This is with M-C and C-C updated a couple of days ago.

Found with valgrind:

With valgrind, I found the problem under linux AMD64 when I run |make mozmill| testsuite fully debug version of TB, but this problem will be universal across platforms. (OK, I am using GCC 8 if it matters.)

==31965== Conditional jump or move depends on uninitialised value(s)
==31965==    at 0xE823EDE: js::gc::Chunk::allocateArena(JSRuntime*, JS::Zone*, js::gc::AllocKind, js::AutoLockGC const&) (Heap-inl.h:18)
==31965==    by 0xE82427F: js::gc::GCRuntime::allocateArena(js::gc::Chunk*, JS::Zone*, js::gc::AllocKind, js::gc::ShouldCheckThresholds, js::AutoLockGC const&) (Allocator.cpp:602)
==31965==    by 0xE824603: js::gc::ArenaLists::refillFreeListAndAllocate(js::gc::FreeLists&, js::gc::AllocKind, js::gc::ShouldCheckThresholds) (Allocator.cpp:513)
==31965==    by 0xE8247C9: js::gc::GCRuntime::refillFreeListFromMainThread(JSContext*, js::gc::AllocKind) (Allocator.cpp:449)
==31965==    by 0xE8248D7: js::gc::GCRuntime::refillFreeListFromAnyThread(JSContext*, js::gc::AllocKind) (Allocator.cpp:436)
==31965==    by 0xE8402FF: js::NormalAtom* js::gc::GCRuntime::tryNewTenuredThing<js::NormalAtom, (js::AllowGC)0>(JSContext*, js::gc::AllocKind, unsigned long) (Allocator.cpp:275)
==31965==    by 0xE840358: js::NormalAtom* js::Allocate<js::NormalAtom, (js::AllowGC)0>(JSContext*) (Allocator.cpp:255)
==31965==    by 0xE4630DF: js::StaticStrings::init(JSContext*) (StringType-inl.h:324)
==31965==    by 0xE28CF4B: JSRuntime::initializeAtoms(JSContext*) (JSAtom.cpp:245)
==31965==    by 0xE580739: JS::InitSelfHostedCode(JSContext*) (jsapi.cpp:423)
==31965==    by 0x9DFD390: nsXPConnect::InitStatics() (nsXPConnect.cpp:141)
==31965==    by 0x9DBCBF2: xpcModuleCtor() (XPCModule.cpp:11)
==31965==    by 0xD102E9A: nsLayoutModuleInitialize() (nsLayoutModule.cpp:107)
==31965==    by 0x917B3ED: nsComponentManagerImpl::Init() (nsComponentManager.cpp:493)
==31965==    by 0x91D8BF3: NS_InitXPCOM (XPCOMInit.cpp:445)
==31965==    by 0xDF5296A: ScopedXPCOMStartup::Initialize() (nsAppRunner.cpp:1279)
==31965==    by 0xDF5F548: XREMain::XRE_main(int, char**, mozilla::BootstrapConfig const&) (nsAppRunner.cpp:4707)
==31965==    by 0xDF5FC56: XRE_main(int, char**, mozilla::BootstrapConfig const&) (nsAppRunner.cpp:4792)
==31965==    by 0xDF61B12: mozilla::BootstrapImpl::XRE_main(int, char**, mozilla::BootstrapConfig const&) (Bootstrap.cpp:45)
==31965==    by 0x11261A: do_main(int, char**, char**) (nsMailApp.cpp:210)
==31965==    by 0x1126C8: main (nsMailApp.cpp:285)
==31965==

I noticed possibly related two errors:

Bug 1039379 Intermittent browser_console_optimized_out_vars.js | application crashed [@ js::gc::Chunk::allocateArena(JS::Zone*, js::gc::AllocKind)]
Bug 1033441 Intermittent browser_console_private_browsing.js | application crashed [@ js::gc::Chunk::allocateArena(JS::Zone*, js::gc::AllocKind)]

If a function reads uninitialized value, then it can possibly contain bogus value that could result in crash later.

TIA

Bug 1578951 Comment 0 Edit History
Note: The actual edited comment in the bug view page will always show the original commenter’s name and original timestamp.

This is with M-C and C-C updated a couple of days ago.

Found with valgrind:

With valgrind, I found the problem under linux AMD64 when I run |make mozmill| testsuite with fully debug version of TB, but this problem will be universal across platforms. (OK, I am using GCC 8 if it matters.)

==31965== Conditional jump or move depends on uninitialised value(s)
==31965==    at 0xE823EDE: js::gc::Chunk::allocateArena(JSRuntime*, JS::Zone*, js::gc::AllocKind, js::AutoLockGC const&) (Heap-inl.h:18)
==31965==    by 0xE82427F: js::gc::GCRuntime::allocateArena(js::gc::Chunk*, JS::Zone*, js::gc::AllocKind, js::gc::ShouldCheckThresholds, js::AutoLockGC const&) (Allocator.cpp:602)
==31965==    by 0xE824603: js::gc::ArenaLists::refillFreeListAndAllocate(js::gc::FreeLists&, js::gc::AllocKind, js::gc::ShouldCheckThresholds) (Allocator.cpp:513)
==31965==    by 0xE8247C9: js::gc::GCRuntime::refillFreeListFromMainThread(JSContext*, js::gc::AllocKind) (Allocator.cpp:449)
==31965==    by 0xE8248D7: js::gc::GCRuntime::refillFreeListFromAnyThread(JSContext*, js::gc::AllocKind) (Allocator.cpp:436)
==31965==    by 0xE8402FF: js::NormalAtom* js::gc::GCRuntime::tryNewTenuredThing<js::NormalAtom, (js::AllowGC)0>(JSContext*, js::gc::AllocKind, unsigned long) (Allocator.cpp:275)
==31965==    by 0xE840358: js::NormalAtom* js::Allocate<js::NormalAtom, (js::AllowGC)0>(JSContext*) (Allocator.cpp:255)
==31965==    by 0xE4630DF: js::StaticStrings::init(JSContext*) (StringType-inl.h:324)
==31965==    by 0xE28CF4B: JSRuntime::initializeAtoms(JSContext*) (JSAtom.cpp:245)
==31965==    by 0xE580739: JS::InitSelfHostedCode(JSContext*) (jsapi.cpp:423)
==31965==    by 0x9DFD390: nsXPConnect::InitStatics() (nsXPConnect.cpp:141)
==31965==    by 0x9DBCBF2: xpcModuleCtor() (XPCModule.cpp:11)
==31965==    by 0xD102E9A: nsLayoutModuleInitialize() (nsLayoutModule.cpp:107)
==31965==    by 0x917B3ED: nsComponentManagerImpl::Init() (nsComponentManager.cpp:493)
==31965==    by 0x91D8BF3: NS_InitXPCOM (XPCOMInit.cpp:445)
==31965==    by 0xDF5296A: ScopedXPCOMStartup::Initialize() (nsAppRunner.cpp:1279)
==31965==    by 0xDF5F548: XREMain::XRE_main(int, char**, mozilla::BootstrapConfig const&) (nsAppRunner.cpp:4707)
==31965==    by 0xDF5FC56: XRE_main(int, char**, mozilla::BootstrapConfig const&) (nsAppRunner.cpp:4792)
==31965==    by 0xDF61B12: mozilla::BootstrapImpl::XRE_main(int, char**, mozilla::BootstrapConfig const&) (Bootstrap.cpp:45)
==31965==    by 0x11261A: do_main(int, char**, char**) (nsMailApp.cpp:210)
==31965==    by 0x1126C8: main (nsMailApp.cpp:285)
==31965==

I noticed possibly related two errors:

Bug 1039379 Intermittent browser_console_optimized_out_vars.js | application crashed [@ js::gc::Chunk::allocateArena(JS::Zone*, js::gc::AllocKind)]
Bug 1033441 Intermittent browser_console_private_browsing.js | application crashed [@ js::gc::Chunk::allocateArena(JS::Zone*, js::gc::AllocKind)]

If a function reads uninitialized value, then it can possibly contain bogus value that could result in crash later.

TIA