Closed Bug 1088110 Opened 10 years ago Closed 10 years ago

Intermittent valgrind-test | Invalid write of size 4 at js::gc::Chunk::findDecommittedArenaOffset / js::gc::Chunk::fetchNextDecommittedArena / js::gc::Chunk::allocateArena / js::gc::ArenaLists::allocateFromArena

Categories: Core :: JavaScript: GC (defect)
Platform: x86_64 Linux
Severity: normal
Status: RESOLVED FIXED
Target Milestone: mozilla36

Tracking Status
firefox34 --- unaffected
firefox35 --- unaffected
firefox36 --- fixed
firefox-esr31 --- unaffected

People: Reporter: RyanVM, Assigned: terrence

Keywords: intermittent-failure

Hard to believe this isn't related to bug 1087892 as well.

https://treeherder.mozilla.org/ui/logviewer.html#?job_id=3247710&repo=mozilla-inbound

builder 	Linux x86-64 mozilla-inbound valgrind
buildid 	20141023072317
builduid 	c9e933c918484ef7987199d239a1b3d6
results 	failure (2)
revision 	934e7c6d8811
slave 		bld-linux64-spot-187
starttime 	Thu Oct 23 2014 10:29:01 GMT-0400 (Eastern Standard Time)

TEST-UNEXPECTED-FAIL | valgrind-test | Invalid write of size 4 at js::gc::Chunk::findDecommittedArenaOffset / js::gc::Chunk::fetchNextDecommittedArena / js::gc::Chunk::allocateArena / js::gc::ArenaLists::allocateFromArena
==24166== Invalid write of size 4
==24166== at 0xA6653A8: js::gc::Chunk::findDecommittedArenaOffset() (jsgc.cpp:858)
==24166== by 0xA6653C6: js::gc::Chunk::fetchNextDecommittedArena() (jsgc.cpp:867)
==24166== by 0xA667371: js::gc::Chunk::allocateArena(JS::Zone*, js::gc::AllocKind) (jsgc.cpp:924)
==24166== by 0xA6780E7: js::gc::ArenaLists::allocateFromArena(JS::Zone*, js::gc::AllocKind, js::gc::AutoMaybeStartBackgroundAllocation&) (jsgc.cpp:1910)
==24166== by 0xA6AE015: void* js::gc::GCRuntime::refillFreeListFromMainThread<(js::AllowGC)1>(JSContext*, js::gc::AllocKind) (jsgc.cpp:2678)
==24166== by 0xA6AE14D: void* js::gc::GCRuntime::refillFreeListFromAnyThread<(js::AllowGC)1>(js::ThreadSafeContext*, js::gc::AllocKind) (jsgc.cpp:2737)
==24166== by 0xA3ABA0F: JSObject* js::gc::AllocateObject<(js::AllowGC)1>(js::ThreadSafeContext*, js::gc::AllocKind, unsigned long, js::gc::InitialHeap) (jsgcinlines.h:607)
==24166== by 0xA5D93D5: NewGCObject<(js::AllowGC)1u> (jsgcinlines.h:705)
==24166== by 0xA5D93D5: JSObject::create(js::ExclusiveContext*, js::gc::AllocKind, js::gc::InitialHeap, JS::Handle<js::Shape*>, JS::Handle<js::types::TypeObject*>) (jsobjinlines.h:324)
==24166== by 0xA6BD577: NewObject(js::ExclusiveContext*, js::types::TypeObject*, JSObject*, js::gc::AllocKind, js::NewObjectKind) (jsobj.cpp:1437)
==24166== by 0xA6BF161: js::NewObjectWithClassProtoCommon(js::ExclusiveContext*, js::Class const*, JSObject*, JSObject*, js::gc::AllocKind, js::NewObjectKind) (jsobj.cpp:1631)
==24166== by 0xA6BF64C: NewObjectWithClassProto (jsobjinlines.h:656)
==24166== by 0xA6BF64C: js::NewFunctionWithProto(js::ExclusiveContext*, JS::Handle<JSObject*>, bool (*)(JSContext*, unsigned int, JS::Value*), unsigned int, JSFunction::Flags, JS::Handle<JSObject*>, JS::Handle<JSAtom*>, JSObject*, js::gc::AllocKind, js::NewObjectKind) (jsfun.cpp:1967)
==24166== by 0xA6BF68F: js::NewFunction(js::ExclusiveContext*, JS::Handle<JSObject*>, bool (*)(JSContext*, unsigned int, JS::Value*), unsigned int, JSFunction::Flags, JS::Handle<JSObject*>, JS::Handle<JSAtom*>, js::gc::AllocKind, js::NewObjectKind) (jsfun.cpp:1941)
==24166== by 0xA6BF9E8: js::DefineFunction(JSContext*, JS::Handle<JSObject*>, JS::Handle<jsid>, bool (*)(JSContext*, unsigned int, JS::Value*), unsigned int, unsigned int, js::gc::AllocKind, js::NewObjectKind) (jsfun.cpp:2133)
==24166== by 0xA641E2E: JS_DefineFunctions(JSContext*, JS::Handle<JSObject*>, JSFunctionSpec const*) (jsapi.cpp:4012)
==24166== by 0xA716A9A: js::GlobalObject::resolveConstructor(JSContext*, JS::Handle<js::GlobalObject*>, JSProtoKey) (GlobalObject.cpp:178)
==24166== by 0xA716C6F: js::GlobalObject::ensureConstructor(JSContext*, JS::Handle<js::GlobalObject*>, JSProtoKey) (GlobalObject.cpp:95)
==24166== by 0xA716E7F: js::GlobalObject::initStandardClasses(JSContext*, JS::Handle<js::GlobalObject*>) (GlobalObject.cpp:283)
==24166== by 0xA640A0A: JS_InitStandardClasses(JSContext*, JS::Handle<JSObject*>) (jsapi.cpp:1156)
==24166== by 0x8815869: XPCWrappedNative::WrapNewGlobal(xpcObjectHelper&, nsIPrincipal*, bool, JS::CompartmentOptions&, XPCWrappedNative**) (XPCWrappedNative.cpp:182)
==24166== by 0x8815C29: nsXPConnect::InitClassesWithNewWrappedGlobal(JSContext*, nsISupports*, nsIPrincipal*, unsigned int, JS::CompartmentOptions&, nsIXPConnectJSObjectHolder**) (nsXPConnect.cpp:485)
==24166== by 0x95DDA88: nsFrameScriptExecutor::InitTabChildGlobalInternal(nsISupports*, nsACString_internal const&) (nsFrameMessageManager.cpp:1605)
==24166== by 0x95F4BCD: nsInProcessTabChildGlobal::InitTabChildGlobal() (nsInProcessTabChildGlobal.cpp:321)
==24166== by 0x9603D4F: nsInProcessTabChildGlobal::Init() (nsInProcessTabChildGlobal.cpp:141)
==24166== by 0x9603F02: nsInProcessTabChildGlobal::LoadFrameScript(nsAString_internal const&, bool) (nsInProcessTabChildGlobal.cpp:351)
==24166== by 0x9603F8A: nsAsyncScriptLoad::Run() (nsInProcessTabChildGlobal.cpp:334)
==24166== by 0x952D748: nsContentUtils::RemoveScriptBlocker() (nsContentUtils.cpp:5022)
==24166== by 0x95DAE31: nsDocument::EndUpdate(unsigned int) (nsDocument.cpp:4790)
==24166== by 0x9805FC0: mozilla::dom::XULDocument::EndUpdate(unsigned int) (XULDocument.cpp:3243)
==24166== by 0x960780E: ~mozAutoDocUpdate (mozAutoDocUpdate.h:38)
==24166== by 0x960780E: nsINode::ReplaceOrInsertBefore(bool, nsINode*, nsINode*, mozilla::ErrorResult&) (nsINode.cpp:2215)
==24166== by 0x8F7EC08: InsertBefore (nsINode.h:1604)
==24166== by 0x8F7EC08: AppendChild (nsINode.h:1608)
==24166== by 0x8F7EC08: mozilla::dom::NodeBinding::appendChild(JSContext*, JS::Handle<JSObject*>, nsINode*, JSJitMethodCallArgs const&) (NodeBinding.cpp:598)
==24166== by 0x91FF567: mozilla::dom::GenericBindingMethod(JSContext*, unsigned int, JS::Value*) (BindingUtils.cpp:2425)
==24166== by 0xA7472ED: CallJSNative (jscntxtinlines.h:231)
==24166== by 0xA7472ED: js::Invoke(JSContext*, JS::CallArgs, js::MaybeConstruct) (Interpreter.cpp:482)
==24166== by 0xA73E4E8: Interpret(JSContext*, js::RunState&) (Interpreter.cpp:2537)
==24166== by 0xA746B34: js::RunScript(JSContext*, js::RunState&) (Interpreter.cpp:432)
==24166== by 0xA747253: js::Invoke(JSContext*, JS::CallArgs, js::MaybeConstruct) (Interpreter.cpp:501)
==24166== by 0xA747FEE: js::Invoke(JSContext*, JS::Value const&, JS::Value const&, unsigned int, JS::Value const*, JS::MutableHandle<JS::Value>) (Interpreter.cpp:538)
==24166== Address 0x0 is not stack'd, malloc'd or (recently) free'd
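The TEST-UNEXPECTED-FAIL line above is just the Valgrind error's kind, access size and first four frames joined into a signature, and the trailing "Address 0x0 is not stack'd, malloc'd or (recently) free'd" line is what tells you this is a 4-byte write through a null pointer rather than a heap overflow or use-after-free. The parser below is an added example, not code from the Mozilla tree or from anyone on this bug: it reads Valgrind memcheck blocks, rebuilds that signature and tags the fault class from the address line. The sample log is a constructed, abbreviated copy of the block above plus a constructed use-after-free block; the error-prefix list, the 0x1000 null-page cutoff and the class names are assumptions of the example.

```python
"""Turn Valgrind memcheck error blocks into triage signatures (added example)."""
import re
from dataclasses import dataclass, field
from typing import List, Optional, Tuple

# Constructed sample: an abbreviated copy of the block from this bug's log,
# followed by a constructed use-after-free block to show a second fault class.
SAMPLE_LOG = """\
==24166== Invalid write of size 4
==24166==    at 0xA6653A8: js::gc::Chunk::findDecommittedArenaOffset() (jsgc.cpp:858)
==24166==    by 0xA6653C6: js::gc::Chunk::fetchNextDecommittedArena() (jsgc.cpp:867)
==24166==    by 0xA667371: js::gc::Chunk::allocateArena(JS::Zone*, js::gc::AllocKind) (jsgc.cpp:924)
==24166==    by 0xA6780E7: js::gc::ArenaLists::allocateFromArena(JS::Zone*, js::gc::AllocKind, js::gc::AutoMaybeStartBackgroundAllocation&) (jsgc.cpp:1910)
==24166==    by 0xA6AE015: void* js::gc::GCRuntime::refillFreeListFromMainThread<(js::AllowGC)1>(JSContext*, js::gc::AllocKind) (jsgc.cpp:2678)
==24166==  Address 0x0 is not stack'd, malloc'd or (recently) free'd
==24166== 
==24166== Invalid read of size 1
==24166==    at 0x4005F1: main (uaf.c:9)
==24166==  Address 0x5204040 is 0 bytes inside a block of size 16 free'd
==24166==    at 0x4C2BDEC: free (vg_replace_malloc.c:530)
==24166==    by 0x4005E6: main (uaf.c:8)
"""

PID_RE = re.compile(r"^==(\d+)==\s?(.*)$")
# The last parenthesised group on a frame line is the location; the C++
# signature before it may itself contain parentheses, so anchor on the end.
FRAME_RE = re.compile(r"^\s*(?:at|by) 0x[0-9A-Fa-f]+: (.*) \(([^()]*)\)\s*$")
ADDRESS_RE = re.compile(r"^\s*Address 0x([0-9A-Fa-f]+) (.*)$")
SIZE_RE = re.compile(r"of size (\d+)")
# Assumed list of memcheck error headers worth turning into signatures.
ERROR_PREFIXES = ("Invalid read", "Invalid write", "Invalid free", "Mismatched free",
                  "Conditional jump", "Use of uninitialised", "Syscall param",
                  "Jump to the invalid address")
NULL_PAGE_LIMIT = 0x1000  # assumption: faults below the first page are null derefs


@dataclass
class ValgrindError:
    pid: int
    kind: str                       # e.g. "Invalid write"
    size: Optional[int]             # access size in bytes, if the header has one
    frames: List[Tuple[str, str]] = field(default_factory=list)  # (function, location)
    address: Optional[int] = None
    address_note: str = ""

    def signature(self, depth: int = 4) -> str:
        """Kind, size and the top `depth` frames, in the shape of the harness line."""
        head = f"{self.kind} of size {self.size}" if self.size is not None else self.kind
        return head + " at " + " / ".join(fn for fn, _ in self.frames[:depth])


def strip_signature(symbol: str) -> str:
    """Drop the parameter list but keep template arguments such as <(js::AllowGC)1>."""
    depth = 0
    for i, ch in enumerate(symbol):
        if ch == "<":
            depth += 1
        elif ch == ">":
            depth -= 1
        elif ch == "(" and depth == 0:
            return symbol[:i]
    return symbol


def parse_valgrind_errors(text: str) -> List[ValgrindError]:
    errors: List[ValgrindError] = []
    current: Optional[ValgrindError] = None
    in_trace = False  # frames after the "Address" line describe the block, not the fault
    for raw in text.splitlines():
        m = PID_RE.match(raw)
        if not m:
            continue
        pid, body = int(m.group(1)), m.group(2)
        if body.startswith(ERROR_PREFIXES):
            size = SIZE_RE.search(body)
            current = ValgrindError(pid=pid, kind=body.split(" of size ")[0],
                                    size=int(size.group(1)) if size else None)
            errors.append(current)
            in_trace = True
            continue
        if current is None:
            continue
        fm = FRAME_RE.match(body)
        if fm and in_trace:
            current.frames.append((strip_signature(fm.group(1)), fm.group(2)))
            continue
        am = ADDRESS_RE.match(body)
        if am:
            current.address = int(am.group(1), 16)
            current.address_note = am.group(2)
            in_trace = False
            continue
        if not body.strip():          # a bare "==PID== " line closes the block
            current, in_trace = None, False
    return errors


def classify(err: ValgrindError) -> str:
    """Fault class from the Address line; the null check must come first because
    the null-pointer note also contains the word free'd."""
    if err.address is not None and err.address < NULL_PAGE_LIMIT:
        return "null-pointer-deref"
    note = err.address_note
    if "after a block" in note:
        return "heap-overflow"
    if "before a block" in note:
        return "heap-underflow"
    if "inside a block" in note and "free'd" in note:
        return "use-after-free"
    if err.kind.startswith(("Conditional jump", "Use of uninitialised")):
        return "uninitialised-value"
    return "unclassified"


if __name__ == "__main__":
    for e in parse_valgrind_errors(SAMPLE_LOG):
        print(f"[{classify(e)}] {e.signature()}")
```

Run against the sample it prints a null-pointer-deref line identical to the harness summary above, and a use-after-free line for the constructed second block; only the fault frames are counted, not the allocation/free frames Valgrind prints under the Address line.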
Should be fixed by Terrence's backout.
Assignee: nobody → terrence
Blocks: 1074961
Status: NEW → RESOLVED
Closed: 10 years ago
No longer depends on: 1087892
Resolution: --- → FIXED
Target Milestone: --- → mozilla36