Closed
Bug 1029549
Opened 10 years ago
Closed 10 years ago
Intermittent browser_audionode-actor-get-param-flags.js | application crashed [@ js::gc::Cell::arenaHeader() const] (after: "Assertion failure: isTenured(), at js/src/gc/Heap.h:1001")
Categories
(Core :: JavaScript: GC, defect)
Tracking
()
RESOLVED
WORKSFORME
People
(Reporter: emorley, Unassigned)
References
(Blocks 1 open bug)
Details
(Keywords: assertion, intermittent-failure)
Crash Data
Attachments
(1 file)
|
1.13 KB,
patch
|
jonco
:
review+
|
Details | Diff | Splinter Review |
Ubuntu VM 12.04 mozilla-inbound debug test mochitest-devtools-chrome-3 on 2014-06-24 05:40:47 PDT for push f90e81750943
slave: tst-linux32-spot-343
https://tbpl.mozilla.org/php/getParsedLog.php?id=42353484&tree=Mozilla-Inbound
{
06:02:26 INFO - [1765] WARNING: NS_ENSURE_SUCCESS(EnsureScriptEnvironment(), nullptr) failed with result 0x80040111: file /builds/slave/m-in-lx-d-00000000000000000000/build/docshell/base/nsDocShell.cpp, line 4147
06:02:26 INFO - [1765] WARNING: NS_ENSURE_SUCCESS(EnsureScriptEnvironment(), nullptr) failed with result 0x80040111: file /builds/slave/m-in-lx-d-00000000000000000000/build/docshell/base/nsDocShell.cpp, line 4147
06:02:26 INFO - [1765] WARNING: NS_ENSURE_SUCCESS(EnsureScriptEnvironment(), nullptr) failed with result 0x80040111: file /builds/slave/m-in-lx-d-00000000000000000000/build/docshell/base/nsDocShell.cpp, line 4147
06:02:26 INFO - [1765] WARNING: NS_ENSURE_SUCCESS(EnsureScriptEnvironment(), nullptr) failed with result 0x80040111: file /builds/slave/m-in-lx-d-00000000000000000000/build/docshell/base/nsDocShell.cpp, line 4147
06:02:26 INFO - [1765] WARNING: NS_ENSURE_SUCCESS(EnsureScriptEnvironment(), nullptr) failed with result 0x80040111: file /builds/slave/m-in-lx-d-00000000000000000000/build/docshell/base/nsDocShell.cpp, line 4147
06:02:27 INFO - [1765] WARNING: NS_ENSURE_SUCCESS(EnsureScriptEnvironment(), nullptr) failed with result 0x80040111: file /builds/slave/m-in-lx-d-00000000000000000000/build/docshell/base/nsDocShell.cpp, line 4147
06:02:27 INFO - [1765] WARNING: NS_ENSURE_SUCCESS(EnsureScriptEnvironment(), nullptr) failed with result 0x80040111: file /builds/slave/m-in-lx-d-00000000000000000000/build/docshell/base/nsDocShell.cpp, line 4147
06:02:27 INFO - [1765] WARNING: NS_ENSURE_SUCCESS(EnsureScriptEnvironment(), nullptr) failed with result 0x80040111: file /builds/slave/m-in-lx-d-00000000000000000000/build/docshell/base/nsDocShell.cpp, line 4147
06:02:27 INFO - [1765] WARNING: NS_ENSURE_SUCCESS(EnsureScriptEnvironment(), nullptr) failed with result 0x80040111: file /builds/slave/m-in-lx-d-00000000000000000000/build/docshell/base/nsDocShell.cpp, line 4147
06:02:27 INFO - [1765] WARNING: NS_ENSURE_SUCCESS(EnsureScriptEnvironment(), nullptr) failed with result 0x80040111: file /builds/slave/m-in-lx-d-00000000000000000000/build/docshell/base/nsDocShell.cpp, line 4147
06:02:27 INFO - [1765] WARNING: NS_ENSURE_SUCCESS(EnsureScriptEnvironment(), nullptr) failed with result 0x80040111: file /builds/slave/m-in-lx-d-00000000000000000000/build/docshell/base/nsDocShell.cpp, line 4147
06:02:27 INFO - TEST-INFO | chrome://mochitests/content/browser/browser/devtools/webaudioeditor/test/browser_audionode-actor-get-param-flags.js | Removing tab.
06:02:27 INFO - TEST-INFO | chrome://mochitests/content/browser/browser/devtools/webaudioeditor/test/browser_audionode-actor-get-param-flags.js | Tab removed and finished closing.
06:02:27 INFO - [1765] WARNING: NS_ENSURE_TRUE(mMutable) failed: file /builds/slave/m-in-lx-d-00000000000000000000/build/netwerk/base/src/nsSimpleURI.cpp, line 265
06:02:27 INFO - TEST-INFO | chrome://mochitests/content/browser/browser/devtools/webaudioeditor/test/browser_audionode-actor-get-param-flags.js | finish() was called, cleaning up...
06:02:27 INFO - Assertion failure: isTenured(), at /builds/slave/m-in-lx-d-00000000000000000000/build/js/src/gc/Heap.h:1001
06:02:29 INFO - TEST-INFO | Main app process: killed by SIGSEGV
06:02:29 WARNING - TEST-UNEXPECTED-FAIL | chrome://mochitests/content/browser/browser/devtools/webaudioeditor/test/browser_audionode-actor-get-param-flags.js | application terminated with exit code 11
06:02:29 INFO - INFO | runtests.py | Application ran for: 0:19:43.643997
06:02:29 INFO - INFO | zombiecheck | Reading PID log: /tmp/tmpEMYgD1pidlog
06:02:42 WARNING - PROCESS-CRASH | chrome://mochitests/content/browser/browser/devtools/webaudioeditor/test/browser_audionode-actor-get-param-flags.js | application crashed [@ js::gc::Cell::arenaHeader() const]
06:02:42 INFO - Crash dump filename: /tmp/tmpzJA3Q_/minidumps/49263c83-4a40-a8cf-28e711c0-600d8d2e.dmp
06:02:42 INFO - Operating system: Linux
06:02:42 INFO - 0.0.0 Linux 3.2.0-23-generic-pae #36-Ubuntu SMP Tue Apr 10 22:19:09 UTC 2012 i686
06:02:42 INFO - CPU: x86
06:02:42 INFO - GenuineIntel family 6 model 45 stepping 7
06:02:42 INFO - 1 CPU
06:02:42 INFO - Crash reason: SIGSEGV
06:02:42 INFO - Crash address: 0x0
06:02:42 INFO - Thread 0 (crashed)
06:02:42 INFO - 0 libxul.so!js::gc::Cell::arenaHeader() const [Heap.h:f90e81750943 : 1001 + 0x18]
06:02:42 INFO - eip = 0xb4be6afc esp = 0xbf9e1ff0 ebp = 0xbf9e2008 ebx = 0xb6da5980
06:02:42 INFO - esi = 0xaceffff0 edi = 0x000000ef eax = 0x00000000 ecx = 0xb76518ac
06:02:42 INFO - edx = 0x00000000 efl = 0x00210282
06:02:42 INFO - Found by: given as instruction pointer in context
06:02:42 INFO - 1 libxul.so!js::gc::GCRuntime::beginMarkPhase() [Heap.h:f90e81750943 : 1063 + 0x1a]
06:02:42 INFO - eip = 0xb4bfd995 esp = 0xbf9e2010 ebp = 0xbf9e20f8 ebx = 0xb6da5980
06:02:42 INFO - esi = 0xaceffff0 edi = 0x000000ef
06:02:42 INFO - Found by: call frame info
06:02:42 INFO - 2 libxul.so!js::gc::GCRuntime::incrementalCollectSlice(long long, JS::gcreason::Reason, js::JSGCInvocationKind) [jsgc.cpp:f90e81750943 : 4735 + 0x7]
06:02:42 INFO - eip = 0xb4c09d20 esp = 0xbf9e2100 ebp = 0xbf9e2178 ebx = 0xb6da5980
06:02:42 INFO - esi = 0xadfd81cc edi = 0xbf9e2144
06:02:42 INFO - Found by: call frame info
06:02:42 INFO - 3 libxul.so!js::gc::GCRuntime::gcCycle(bool, long long, js::JSGCInvocationKind, JS::gcreason::Reason) [jsgc.cpp:f90e81750943 : 4928 + 0x23]
06:02:42 INFO - eip = 0xb4c0a9cd esp = 0xbf9e2180 ebp = 0xbf9e2208 ebx = 0xb6da5980
06:02:42 INFO - esi = 0xadfd81cc edi = 0x00000000
06:02:42 INFO - Found by: call frame info
06:02:42 INFO - 4 libxul.so!js::gc::GCRuntime::collect(bool, long long, js::JSGCInvocationKind, JS::gcreason::Reason) [jsgc.cpp:f90e81750943 : 5084 + 0x27]
06:02:42 INFO - eip = 0xb4c0adaa esp = 0xbf9e2210 ebp = 0xbf9e22b8 ebx = 0xb6da5980
06:02:42 INFO - esi = 0xadfd81cc edi = 0xadfd8438
06:02:42 INFO - Found by: call frame info
06:02:42 INFO - 5 libxul.so!js::GC(JSRuntime*, js::JSGCInvocationKind, JS::gcreason::Reason) [jsgc.cpp:f90e81750943 : 5115 + 0x2d]
06:02:42 INFO - eip = 0xb4c0b566 esp = 0xbf9e22c0 ebp = 0xbf9e22e8 ebx = 0xb6da5980
06:02:42 INFO - esi = 0xadfd8000 edi = 0xbf9e2370
06:02:42 INFO - Found by: call frame info
06:02:42 INFO - 6 libxul.so!JS::GCForReason(JSRuntime*, JS::gcreason::Reason) [jsfriendapi.cpp:f90e81750943 : 190 + 0x17]
06:02:42 INFO - eip = 0xb4bd4e7e esp = 0xbf9e22f0 ebp = 0xbf9e2308 ebx = 0xb6da5980
06:02:42 INFO - esi = 0xadfd8000 edi = 0xbf9e2370
06:02:42 INFO - Found by: call frame info
}
| Comment hidden (Legacy TBPL/Treeherder Robot) |
| Comment hidden (Legacy TBPL/Treeherder Robot) |
| Comment hidden (Legacy TBPL/Treeherder Robot) |
| Comment hidden (Legacy TBPL/Treeherder Robot) |
| Comment hidden (Legacy TBPL/Treeherder Robot) |
| Comment hidden (Legacy TBPL/Treeherder Robot) |
| Comment hidden (Legacy TBPL/Treeherder Robot) |
| Comment hidden (Legacy TBPL/Treeherder Robot) |
| Comment hidden (Legacy TBPL/Treeherder Robot) |
|
||
Updated•10 years ago
|
Blocks: GC.stability
|
|
||
Comment 10•10 years ago
|
||
The crash here is happening because the Chunk's "location" field is 0 instead of tenured or nursery. The marking is for a Shape's Getter or Setter object out of the CC's visitChildren on a JSObject. This would indicate that one of those objects is dead or corrupt, or that the shape's property flags are out of sync with reality.
| Comment hidden (Legacy TBPL/Treeherder Robot) |
|
|
||
Comment 12•10 years ago
|
||
We're falling over here either when we access the arena header or the chunk trailer -- it's hard to tell with the inlining. What we do know is that it is on a TenuredHeap in the wrapper cache (XPCWN). This patch puts the same sanity checks we make when accessing the arenaHeader into getPtr. At the very least this will move the crash up the stack.
Attachment #8491648 -
Flags: review?(jcoppeard)
|
|
||
Updated•10 years ago
|
Keywords: leave-open
|
||
Comment 13•10 years ago
|
||
Comment on attachment 8491648 [details] [diff] [review]
sanity_check_TenuredHeap_on_access-v0.diff
Review of attachment 8491648 [details] [diff] [review]:
-----------------------------------------------------------------
r=me.
Attachment #8491648 -
Flags: review?(jcoppeard) → review+
|
|
||
Comment 14•10 years ago
|
||
|
|
||
Comment 15•10 years ago
|
||
And that really should not have turned the tree orange. This should be fun.
https://hg.mozilla.org/integration/mozilla-inbound/rev/8e6e924ff00b
|
|
||
Comment 16•10 years ago
|
||
I forgot that we don't null-check anywhere on that path. Derp!
|
||
Comment 17•10 years ago
|
||
Looks like this is fixed.
Status: NEW → RESOLVED
Closed: 10 years ago
Resolution: --- → WORKSFORME
|
||
Comment 18•7 years ago
|
||
Removing leave-open keyword from resolved bugs, per :sylvestre.
Keywords: leave-open
You need to log in
before you can comment on or make changes to this bug.
Description
•