Closed Bug 1072801 Opened 8 years ago Closed 8 years ago

crash in AutoGCSlice::~AutoGCSlice

Categories

(Core :: JavaScript: GC, defect)

x86
Linux
defect
Not set
critical

VERIFIED FIXED
mozilla36
Tracking Status
firefox33 --- affected

People

(Reporter: andrei, Assigned: terrence)

Details

(Keywords: crash, Whiteboard: [mozmill])

Attachments

(1 file)

This bug was filed from the Socorro interface and is report bp-4c2f0025-a30f-40c7-9f63-20b412140925.
=============================================================

Similar to bug 1072800 and possibly bug 1069884.
Please dupe if this is the case.

Crashed in the same test as both of the bugs referenced above.
This crash is close to a null deref, but not sure how critical it could be.

Crash Reason 	SIGSEGV
Crash Address 	0x1a8

First 10 frames of the stack:

0 	libxul.so 	AutoGCSlice::~AutoGCSlice 	js/src/jsgc.cpp
1 	libxul.so 	js::gc::GCRuntime::incrementalCollectSlice(long long, JS::gcreason::Reason, js::JSGCInvocationKind) 	js/src/jsgc.cpp
2 	libxul.so 	js::gc::GCRuntime::gcCycle(bool, long long, js::JSGCInvocationKind, JS::gcreason::Reason) 	js/src/jsgc.cpp
3 	libxul.so 	js::gc::GCRuntime::collect(bool, long long, js::JSGCInvocationKind, JS::gcreason::Reason) 	js/src/jsgc.cpp
4 	libxul.so 	js::gc::GCRuntime::gcSlice(js::JSGCInvocationKind, JS::gcreason::Reason, long long) 	js/src/jsgc.cpp
5 	libxul.so 	JS::IncrementalGC(JSRuntime*, JS::gcreason::Reason, long long) 	js/src/jsfriendapi.cpp
6 	libxul.so 	nsJSContext::GarbageCollectNow(JS::gcreason::Reason, nsJSContext::IsIncremental, nsJSContext::IsShrinking, long long) 	dom/base/nsJSEnvironment.cpp
7 	libxul.so 	InterSliceGCTimerFired(nsITimer*, void*) 	dom/base/nsJSEnvironment.cpp
8 	libxul.so 	nsTimerImpl::Fire() 	xpcom/threads/nsTimerImpl.cpp
9 	libxul.so 	nsTimerEvent::Run() 	xpcom/threads/nsTimerImpl.cpp
10 	libxul.so 	nsThread::ProcessNextEvent(bool, bool*) 	xpcom/threads/nsThread.cpp
Component: XUL → JavaScript: GC
Crashed again, same signature, linux, 33.0.1:
https://crash-stats.mozilla.com/report/index/20f63e84-7c24-4c18-8c8a-e41672141027
Well, that's horrid; we really should be handling this OOM better. It's a safe null deref in all cases, so at least it's not a sec issue. Making this site fallible isn't really feasible, so let's just signal this as an OOM crash immediately.
Assignee: nobody → terrence
Status: NEW → ASSIGNED
Attachment #8512255 - Flags: review?(sphink)
Comment on attachment 8512255
handle_slice_stats_oom_better-v0.diff

Review of attachment 8512255:
-----------------------------------------------------------------

Hopefully this won't hit too often. It's a bit dangerous.
Attachment #8512255 - Flags: review?(sphink) → review+
https://hg.mozilla.org/mozilla-central/rev/111df21a6d66
Status: ASSIGNED → RESOLVED
Closed: 8 years ago
Resolution: --- → FIXED
Target Milestone: --- → mozilla36
Socorro [1] shows only 2 crashes in Firefox 31 over the past month.

[1] - https://crash-stats.mozilla.com/report/list?product=Firefox&range_unit=days&range_value=28&signature=AutoGCSlice%3A%3A~AutoGCSlice
Status: RESOLVED → VERIFIED