Closed Bug 1151856 Opened 9 years ago Closed 8 years ago

Crash in js::TraceManuallyBarrieredEdge

Categories

(Core :: JavaScript Engine: JIT, defect)

x86_64
Linux
defect
Not set
normal

Tracking

RESOLVED DUPLICATE of bug 1278440
Tracking Status
firefox40 --- affected

People

(Reporter: hub, Unassigned)

Details

My Firefox (from mozilla-inbound, revision 644662d12dfa ~Sat April 4) crashed.
There is no real STR as all the tabs did reopen, including the one it crashed on.

Here is the stack trace. 

[Switching to Thread 0x7fffdbdff700 (LWP 17918)]
zone (this=0x0) at /home/hub/source/mozilla/src/js/src/gc/Heap.h:1392
1392	    JS::Zone* zone = arenaHeader()->zone;
(gdb) where
#0  0x00007ffff486a3e9 in js::TraceManuallyBarrieredEdge<js::jit::JitCode*>(JSTracer*, js::jit::JitCode**, char const*) (this=0x0) at /home/hub/source/mozilla/src/js/src/gc/Heap.h:1392
#1  0x00007ffff486a3e9 in js::TraceManuallyBarrieredEdge<js::jit::JitCode*>(JSTracer*, js::jit::JitCode**, char const*) (thing=0x0) at /home/hub/source/mozilla/src/js/src/gc/Marking.cpp:506
#2  0x00007ffff486a3e9 in js::TraceManuallyBarrieredEdge<js::jit::JitCode*>(JSTracer*, js::jit::JitCode**, char const*) (thing=0x0, gcmarker=0x7fffdbe1efb8)
    at /home/hub/source/mozilla/src/js/src/gc/Marking.cpp:553
#3  0x00007ffff486a3e9 in js::TraceManuallyBarrieredEdge<js::jit::JitCode*>(JSTracer*, js::jit::JitCode**, char const*) (i=18446744073709551615, name=0x7ffff4fa4b07 "baseline-stub-jitcode", thingp=0x7fffdbdfe508, trc=0x7fffdbe1efb8) at /home/hub/source/mozilla/src/js/src/gc/Marking.cpp:497
#4  0x00007ffff486a3e9 in js::TraceManuallyBarrieredEdge<js::jit::JitCode*>(JSTracer*, js::jit::JitCode**, char const*) (trc=0x7fffdbe1efb8, thingp=0x7fffdbdfe508, name=0x7ffff4fa4b07 "baseline-stub-jitcode") at /home/hub/source/mozilla/src/js/src/gc/Marking.cpp:415
#5  0x00007ffff49f3ea1 in js::jit::ICStub::trace(JSTracer*) (name=0x7ffff4fa4b07 "baseline-stub-jitcode", trc=0x7fffdbe1efb8, this=this@entry=0x7fff80935d78)
    at /home/hub/source/mozilla/src/js/src/jit/BaselineIC.cpp:157
#6  0x00007ffff49f3ea1 in js::jit::ICStub::trace(JSTracer*) (this=this@entry=0x7fff80935d78, trc=trc@entry=0x7fffdbe1efb8) at /home/hub/source/mozilla/src/js/src/jit/BaselineIC.cpp:180
#7  0x00007ffff49f62eb in js::jit::BaselineScript::trace(JSTracer*) (this=0x7fff80688400, trc=0x7fffdbe1efb8) at /home/hub/source/mozilla/src/js/src/jit/BaselineJIT.cpp:425
#8  0x00007ffff49f6343 in js::jit::BaselineScript::Trace(JSTracer*, js::jit::BaselineScript*) (trc=<optimized out>, script=<optimized out>)
    at /home/hub/source/mozilla/src/js/src/jit/BaselineJIT.cpp:440
#9  0x00007ffff4a81a4c in js::jit::TraceJitScripts(JSTracer*, JSScript*) (trc=<optimized out>, script=script@entry=0x7fffda957380) at /home/hub/source/mozilla/src/js/src/jit/Ion.cpp:3045
#10 0x00007ffff4c695af in JSScript::markChildren(JSTracer*) (this=this@entry=0x7fffda957380, trc=<optimized out>) at /home/hub/source/mozilla/src/js/src/jsscript.cpp:3478
#11 0x00007ffff486c663 in js::TraceManuallyBarrieredEdge<JSScript*>(JSTracer*, JSScript**, char const*) (thing=0x7fffda957380, this=<optimized out>)
    at /home/hub/source/mozilla/src/js/src/gc/Marking.cpp:2076
#12 0x00007ffff486c663 in js::TraceManuallyBarrieredEdge<JSScript*>(JSTracer*, JSScript**, char const*) (thing=0x7fffda957380, this=<optimized out>)
    at /home/hub/source/mozilla/src/js/src/gc/Tracer.h:256
#13 0x00007ffff486c663 in js::TraceManuallyBarrieredEdge<JSScript*>(JSTracer*, JSScript**, char const*) (thing=0x7fffda957380, this=<optimized out>)
    at /home/hub/source/mozilla/src/js/src/gc/Tracer.h:165
#14 0x00007ffff486c663 in js::TraceManuallyBarrieredEdge<JSScript*>(JSTracer*, JSScript**, char const*) (thing=0x7fffda957380, gcmarker=<optimized out>)
    at /home/hub/source/mozilla/src/js/src/gc/Marking.cpp:93
#15 0x00007ffff486c663 in js::TraceManuallyBarrieredEdge<JSScript*>(JSTracer*, JSScript**, char const*) (thing=0x7fffda957380, gcmarker=<optimized out>)
    at /home/hub/source/mozilla/src/js/src/gc/Marking.cpp:556
#16 0x00007ffff486c663 in js::TraceManuallyBarrieredEdge<JSScript*>(JSTracer*, JSScript**, char const*) (i=18446744073709551615, name=<optimized out>, thingp=<optimized out>, trc=<optimized out>) at /home/hub/source/mozilla/src/js/src/gc/Marking.cpp:497
#17 0x00007ffff486c663 in js::TraceManuallyBarrieredEdge<JSScript*>(JSTracer*, JSScript**, char const*) (trc=<optimized out>, thingp=<optimized out>, name=<optimized out>)
    at /home/hub/source/mozilla/src/js/src/gc/Marking.cpp:415
#18 0x00007ffff4be94f3 in fun_trace(JSTracer*, JSObject*) (trc=0x7fffdbe1efb8, this=0x7fffda955880) at /home/hub/source/mozilla/src/js/src/jsfun.cpp:755
#19 0x00007ffff4be94f3 in fun_trace(JSTracer*, JSObject*) (trc=0x7fffdbe1efb8, obj=0x7fffda955880) at /home/hub/source/mozilla/src/js/src/jsfun.cpp:768
#20 0x00007ffff4873974 in js::GCMarker::processMarkStackTop(js::SliceBudget&) (this=0x7fffdbe1efb8, budget=...) at /home/hub/source/mozilla/src/js/src/gc/Marking.cpp:1981
#21 0x00007ffff484cbdd in js::GCMarker::drainMarkStack(js::SliceBudget&) (this=this@entry=0x7fffdbe1efb8, budget=...) at /home/hub/source/mozilla/src/js/src/gc/Marking.cpp:2048
#22 0x00007ffff4bfa614 in js::gc::GCRuntime::drainMarkStack(js::SliceBudget&, js::gcstats::Phase) (this=this@entry=0x7fffdbe17330, sliceBudget=..., phase=phase@entry=js::gcstats::PHASE_MARK)
    at /home/hub/source/mozilla/src/js/src/jsgc.cpp:5066
#23 0x00007ffff4c3a04e in js::gc::GCRuntime::incrementalCollectSlice(js::SliceBudget&, JS::gcreason::Reason) (this=this@entry=0x7fffdbe17330, budget=..., reason=reason@entry=JS::gcreason::DOM_WORKER) at /home/hub/source/mozilla/src/js/src/jsgc.cpp:5756
#24 0x00007ffff4c3aa71 in js::gc::GCRuntime::gcCycle(bool, js::SliceBudget&, JS::gcreason::Reason) (this=this@entry=0x7fffdbe17330, incremental=incremental@entry=false, budget=..., reason=reason@entry=JS::gcreason::DOM_WORKER) at /home/hub/source/mozilla/src/js/src/jsgc.cpp:5977
#25 0x00007ffff4c3acad in js::gc::GCRuntime::collect(bool, js::SliceBudget, JS::gcreason::Reason) (this=0x7fffdbe17330, incremental=incremental@entry=false, budget=..., reason=JS::gcreason::DOM_WORKER) at /home/hub/source/mozilla/src/js/src/jsgc.cpp:6089
#26 0x00007ffff4c3b018 in JS::GCForReason(JSRuntime*, JSGCInvocationKind, JS::gcreason::Reason) (reason=<optimized out>, gckind=<optimized out>, this=<optimized out>)
    at /home/hub/source/mozilla/src/js/src/jsgc.cpp:6150
#27 0x00007ffff4c3b018 in JS::GCForReason(JSRuntime*, JSGCInvocationKind, JS::gcreason::Reason) (rt=<optimized out>, gckind=<optimized out>, reason=<optimized out>)
    at /home/hub/source/mozilla/src/js/src/jsgc.cpp:6954
#28 0x00007ffff3d601df in mozilla::dom::workers::WorkerPrivate::GarbageCollectInternal(JSContext*, bool, bool) (this=
    0x7fffe2240800, aCx=0x7fffde14bec0, aShrinking=true, aCollectChildren=<optimized out>) at /home/hub/source/mozilla/src/dom/workers/WorkerPrivate.cpp:6924
#29 0x00007ffff3d60245 in (anonymous namespace)::GarbageCollectRunnable::WorkerRun(JSContext*, mozilla::dom::workers::WorkerPrivate*) (this=<optimized out>, aCx=<optimized out>, aWorkerPrivate=<optimized out>) at /home/hub/source/mozilla/src/dom/workers/WorkerPrivate.cpp:2032
#30 0x00007ffff3d655b1 in mozilla::dom::workers::WorkerRunnable::Run() (this=0x7fffdbedbac0) at /home/hub/source/mozilla/src/dom/workers/WorkerRunnable.cpp:350
#31 0x00007ffff3d6733f in mozilla::dom::workers::WorkerPrivate::ProcessAllControlRunnablesLocked() (this=this@entry=0x7fffe2240800)
    at /home/hub/source/mozilla/src/dom/workers/WorkerPrivate.cpp:5703
#32 0x00007ffff3d692d9 in mozilla::dom::workers::WorkerPrivate::DoRunLoop(JSContext*) (this=0x7fffe2240800, aCx=aCx@entry=0x7fffde14bec0)
    at /home/hub/source/mozilla/src/dom/workers/WorkerPrivate.cpp:5113
#33 0x00007ffff3d4d37f in (anonymous namespace)::WorkerThreadPrimaryRunnable::Run() (this=0x7fffdbe8cc40) at /home/hub/source/mozilla/src/dom/workers/RuntimeService.cpp:2725
#34 0x00007ffff2d154f3 in nsThread::ProcessNextEvent(bool, bool*) (this=0x7fffdc139940, aMayWait=<optimized out>, aResult=0x7fffdbdfedef)
    at /home/hub/source/mozilla/src/xpcom/threads/nsThread.cpp:841
#35 0x00007ffff2d2ae1f in NS_ProcessNextEvent(nsIThread*, bool) (aThread=<optimized out>, aMayWait=<optimized out>) at /home/hub/source/mozilla/src/xpcom/glue/nsThreadUtils.cpp:265
#36 0x00007ffff2f166a5 in mozilla::ipc::MessagePumpForNonMainThreads::Run(base::MessagePump::Delegate*) (this=0x7fffdbe9a7c0, aDelegate=0x7fffddebdc40)
    at /home/hub/source/mozilla/src/ipc/glue/MessagePump.cpp:368
#37 0x00007ffff2ef8a9c in MessageLoop::Run() (this=0x7fffddebdc40) at /home/hub/source/mozilla/src/ipc/chromium/src/base/message_loop.cc:226
#38 0x00007ffff2ef8a9c in MessageLoop::Run() (this=this@entry=0x7fffddebdc40) at /home/hub/source/mozilla/src/ipc/chromium/src/base/message_loop.cc:200
#39 0x00007ffff2d16556 in nsThread::ThreadFunc(void*) (aArg=0x7fffdc139940) at /home/hub/source/mozilla/src/xpcom/threads/nsThread.cpp:348
#40 0x00007ffff7aea2f3 in _pt_root (arg=0x7fffddeb3f20) at /home/hub/source/mozilla/src/nsprpub/pr/src/pthreads/ptthread.c:212
#41 0x000000324160752a in start_thread (arg=0x7fffdbdff700) at pthread_create.c:310
#42 0x000000324130022d in clone () at ../sysdeps/unix/sysv/linux/x86_64/clone.S:109
(gdb)

Possibly related, I got that crash:

(gdb) where
#0  0x00007ffff4a7fff0 in js::jit::JitCode::togglePreBarriers(bool) (this=0x0, enabled=enabled@entry=true) at /home/hub/source/mozilla/src/js/src/jit/Ion.cpp:705
#1  0x00007ffff4acdfcc in js::jit::JitCompartment::toggleBarriers(bool) (this=<optimized out>, enabled=enabled@entry=true) at /home/hub/source/mozilla/src/js/src/jit/Ion.cpp:574
#2  0x00007ffff4ace1b7 in js::jit::ToggleBarriers(JS::Zone*, bool) (zone=zone@entry=0x7fffe8584000, needs=needs@entry=true) at /home/hub/source/mozilla/src/js/src/jit/Ion.cpp:1144
#3  0x00007ffff49b2ab2 in JS::Zone::setNeedsIncrementalBarrier(bool, JS::Zone::ShouldUpdateJit) (this=0x7fffe8584000, needs=needs@entry=true, updateJit=updateJit@entry=JS::Zone::UpdateJit)
    at /home/hub/source/mozilla/src/js/src/gc/Zone.cpp:72
#4  0x00007ffff4be5000 in (anonymous namespace)::AutoGCSlice::~AutoGCSlice() (this=this@entry=0x7fffffffc1c0, __in_chrg=<optimized out>) at /home/hub/source/mozilla/src/js/src/jsgc.cpp:5655
#5  0x00007ffff4c39fa2 in js::gc::GCRuntime::incrementalCollectSlice(js::SliceBudget&, JS::gcreason::Reason) (this=this@entry=0x7fffe852a330, budget=..., reason=reason@entry=JS::gcreason::CC_WAITING) at /home/hub/source/mozilla/src/js/src/jsgc.cpp:5693
#6  0x00007ffff4c3aa71 in js::gc::GCRuntime::gcCycle(bool, js::SliceBudget&, JS::gcreason::Reason) (this=this@entry=0x7fffe852a330, incremental=incremental@entry=true, budget=..., reason=reason@entry=JS::gcreason::CC_WAITING) at /home/hub/source/mozilla/src/js/src/jsgc.cpp:5977
#7  0x00007ffff4c3acad in js::gc::GCRuntime::collect(bool, js::SliceBudget, JS::gcreason::Reason) (this=this@entry=0x7fffe852a330, incremental=incremental@entry=true, budget=..., reason=reason@entry=JS::gcreason::CC_WAITING) at /home/hub/source/mozilla/src/js/src/jsgc.cpp:6089
#8  0x00007ffff4c3b41a in JS::StartIncrementalGC(JSRuntime*, JSGCInvocationKind, JS::gcreason::Reason, long) (millis=140737091117872, reason=JS::gcreason::CC_WAITING, gckind=(GC_SHRINK | unknown: 32766), this=0x7fffe852a330) at /home/hub/source/mozilla/src/js/src/jsgc.cpp:6158
#9  0x00007ffff4c3b41a in JS::StartIncrementalGC(JSRuntime*, JSGCInvocationKind, JS::gcreason::Reason, long) (rt=0x7fffe852a000, gckind=gckind@entry=GC_NORMAL, reason=reason@entry=JS::gcreason::CC_WAITING, millis=millis@entry=0) at /home/hub/source/mozilla/src/js/src/jsgc.cpp:6961
#10 0x00007ffff34ce6ed in nsJSContext::GarbageCollectNow(JS::gcreason::Reason, nsJSContext::IsIncremental, nsJSContext::IsShrinking, long) (aReason=JS::gcreason::CC_WAITING, aIncremental=<optimized out>, aShrinking=nsJSContext::NonShrinkingGC, aSliceMillis=0) at /home/hub/source/mozilla/src/dom/base/nsJSEnvironment.cpp:1306
#11 0x00007ffff2d16e8d in nsTimerImpl::Fire() (this=0x7fffb3973580) at /home/hub/source/mozilla/src/xpcom/threads/nsTimerImpl.cpp:628
#12 0x00007ffff2d17387 in nsTimerEvent::Run() (this=0x7fffc2a172a0) at /home/hub/source/mozilla/src/xpcom/threads/nsTimerImpl.cpp:721
#13 0x00007ffff2d154f3 in nsThread::ProcessNextEvent(bool, bool*) (this=0x7fffeac0d480, aMayWait=<optimized out>, aResult=0x7fffffffc50f)
    at /home/hub/source/mozilla/src/xpcom/threads/nsThread.cpp:841
#14 0x00007ffff2d2ae1f in NS_ProcessNextEvent(nsIThread*, bool) (aThread=<optimized out>, aMayWait=<optimized out>) at /home/hub/source/mozilla/src/xpcom/glue/nsThreadUtils.cpp:265
#15 0x00007ffff2f163ea in mozilla::ipc::MessagePump::Run(base::MessagePump::Delegate*) (this=0x7fffeace5f00, aDelegate=0x7ffff7d563a0)
    at /home/hub/source/mozilla/src/ipc/glue/MessagePump.cpp:140
#16 0x00007ffff2ef8a9c in MessageLoop::Run() (this=0x7ffff7d563a0) at /home/hub/source/mozilla/src/ipc/chromium/src/base/message_loop.cc:226
#17 0x00007ffff2ef8a9c in MessageLoop::Run() (this=0x7ffff7d563a0) at /home/hub/source/mozilla/src/ipc/chromium/src/base/message_loop.cc:200
#18 0x00007ffff3e3b70a in nsBaseAppShell::Run() (this=0x7fffeac73f20) at /home/hub/source/mozilla/src/widget/nsBaseAppShell.cpp:164
#19 0x00007ffff43a3a46 in nsAppStartup::Run() (this=0x7fffe501c100) at /home/hub/source/mozilla/src/toolkit/components/startup/nsAppStartup.cpp:281
#20 0x00007ffff43d8753 in XREMain::XRE_mainRun() (this=this@entry=0x7fffffffc7c0) at /home/hub/source/mozilla/src/toolkit/xre/nsAppRunner.cpp:4173
#21 0x00007ffff43d89f6 in XREMain::XRE_main(int, char**, nsXREAppData const*) (this=this@entry=0x7fffffffc7c0, argc=argc@entry=1, argv=argv@entry=0x7fffffffdcc8, aAppData=aAppData@entry=0x7fffffffc9c0) at /home/hub/source/mozilla/src/toolkit/xre/nsAppRunner.cpp:4249
#22 0x00007ffff43d8c21 in XRE_main(int, char**, nsXREAppData const*, uint32_t) (argc=1, argv=0x7fffffffdcc8, aAppData=0x7fffffffc9c0, aFlags=<optimized out>)
    at /home/hub/source/mozilla/src/toolkit/xre/nsAppRunner.cpp:4469
#23 0x0000000000404785 in do_main(int, char**, nsIFile*) (argc=argc@entry=1, argv=argv@entry=0x7fffffffdcc8, xreDirectory=0x7ffff7d4d900)
    at /home/hub/source/mozilla/src/browser/app/nsBrowserApp.cpp:294
#24 0x0000000000404069 in main(int, char**) (argc=1, argv=0x7fffffffdcc8) at /home/hub/source/mozilla/src/browser/app/nsBrowserApp.cpp:667

Incomplete, and there is another bug with more stats.
Status: NEW → RESOLVED
Closed: 8 years ago
Resolution: --- → DUPLICATE