Bug#660960: tight loop attempting to madvise(..., MADV_DONTNEED) locked memory

Jamie Heilman jamie at audible.transient.net
Sat Feb 25 01:07:11 UTC 2012


Jamie Heilman wrote:
> I've found this is really easy to reproduce if I use the native webm
> player to playback video, but harder to produce (though it still
> happens) if I use Flashplayer.  What typically happens is that
> iceweasel stops responding and consumes a core's worth of CPU.  An
> strace of the process reveals infinite and repeated calls to madvise
> for the same addr, same length, and always MADV_DONTNEED which is
> returning -1 and setting errno to EINVAL.  Looking through the
> /proc/$pid/smaps file shows the address is the middle of a locked
> range.  gdb backtrace of the event using the -dbg packages gave me:
> 
> #0  0x00007ffff7407407 in madvise () from /lib/x86_64-linux-gnu/libc.so.6
> #1  0x00007ffff663169e in ?? () from /usr/lib/xulrunner-10.0/libmozjs.so
> #2  0x00007ffff6628886 in ?? () from /usr/lib/xulrunner-10.0/libmozjs.so
> #3  0x00007ffff6628d51 in ?? () from /usr/lib/xulrunner-10.0/libmozjs.so
> #4  0x00007ffff508d697 in nsJSContext::ScriptEvaluated (this=0x7fffe52690a0, 
>     aTerminated=true)
>     at /tmp/buildd/iceweasel-10.0.2/dom/base/nsJSEnvironment.cpp:3122
> #5  0x00007ffff4f02e79 in nsCxPusher::Pop (this=0x7fffffff8d50)
>     at /tmp/buildd/iceweasel-10.0.2/content/base/src/nsContentUtils.cpp:2694
> ...
> 
> Digging around, I suspect the DecommitFreePages function in
> js/src/jsgc.cpp ... which appears to be gone from mozilla central
> already, though I haven't gone and figured out what happened to it
> yet.

OK, there was a small cleanup with
https://bugzilla.mozilla.org/show_bug.cgi?id=702681 but a deeper
refactor came with https://bugzilla.mozilla.org/show_bug.cgi?id=702251
and that new DecommitArenasFromAvailableList function looks more sane
than DecommitFreePages did, but there's still no attempt to check
errno in DecommitMemory or figure out why madvise fails, which is
somewhat inconsistent with the:
while (madvise(address, bytes, MADV_DONTNEED) == -1 && errno == EAGAIN) { }
pattern used in yarr, but whatever.  702251 appeared to be fixed in
the aurora branch, so I installed 12.0~a2+20120217042010-1 to see if I
could reproduce the issue, and unfortunately I still could.  On the
trunk, the jsgcchunk stuff got generalized with
https://bugzilla.mozilla.org/show_bug.cgi?id=720439 and DecommitMemory
was effectively renamed to MarkPagesUnused but is otherwise the same
as it was.  So it doesn't appear like this problem is scheduled to go
away anytime soon.  I wish I could get gdb to pick up on the debugging
information for libmozjs, but despite having the -dbg package
installed I just can't seem to get it to do so.  (I'd welcome any tips
there.)

-- 
Jamie Heilman                     http://audible.transient.net/~jamie/
"I was in love once -- a Sinclair ZX-81.  People said, "No, Holly,
 she's not for you." She was cheap, she was stupid and she wouldn't
 load -- well, not for me, anyway."                     -Holly
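The failure mode described in the report (a decommit loop that never inspects errno, spinning on madvise(MADV_DONTNEED) against a locked range) is easy to demonstrate in isolation. The C program below is an added example, not code from the bug report, from Iceweasel or from the Mozilla tree: it reproduces the EINVAL that Linux returns for MADV_DONTNEED on an mlock()ed page, and shows the shape of a decommit helper that, unlike the path discussed above, checks errno, retries only on EAGAIN, and bounds the retries so a permanent error can never become a tight loop. All function and constant names (decommit_pages, DECOMMIT_MAX_TRIES, decommit_locked_page and so on) are my own.

```c
#define _DEFAULT_SOURCE
#include <errno.h>
#include <stddef.h>
#include <stdio.h>
#include <string.h>
#include <sys/mman.h>
#include <unistd.h>

/* Outcome of one decommit request. */
enum decommit_status {
    DECOMMIT_OK = 0,        /* pages released */
    DECOMMIT_PERMANENT = 1, /* kernel refused; retrying cannot help (EINVAL on a locked range) */
    DECOMMIT_GAVE_UP = 2    /* EAGAIN persisted past the retry budget */
};

#define DECOMMIT_MAX_TRIES 64  /* hypothetical budget; the point is that it is finite */

/* Release the physical pages behind [addr, addr+len) while keeping the mapping.
 * Only EAGAIN is treated as transient, and even that is retried a bounded
 * number of times; any other errno is handed back to the caller. */
enum decommit_status decommit_pages(void *addr, size_t len, int *out_errno, int *out_tries)
{
    int tries = 0;
    *out_errno = 0;
    while (tries < DECOMMIT_MAX_TRIES) {
        tries++;
        if (madvise(addr, len, MADV_DONTNEED) == 0) {
            *out_tries = tries;
            return DECOMMIT_OK;
        }
        if (errno != EAGAIN) {
            *out_errno = errno;  /* EINVAL for a VM_LOCKED range on Linux */
            *out_tries = tries;
            return DECOMMIT_PERMANENT;
        }
    }
    *out_errno = EAGAIN;
    *out_tries = tries;
    return DECOMMIT_GAVE_UP;
}

/* Map two anonymous pages, fault them in, optionally mlock() the second one,
 * then try to decommit that second page.
 * Returns 0 on success (and verifies the page now reads back as zero),
 * the errno madvise reported on a permanent failure,
 * -1 if mlock() itself was refused (RLIMIT_MEMLOCK), -2 if mmap() failed,
 * -3 if madvise claimed success but the page was not actually dropped. */
static int try_decommit_second_page(int lock_it)
{
    long page = sysconf(_SC_PAGESIZE);
    size_t len = (size_t)page * 2;
    char *region = mmap(NULL, len, PROT_READ | PROT_WRITE,
                        MAP_PRIVATE | MAP_ANONYMOUS, -1, 0);
    if (region == MAP_FAILED)
        return -2;
    memset(region, 0xAB, len);  /* make both pages resident */
    char *target = region + page;
    if (lock_it && mlock(target, (size_t)page) != 0) {
        munmap(region, len);
        return -1;
    }
    int err = 0, tries = 0;
    enum decommit_status st = decommit_pages(target, (size_t)page, &err, &tries);
    int result;
    if (st == DECOMMIT_OK)
        result = (target[0] == 0) ? 0 : -3;  /* private anon memory is zero-filled after DONTNEED */
    else
        result = err;
    if (lock_it)
        munlock(target, (size_t)page);
    munmap(region, len);
    return result;
}

int decommit_unlocked_page(void) { return try_decommit_second_page(0); }
int decommit_locked_page(void)   { return try_decommit_second_page(1); }

int main(void)
{
    int u = decommit_unlocked_page();
    int l = decommit_locked_page();
    printf("unlocked page: %d (0 = released)\n", u);
    printf("locked page:   %d (%d = EINVAL, -1 = mlock refused)\n", l, EINVAL);
    return 0;
}
```

On a stock Linux kernel the unlocked page is released on the first try and the locked page fails immediately with EINVAL; a caller that treated every -1 as "try again" would spin exactly the way the strace in the report shows, which is why decommit_pages returns DECOMMIT_PERMANENT instead of looping. If the process's RLIMIT_MEMLOCK is zero, mlock() is refused and the locked case reports -1 rather than exercising the failure.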
