Bug 1088110
Opened 10 years ago
Closed 10 years ago
Intermittent valgrind-test | Invalid write of size 4 at js::gc::Chunk::findDecommittedArenaOffset / js::gc::Chunk::fetchNextDecommittedArena / js::gc::Chunk::allocateArena / js::gc::ArenaLists::allocateFromArena
Categories
(Core :: JavaScript: GC, defect)
Tracking
RESOLVED
FIXED
mozilla36
Release | Tracking | Status |
---|---|---|
firefox34 | --- | unaffected |
firefox35 | --- | unaffected |
firefox36 | --- | fixed |
firefox-esr31 | --- | unaffected |
People
(Reporter: RyanVM, Assigned: terrence)
Details
(Keywords: intermittent-failure)
Hard to believe this isn't related to bug 1087892 as well.

https://treeherder.mozilla.org/ui/logviewer.html#?job_id=3247710&repo=mozilla-inbound

builder Linux x86-64 mozilla-inbound valgrind
buildid 20141023072317
builduid c9e933c918484ef7987199d239a1b3d6
results failure (2)
revision 934e7c6d8811
slave bld-linux64-spot-187
starttime Thu Oct 23 2014 10:29:01 GMT-0400 (Eastern Standard Time)

TEST-UNEXPECTED-FAIL | valgrind-test | Invalid write of size 4 at js::gc::Chunk::findDecommittedArenaOffset / js::gc::Chunk::fetchNextDecommittedArena / js::gc::Chunk::allocateArena / js::gc::ArenaLists::allocateFromArena
==24166== Invalid write of size 4
==24166==    at 0xA6653A8: js::gc::Chunk::findDecommittedArenaOffset() (jsgc.cpp:858)
==24166==    by 0xA6653C6: js::gc::Chunk::fetchNextDecommittedArena() (jsgc.cpp:867)
==24166==    by 0xA667371: js::gc::Chunk::allocateArena(JS::Zone*, js::gc::AllocKind) (jsgc.cpp:924)
==24166==    by 0xA6780E7: js::gc::ArenaLists::allocateFromArena(JS::Zone*, js::gc::AllocKind, js::gc::AutoMaybeStartBackgroundAllocation&) (jsgc.cpp:1910)
==24166==    by 0xA6AE015: void* js::gc::GCRuntime::refillFreeListFromMainThread<(js::AllowGC)1>(JSContext*, js::gc::AllocKind) (jsgc.cpp:2678)
==24166==    by 0xA6AE14D: void* js::gc::GCRuntime::refillFreeListFromAnyThread<(js::AllowGC)1>(js::ThreadSafeContext*, js::gc::AllocKind) (jsgc.cpp:2737)
==24166==    by 0xA3ABA0F: JSObject* js::gc::AllocateObject<(js::AllowGC)1>(js::ThreadSafeContext*, js::gc::AllocKind, unsigned long, js::gc::InitialHeap) (jsgcinlines.h:607)
==24166==    by 0xA5D93D5: NewGCObject<(js::AllowGC)1u> (jsgcinlines.h:705)
==24166==    by 0xA5D93D5: JSObject::create(js::ExclusiveContext*, js::gc::AllocKind, js::gc::InitialHeap, JS::Handle<js::Shape*>, JS::Handle<js::types::TypeObject*>) (jsobjinlines.h:324)
==24166==    by 0xA6BD577: NewObject(js::ExclusiveContext*, js::types::TypeObject*, JSObject*, js::gc::AllocKind, js::NewObjectKind) (jsobj.cpp:1437)
==24166==    by 0xA6BF161: js::NewObjectWithClassProtoCommon(js::ExclusiveContext*, js::Class const*, JSObject*, JSObject*, js::gc::AllocKind, js::NewObjectKind) (jsobj.cpp:1631)
==24166==    by 0xA6BF64C: NewObjectWithClassProto (jsobjinlines.h:656)
==24166==    by 0xA6BF64C: js::NewFunctionWithProto(js::ExclusiveContext*, JS::Handle<JSObject*>, bool (*)(JSContext*, unsigned int, JS::Value*), unsigned int, JSFunction::Flags, JS::Handle<JSObject*>, JS::Handle<JSAtom*>, JSObject*, js::gc::AllocKind, js::NewObjectKind) (jsfun.cpp:1967)
==24166==    by 0xA6BF68F: js::NewFunction(js::ExclusiveContext*, JS::Handle<JSObject*>, bool (*)(JSContext*, unsigned int, JS::Value*), unsigned int, JSFunction::Flags, JS::Handle<JSObject*>, JS::Handle<JSAtom*>, js::gc::AllocKind, js::NewObjectKind) (jsfun.cpp:1941)
==24166==    by 0xA6BF9E8: js::DefineFunction(JSContext*, JS::Handle<JSObject*>, JS::Handle<jsid>, bool (*)(JSContext*, unsigned int, JS::Value*), unsigned int, unsigned int, js::gc::AllocKind, js::NewObjectKind) (jsfun.cpp:2133)
==24166==    by 0xA641E2E: JS_DefineFunctions(JSContext*, JS::Handle<JSObject*>, JSFunctionSpec const*) (jsapi.cpp:4012)
==24166==    by 0xA716A9A: js::GlobalObject::resolveConstructor(JSContext*, JS::Handle<js::GlobalObject*>, JSProtoKey) (GlobalObject.cpp:178)
==24166==    by 0xA716C6F: js::GlobalObject::ensureConstructor(JSContext*, JS::Handle<js::GlobalObject*>, JSProtoKey) (GlobalObject.cpp:95)
==24166==    by 0xA716E7F: js::GlobalObject::initStandardClasses(JSContext*, JS::Handle<js::GlobalObject*>) (GlobalObject.cpp:283)
==24166==    by 0xA640A0A: JS_InitStandardClasses(JSContext*, JS::Handle<JSObject*>) (jsapi.cpp:1156)
==24166==    by 0x8815869: XPCWrappedNative::WrapNewGlobal(xpcObjectHelper&, nsIPrincipal*, bool, JS::CompartmentOptions&, XPCWrappedNative**) (XPCWrappedNative.cpp:182)
==24166==    by 0x8815C29: nsXPConnect::InitClassesWithNewWrappedGlobal(JSContext*, nsISupports*, nsIPrincipal*, unsigned int, JS::CompartmentOptions&, nsIXPConnectJSObjectHolder**) (nsXPConnect.cpp:485)
==24166==    by 0x95DDA88: nsFrameScriptExecutor::InitTabChildGlobalInternal(nsISupports*, nsACString_internal const&) (nsFrameMessageManager.cpp:1605)
==24166==    by 0x95F4BCD: nsInProcessTabChildGlobal::InitTabChildGlobal() (nsInProcessTabChildGlobal.cpp:321)
==24166==    by 0x9603D4F: nsInProcessTabChildGlobal::Init() (nsInProcessTabChildGlobal.cpp:141)
==24166==    by 0x9603F02: nsInProcessTabChildGlobal::LoadFrameScript(nsAString_internal const&, bool) (nsInProcessTabChildGlobal.cpp:351)
==24166==    by 0x9603F8A: nsAsyncScriptLoad::Run() (nsInProcessTabChildGlobal.cpp:334)
==24166==    by 0x952D748: nsContentUtils::RemoveScriptBlocker() (nsContentUtils.cpp:5022)
==24166==    by 0x95DAE31: nsDocument::EndUpdate(unsigned int) (nsDocument.cpp:4790)
==24166==    by 0x9805FC0: mozilla::dom::XULDocument::EndUpdate(unsigned int) (XULDocument.cpp:3243)
==24166==    by 0x960780E: ~mozAutoDocUpdate (mozAutoDocUpdate.h:38)
==24166==    by 0x960780E: nsINode::ReplaceOrInsertBefore(bool, nsINode*, nsINode*, mozilla::ErrorResult&) (nsINode.cpp:2215)
==24166==    by 0x8F7EC08: InsertBefore (nsINode.h:1604)
==24166==    by 0x8F7EC08: AppendChild (nsINode.h:1608)
==24166==    by 0x8F7EC08: mozilla::dom::NodeBinding::appendChild(JSContext*, JS::Handle<JSObject*>, nsINode*, JSJitMethodCallArgs const&) (NodeBinding.cpp:598)
==24166==    by 0x91FF567: mozilla::dom::GenericBindingMethod(JSContext*, unsigned int, JS::Value*) (BindingUtils.cpp:2425)
==24166==    by 0xA7472ED: CallJSNative (jscntxtinlines.h:231)
==24166==    by 0xA7472ED: js::Invoke(JSContext*, JS::CallArgs, js::MaybeConstruct) (Interpreter.cpp:482)
==24166==    by 0xA73E4E8: Interpret(JSContext*, js::RunState&) (Interpreter.cpp:2537)
==24166==    by 0xA746B34: js::RunScript(JSContext*, js::RunState&) (Interpreter.cpp:432)
==24166==    by 0xA747253: js::Invoke(JSContext*, JS::CallArgs, js::MaybeConstruct) (Interpreter.cpp:501)
==24166==    by 0xA747FEE: js::Invoke(JSContext*, JS::Value const&, JS::Value const&, unsigned int, JS::Value const*, JS::MutableHandle<JS::Value>) (Interpreter.cpp:538)
==24166== Address 0x0 is not stack'd, malloc'd or (recently) free'd
Comment 1 • 10 years ago (Reporter)
Should be fixed by Terrence's backout.
Assignee: nobody → terrence
Blocks: 1074961
Status: NEW → RESOLVED
Closed: 10 years ago
status-firefox34: --- → unaffected
status-firefox35: --- → unaffected
status-firefox36: --- → fixed
status-firefox-esr31: --- → unaffected
No longer depends on: 1087892
Resolution: --- → FIXED
Target Milestone: --- → mozilla36