Jamie Heilman wrote:
> I've found this is really easy to reproduce if I use the native webm
> player to playback video, but harder to reproduce (though it still
> happens) if I use Flashplayer. What typically happens is that
> iceweasel stops responding and consumes a core's worth of CPU. An
> strace of the process reveals infinite and repeated calls to madvise
> for the same addr, same length, and always MADV_DONTNEED, which is
> returning -1 and setting errno to EINVAL. Looking through the
> /proc/$pid/smaps file shows the address is in the middle of a locked
> range. A gdb backtrace of the event using the -dbg packages gave me:
>
> #0  0x00007ffff7407407 in madvise () from /lib/x86_64-linux-gnu/libc.so.6
> #1  0x00007ffff663169e in ?? () from /usr/lib/xulrunner-10.0/libmozjs.so
> #2  0x00007ffff6628886 in ?? () from /usr/lib/xulrunner-10.0/libmozjs.so
> #3  0x00007ffff6628d51 in ?? () from /usr/lib/xulrunner-10.0/libmozjs.so
> #4  0x00007ffff508d697 in nsJSContext::ScriptEvaluated (this=0x7fffe52690a0, aTerminated=true)
>     at /tmp/buildd/iceweasel-10.0.2/dom/base/nsJSEnvironment.cpp:3122
> #5  0x00007ffff4f02e79 in nsCxPusher::Pop (this=0x7fffffff8d50)
>     at /tmp/buildd/iceweasel-10.0.2/content/base/src/nsContentUtils.cpp:2694
> ...
>
> Digging around, I suspect the DecommitFreePages function in
> js/src/jsgc.cpp ... which appears to be gone from mozilla-central
> already, though I haven't gone and figured out what happened to it
> yet.
OK, there was a small cleanup with
https://bugzilla.mozilla.org/show_bug.cgi?id=702681 but a deeper refactor
came with https://bugzilla.mozilla.org/show_bug.cgi?id=702251, and that new
DecommitArenasFromAvailableList function looks more sane than
DecommitFreePages did, but there's still no attempt to check errno in
DecommitMemory or figure out why madvise fails, which is somewhat
inconsistent with the

    while (madvise(address, bytes, MADV_DONTNEED) == -1 && errno == EAGAIN) { }

pattern used in yarr, but whatever. 702251 appeared to be fixed in the
aurora branch, so I installed 12.0~a2+20120217042010-1 to see if I could
reproduce the issue, and unfortunately I still could. On the trunk, the
jsgcchunk stuff got generalized with
https://bugzilla.mozilla.org/show_bug.cgi?id=720439 and DecommitMemory was
effectively renamed to MarkPagesUnused but is otherwise the same as it was.
So it doesn't appear like this problem is scheduled to go away anytime soon.

I wish I could get gdb to pick up on the debugging information for
libmozjs, but despite having the -dbg package installed I just can't seem
to get it to do so. (I'd welcome any tips there.)

-- 
Jamie Heilman                     http://audible.transient.net/~jamie/
"I was in love once -- a Sinclair ZX-81.  People said, "No, Holly, she's
 not for you."  She was cheap, she was stupid and she wouldn't load --
 well, not for me, anyway."                                     -Holly
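An added example, not part of the mail above and not the SpiderMonkey (jsgc.cpp / yarr) code it discusses: a small C program that reproduces the condition in the report on a single anonymous page (madvise(MADV_DONTNEED) succeeds on an unlocked page, then fails with EINVAL once the page is mlock'd, per the Linux madvise(2) man page) and shows a decommit helper that bounds EAGAIN retries and reports every other errno instead of calling again. All names here (decommit_pages, demo_locked_decommit, the DECOMMIT_* results, MAX_EAGAIN_RETRIES) are invented for the example; it assumes Linux, where EINVAL is what you get for a locked range, and a RLIMIT_MEMLOCK large enough to lock one page (if mlock() is refused, the demo reports that rather than failing).

```c
#ifndef _GNU_SOURCE
#define _GNU_SOURCE
#endif
#include <errno.h>
#include <stddef.h>
#include <stdio.h>
#include <string.h>
#include <sys/mman.h>
#include <unistd.h>

#ifndef MAP_ANONYMOUS
#define MAP_ANONYMOUS MAP_ANON
#endif

/* Outcomes of the decommit helper. Names are invented for this example. */
enum decommit_result {
    DECOMMIT_OK = 0,         /* pages handed back on the first call */
    DECOMMIT_RETRIED = 1,    /* succeeded after one or more EAGAIN retries */
    DECOMMIT_PERMANENT = 2,  /* EINVAL: locked range (this report), or bad addr/len; never retry */
    DECOMMIT_FAILED = 3      /* any other errno, or EAGAIN past the retry budget */
};

#define MAX_EAGAIN_RETRIES 16

/* Bounded, errno-aware variant of the "retry while EAGAIN" idiom quoted above.
 * EAGAIN is transient, so a few retries are reasonable; EINVAL on MADV_DONTNEED
 * will never clear by itself (the range is mlock'd), so it is reported, not retried.
 * A caller that loops on -1 without looking at errno spins forever in exactly
 * the way the strace in the report shows. *out_errno gets the last errno (0 on success). */
static enum decommit_result decommit_pages(void *addr, size_t len, int *out_errno)
{
    int err = 0;
    for (int attempt = 0; attempt <= MAX_EAGAIN_RETRIES; attempt++) {
        if (madvise(addr, len, MADV_DONTNEED) == 0) {
            if (out_errno) *out_errno = 0;
            return attempt == 0 ? DECOMMIT_OK : DECOMMIT_RETRIED;
        }
        err = errno;
        if (err != EAGAIN)
            break;
    }
    if (out_errno) *out_errno = err;
    return err == EINVAL ? DECOMMIT_PERMANENT : DECOMMIT_FAILED;
}

/* Reproduce the condition from the report on one private anonymous page.
 * Returns: the errno seen on the locked attempt (EINVAL on Linux),
 *          0 if the kernel let the locked decommit through,
 *         -1 if mlock() was refused (RLIMIT_MEMLOCK / no CAP_IPC_LOCK),
 *         -2 if the unlocked baseline itself misbehaved. */
static int demo_locked_decommit(void)
{
    long ps = sysconf(_SC_PAGESIZE);
    size_t len = ps > 0 ? (size_t)ps : 4096;
    int err = 0, rc = -2;
    enum decommit_result r;

    unsigned char *p = mmap(NULL, len, PROT_READ | PROT_WRITE,
                            MAP_PRIVATE | MAP_ANONYMOUS, -1, 0);
    if (p == MAP_FAILED)
        return -2;

    memset(p, 0xAA, len);                       /* fault the page in so there is something to drop */
    if (decommit_pages(p, len, &err) != DECOMMIT_OK || p[0] != 0)
        goto out;                               /* baseline: a private anon page reads as zero after DONTNEED */

    memset(p, 0xAA, len);
    if (mlock(p, len) != 0) {                   /* now make it part of a locked range, as in smaps */
        rc = -1;
        goto out;
    }
    r = decommit_pages(p, len, &err);
    rc = (r == DECOMMIT_OK || r == DECOMMIT_RETRIED) ? 0 : err;
    munlock(p, len);
out:
    munmap(p, len);
    return rc;
}

int main(void)
{
    int rc = demo_locked_decommit();
    if (rc == -1)
        puts("mlock() refused; cannot exercise the locked case");
    else if (rc == EINVAL)
        puts("madvise(MADV_DONTNEED) on a locked page: EINVAL, reported once, not retried");
    else
        printf("unexpected result %d\n", rc);
    return 0;
}
```

Note that the yarr idiom quoted in the mail does stop on EINVAL (it only loops on EAGAIN); what the example adds is a retry budget so a persistent EAGAIN cannot hang either, and a distinct result for EINVAL so the caller can log it and leave the range committed rather than trying again on the next GC slice. Run it under strace -e madvise to see exactly one failing call instead of the endless stream from the report.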