Closed Bug 1035249 Opened 10 years ago Closed 10 years ago

crash in jemalloc_crash | arena_dalloc | je_free | free | js::detail::HashTable<JS::Symbol* const, js::HashSet<JS::Symbol*, js::HashSymbolsByDescription, js::SystemAllocPolicy>::SetOps, js::SystemAllocPolicy>::changeTableSize(int)

Categories

(Core :: JavaScript Engine, defect)

33 Branch
ARM
Gonk (Firefox OS)
defect
Not set
critical

Tracking

()

RESOLVED WORKSFORME

People

(Reporter: nhirata, Unassigned)

Details

(Keywords: crash)

Crash Data

This bug was filed from the Socorro interface and is 
report bp-74b095d3-8d79-442c-8e04-254602140706.
=============================================================
Crashing Thread
Frame 	Module 	Signature 	Source
0 	libmozglue.so 	jemalloc_crash 	memory/mozjemalloc/jemalloc.c
1 	libmozglue.so 	arena_dalloc 	memory/mozjemalloc/jemalloc.c
2 	libmozglue.so 	je_free 	memory/mozjemalloc/jemalloc.c
3 	libmozglue.so 	free 	memory/build/replace_malloc.c
4 	libxul.so 	js::detail::HashTable<JS::Symbol* const, js::HashSet<JS::Symbol*, js::HashSymbolsByDescription, js::SystemAllocPolicy>::SetOps, js::SystemAllocPolicy>::changeTableSize(int) 	/builds/slave/b2g_m-cen_ham_ntly-00000000000/build/objdir-gecko/js/src/../../dist/include/js/Utility.h:122
5 	libxul.so 	bool js::HashSet<js::Shape*, js::ShapeHasher, js::SystemAllocPolicy>::putNew<js::Shape*&>(js::StackShape const&, js::Shape*&&&) 	/builds/slave/b2g_m-cen_ham_ntly-00000000000/build/objdir-gecko/js/src/../../dist/include/js/HashTable.h:1342
6 	libxul.so 	js::PropertyTree::insertChild(js::ExclusiveContext*, js::Shape*, js::Shape*) 	js/src/jspropertytree.cpp
7 	libxul.so 	js::PropertyTree::getChild(js::ExclusiveContext*, js::Shape*, js::StackShape&) 	js/src/jspropertytree.cpp
8 	libxul.so 	JSObject::getChildProperty(js::ExclusiveContext*, JS::Handle<JSObject*>, JS::Handle<js::Shape*>, js::StackShape&) 	js/src/vm/Shape.cpp
9 	libxul.so 	js::Shape* JSObject::addPropertyInternal<(js::ExecutionMode)0>(js::ExecutionModeTraits<(js::ExecutionMode)0>::ExclusiveContextType, JS::Handle<JSObject*>, JS::Handle<jsid>, bool (*)(JSContext*, JS::Handle<JSObject*>, JS::Handle<jsid>, JS::MutableHandle<JS::Value>), bool (*)(JSContext*, JS::Handle<JSObject*>, JS::Handle<jsid>, bool, JS::MutableHandle<JS::Value>), unsigned int, unsigned int, unsigned int, js::Shape**, bool) 	js/src/jsobj.h
10 	libxul.so 	js::StaticBlockObject::addVar(js::ExclusiveContext*, JS::Handle<js::StaticBlockObject*>, JS::Handle<jsid>, unsigned int, bool*) 	js/src/vm/ScopeObject.cpp
11 	libxul.so 	js::frontend::Parser<js::frontend::FullParseHandler>::bindLet(js::frontend::BindData<js::frontend::FullParseHandler>*, JS::Handle<js::PropertyName*>, js::frontend::Parser<js::frontend::FullParseHandler>*) 	js/src/frontend/Parser.cpp
12 	libxul.so 	js::frontend::Parser<js::frontend::FullParseHandler>::variables(js::frontend::ParseNodeKind, bool*, js::StaticBlockObject*, js::frontend::VarContext) 	js/src/frontend/Parser.cpp
13 	libxul.so 	js::frontend::Parser<js::frontend::FullParseHandler>::letDeclaration() 	js/src/frontend/Parser.cpp
14 	libxul.so 	js::frontend::Parser<js::frontend::FullParseHandler>::letStatement() 	js/src/frontend/Parser.cpp
15 	libxul.so 	js::frontend::Parser<js::frontend::FullParseHandler>::statement(bool) 	js/src/frontend/Parser.cpp
16 	libxul.so 	js::frontend::Parser<js::frontend::FullParseHandler>::switchStatement() 	js/src/frontend/Parser.cpp
17 	libxul.so 	js::frontend::Parser<js::frontend::FullParseHandler>::statements() 	js/src/frontend/Parser.cpp
18 	libxul.so 	js::frontend::Parser<js::frontend::FullParseHandler>::functionBody(js::frontend::FunctionSyntaxKind, js::frontend::Parser<js::frontend::FullParseHandler>::FunctionBodyType) 	js/src/frontend/Parser.cpp
19 	libxul.so 	js::frontend::Parser<js::frontend::FullParseHandler>::functionArgsAndBodyGeneric(js::frontend::ParseNode*, JS::Handle<JSFunction*>, js::frontend::FunctionType, js::frontend::FunctionSyntaxKind, js::frontend::Directives*) 	js/src/frontend/Parser.cpp
20 	libxul.so 	js::frontend::Parser<js::frontend::FullParseHandler>::functionArgsAndBody(js::frontend::ParseNode*, JS::Handle<JSFunction*>, js::frontend::FunctionType, js::frontend::FunctionSyntaxKind, js::GeneratorKind, js::frontend::Directives, js::frontend::Directives*) 	js/src/frontend/Parser.cpp
21 	libxul.so 	js::frontend::Parser<js::frontend::FullParseHandler>::functionDef(JS::Handle<js::PropertyName*>, js::frontend::TokenStream::Position const&, js::frontend::FunctionType, js::frontend::FunctionSyntaxKind, js::GeneratorKind) 	js/src/frontend/Parser.cpp
22 	libxul.so 	js::frontend::Parser<js::frontend::FullParseHandler>::functionExpr() 	js/src/frontend/Parser.cpp
23 	libxul.so 	js::frontend::Parser<js::frontend::FullParseHandler>::primaryExpr(js::frontend::TokenKind) 	js/src/frontend/Parser.cpp
24 	libxul.so 	js::frontend::Parser<js::frontend::FullParseHandler>::memberExpr(js::frontend::TokenKind, bool) 	js/src/frontend/Parser.cpp
25 	libxul.so 	js::frontend::Parser<js::frontend::FullParseHandler>::unaryExpr() 	js/src/frontend/Parser.cpp
26 	libxul.so 	js::frontend::Parser<js::frontend::FullParseHandler>::orExpr1() 	js/src/frontend/Parser.cpp
27 	libxul.so 	js::frontend::Parser<js::frontend::FullParseHandler>::condExpr1() 	js/src/frontend/Parser.cpp
28 	libxul.so 	js::frontend::Parser<js::frontend::FullParseHandler>::assignExpr() 	js/src/frontend/Parser.cpp
29 	libxul.so 	js::frontend::Parser<js::frontend::FullParseHandler>::objectLiteral() 	js/src/frontend/Parser.cpp
30 	libxul.so 	js::frontend::Parser<js::frontend::FullParseHandler>::primaryExpr(js::frontend::TokenKind) 	js/src/frontend/Parser.cpp
31 	libxul.so 	js::frontend::Parser<js::frontend::FullParseHandler>::memberExpr(js::frontend::TokenKind, bool) 	js/src/frontend/Parser.cpp
32 	libxul.so 	js::frontend::Parser<js::frontend::FullParseHandler>::unaryExpr() 	js/src/frontend/Parser.cpp
33 	libxul.so 	js::frontend::Parser<js::frontend::FullParseHandler>::orExpr1() 	js/src/frontend/Parser.cpp
34 	libxul.so 	js::frontend::Parser<js::frontend::FullParseHandler>::condExpr1() 	js/src/frontend/Parser.cpp
35 	libxul.so 	js::frontend::Parser<js::frontend::FullParseHandler>::assignExpr() 	js/src/frontend/Parser.cpp
36 	libxul.so 	js::frontend::Parser<js::frontend::FullParseHandler>::assignExpr() 	js/src/frontend/Parser.cpp
37 	libxul.so 	js::frontend::Parser<js::frontend::FullParseHandler>::expr() 	js/src/frontend/Parser.cpp
38 	libxul.so 	js::frontend::Parser<js::frontend::FullParseHandler>::expressionStatement() 	js/src/frontend/Parser.cpp
39 	libxul.so 	js::frontend::Parser<js::frontend::FullParseHandler>::statements() 	js/src/frontend/Parser.cpp
40 	libxul.so 	js::frontend::Parser<js::frontend::FullParseHandler>::functionBody(js::frontend::FunctionSyntaxKind, js::frontend::Parser<js::frontend::FullParseHandler>::FunctionBodyType) 	js/src/frontend/Parser.cpp
41 	libxul.so 	js::frontend::Parser<js::frontend::FullParseHandler>::standaloneFunctionBody(JS::Handle<JSFunction*>, js::AutoNameVector const&, js::GeneratorKind, js::frontend::Directives, js::frontend::Directives*) 	js/src/frontend/Parser.cpp
42 	libxul.so 	CompileFunctionBody 	js/src/frontend/BytecodeCompiler.cpp
43 	libxul.so 	js::frontend::CompileFunctionBody(JSContext*, JS::MutableHandle<JSFunction*>, JS::ReadOnlyCompileOptions const&, js::AutoNameVector const&, JS::SourceBufferHolder&) 	js/src/frontend/BytecodeCompiler.cpp
44 	libxul.so 	JS::CompileFunction(JSContext*, JS::Handle<JSObject*>, JS::ReadOnlyCompileOptions const&, char const*, unsigned int, char const* const*, JS::SourceBufferHolder&, JS::MutableHandle<JSFunction*>) 	js/src/jsapi.cpp
45 	libxul.so 	JS::CompileFunction 	js/src/jsapi.cpp
46 	libxul.so 	JS::CompileFunction(JSContext*, JS::Handle<JSObject*>, JS::ReadOnlyCompileOptions const&, char const*, unsigned int, char const* const*, char const*, unsigned int, JS::MutableHandle<JSFunction*>) 	js/src/jsapi.cpp
47 	libxul.so 	mozJSComponentLoader::ObjectForLocation(ComponentLoaderInfo&, nsIFile*, JS::MutableHandle<JSObject*>, JS::MutableHandle<JSScript*>, char**, bool, JS::MutableHandle<JS::Value>) 	js/xpconnect/loader/mozJSComponentLoader.cpp
48 	libxul.so 	mozJSComponentLoader::ImportInto(nsACString_internal const&, JS::Handle<JSObject*>, JSContext*, JS::MutableHandle<JSObject*>) 	js/xpconnect/loader/mozJSComponentLoader.cpp
49 	libxul.so 	mozJSComponentLoader::Import(nsACString_internal const&, JS::Handle<JS::Value>, JSContext*, unsigned char, JS::MutableHandle<JS::Value>) 	js/xpconnect/loader/mozJSComponentLoader.cpp
50 	libxul.so 	nsXPCComponents_Utils::Import(nsACString_internal const&, JS::Handle<JS::Value>, JSContext*, unsigned char, JS::MutableHandle<JS::Value>) 	js/xpconnect/src/XPCComponents.cpp
51 	libxul.so 	NS_InvokeByIndex 	xpcom/reflect/xptcall/md/unix/xptcinvoke_arm.cpp
52 	libxul.so 	XPCWrappedNative::CallMethod(XPCCallContext&, XPCWrappedNative::CallMode) 	js/xpconnect/src/XPCWrappedNative.cpp
53 	libxul.so 	XPC_WN_CallMethod(JSContext*, unsigned int, JS::Value*) 	js/xpconnect/src/XPCWrappedNativeJSOps.cpp
54 	libxul.so 	js::Invoke(JSContext*, JS::CallArgs, js::MaybeConstruct) 	js/src/jscntxtinlines.h
55 	libxul.so 	Interpret 	js/src/vm/Interpreter.cpp
56 	libxul.so 	js::RunScript(JSContext*, js::RunState&) 	js/src/vm/Interpreter.cpp
57 	libxul.so 	js::ExecuteKernel(JSContext*, JS::Handle<JSScript*>, JSObject&, JS::Value const&, js::ExecuteType, js::AbstractFramePtr, JS::Value*) 	js/src/vm/Interpreter.cpp
58 	libxul.so 	js::Execute(JSContext*, JS::Handle<JSScript*>, JSObject&, JS::Value*) 	js/src/vm/Interpreter.cpp
59 	libxul.so 	Evaluate 	js/src/jsapi.cpp
60 	libxul.so 	JS::Evaluate(JSContext*, JS::Handle<JSObject*>, JS::ReadOnlyCompileOptions const&, JS::SourceBufferHolder&) 	js/src/jsapi.cpp
61 	libxul.so 	nsJSUtils::EvaluateString(JSContext*, JS::SourceBufferHolder&, JS::Handle<JSObject*>, JS::CompileOptions&, nsJSUtils::EvaluateOptions const&, JS::MutableHandle<JS::Value>, void**) 	dom/base/nsJSUtils.cpp
62 	libxul.so 	nsJSUtils::EvaluateString(JSContext*, JS::SourceBufferHolder&, JS::Handle<JSObject*>, JS::CompileOptions&, void**) 	dom/base/nsJSUtils.cpp
63 	libxul.so 	nsScriptLoader::EvaluateScript(nsScriptLoadRequest*, JS::SourceBufferHolder&, void**) 	content/base/src/nsScriptLoader.cpp
64 	libxul.so 	nsScriptLoader::ProcessRequest(nsScriptLoadRequest*, void**) 	content/base/src/nsScriptLoader.cpp
65 	libxul.so 	nsScriptLoader::ProcessScriptElement(nsIScriptElement*) 	content/base/src/nsScriptLoader.cpp
66 	libxul.so 	nsScriptElement::MaybeProcessScript() 	content/base/src/nsScriptElement.cpp
67 	libxul.so 	nsIScriptElement::AttemptToExecute() 	/builds/slave/b2g_m-cen_ham_ntly-00000000000/build/objdir-gecko/parser/html/../../dist/include/nsIScriptElement.h:220
68 	libxul.so 	nsHtml5TreeOpExecutor::RunScript(nsIContent*) 	parser/html/nsHtml5TreeOpExecutor.cpp
69 	libxul.so 	nsHtml5TreeOpExecutor::RunFlushLoop() 	parser/html/nsHtml5TreeOpExecutor.cpp
70 	libxul.so 	nsHtml5ExecutorFlusher::Run() 	parser/html/nsHtml5StreamParser.cpp
71 	libxul.so 	nsThread::ProcessNextEvent(bool, bool*) 	xpcom/threads/nsThread.cpp
72 	libxul.so 	NS_ProcessNextEvent(nsIThread*, bool) 	xpcom/glue/nsThreadUtils.cpp
73 	libxul.so 	mozilla::ipc::MessagePump::Run(base::MessagePump::Delegate*) 	ipc/glue/MessagePump.cpp
74 	libxul.so 	MessageLoop::RunInternal() 	ipc/chromium/src/base/message_loop.cc
75 	libxul.so 	MessageLoop::Run() 	ipc/chromium/src/base/message_loop.cc
76 	libxul.so 	nsBaseAppShell::Run() 	widget/xpwidgets/nsBaseAppShell.cpp
77 	libxul.so 	nsAppStartup::Run() 	toolkit/components/startup/nsAppStartup.cpp
78 	libxul.so 	XREMain::XRE_mainRun() 	toolkit/xre/nsAppRunner.cpp
79 	libxul.so 	XREMain::XRE_main(int, char**, nsXREAppData const*) 	toolkit/xre/nsAppRunner.cpp
80 	libxul.so 	XRE_main 	toolkit/xre/nsAppRunner.cpp
81 	b2g 	main 	b2g/app/nsBrowserApp.cpp
82 	libc.so 	__libc_init 	bionic/libc/bionic/libc_init_dynamic.c:114
83 		@0xb0001dc5 	
84 	b2g 	NS_StringSetData

More Reports: https://crash-stats.mozilla.com/report/list?signature=jemalloc_crash%20|%20arena_dalloc%20|%20je_free%20|%20free%20|%20js%3A%3Adetail%3A%3AHashTable%3CJS%3A%3ASymbol*%20const%2C%20js%3A%3AHashSet%3CJS%3A%3ASymbol*%2C%20js%3A%3AHashSymbolsByDescription%2C%20js%3A%3ASystemAllocPolicy%3E%3A%3ASetOps%2C%20js%3A%3ASystemAllocPolicy%3E%3A%3AchangeTableSize%28int%29#tab-reports

First crash seen : 7/4
20140704151451

Startup crash
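The jump from frame 5 to frame 4 is surprising: frame 5 is putNew on a HashSet of js::Shape*, while frame 4 is changeTableSize on a HashTable of JS::Symbol* (a different kind of hash table). That may just be symbolication attributing shared template code to the wrong instantiation. Either way, jemalloc_crash under arena_dalloc is the allocator aborting deliberately inside free(), which usually points to earlier heap corruption or an invalid free rather than a bug in the frame that happened to call free().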

I don't see any crashes with this signature on Socorro now, so I guess I should close this. If you can reproduce it, reopen the bug and set needinfo (ni?) for me.
Status: NEW → RESOLVED
Closed: 10 years ago
Resolution: --- → WORKSFORME