Bug 1113932 (Closed)
Opened 10 years ago, closed 10 years ago
Intermittent test_condition_text.html | application crashed [@ js::Nursery::setCurrentChunk(int)] after "Assertion failure: chunkno < numNurseryChunks_, at js/src/gc/Nursery.h:256"
Categories: Core :: DOM: Core & HTML, defect
Status: RESOLVED WORKSFORME
People: Reporter: RyanVM, Unassigned
References: Blocks 1 open bug
Keywords: crash, intermittent-failure
14:59:01 INFO - 287 INFO TEST-START | layout/style/test/test_condition_text.html
14:59:01 INFO - INFO | automation.py | Application ran for: 0:04:03.191260
14:59:01 INFO - INFO | zombiecheck | Reading PID log: /tmp/tmp8moeP6pidlog
14:59:02 INFO - Contents of /data/anr/traces.txt:
14:59:02 INFO - /data/tombstones does not exist; tombstone check skipped
14:59:03 INFO - mozcrash Downloading symbols from: https://ftp-ssl.mozilla.org/pub/mozilla.org/mobile/tinderbox-builds/b2g-inbound-android-api-11-debug/1419025516/fennec-37.0a1.en-US.android-arm.crashreporter-symbols.zip
14:59:09 INFO - mozcrash Saved minidump as /builds/panda-0051/test/build/blobber_upload_dir/7d5036fd-7918-5b31-45f7b381-716fd16f.dmp
14:59:09 INFO - mozcrash Saved app info as /builds/panda-0051/test/build/blobber_upload_dir/7d5036fd-7918-5b31-45f7b381-716fd16f.extra
14:59:09 WARNING - PROCESS-CRASH | layout/style/test/test_condition_text.html | application crashed [@ js::Nursery::setCurrentChunk(int)]
14:59:09 INFO - Crash dump filename: /tmp/tmpZJKGHA/7d5036fd-7918-5b31-45f7b381-716fd16f.dmp
14:59:09 INFO - Operating system: Android
14:59:09 INFO - 0.0.0 Linux 3.2.0+ #2 SMP PREEMPT Thu Nov 29 08:06:57 EST 2012 armv7l pandaboard/pandaboard/pandaboard:4.0.4/IMM76I/5:eng/test-keys
14:59:09 INFO - CPU: arm
14:59:09 INFO - 2 CPUs
14:59:09 INFO - Crash reason: SIGSEGV
14:59:09 INFO - Crash address: 0x0
14:59:09 INFO - Thread 13 (crashed)
14:59:09 INFO - 0 libxul.so!js::Nursery::setCurrentChunk(int) [Nursery.h:60721a39769d : 257 + 0x8]
14:59:09 INFO - r4 = 0x5c4fbab8 r5 = 0x70d37784 r6 = 0x6a3451c0 r7 = 0x00000000
14:59:09 INFO - r8 = 0x6dc29c00 r9 = 0x6781e000 r10 = 0x00000000 fp = 0x00000000
14:59:09 INFO - sp = 0x5c4fb8b8 lr = 0x6373947d pc = 0x6373df44
14:59:09 INFO - Found by: given as instruction pointer in context
14:59:09 INFO - 1 libxul.so!MarkInternal<JSObject> [Marking.cpp:60721a39769d : 211 + 0x5]
14:59:09 INFO - r4 = 0x5c4fbab8 r5 = 0x70d37784 r6 = 0x6a3451c0 r7 = 0x00000000
14:59:09 INFO - r8 = 0x6dc29c00 r9 = 0x6781e000 r10 = 0x00000000 fp = 0x00000000
14:59:09 INFO - sp = 0x5c4fb8c8 pc = 0x6374c721
14:59:09 INFO - Found by: call frame info
14:59:09 INFO - 2 0x6dc29bfe
14:59:09 INFO - r4 = 0x70d37780 r5 = 0x5c4fbab8 r6 = 0x70d37780 r7 = 0x5c4fbab8
14:59:09 INFO - r8 = 0x70d37780 r9 = 0x00000000 r10 = 0x00000000 fp = 0x00000000
14:59:09 INFO - sp = 0x5c4fb8f8 pc = 0x6dc29c00
14:59:09 INFO - Found by: call frame info
14:59:09 INFO - 3 libxul.so!js::TraceChildren(JSTracer*, void*, JSGCTraceKind) [Marking.cpp:60721a39769d : 344 + 0x5]
14:59:09 INFO - sp = 0x5c4fb900 pc = 0x6375043d
14:59:09 INFO - Found by: stack scanning
14:59:09 INFO - 4 libxul.so!NoteJSChild [CycleCollectedJSRuntime.cpp:60721a39769d : 428 + 0x9]
14:59:09 INFO - r4 = 0x5c4fbab8 r5 = 0x0000003f r6 = 0x70d37780 r7 = 0x70d37780
14:59:09 INFO - r8 = 0x6dc29c00 r9 = 0x6781e000 r10 = 0x00000000 fp = 0x00000000
14:59:09 INFO - sp = 0x5c4fb940 pc = 0x6223e099
14:59:09 INFO - Found by: call frame info
14:59:09 INFO - 5 libxul.so!MarkInternal<js::types::TypeObject> [Marking.cpp:60721a39769d : 316 + 0x7]
14:59:09 INFO - r4 = 0x5c4fbab8 r5 = 0x705c1784 r6 = 0x6223e0b9 r7 = 0x70d37780
14:59:09 INFO - r8 = 0x6dc29c00 r9 = 0x6781e000 r10 = 0x00000000 fp = 0x00000000
14:59:09 INFO - sp = 0x5c4fba28 pc = 0x6374cc91
14:59:09 INFO - Found by: call frame info
14:59:09 INFO - 6 libxul.so!JSObject::markChildren(JSTracer*) [jsobj.cpp:60721a39769d : 4116 + 0x5]
14:59:09 INFO - r4 = 0x705c1780 r5 = 0x5c4fbab8 r6 = 0x00000000 r7 = 0x705c1780
14:59:09 INFO - r8 = 0x00000001 r9 = 0x00000001 r10 = 0x00000000 fp = 0x00000000
14:59:09 INFO - sp = 0x5c4fba58 pc = 0x63969e29
14:59:09 INFO - Found by: call frame info
14:59:09 INFO - 7 libxul.so!js::TraceChildren(JSTracer*, void*, JSGCTraceKind) [Marking.cpp:60721a39769d : 1372 + 0x7]
14:59:09 INFO - r4 = 0x705c1780 r5 = 0x5c4fbab8 r6 = 0x00000000 r7 = 0x705c1780
14:59:09 INFO - r8 = 0x00000001 r9 = 0x00000001 r10 = 0x00000000 fp = 0x00000000
14:59:09 INFO - sp = 0x5c4fba78 pc = 0x63750367
14:59:09 INFO - Found by: call frame info
14:59:09 INFO - 8 libxul.so!mozilla::CycleCollectedJSRuntime::NoteGCThingJSChildren(void*, JSGCTraceKind, nsCycleCollectionTraversalCallback&) const [CycleCollectedJSRuntime.cpp:60721a39769d : 599 + 0x3]
14:59:09 INFO - r4 = 0x6781e000 r5 = 0x5c2e87e0 r6 = 0x00000000 r7 = 0x705c1780
14:59:09 INFO - r8 = 0x00000001 r9 = 0x00000001 r10 = 0x00000000 fp = 0x00000000
14:59:09 INFO - sp = 0x5c4fbab8 pc = 0x6223e695
14:59:09 INFO - Found by: call frame info
14:59:09 INFO - 9 libxul.so!mozilla::CycleCollectedJSRuntime::TraverseGCThing(mozilla::CycleCollectedJSRuntime::TraverseSelect, void*, JSGCTraceKind, nsCycleCollectionTraversalCallback&) [CycleCollectedJSRuntime.cpp:60721a39769d : 655 + 0xb]
14:59:09 INFO - r4 = 0x705c1780 r5 = 0x00000000 r6 = 0x5c2e87e0 r7 = 0x5c256400
14:59:09 INFO - r8 = 0x00000001 r9 = 0x00000001 r10 = 0x00000000 fp = 0x00000000
14:59:09 INFO - sp = 0x5c4fbaf0 pc = 0x6223e87b
14:59:09 INFO - Found by: call frame info
14:59:09 INFO - 10 libxul.so!mozilla::JSGCThingParticipant::Traverse(void*, nsCycleCollectionTraversalCallback&) [CycleCollectedJSRuntime.cpp:60721a39769d : 350 + 0x11]
14:59:09 INFO - r4 = 0x705c1780 r5 = 0x5c256404 r6 = 0x5c2e87e0 r7 = 0x71635abc
14:59:09 INFO - r8 = 0x5c2b1078 r9 = 0x00000000 r10 = 0x00000000 fp = 0x00000000
14:59:09 INFO - sp = 0x5c4fbb18 pc = 0x6223e90d
14:59:09 INFO - Found by: call frame info
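A triage aid for the trace above, added here as an example and not part of the original bug report or of Mozilla's tooling: it parses the frame lines and reports frames that have no symbol or were recovered by stack scanning, the stackwalker's least reliable method. The function names and regexes are assumptions fitted to the log format shown on this page.

```python
import re

# Frame header lines as printed by the stackwalker in the log above.
FRAME_RE = re.compile(
    r"INFO - (?P<idx>\d+) (?:(?P<module>[^\s!]+)!(?P<func>.+?) "
    r"\[(?P<file>[^:\]]+):\w+ : (?P<line>\d+) \+ 0x[0-9a-f]+\]"
    r"|(?P<raw>0x[0-9a-f]+))\s*$")
FOUND_RE = re.compile(r"INFO - Found by: (?P<how>.+?)\s*$")

# Excerpt of frames 0-3 from the log above (most register lines omitted).
SAMPLE = """\
14:59:09 INFO - 0 libxul.so!js::Nursery::setCurrentChunk(int) [Nursery.h:60721a39769d : 257 + 0x8]
14:59:09 INFO - r4 = 0x5c4fbab8 r5 = 0x70d37784 r6 = 0x6a3451c0 r7 = 0x00000000
14:59:09 INFO - Found by: given as instruction pointer in context
14:59:09 INFO - 1 libxul.so!MarkInternal<JSObject> [Marking.cpp:60721a39769d : 211 + 0x5]
14:59:09 INFO - Found by: call frame info
14:59:09 INFO - 2 0x6dc29bfe
14:59:09 INFO - Found by: call frame info
14:59:09 INFO - 3 libxul.so!js::TraceChildren(JSTracer*, void*, JSGCTraceKind) [Marking.cpp:60721a39769d : 344 + 0x5]
14:59:09 INFO - Found by: stack scanning
"""

def parse_frames(log_text):
    """Return one dict per stack frame, with its recovery method attached."""
    frames = []
    for line in log_text.splitlines():
        m = FRAME_RE.search(line)
        if m:
            frames.append({"idx": int(m["idx"]), "module": m["module"],
                           "func": m["func"] or m["raw"], "file": m["file"],
                           "line": int(m["line"]) if m["line"] else None,
                           "found_by": None})
        elif frames and (m := FOUND_RE.search(line)):
            frames[-1]["found_by"] = m["how"]
    return frames

def suspect_frames(frames):
    """Frames to double-check: unsymbolicated, or recovered by stack scanning."""
    out = []
    for f in frames:
        if f["module"] is None:
            out.append((f["idx"], "no symbol"))
        elif f["found_by"] == "stack scanning":
            out.append((f["idx"], "stack scanning"))
    return out

if __name__ == "__main__":
    for idx, why in suspect_frames(parse_frames(SAMPLE)):
        print(f"frame {idx}: {why}")
```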
Comment 2•10 years ago
This is out of NoteGCThingJSChildren; top frame of the stack looks totally busted -- at a guess it's sharing code with something else. The actual line in the second frame in Marking looks like |MOZ_ASSERT(thing->isAligned())|. This is b2g? But I didn't think we had debug builds there? Although the buildname contains "debug" and the crash line is an assertion, so maybe we do? Or maybe b2g-inbound is wildly different from mozilla-inbound? I guess if we /do/ have assertions, the crash at 0x0 could either be the alignment assertion failing or the |arenaHeader()->|, if we're passed a low but non-zero address.
Component: JavaScript: GC → DOM
Comment 3•10 years ago
We do have some B2G debug mochitests now.
Comment 4•10 years ago
If you look at the actual log, it seems like the assertion is:
Assertion failure: chunkno < numNurseryChunks_
What does that mean? Does it indicate anything more than "some JS is messed up"?
Comment 5•10 years ago
(In reply to Andrew McCreight [:mccr8] from comment #4)
> If you look at the actual log, it seems like the assertion is:
> Assertion failure: chunkno < numNurseryChunks_
> What does that mean? Does it indicate anything more than "some JS is messed
> up"?
I just took that message as busted and ignored it completely. There should be absolutely no way that marking can result in the nursery growing -- the alloc paths already have !isHeapBusy assertions and even if execution did reach there, there's no particular reason why this exception should ever fire.
Updated•10 years ago
Blocks: GC.stability
Comment 6•10 years ago
Inactive; closing (see bug 1180138).
Status: NEW → RESOLVED
Closed: 10 years ago
Resolution: --- → WORKSFORME
Updated•6 years ago
Component: DOM → DOM: Core & HTML