Closed Bug 1113932 Opened 10 years ago Closed 10 years ago

Intermittent test_condition_text.html | application crashed [@ js::Nursery::setCurrentChunk(int)] after "Assertion failure: chunkno < numNurseryChunks_, at js/src/gc/Nursery.h:256"

Categories

(Core :: DOM: Core & HTML, defect)

ARM
Android
defect
Not set
normal

Tracking

()

RESOLVED WORKSFORME

People

(Reporter: RyanVM, Unassigned)

References

(Blocks 1 open bug)

Details

(Keywords: crash, intermittent-failure)

14:59:01 INFO - 287 INFO TEST-START | layout/style/test/test_condition_text.html 14:59:01 INFO - INFO | automation.py | Application ran for: 0:04:03.191260 14:59:01 INFO - INFO | zombiecheck | Reading PID log: /tmp/tmp8moeP6pidlog 14:59:02 INFO - Contents of /data/anr/traces.txt: 14:59:02 INFO - /data/tombstones does not exist; tombstone check skipped 14:59:03 INFO - mozcrash Downloading symbols from: https://ftp-ssl.mozilla.org/pub/mozilla.org/mobile/tinderbox-builds/b2g-inbound-android-api-11-debug/1419025516/fennec-37.0a1.en-US.android-arm.crashreporter-symbols.zip 14:59:09 INFO - mozcrash Saved minidump as /builds/panda-0051/test/build/blobber_upload_dir/7d5036fd-7918-5b31-45f7b381-716fd16f.dmp 14:59:09 INFO - mozcrash Saved app info as /builds/panda-0051/test/build/blobber_upload_dir/7d5036fd-7918-5b31-45f7b381-716fd16f.extra 14:59:09 WARNING - PROCESS-CRASH | layout/style/test/test_condition_text.html | application crashed [@ js::Nursery::setCurrentChunk(int)] 14:59:09 INFO - Crash dump filename: /tmp/tmpZJKGHA/7d5036fd-7918-5b31-45f7b381-716fd16f.dmp 14:59:09 INFO - Operating system: Android 14:59:09 INFO - 0.0.0 Linux 3.2.0+ #2 SMP PREEMPT Thu Nov 29 08:06:57 EST 2012 armv7l pandaboard/pandaboard/pandaboard:4.0.4/IMM76I/5:eng/test-keys 14:59:09 INFO - CPU: arm 14:59:09 INFO - 2 CPUs 14:59:09 INFO - Crash reason: SIGSEGV 14:59:09 INFO - Crash address: 0x0 14:59:09 INFO - Thread 13 (crashed) 14:59:09 INFO - 0 libxul.so!js::Nursery::setCurrentChunk(int) [Nursery.h:60721a39769d : 257 + 0x8] 14:59:09 INFO - r4 = 0x5c4fbab8 r5 = 0x70d37784 r6 = 0x6a3451c0 r7 = 0x00000000 14:59:09 INFO - r8 = 0x6dc29c00 r9 = 0x6781e000 r10 = 0x00000000 fp = 0x00000000 14:59:09 INFO - sp = 0x5c4fb8b8 lr = 0x6373947d pc = 0x6373df44 14:59:09 INFO - Found by: given as instruction pointer in context 14:59:09 INFO - 1 libxul.so!MarkInternal<JSObject> [Marking.cpp:60721a39769d : 211 + 0x5] 14:59:09 INFO - r4 = 0x5c4fbab8 r5 = 0x70d37784 r6 = 0x6a3451c0 r7 = 0x00000000 14:59:09 INFO - r8 = 0x6dc29c00 r9 = 0x6781e000 r10 = 0x00000000 fp = 0x00000000 14:59:09 INFO - sp = 0x5c4fb8c8 pc = 0x6374c721 14:59:09 INFO - Found by: call frame info 14:59:09 INFO - 2 0x6dc29bfe 14:59:09 INFO - r4 = 0x70d37780 r5 = 0x5c4fbab8 r6 = 0x70d37780 r7 = 0x5c4fbab8 14:59:09 INFO - r8 = 0x70d37780 r9 = 0x00000000 r10 = 0x00000000 fp = 0x00000000 14:59:09 INFO - sp = 0x5c4fb8f8 pc = 0x6dc29c00 14:59:09 INFO - Found by: call frame info 14:59:09 INFO - 3 libxul.so!js::TraceChildren(JSTracer*, void*, JSGCTraceKind) [Marking.cpp:60721a39769d : 344 + 0x5] 14:59:09 INFO - sp = 0x5c4fb900 pc = 0x6375043d 14:59:09 INFO - Found by: stack scanning 14:59:09 INFO - 4 libxul.so!NoteJSChild [CycleCollectedJSRuntime.cpp:60721a39769d : 428 + 0x9] 14:59:09 INFO - r4 = 0x5c4fbab8 r5 = 0x0000003f r6 = 0x70d37780 r7 = 0x70d37780 14:59:09 INFO - r8 = 0x6dc29c00 r9 = 0x6781e000 r10 = 0x00000000 fp = 0x00000000 14:59:09 INFO - sp = 0x5c4fb940 pc = 0x6223e099 14:59:09 INFO - Found by: call frame info 14:59:09 INFO - 5 libxul.so!MarkInternal<js::types::TypeObject> [Marking.cpp:60721a39769d : 316 + 0x7] 14:59:09 INFO - r4 = 0x5c4fbab8 r5 = 0x705c1784 r6 = 0x6223e0b9 r7 = 0x70d37780 14:59:09 INFO - r8 = 0x6dc29c00 r9 = 0x6781e000 r10 = 0x00000000 fp = 0x00000000 14:59:09 INFO - sp = 0x5c4fba28 pc = 0x6374cc91 14:59:09 INFO - Found by: call frame info 14:59:09 INFO - 6 libxul.so!JSObject::markChildren(JSTracer*) [jsobj.cpp:60721a39769d : 4116 + 0x5] 14:59:09 INFO - r4 = 0x705c1780 r5 = 0x5c4fbab8 r6 = 0x00000000 r7 = 0x705c1780 14:59:09 INFO - r8 = 0x00000001 r9 = 0x00000001 r10 = 0x00000000 fp = 0x00000000 14:59:09 INFO - sp = 0x5c4fba58 pc = 0x63969e29 14:59:09 INFO - Found by: call frame info 14:59:09 INFO - 7 libxul.so!js::TraceChildren(JSTracer*, void*, JSGCTraceKind) [Marking.cpp:60721a39769d : 1372 + 0x7] 14:59:09 INFO - r4 = 0x705c1780 r5 = 0x5c4fbab8 r6 = 0x00000000 r7 = 0x705c1780 14:59:09 INFO - r8 = 0x00000001 r9 = 0x00000001 r10 = 0x00000000 fp = 0x00000000 14:59:09 INFO - sp = 0x5c4fba78 pc = 0x63750367 14:59:09 INFO - Found by: call frame info 14:59:09 INFO - 8 libxul.so!mozilla::CycleCollectedJSRuntime::NoteGCThingJSChildren(void*, JSGCTraceKind, nsCycleCollectionTraversalCallback&) const [CycleCollectedJSRuntime.cpp:60721a39769d : 599 + 0x3] 14:59:09 INFO - r4 = 0x6781e000 r5 = 0x5c2e87e0 r6 = 0x00000000 r7 = 0x705c1780 14:59:09 INFO - r8 = 0x00000001 r9 = 0x00000001 r10 = 0x00000000 fp = 0x00000000 14:59:09 INFO - sp = 0x5c4fbab8 pc = 0x6223e695 14:59:09 INFO - Found by: call frame info 14:59:09 INFO - 9 libxul.so!mozilla::CycleCollectedJSRuntime::TraverseGCThing(mozilla::CycleCollectedJSRuntime::TraverseSelect, void*, JSGCTraceKind, nsCycleCollectionTraversalCallback&) [CycleCollectedJSRuntime.cpp:60721a39769d : 655 + 0xb] 14:59:09 INFO - r4 = 0x705c1780 r5 = 0x00000000 r6 = 0x5c2e87e0 r7 = 0x5c256400 14:59:09 INFO - r8 = 0x00000001 r9 = 0x00000001 r10 = 0x00000000 fp = 0x00000000 14:59:09 INFO - sp = 0x5c4fbaf0 pc = 0x6223e87b 14:59:09 INFO - Found by: call frame info 14:59:09 INFO - 10 libxul.so!mozilla::JSGCThingParticipant::Traverse(void*, nsCycleCollectionTraversalCallback&) [CycleCollectedJSRuntime.cpp:60721a39769d : 350 + 0x11] 14:59:09 INFO - r4 = 0x705c1780 r5 = 0x5c256404 r6 = 0x5c2e87e0 r7 = 0x71635abc 14:59:09 INFO - r8 = 0x5c2b1078 r9 = 0x00000000 r10 = 0x00000000 fp = 0x00000000 14:59:09 INFO - sp = 0x5c4fbb18 pc = 0x6223e90d 14:59:09 INFO - Found by: call frame info
This is out of NoteGCThingJSChildren; top frame of the stack looks totally busted -- at a guess it's sharing code with something else. The actual line in the second frame in Marking looks like |MOZ_ASSERT(thing->isAligned())|. This is b2g? But I didn't think we had debug builds there? Although the buildname contains "debug" and the crash line is an assertion, so maybe we do? Or maybe b2g-inbound is wildly different from mozilla-inbound? I guess if we /do/ have assertions, the crash at 0x0 could either by the alignment assertion failing or the |arenaHeader()->|, if we're passed a low but non-zero address.
Component: JavaScript: GC → DOM
We do have some B2G debug mochitests now.
If you look at the actual log, it seems like the assertion is: Assertion failure: chunkno < numNurseryChunks_ What does that mean? Does it indicate anything more than "some JS is messed up"?
(In reply to Andrew McCreight [:mccr8] from comment #4) > If you look at the actual log, it seems like the assertion is: > Assertion failure: chunkno < numNurseryChunks_ > What does that mean? Does it indicate anything more than "some JS is messed > up"? I just took that message as busted and ignored it completely. There should be absolutely no way that marking can result in the nursery growing -- the alloc paths already have !isHeapBusy assertions and even if execution did reach there, there's no particular reason why this exception should ever fire.
Inactive; closing (see bug 1180138).
Status: NEW → RESOLVED
Closed: 10 years ago
Resolution: --- → WORKSFORME
Component: DOM → DOM: Core & HTML
You need to log in before you can comment on or make changes to this bug.