Bug 1174997 (Closed)
Crash in js::ConstraintTypeSet::sweep
Opened 9 years ago, closed 7 years ago
Status: RESOLVED DUPLICATE of bug 1220385
Categories: Core :: JavaScript: GC, defect
People: Reporter: hub, Unassigned
Details: Keywords: crash, Whiteboard: [tbird crash]
Attachments: 1 file (5.42 KB, text/plain)
Stack trace

Program received signal SIGSEGV, Segmentation fault.
js::ConstraintTypeSet::sweep (this=this@entry=0x7fffc6bd3980, zone=0x7fffe857a000, oom=...) at /home/hub/source/mozilla/src/js/src/vm/TypeInference.cpp:4060
4060	            ObjectKey* key = oldArray[i];
Missing separate debuginfos, use: dnf debuginfo-install dconf-0.24.0-1.fc22.x86_64 fontconfig-2.11.94-1.fc22.x86_64 gtk3-3.16.3-1.fc22.x86_64 gvfs-1.24.1-1.fc22.x86_64 libbluray-0.7.0-1.fc22.x86_64 nss-mdns-0.10-15.fc22.x86_64 nss-softokn-freebl-3.19.1-1.0.fc22.x86_64 PackageKit-gtk3-module-1.0.6-4.fc22.x86_64
(gdb) where
#0  0x00007ffff4a121f3 in js::ConstraintTypeSet::sweep(JS::Zone*, js::AutoClearTypeInferenceStateOnOOM&) (this=this@entry=0x7fffc6bd3980, zone=0x7fffe857a000, oom=...) at /home/hub/source/mozilla/src/js/src/vm/TypeInference.cpp:4060
#1  0x00007ffff49da0d2 in JSScript::maybeSweepTypes(js::AutoClearTypeInferenceStateOnOOM*) (this=0x7fffcc4f8da8, oom=oom@entry=0x7fffffffbfb0) at /home/hub/source/mozilla/src/js/src/vm/TypeInference.cpp:4287
#2  0x00007ffff4cbf7fb in js::gc::GCRuntime::sweepPhase(js::SliceBudget&) (oom=0x7fffffffbfb0, script=<optimized out>) at /home/hub/source/mozilla/src/js/src/jsgc.cpp:5156
#3  0x00007ffff4cbf7fb in js::gc::GCRuntime::sweepPhase(js::SliceBudget&) (sliceBudget=..., arenasToSweep=0x7fffe857a4b0) at /home/hub/source/mozilla/src/js/src/jsgc.cpp:5171
#4  0x00007ffff4cbf7fb in js::gc::GCRuntime::sweepPhase(js::SliceBudget&) (this=this@entry=0x7fffe8550338, sliceBudget=...) at /home/hub/source/mozilla/src/js/src/jsgc.cpp:5212
#5  0x00007ffff4cc5e07 in js::gc::GCRuntime::incrementalCollectSlice(js::SliceBudget&, JS::gcreason::Reason) (this=this@entry=0x7fffe8550338, budget=..., reason=reason@entry=JS::gcreason::INTER_SLICE_GC) at /home/hub/source/mozilla/src/js/src/jsgc.cpp:5868
#6  0x00007ffff4cc6be3 in js::gc::GCRuntime::gcCycle(bool, js::SliceBudget&, JS::gcreason::Reason) (this=this@entry=0x7fffe8550338, incremental=incremental@entry=true, budget=..., reason=reason@entry=JS::gcreason::INTER_SLICE_GC) at /home/hub/source/mozilla/src/js/src/jsgc.cpp:6051
#7  0x00007ffff4cc6e3e in js::gc::GCRuntime::collect(bool, js::SliceBudget, JS::gcreason::Reason) (this=this@entry=0x7fffe8550338, incremental=incremental@entry=true, budget=..., reason=reason@entry=JS::gcreason::INTER_SLICE_GC) at /home/hub/source/mozilla/src/js/src/jsgc.cpp:6163
#8  0x00007ffff4cc7818 in JS::IncrementalGCSlice(JSRuntime*, JS::gcreason::Reason, long) (millis=140737091273528, reason=JS::gcreason::INTER_SLICE_GC, this=0x7fffe8550338) at /home/hub/source/mozilla/src/js/src/jsgc.cpp:6239
#9  0x00007ffff4cc7818 in JS::IncrementalGCSlice(JSRuntime*, JS::gcreason::Reason, long) (rt=0x7fffe8550000, reason=reason@entry=JS::gcreason::INTER_SLICE_GC, millis=millis@entry=40) at /home/hub/source/mozilla/src/js/src/jsgc.cpp:7069
#10 0x00007ffff34259b6 in nsJSContext::GarbageCollectNow(JS::gcreason::Reason, nsJSContext::IsIncremental, nsJSContext::IsShrinking, long) (aReason=JS::gcreason::INTER_SLICE_GC, aIncremental=nsJSContext::IncrementalGC, aShrinking=nsJSContext::NonShrinkingGC, aSliceMillis=40) at /home/hub/source/mozilla/src/dom/base/nsJSEnvironment.cpp:1309
#11 0x00007ffff2c342e3 in nsTimerImpl::Fire() (this=0x7fffba14f160) at /home/hub/source/mozilla/src/xpcom/threads/nsTimerImpl.cpp:616
#12 0x00007ffff2c3445d in nsTimerEvent::Run() (this=0x7fffc169a200) at /home/hub/source/mozilla/src/xpcom/threads/nsTimerImpl.cpp:703
#13 0x00007ffff2c32d1a in nsThread::ProcessNextEvent(bool, bool*) (this=0x7fffeac12a00, aMayWait=<optimized out>, aResult=0x7fffffffc46f) at /home/hub/source/mozilla/src/xpcom/threads/nsThread.cpp:846
#14 0x00007ffff2c4ddd7 in NS_ProcessNextEvent(nsIThread*, bool) (aThread=<optimized out>, aMayWait=<optimized out>) at /home/hub/source/mozilla/src/xpcom/glue/nsThreadUtils.cpp:265
#15 0x00007ffff2e3ae8c in mozilla::ipc::MessagePump::Run(base::MessagePump::Delegate*) (this=0x7fffeb0dfa40, aDelegate=0x7fffeb009540) at /home/hub/source/mozilla/src/ipc/glue/MessagePump.cpp:127
#16 0x00007ffff2e1e029 in MessageLoop::Run() (this=<optimized out>) at /home/hub/source/mozilla/src/ipc/chromium/src/base/message_loop.cc:226
#17 0x00007ffff2e1e029 in MessageLoop::Run() (this=<optimized out>) at /home/hub/source/mozilla/src/ipc/chromium/src/base/message_loop.cc:200
#18 0x00007ffff3dee159 in nsBaseAppShell::Run() (this=0x7fffeac900f0) at /home/hub/source/mozilla/src/widget/nsBaseAppShell.cpp:165
#19 0x00007ffff439dddc in nsAppStartup::Run() (this=0x7fffe4740100) at /home/hub/source/mozilla/src/toolkit/components/startup/nsAppStartup.cpp:280
#20 0x00007ffff43d7dab in XREMain::XRE_mainRun() (this=this@entry=0x7fffffffc708) at /home/hub/source/mozilla/src/toolkit/xre/nsAppRunner.cpp:4257
#21 0x00007ffff43d8096 in XREMain::XRE_main(int, char**, nsXREAppData const*) (this=this@entry=0x7fffffffc708, argc=argc@entry=1, argv=argv@entry=0x7fffffffdc18, aAppData=aAppData@entry=0x7fffffffc910) at /home/hub/source/mozilla/src/toolkit/xre/nsAppRunner.cpp:4341
#22 0x00007ffff43d82e3 in XRE_main(int, char**, nsXREAppData const*, uint32_t) (argc=1, argv=0x7fffffffdc18, aAppData=0x7fffffffc910, aFlags=<optimized out>) at /home/hub/source/mozilla/src/toolkit/xre/nsAppRunner.cpp:4430
#23 0x00000000004047d5 in do_main(int, char**, nsIFile*) (argc=argc@entry=1, argv=argv@entry=0x7fffffffdc18, xreDirectory=0x7ffff7d64a80) at /home/hub/source/mozilla/src/browser/app/nsBrowserApp.cpp:214
#24 0x00000000004040a9 in main(int, char**) (argc=1, argv=0x7fffffffdc18) at /home/hub/source/mozilla/src/browser/app/nsBrowserApp.cpp:478

changeset: 248804:fbfb01908458
Linux x86_64
Comment 1•9 years ago (Reporter)
I don't have STR. It is just my daily browser that crashes several times a day lately.
Comment 2
I’m experiencing segfaults in the same function. The segfault is at:

for (unsigned i = 0; i < oldCapacity; i++) {
    ObjectKey* key = oldArray[i];

This looks hard to debug to me. :/

The segfaults are annoying. If I could at least turn something off, so they won't happen.
Comment 3•9 years ago (Reporter)
(In reply to Tomasz Sobczyk from comment #2)
>
> The segfaults are annoying. If I could at least turn something off, so they
> won't happen.

Which platform are you on? Is that a build from Mozilla?
Flags: needinfo?(dottomi)
Comment 4•9 years ago
I've just got this on Debian testing with iceweasel 38.2.1esr-1~deb8u1:

#0  0x00007ffff30d9378 in js::ConstraintTypeSet::sweep(JS::Zone*, js::AutoClearTypeInferenceStateOnOOM&) (this=this@entry=0x7fffb658c628, zone=0x7fffe2c09000, oom=...) at /tmp/buildd/iceweasel-38.2.1esr/js/src/vm/TypeInference.cpp:3793
#1  0x00007ffff30fffc9 in js::ObjectGroup::maybeSweep(js::AutoClearTypeInferenceStateOnOOM*) (this=0x7fffc890eee0, oom=oom@entry=0x7fffffffc800) at /tmp/buildd/iceweasel-38.2.1esr/js/src/vm/TypeInference.cpp:3897
#2  0x00007ffff33697eb in js::gc::GCRuntime::sweepPhase(js::SliceBudget&) (oom=0x7fffffffc800, group=<optimized out>) at /tmp/buildd/iceweasel-38.2.1esr/js/src/jsgc.cpp:5216
#3  0x00007ffff33697eb in js::gc::GCRuntime::sweepPhase(js::SliceBudget&) (sliceBudget=..., arenasToSweep=<optimized out>) at /tmp/buildd/iceweasel-38.2.1esr/js/src/jsgc.cpp:5225
#4  0x00007ffff33697eb in js::gc::GCRuntime::sweepPhase(js::SliceBudget&) (this=this@entry=0x7fffe5f2f318, sliceBudget=...) at /tmp/buildd/iceweasel-38.2.1esr/js/src/jsgc.cpp:5270
#5  0x00007ffff33719c8 in js::gc::GCRuntime::incrementalCollectSlice(js::SliceBudget&, JS::gcreason::Reason) (this=this@entry=0x7fffe5f2f318, budget=..., reason=reason@entry=JS::gcreason::INTER_SLICE_GC) at /tmp/buildd/iceweasel-38.2.1esr/js/src/jsgc.cpp:5903
#6  0x00007ffff3372403 in js::gc::GCRuntime::gcCycle(bool, js::SliceBudget&, JS::gcreason::Reason) (this=this@entry=0x7fffe5f2f318, incremental=incremental@entry=true, budget=..., reason=reason@entry=JS::gcreason::INTER_SLICE_GC) at /tmp/buildd/iceweasel-38.2.1esr/js/src/jsgc.cpp:6076
#7  0x00007ffff3372698 in js::gc::GCRuntime::collect(bool, js::SliceBudget, JS::gcreason::Reason) (this=this@entry=0x7fffe5f2f318, incremental=incremental@entry=true, budget=..., reason=reason@entry=JS::gcreason::INTER_SLICE_GC) at /tmp/buildd/iceweasel-38.2.1esr/js/src/jsgc.cpp:6190
#8  0x00007ffff3372c7a in JS::IncrementalGCSlice(JSRuntime*, JS::gcreason::Reason, long) (millis=140737051292440, reason=JS::gcreason::INTER_SLICE_GC, this=0x7fffe5f2f318) at /tmp/buildd/iceweasel-38.2.1esr/js/src/jsgc.cpp:6266
#9  0x00007ffff3372c7a in JS::IncrementalGCSlice(JSRuntime*, JS::gcreason::Reason, long) (rt=0x7fffe5f2f000, reason=reason@entry=JS::gcreason::INTER_SLICE_GC, millis=millis@entry=40) at /tmp/buildd/iceweasel-38.2.1esr/js/src/jsgc.cpp:7064
#10 0x00007ffff1d17e26 in nsJSContext::GarbageCollectNow(JS::gcreason::Reason, nsJSContext::IsIncremental, nsJSContext::IsShrinking, long) (aReason=JS::gcreason::INTER_SLICE_GC, aIncremental=<optimized out>, aShrinking=nsJSContext::NonShrinkingGC, aSliceMillis=40) at /tmp/buildd/iceweasel-38.2.1esr/dom/base/nsJSEnvironment.cpp:1283
#11 0x00007ffff1684bc8 in nsTimerImpl::Fire() (this=0x7ffc513de520) at /tmp/buildd/iceweasel-38.2.1esr/xpcom/threads/nsTimerImpl.cpp:631
#12 0x00007ffff1684ec1 in nsTimerEvent::Run() (this=0x7fffce1c2020) at /tmp/buildd/iceweasel-38.2.1esr/xpcom/threads/nsTimerImpl.cpp:724
#13 0x00007ffff1681a61 in nsThread::ProcessNextEvent(bool, bool*) (this=0x7fffe7b0b3d0, aMayWait=<optimized out>, aResult=0x7fffffffcc57) at /tmp/buildd/iceweasel-38.2.1esr/xpcom/threads/nsThread.cpp:855
#14 0x00007ffff1696e41 in NS_ProcessNextEvent(nsIThread*, bool) (aThread=<optimized out>, aMayWait=aMayWait@entry=true) at /tmp/buildd/iceweasel-38.2.1esr/xpcom/glue/nsThreadUtils.cpp:265
#15 0x00007ffff184e534 in mozilla::ipc::MessagePump::Run(base::MessagePump::Delegate*) (this=0x7fffe7b17280, aDelegate=0x7fffe7b181c0) at /tmp/buildd/iceweasel-38.2.1esr/ipc/glue/MessagePump.cpp:140
#16 0x00007ffff1843249 in MessageLoop::Run() (this=0x7fffe7b181c0) at /tmp/buildd/iceweasel-38.2.1esr/ipc/chromium/src/base/message_loop.cc:226
#17 0x00007ffff1843249 in MessageLoop::Run() (this=0x7fffe7b181c0) at /tmp/buildd/iceweasel-38.2.1esr/ipc/chromium/src/base/message_loop.cc:200
#18 0x00007ffff25e3dc6 in nsBaseAppShell::Run() (this=0x7fffb658c628) at /tmp/buildd/iceweasel-38.2.1esr/widget/nsBaseAppShell.cpp:164
#19 0x00007ffff2b10567 in nsAppStartup::Run() (this=0x7fffe1459060) at /tmp/buildd/iceweasel-38.2.1esr/toolkit/components/startup/nsAppStartup.cpp:281
#20 0x00007ffff2b43791 in XREMain::XRE_mainRun() (this=this@entry=0x7fffffffcee0) at /tmp/buildd/iceweasel-38.2.1esr/toolkit/xre/nsAppRunner.cpp:4240
#21 0x00007ffff2b43a82 in XREMain::XRE_main(int, char**, nsXREAppData const*) (this=this@entry=0x7fffffffcee0, argc=argc@entry=1, argv=argv@entry=0x7fffffffe408, aAppData=aAppData@entry=0x7fffffffd0f8) at /tmp/buildd/iceweasel-38.2.1esr/toolkit/xre/nsAppRunner.cpp:4320
#22 0x00007ffff2b43d62 in XRE_main(int, char**, nsXREAppData const*, uint32_t) (argc=1, argv=0x7fffffffe408, aAppData=0x7fffffffd0f8, aFlags=<optimized out>) at /tmp/buildd/iceweasel-38.2.1esr/toolkit/xre/nsAppRunner.cpp:4539
#23 0x000055555555846e in do_main(int, char**, nsIFile*) (argc=1, argv=0x7fffffffe408, xreDirectory=0x7ffff6b64780) at /tmp/buildd/iceweasel-38.2.1esr/browser/app/nsBrowserApp.cpp:294
#24 0x0000555555557bb6 in main(int, char**) (argc=1, argv=0x7fffffffe408) at /tmp/buildd/iceweasel-38.2.1esr/browser/app/nsBrowserApp.cpp:667
Comment 5
A build on Gentoo from the official ebuild, x86_64. I think disabling system-cairo helped as I'm not having any crashes for a long time now. I tried it after reading about some other bug about a similar crash. I forgot the number, but if I remember correctly, people were referring to some new multi-threaded page rendering improvements. I think it's related. I haven't tested with a recent version.
Flags: needinfo?(dottomi)
Comment 6•8 years ago
Thunderbird examples:
bp-c7e3bbe4-43ad-42d6-bb99-6534d2160229
bp-5260b9bd-bbdb-4b12-81b6-67b012160309
bp-88630a45-c53a-40e6-a864-1d0a22160309
Crash Signature: [@ js::ConstraintTypeSet::sweep]
Whiteboard: [tbird crash]
Comment 7•8 years ago
Also reported via the Debian bts for TB 45.2.0: https://bugs.debian.org/cgi-bin/bugreport.cgi?bug=829531
Comment 8•8 years ago
Crash volume for signature 'js::ConstraintTypeSet::sweep':
- nightly (version 50): 115 crashes from 2016-06-06.
- aurora (version 49): 178 crashes from 2016-06-07.
- beta (version 48): 92 crashes from 2016-06-06.
- release (version 47): 934 crashes from 2016-05-31.
- esr (version 45): 77 crashes from 2016-04-07.

Crash volume on the last weeks:
             Week N-1  Week N-2  Week N-3  Week N-4  Week N-5  Week N-6  Week N-7
- nightly          13        22        23        22         9        12         8
- aurora           37        15        25        16        29        31        12
- beta             16        15        13        10        17        13         2
- release         140       124       138       144       165       137        35
- esr               4         8        10        10         3         2        12

Affected platforms: Windows, Mac OS X, Linux
status-firefox47: --- → affected
status-firefox48: --- → affected
status-firefox49: --- → affected
status-firefox50: --- → affected
status-firefox-esr45: --- → affected
Comment 9•8 years ago
(In reply to Guido Günther from comment #7)
> Also reported via the Debian bts for TB 45.2.0:
>
> https://bugs.debian.org/cgi-bin/bugreport.cgi?bug=829531

see bug 1287306 for Thunderbird crash
Updated•8 years ago
Updated•7 years ago
Status: NEW → RESOLVED
Closed: 7 years ago
Resolution: --- → DUPLICATE
Updated•7 years ago
Crash Signature: [@ js::ConstraintTypeSet::sweep]