Bug#660960: tight loop attempting to madvise(..., MADV_DONTNEED) locked memory

Mike Hommey mh at glandium.org
Sat Feb 25 08:13:07 UTC 2012


On Sat, Feb 25, 2012 at 01:07:11AM +0000, Jamie Heilman wrote:
> Jamie Heilman wrote:
> > I've found this is really easy to reproduce if I use the native webm
> > player to playback video, but harder to produce (though it still
> > happens) if I use Flashplayer.  What typically happens is that
> > iceweasel stops responding and consumes a core's worth of CPU.  An
> > strace of the process reveals infinite and repeated calls to madvise
> > for the same addr, same length, and always MADV_DONTNEED which is
> > returning -1 and setting errno to EINVAL.  Looking through the
> > /proc/$pid/smaps file shows the address is the middle of a locked
> > range.  gdb backtrace of the event using the -dbg packages gave me:
> > 
> > #0  0x00007ffff7407407 in madvise () from /lib/x86_64-linux-gnu/libc.so.6
> > #1  0x00007ffff663169e in ?? () from /usr/lib/xulrunner-10.0/libmozjs.so
> > #2  0x00007ffff6628886 in ?? () from /usr/lib/xulrunner-10.0/libmozjs.so
> > #3  0x00007ffff6628d51 in ?? () from /usr/lib/xulrunner-10.0/libmozjs.so
> > #4  0x00007ffff508d697 in nsJSContext::ScriptEvaluated (this=0x7fffe52690a0, 
> >     aTerminated=true)
> >     at /tmp/buildd/iceweasel-10.0.2/dom/base/nsJSEnvironment.cpp:3122
> > #5  0x00007ffff4f02e79 in nsCxPusher::Pop (this=0x7fffffff8d50)
> >     at /tmp/buildd/iceweasel-10.0.2/content/base/src/nsContentUtils.cpp:2694
> > ...
> > 
> > Digging around, I suspect the DecommitFreePages function in
> > js/src/jsgc.cpp ... which appears to be gone from mozilla central
> > already, though I haven't gone and figured out what happened to it
> > yet.
> 
> OK, there was a small cleanup with
> https://bugzilla.mozilla.org/show_bug.cgi?id=702681 but a deeper
> refactor came with https://bugzilla.mozilla.org/show_bug.cgi?id=702251
> and that new DecommitArenasFromAvailableList function looks more sane
> than DecommitFreePages did, but there's still no attempt to check
> errno in DecommitMemory or figure out why madvise fails, which is
> somewhat inconsistent with the:
> while (madvise(address, bytes, MADV_DONTNEED) == -1 && errno == EAGAIN) { }
> pattern used in yarr, but whatever.  702251 appeared to be fixed in
> the aurora branch, so I installed 12.0~a2+20120217042010-1 to see if I
> could reproduce the issue, and unfortunately I still could.  On the
> trunk, the jsgcchunk stuff got generalized with
> https://bugzilla.mozilla.org/show_bug.cgi?id=720439 and DecommitMemory
> was effectively renamed to MarkPagesUnused but is otherwise the same
> as it was.  So it doesn't appear like this problem is scheduled to go
> away anytime soon.  I wish I could get gdb to pick up on the debugging
> information for libmozjs, but despite having the -dbg package
> installed I just can't seem to get it to do so.  (I'd welcome any tips
> there.)

Try removing the /usr/lib/xulrunner-*/libmozjs.so symlink.

Mike
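
The thread above describes a retry loop around madvise(MADV_DONTNEED) that never terminates because the range is locked and the call fails with EINVAL every time. The C program below is an added example written for this page, not code from the bug report, from Iceweasel or from Mozilla's jsgc.cpp: it reproduces that kernel behaviour on one mlock()ed page and shows a decommit helper (hypothetical name `decommit_pages`, not Mozilla's DecommitMemory or MarkPagesUnused) that retries only on EAGAIN, with an upper bound, and returns any other errno instead of spinning. The probe function skips the locked case and reports -2 if mlock() is refused by RLIMIT_MEMLOCK or a sandbox, which is an assumption about the environment rather than anything the thread states.

```c
/*
 * Added example (not from the bug report or from Mozilla's code):
 * reproduce why a retry loop around madvise(MADV_DONTNEED) never ends
 * when the range is mlock()ed, and show a decommit helper that retries
 * only on EAGAIN and reports every other errno instead of spinning.
 */
#define _DEFAULT_SOURCE
#include <errno.h>
#include <stdio.h>
#include <string.h>
#include <sys/mman.h>
#include <unistd.h>

/* Hypothetical helper, not Mozilla's DecommitMemory/MarkPagesUnused.
 * Returns 0 on success; otherwise the errno that stopped it.  EAGAIN is
 * retried a bounded number of times; anything else (EINVAL for a locked
 * range, ENOMEM for an unmapped one) is permanent and returned at once. */
int decommit_pages(void *addr, size_t bytes)
{
    for (int attempt = 0; attempt < 100; attempt++) {
        if (madvise(addr, bytes, MADV_DONTNEED) == 0)
            return 0;
        if (errno != EAGAIN)
            return errno;      /* permanent failure: do not spin */
    }
    return EAGAIN;             /* give up after bounded retries */
}

/* Map one anonymous page, optionally mlock it, and run decommit_pages()
 * on it.  Return value encodes what happened:
 *   -1 : mmap failed (cannot test)
 *   -2 : mlock was requested but refused (RLIMIT_MEMLOCK/EPERM); skipped
 *   otherwise the errno (or 0) that decommit_pages() returned */
int probe_decommit(int lock_it)
{
    long page = sysconf(_SC_PAGESIZE);
    void *p = mmap(NULL, (size_t)page, PROT_READ | PROT_WRITE,
                   MAP_PRIVATE | MAP_ANONYMOUS, -1, 0);
    if (p == MAP_FAILED)
        return -1;
    memset(p, 0xAA, (size_t)page);          /* fault the page in */

    int result;
    if (lock_it && mlock(p, (size_t)page) != 0) {
        result = -2;                         /* locking not permitted here */
    } else {
        /* On a locked range the kernel answers EINVAL, not EAGAIN, so an
         * EAGAIN-only retry loop would never make progress. */
        result = decommit_pages(p, (size_t)page);
        if (lock_it)
            munlock(p, (size_t)page);
    }
    munmap(p, (size_t)page);
    return result;
}

int main(void)
{
    int unlocked = probe_decommit(0);
    int locked = probe_decommit(1);
    printf("unlocked page: %d (%s)\n", unlocked,
           unlocked ? strerror(unlocked) : "ok");
    if (locked == -2)
        printf("locked page: mlock refused, nothing to show\n");
    else
        printf("locked page: %d (%s)\n", locked,
               locked ? strerror(locked) : "ok");
    return 0;
}
```

On Linux the unlocked probe returns 0 and the locked probe returns EINVAL (22), which is exactly the errno the strace in the report shows; the point of the helper is that a decommit routine has to treat that value as a hard answer and leave the arena committed, since no number of retries will change it.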




