1116814 - Crash in JitCode::togglePreBarriers

Status: RESOLVED INCOMPLETE

(Core :: JavaScript Engine: JIT, defect, P3)

Description

[Hubert Figuiere [:hub]]

I get crashs in JitCode::togglePreBarriers. Don't have a reproducable case, but it has happened several time for several weeks. Linux x86_64

This is m-i I use as my browser.
parent: 221596:2f51262d2cab tip
 Bug 865561 Fix bustage of non-unified r=me CLOSED TREE

Stack trace:

Program received signal SIGSEGV, Segmentation fault.
[Switching to Thread 0x7ffff7fc3740 (LWP 22682)]
js::jit::JitCode::togglePreBarriers (this=0x0, enabled=enabled@entry=true) at /home/hub/source/mozilla/src/js/src/jit/Ion.cpp:801
801	{
(gdb) where
#0  0x00007ffff4a44e90 in js::jit::JitCode::togglePreBarriers(bool) (this=0x0, enabled=enabled@entry=true) at /home/hub/source/mozilla/src/js/src/jit/Ion.cpp:801
#1  0x00007ffff4aaa9cc in js::jit::JitCompartment::toggleBarriers(bool) (this=<optimized out>, enabled=enabled@entry=true) at /home/hub/source/mozilla/src/js/src/jit/Ion.cpp:684
#2  0x00007ffff4aaaba7 in js::jit::ToggleBarriers(JS::Zone*, bool) (zone=zone@entry=0x7fffe9249800, needs=needs@entry=true) at /home/hub/source/mozilla/src/js/src/jit/Ion.cpp:1264
#3  0x00007ffff4978a32 in JS::Zone::setNeedsIncrementalBarrier(bool, JS::Zone::ShouldUpdateJit) (this=0x7fffe9249800, needs=needs@entry=true, updateJit=updateJit@entry=JS::Zone::UpdateJit)
    at /home/hub/source/mozilla/src/js/src/gc/Zone.cpp:72
#4  0x00007ffff4b9dbd4 in (anonymous namespace)::AutoGCSlice::~AutoGCSlice() (this=this@entry=0x7fffffffc330, __in_chrg=<optimized out>) at /home/hub/source/mozilla/src/js/src/jsgc.cpp:5838
#5  0x00007ffff4bdcf42 in js::gc::GCRuntime::incrementalCollectSlice(js::SliceBudget&, JS::gcreason::Reason) (this=this@entry=0x7fffe9226308, budget=..., reason=reason@entry=JS::gcreason::CC_WAITING) at /home/hub/source/mozilla/src/js/src/jsgc.cpp:5865
#6  0x00007ffff4bdd732 in js::gc::GCRuntime::gcCycle(bool, js::SliceBudget&, js::JSGCInvocationKind, JS::gcreason::Reason) (this=this@entry=0x7fffe9226308, incremental=incremental@entry=true, budget=..., gckind=gckind@entry=js::GC_NORMAL, reason=reason@entry=JS::gcreason::CC_WAITING) at /home/hub/source/mozilla/src/js/src/jsgc.cpp:6155
#7  0x00007ffff4bdd942 in js::gc::GCRuntime::collect(bool, js::SliceBudget&, js::JSGCInvocationKind, JS::gcreason::Reason) (this=0x7fffe9226308, incremental=<optimized out>, budget=..., gckind=js::GC_NORMAL, reason=<optimized out>) at /home/hub/source/mozilla/src/js/src/jsgc.cpp:6284
#8  0x00007ffff4bddca0 in js::gc::GCRuntime::gcSlice(js::JSGCInvocationKind, JS::gcreason::Reason, long) (this=<optimized out>, gckind=gckind@entry=js::GC_NORMAL, reason=JS::gcreason::CC_WAITING, millis=<optimized out>) at /home/hub/source/mozilla/src/js/src/jsgc.cpp:6346
#9  0x00007ffff4bddd78 in JS::IncrementalGC(JSRuntime*, JS::gcreason::Reason, long) (rt=<optimized out>, reason=<optimized out>, millis=<optimized out>)
    at /home/hub/source/mozilla/src/js/src/jsfriendapi.cpp:213
#10 0x00007ffff36ad61a in nsJSContext::GarbageCollectNow(JS::gcreason::Reason, nsJSContext::IsIncremental, nsJSContext::IsShrinking, long) (aReason=JS::gcreason::CC_WAITING, aIncremental=<optimized out>, aShrinking=nsJSContext::NonShrinkingGC, aSliceMillis=0) at /home/hub/source/mozilla/src/dom/base/nsJSEnvironment.cpp:1475
#11 0x00007ffff2f5681d in nsTimerImpl::Fire() (this=0x7fffca2e71a0) at /home/hub/source/mozilla/src/xpcom/threads/nsTimerImpl.cpp:631
#12 0x00007ffff2f56d5b in nsTimerEvent::Run() (this=0x7fffe4507408) at /home/hub/source/mozilla/src/xpcom/threads/nsTimerImpl.cpp:724
#13 0x00007ffff2f54989 in nsThread::ProcessNextEvent(bool, bool*) (this=0x7fffeb10ca00, aMayWait=<optimized out>, aResult=0x7fffffffc66f)
    at /home/hub/source/mozilla/src/xpcom/threads/nsThread.cpp:855
#14 0x00007ffff2f69f2f in NS_ProcessNextEvent(nsIThread*, bool) (aThread=<optimized out>, aMayWait=<optimized out>) at /home/hub/source/mozilla/src/xpcom/glue/nsThreadUtils.cpp:265
#15 0x00007ffff314c791 in mozilla::ipc::MessagePump::Run(base::MessagePump::Delegate*) (this=0x7fffeb1e5f80, aDelegate=0x7ffff7d563a0)
    at /home/hub/source/mozilla/src/ipc/glue/MessagePump.cpp:99
#16 0x00007ffff3137aa4 in MessageLoop::Run() (this=0x7ffff7d563a0) at /home/hub/source/mozilla/src/ipc/chromium/src/base/message_loop.cc:226
#17 0x00007ffff3137aa4 in MessageLoop::Run() (this=0x7ffff7d563a0) at /home/hub/source/mozilla/src/ipc/chromium/src/base/message_loop.cc:200
#18 0x00007ffff3f3e17c in nsBaseAppShell::Run() (this=0x7fffeb174c80) at /home/hub/source/mozilla/src/widget/nsBaseAppShell.cpp:164
#19 0x00007ffff4490ace in nsAppStartup::Run() (this=0x7fffe6232100) at /home/hub/source/mozilla/src/toolkit/components/startup/nsAppStartup.cpp:281
#20 0x00007ffff44c42d5 in XREMain::XRE_mainRun() (this=this@entry=0x7fffffffc910) at /home/hub/source/mozilla/src/toolkit/xre/nsAppRunner.cpp:4150
#21 0x00007ffff44c4579 in XREMain::XRE_main(int, char**, nsXREAppData const*) (this=this@entry=0x7fffffffc910, argc=argc@entry=1, argv=argv@entry=0x7fffffffde18, aAppData=aAppData@entry=0x7fffffffcb10) at /home/hub/source/mozilla/src/toolkit/xre/nsAppRunner.cpp:4226
#22 0x00007ffff44c47da in XRE_main(int, char**, nsXREAppData const*, uint32_t) (argc=1, argv=0x7fffffffde18, aAppData=0x7fffffffcb10, aFlags=<optimized out>)
    at /home/hub/source/mozilla/src/toolkit/xre/nsAppRunner.cpp:4446
#23 0x0000000000404425 in do_main(int, char**, nsIFile*) (argc=argc@entry=1, argv=argv@entry=0x7fffffffde18, xreDirectory=0x7ffff7d4d900)
    at /home/hub/source/mozilla/src/browser/app/nsBrowserApp.cpp:292
#24 0x0000000000403d09 in main(int, char**) (argc=1, argv=0x7fffffffde18) at /home/hub/source/mozilla/src/browser/app/nsBrowserApp.cpp:661

Comment 1

[Hubert Figuiere [:hub]]

Happened again in 

parent: 238314:d34160cac9cd tip
 Bug 1152509. Use Mask with alpha to avoid allocating a surface. r=bas

Same stack trace. NULL this.

Comment 2

[Hubert Figuiere [:hub]]

Still happening running

parent: 247423:a657a4840aee tip
 Bug 1165819 followup: Add missing 'override' keyword to TrackBuffer::Dump() declaration. rs=ehsan