Open Bug 1338089 Opened 7 years ago Updated 2 years ago

SIGSEGV crash in js::gc::TenuredCell::zone()

Categories

(Core :: JavaScript: GC, defect, P3)

Product:
Core
Component:
JavaScript: GC
Version:
51 Branch
Platform:
Other
NetBSD
Type:
defect

Tracking

()

People

(Reporter: martin, Unassigned)

Details

(Keywords: triage-deferred) 

With Firefox 51.0.1 on sparc64 I got a SIGSEGV with this backtrace:

#0  0xffffffffb82bddf8 in js::gc::TenuredCell::zone (this=<optimized out>)
    at /usr/pkgobj/www/firefox/work/firefox-51.0.1/js/src/gc/Heap.h:1267
#1  MustSkipMarking<js::jit::JitCode*> (gcmarker=<optimized out>, thing=<optimized out>)
    at /usr/pkgobj/www/firefox/work/firefox-51.0.1/js/src/gc/Marking.cpp:761
#2  0xffffffffb8a3c4d0 in DoMarking<js::Scope> (gcmarker=0xffffffffa931aa90, thing=0x6fffd28c720)
    at /usr/pkgobj/www/firefox/work/firefox-51.0.1/js/src/gc/Marking.cpp:790
#3  0xffffffffb8a3c6a0 in js::TraceRange<js::Scope*> (trc=trc@entry=0xffffffffa931aa90, len=1, vec=<optimized out>, 
    name=0xffffffffb8e34000 "scopes") at /usr/pkgobj/www/firefox/work/firefox-51.0.1/js/src/gc/Marking.cpp:531
#4  0xffffffffb80ce86c in JSScript::traceChildren (this=this@entry=0x6fffd2db5e8, trc=trc@entry=0xffffffffa931aa90)
    at /usr/pkgobj/www/firefox/work/firefox-51.0.1/js/src/jsscript.cpp:3573
#5  0xffffffffb82cad70 in js::GCMarker::processMarkStackTop (budget=..., this=0xffffffffa931aa90)
    at /usr/pkgobj/www/firefox/work/firefox-51.0.1/js/src/gc/Marking.cpp:1656
#6  js::GCMarker::drainMarkStack (this=this@entry=0xffffffffa931aa90, budget=...)
    at /usr/pkgobj/www/firefox/work/firefox-51.0.1/js/src/gc/Marking.cpp:1550
#7  0xffffffffb8084f88 in js::gc::GCRuntime::drainMarkStack (this=this@entry=0xffffffffa9318910, sliceBudget=..., 
    phase=phase@entry=js::gcstats::PHASE_MARK) at /usr/pkgobj/www/firefox/work/firefox-51.0.1/js/src/jsgc.cpp:5234
#8  0xffffffffb809bbec in js::gc::GCRuntime::incrementalCollectSlice (this=this@entry=0xffffffffa9318910, budget=..., 
    reason=reason@entry=JS::gcreason::INTER_SLICE_GC, lock=...)
    at /usr/pkgobj/www/firefox/work/firefox-51.0.1/js/src/jsgc.cpp:5876
#9  0xffffffffb809cd1c in js::gc::GCRuntime::gcCycle (this=this@entry=0xffffffffa9318910, 
    nonincrementalByAPI=nonincrementalByAPI@entry=false, budget=..., reason=reason@entry=JS::gcreason::INTER_SLICE_GC)
    at /usr/pkgobj/www/firefox/work/firefox-51.0.1/js/src/jsgc.cpp:6162
#10 0xffffffffb809d16c in js::gc::GCRuntime::collect (this=this@entry=0xffffffffa9318910, 
    nonincrementalByAPI=nonincrementalByAPI@entry=false, budget=..., reason=reason@entry=JS::gcreason::INTER_SLICE_GC)
    at /usr/pkgobj/www/firefox/work/firefox-51.0.1/js/src/jsgc.cpp:6290
#11 0xffffffffb809d658 in js::gc::GCRuntime::gcSlice (this=0xffffffffa9318910, reason=<optimized out>, millis=40)
    at /usr/pkgobj/www/firefox/work/firefox-51.0.1/js/src/jsgc.cpp:6377
#12 0xffffffffb5a651f0 in nsTimerImpl::Fire (this=0xffffffff8e8feef0)
    at /usr/pkgobj/www/firefox/work/firefox-51.0.1/xpcom/threads/nsTimerImpl.cpp:521
#13 0xffffffffb5a63284 in nsTimerEvent::Run (this=0xffffffffa5e1a2f0)
    at /usr/pkgobj/www/firefox/work/firefox-51.0.1/xpcom/threads/TimerThread.cpp:286
#14 0xffffffffb5a60774 in nsThread::ProcessNextEvent (this=0xffffffffba167160, aMayWait=<optimized out>, 
    aResult=0xffffffffffb3d1df) at /usr/pkgobj/www/firefox/work/firefox-51.0.1/xpcom/threads/nsThread.cpp:1067
#15 0xffffffffb5a8738c in NS_ProcessNextEvent (aThread=<optimized out>, aMayWait=<optimized out>)
    at /usr/pkgobj/www/firefox/work/firefox-51.0.1/xpcom/glue/nsThreadUtils.cpp:311
#16 0xffffffffb5cf6bb4 in mozilla::ipc::MessagePump::Run (this=0xffffffffba22c700, aDelegate=0xffffffffba254180)
    at /usr/pkgobj/www/firefox/work/firefox-51.0.1/ipc/glue/MessagePump.cpp:124
#17 0xffffffffb5cddb64 in MessageLoop::RunInternal (this=0xffffffffba254180)
    at /usr/pkgobj/www/firefox/work/firefox-51.0.1/ipc/chromium/src/base/message_loop.cc:232
#18 MessageLoop::RunHandler (this=0xffffffffba254180)
    at /usr/pkgobj/www/firefox/work/firefox-51.0.1/ipc/chromium/src/base/message_loop.cc:225
#19 MessageLoop::Run (this=0xffffffffba254180)
    at /usr/pkgobj/www/firefox/work/firefox-51.0.1/ipc/chromium/src/base/message_loop.cc:205
#20 0xffffffffb75fc194 in nsBaseAppShell::Run (this=0xffffffffa7d4cc80)
    at /usr/pkgobj/www/firefox/work/firefox-51.0.1/widget/nsBaseAppShell.cpp:156
#21 0xffffffffb7dd4e14 in nsAppStartup::Run (this=0xffffffffa7d35920)
    at /usr/pkgobj/www/firefox/work/firefox-51.0.1/toolkit/components/startup/nsAppStartup.cpp:283
#22 0xffffffffb7e46fe4 in XREMain::XRE_mainRun (this=this@entry=0xffffffffffb3d7c0)

this is in the arena() call here:

1264    JS::Zone*
1265    TenuredCell::zone() const
1266    {
1267        JS::Zone* zone = arena()->zone;
1268        MOZ_ASSERT(CurrentThreadCanAccessZone(zone));
1269        return zone;
1270    }

lots of things are optimized out and actually the register values already overwritte, next usefull info is two frames up:

#2  0xffffffffb8a3c4d0 in DoMarking<js::Scope> (gcmarker=0xffffffffa931aa90, thing=0x6fffd28c720)
    at /usr/pkgobj/www/firefox/work/firefox-51.0.1/js/src/gc/Marking.cpp:790
790         if (MustSkipMarking(gcmarker, thing))
(gdb) p thing
$7 = (js::Scope *) 0x6fffd28c720
(gdb) p *thing
$8 = {<js::gc::TenuredCell> = {<js::gc::Cell> = {<No data fields>}, <No data fields>}, kind_ = js::ScopeKind::Function, 
  enclosing_ = {<js::WriteBarrieredBase<js::Scope*>> = {<js::BarrieredBase<js::Scope*>> = {<js::BarrieredBaseMixins<js::Scope*>> = {<No data fields>}, value = 0x6fffcfdd2c0}, <No data fields>}, <No data fields>}, 
  environmentShape_ = {<js::WriteBarrieredBase<js::Shape*>> = {<js::BarrieredBase<js::Shape*>> = {<js::BarrieredBaseMixins<js::Shape*>> = {<No data fields>}, value = 0x6fffd2c85d8}, <No data fields>}, <No data fields>}, 
  data_ = 18446744072199360512, static TraceKind = JS::TraceKind::Scope}
(gdb) p *gcmarker
$9 = {<JSTracer> = {runtime_ = 0xffffffffa9318200, weakMapAction_ = ExpandWeakMaps, 
    tag_ = JSTracer::TracerKindTag::Marking}, static StackTagMask = 7, stack = {stack_ = 0xffffffff8c276000, 
    tos_ = 0xffffffff8c2775b8, end_ = 0xffffffff8c27e000, baseCapacity_ = 4096, maxCapacity_ = 18446744073709551615}, 
  color = 0, unmarkedArenaStackTop = 0x0, linearWeakMarkingDisabled_ = false}
(gdb) p/x *thing
$10 = {<js::gc::TenuredCell> = {<js::gc::Cell> = {<No data fields>}, <No data fields>}, kind_ = 0x0, 
  enclosing_ = {<js::WriteBarrieredBase<js::Scope*>> = {<js::BarrieredBase<js::Scope*>> = {<js::BarrieredBaseMixins<js::Scope*>> = {<No data fields>}, value = 0x6fffcfdd2c0}, <No data fields>}, <No data fields>}, 
  environmentShape_ = {<js::WriteBarrieredBase<js::Shape*>> = {<js::BarrieredBase<js::Shape*>> = {<js::BarrieredBaseMixins<js::Shape*>> = {<No data fields>}, value = 0x6fffd2c85d8}, <No data fields>}, <No data fields>}, 
  data_ = 0xffffffffa5fc5000, static TraceKind = 0x3f}

I'll happily take any ideas/pointers for further investigation.
Keywords: triage-deferred
Priority: -- → P3
Severity: normal → S3
You need to log in before you can comment on or make changes to this bug.