /home/fraga/src/mozilla/js/src/jsval.h:852
#2  0x00007f771e19dd83 in nsXPCComponents_Utils::EvalInSandbox (this=Unhandled dwarf expression opcode 0xf3
) at /home/fraga/src/mozilla/js/xpconnect/src/xpcprivate.h:4165
#3  0x00007f771e652fea in NS_InvokeByIndex_P (that=Unhandled dwarf expression opcode 0xf3
) at /home/fraga/src/mozilla/xpcom/reflect/xptcall/src/md/unix/xptcinvoke_x86_64_unix.cpp:195
#4  0x00007f771e1c0f78 in CallMethodHelper::Invoke (this=0x7fffad2c77e8) from /usr/local/lib/firefox-11.0/libxul.so
#5  0x00007f771e1c60d1 in CallMethodHelper::Call (this=0x7fffad2c77e8) from /usr/local/lib/firefox-11.0/libxul.so
#6  0x00007f771e1c6725 in XPCWrappedNative::CallMethod (ccx=@0x7fffad2c7960, mode=Unhandled dwarf expression opcode 0xf3
) from /usr/local/lib/firefox-11.0/libxul.so
#7  0x00007f771e1caaa2 in XPC_WN_CallMethod (cx=0x7f77212aea30, argc=2, vp=Unhandled dwarf expression opcode 0x9f
) at /home/fraga/src/mozilla/js/xpconnect/src/xpcprivate.h:4165
#8  0x00007f771e93555a in js::CallJSNative (cx=0x7f77212aea30, native=0x7f771e1ca956 <XPC_WN_CallMethod(JSContext*, unsigned int, JS::Value*)>, args=@0x7fffad2c7c00)
    at ./../../dist/include/js/HashTable.h:129
#9  0x00007f771e9335c9 in js::InvokeKernel (cx=0x7f77212aea30, args={<js::CallReceiver> = {usedRval_ = false, argv_ = 0x7f7710dd9208}, argc_ = 2}, construct=js::NO_CONSTRUCT)
    at /home/fraga/src/mozilla/js/src/jsval.h:771
#10 0x00007f771e91fe59 in js::Interpret (cx=0x7f77212aea30, entryFrame=0x7f7710dd9038, interpMode=<value optimized out>) at /home/fraga/src/mozilla/js/src/jsval.h:771
#11 0x00007f771e933773 in js::InvokeKernel (cx=0x7f77212aea30, args={<js::CallReceiver> = {usedRval_ = false, argv_ = 0x7f7710dd9030}, argc_ = 1}, construct=Unhandled dwarf expression opcode 0xf3
)
    at /home/fraga/src/mozilla/js/src/jsval.h:771
#12 0x0000000000000000 in ?? ()
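The JS::Value printed for frame #1 above is a single 64-bit NaN-boxed word (asBits) that gdb also shows split into debugView.payload47 and tag. The following C program is an added example, not code from the bug report or from Mozilla; it decodes such a word using the layout constants assumed from the public Firefox 11 jsval.h (JSVAL_TAG_SHIFT = 47, JSVAL_TAG_MAX_DOUBLE = 0x1FFF0, type codes 0..7) and applies the 47-bit pointer invariant that the backtrace quotes at jsval.h:852:

```c
/* Decoder for the 64-bit NaN-boxed JS::Value layout of the SpiderMonkey in
 * Firefox 11 (js/src/jsval.h).  Added example, not code from the bug report
 * or from Mozilla.  Assumed constants come from the public jsval.h of that
 * era: JSVAL_TAG_SHIFT = 47, JSVAL_TAG_MAX_DOUBLE = 0x1FFF0, and the
 * JSValueType codes 0..7 in the low bits of the tag. */
#include <inttypes.h>
#include <stdint.h>
#include <stdio.h>

#define JSVAL_TAG_SHIFT      47
#define JSVAL_TAG_MAX_DOUBLE 0x1FFF0u
#define JSVAL_PAYLOAD_MASK   ((UINT64_C(1) << JSVAL_TAG_SHIFT) - 1)

/* JSValueType codes OR'ed into the tag; TAG_MAX_DOUBLE | 7 == JSVAL_TAG_OBJECT. */
enum { T_DOUBLE = 0, T_INT32 = 1, T_UNDEFINED = 2, T_BOOLEAN = 3,
       T_MAGIC = 4, T_STRING = 5, T_NULL = 6, T_OBJECT = 7 };

struct jsval_view { uint32_t tag; uint64_t payload47; int type; };

/* Split a Value's asBits into the 17-bit tag and 47-bit payload that gdb
 * prints as debugView.  Tags at or below MAX_DOUBLE are plain IEEE doubles. */
struct jsval_view jsval_decode(uint64_t asBits) {
    struct jsval_view v;
    v.tag = (uint32_t)(asBits >> JSVAL_TAG_SHIFT);
    v.payload47 = asBits & JSVAL_PAYLOAD_MASK;
    v.type = (v.tag <= JSVAL_TAG_MAX_DOUBLE) ? T_DOUBLE : (int)(v.tag & 0x7);
    return v;
}

/* The invariant quoted at jsval.h:852 in the backtrace: a pointer can only be
 * boxed as an object Value if its upper 17 bits are zero. */
int pointer_boxable(uint64_t objBits) {
    return (objBits >> JSVAL_TAG_SHIFT) == 0;
}

int main(void) {
    /* asBits of argument v in frame #1 of the comment 6 backtrace. */
    uint64_t asBits = UINT64_C(18445617585292306240);
    struct jsval_view v = jsval_decode(asBits);
    printf("tag=0x%" PRIx32 " type=%d payload47=%" PRIu64 " (0x%" PRIx64 ")\n",
           v.tag, v.type, v.payload47, v.payload47);
    printf("payload fits 47 bits: %d, raw asBits fits: %d\n",
           pointer_boxable(v.payload47), pointer_boxable(asBits));
    return 0;
}
```

Run against the dumped word it reproduces gdb's view (tag 0x1fff7 = JSVAL_TAG_OBJECT, payload47 = 140148977952576), which shows the value itself is a well-formed object box; the faulting access is therefore downstream of the decode, consistent with a miscompilation or register-clobber hypothesis rather than a corrupt Value.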
Comment 7 Andi Kleen 2012-03-30 19:21:19 UTC
Happens in JavaScript, which does JITed code.
My guess is that one of the transition points between JITed code and C code does not save AVX registers correctly or something like that.
I would file it with mozilla.org, it's more likely their bug.
Comment 8 Dâniel Fraga 2012-03-30 19:54:47 UTC
(In reply to comment #7)
> Happens in java script, which does JITed code.
> My guess is that one of the transition points between JITed code and C code
> does not save AVX registers correctly or something like that.
> I would file it with mozilla.org, it's more likely their bug.

Thanks Andi. I already had filed a bug in Mozilla Bugzilla. But unfortunately nobody answered. I'll wait. Thanks.

PS: should I mark this bug as "invalid"?
Comment 9 Jason Merrill 2012-04-04 15:51:18 UTC
I'll put it in Waiting until we have a testcase smaller than Firefox.
Comment 10 Paolo Carlini 2013-06-15 00:26:01 UTC
Feedback not forthcoming.