Closed
Bug 1192448
Opened 9 years ago
Closed 9 years ago
Crash in JSCompartment destructor
Categories
(Core :: JavaScript: GC, defect)
Tracking
()
RESOLVED
FIXED
| Tracking | Status | |
|---|---|---|
| firefox42 | --- | affected |
People
(Reporter: dhylands, Unassigned)
References
Details
Every time I launch B2G-desktop it immediately crashes with the following backtrace:
> (gdb) bt
> #0 0x00007f6600c89f3d in nanosleep () at ../sysdeps/unix/syscall-template.S:81
> #1 0x00007f6600c89dd4 in __sleep (seconds=0) at ../sysdeps/unix/sysv/linux/sleep.c:137
> #2 0x00007f65f54ed2ae in ah_crap_handler (signum=11) at /home/work/B2G-desktop/mozilla-central/toolkit/xre/nsSigHandlers.cpp:103
> #3 0x00007f65f54e02c0 in nsProfileLock::FatalSignalHandler (signo=11, info=0x7ffc51adcd30, context=0x7ffc51adcc00) at /home/work/B2G-desktop/mozilla-central/toolkit/profile/nsProfileLock.cpp:195
> #4 0x00007f65f5b14351 in AsmJSFaultHandler (signum=<optimized out>, info=0x7ffc51adcd30, context=0x7ffc51adcc00) at /home/work/B2G-desktop/mozilla-central/js/src/asmjs/AsmJSSignalHandlers.cpp:1135
> #5 <signal handler called>
> #6 0x00007f65f60b33c2 in ~LinkedList (this=0x7f65d75efba8, __in_chrg=<optimized out>) at ../../dist/include/mozilla/LinkedList.h:308
> #7 JSCompartment::~JSCompartment (this=0x7f65d75ef800, __in_chrg=<optimized out>) at /home/work/B2G-desktop/mozilla-central/js/src/jscompartment.cpp:90
> #8 0x00007f65f61320b7 in js_delete<JSCompartment> (p=0x7f65d75ef800) at ../../dist/include/js/Utility.h:254
> #9 sweepCompartments (keepAtleastOne=false, destroyingRuntime=false, fop=0x7ffc51add3f0, this=0x7f65d75ea000) at /home/work/B2G-desktop/mozilla-central/js/src/jsgc.cpp:3604
> #10 js::gc::GCRuntime::sweepZones (this=0x7f65ee3d43d8, fop=0x7ffc51add3f0, destroyingRuntime=false) at /home/work/B2G-desktop/mozilla-central/js/src/jsgc.cpp:3645
> #11 0x00007f65f614feee in js::gc::GCRuntime::endSweepPhase (this=this@entry=0x7f65ee3d43d8, destroyingRuntime=destroyingRuntime@entry=false)
> at /home/work/B2G-desktop/mozilla-central/js/src/jsgc.cpp:5369
> #12 0x00007f65f616d249 in js::gc::GCRuntime::incrementalCollectSlice (this=this@entry=0x7f65ee3d43d8, budget=..., reason=reason@entry=JS::gcreason::INTER_SLICE_GC)
> at /home/work/B2G-desktop/mozilla-central/js/src/jsgc.cpp:5883
> #13 0x00007f65f616e202 in js::gc::GCRuntime::gcCycle (this=this@entry=0x7f65ee3d43d8, incremental=incremental@entry=true, budget=..., reason=reason@entry=JS::gcreason::INTER_SLICE_GC)
> at /home/work/B2G-desktop/mozilla-central/js/src/jsgc.cpp:6063
> #14 0x00007f65f616e65a in js::gc::GCRuntime::collect (this=0x7f65ee3d43d8, incremental=incremental@entry=true, budget=..., reason=reason@entry=JS::gcreason::INTER_SLICE_GC)
> at /home/work/B2G-desktop/mozilla-central/js/src/jsgc.cpp:6177
> #15 0x00007f65f616eca4 in js::gc::GCRuntime::gcSlice (this=<optimized out>, reason=JS::gcreason::INTER_SLICE_GC, millis=<optimized out>) at /home/work/B2G-desktop/mozilla-central/js/src/jsgc.cpp:6253
> #16 0x00007f65f407af74 in nsJSContext::GarbageCollectNow (aReason=JS::gcreason::INTER_SLICE_GC, aIncremental=nsJSContext::IncrementalGC, aShrinking=nsJSContext::NonShrinkingGC, aSliceMillis=40)
> at /home/work/B2G-desktop/mozilla-central/dom/base/nsJSEnvironment.cpp:1325
> #17 0x00007f65f35e04c0 in nsTimerImpl::Fire (this=0x7f65cac23800) at /home/work/B2G-desktop/mozilla-central/xpcom/threads/nsTimerImpl.cpp:437
> #18 0x00007f65f35e065c in nsTimerEvent::Run (this=0x7f65dd1422c0) at /home/work/B2G-desktop/mozilla-central/xpcom/threads/TimerThread.cpp:268
> #19 0x00007f65f35dd5a7 in nsThread::ProcessNextEvent (this=0x7f660096ec70, aMayWait=<optimized out>, aResult=0x7ffc51add95f) at /home/work/B2G-desktop/mozilla-central/xpcom/threads/nsThread.cpp:867
> #20 0x00007f65f3606f4f in NS_ProcessNextEvent (aThread=<optimized out>, aMayWait=<optimized out>) at /home/work/B2G-desktop/mozilla-central/xpcom/glue/nsThreadUtils.cpp:277
> #21 0x00007f65f384bfc7 in mozilla::ipc::MessagePump::Run (this=0x7f65f0986f00, aDelegate=0x7f6600973200) at /home/work/B2G-desktop/mozilla-central/ipc/glue/MessagePump.cpp:127
> #22 0x00007f65f38239a9 in MessageLoop::RunInternal (this=this@entry=0x7f6600973200) at /home/work/B2G-desktop/mozilla-central/ipc/chromium/src/base/message_loop.cc:234
> #23 0x00007f65f38239da in RunHandler (this=0x7f6600973200) at /home/work/B2G-desktop/mozilla-central/ipc/chromium/src/base/message_loop.cc:227
> #24 MessageLoop::Run (this=0x7f6600973200) at /home/work/B2G-desktop/mozilla-central/ipc/chromium/src/base/message_loop.cc:201
> #25 0x00007f65f4e61f83 in nsBaseAppShell::Run (this=0x7f65ec4cfa80) at /home/work/B2G-desktop/mozilla-central/widget/nsBaseAppShell.cpp:165
> #26 0x00007f65f5495196 in nsAppStartup::Run (this=0x7f65eb832150) at /home/work/B2G-desktop/mozilla-central/toolkit/components/startup/nsAppStartup.cpp:280
> #27 0x00007f65f54ea8fe in XREMain::XRE_mainRun (this=this@entry=0x7ffc51addcb0) at /home/work/B2G-desktop/mozilla-central/toolkit/xre/nsAppRunner.cpp:4288
> #28 0x00007f65f54eae0a in XREMain::XRE_main (this=this@entry=0x7ffc51addcb0, argc=argc@entry=4, argv=argv@entry=0x7f66009b4fa0, aAppData=aAppData@entry=0x4369d0 <sAppData>)
> at /home/work/B2G-desktop/mozilla-central/toolkit/xre/nsAppRunner.cpp:4385
> #29 0x00007f65f54eb0be in XRE_main (argc=4, argv=0x7f66009b4fa0, aAppData=0x4369d0 <sAppData>, aFlags=<optimized out>) at /home/work/B2G-desktop/mozilla-central/toolkit/xre/nsAppRunner.cpp:4474
> #30 0x00000000004051a7 in do_main (argv=0x7f66009b4fa0, argc=4) at /home/work/B2G-desktop/mozilla-central/b2g/app/nsBrowserApp.cpp:167
> #31 main (argc=4, argv=<optimized out>) at /home/work/B2G-desktop/mozilla-central/b2g/app/nsBrowserApp.cpp:299
|
Reporter | |
Updated•9 years ago
|
OS: Unspecified → Linux
Hardware: Unspecified → x86_64
|
|
Reporter | |
Comment 1•9 years ago
|
||
It seems to be hitting: Assertion failure: isEmpty(), at ../../dist/include/mozilla/LinkedList.h:308
|
||
Comment 2•9 years ago
|
||
That assertion generally indicates misuse: someone's trying to destroy a LinkedList without emptying it first. The only LinkedList in JSCompartment appears to be for UnboxedLayouts: paging bhackett. Knowing when this arose might also be helpful to know -- any regression range, even a hazy one?
Flags: needinfo?(bhackett1024)
|
|
Reporter | |
Comment 3•9 years ago
|
||
I started to do a bisection and got this far: changeset 256479:888019c4ff5b fails changeset 256165:a4baa2a12eef fails changeset 256008:b28d496da7bf fails changeset 255851:51672b103c61 works
|
|
Reporter | |
Comment 4•9 years ago
|
||
Continuing the bisection I get: changeset 256479:888019c4ff5b fails changeset 256165:a4baa2a12eef fails changeset 256008:b28d496da7bf fails changeset 255988:579d50cc0ca7 fails changeset 255968:4e05c3afe0e0 fails changeset 255967:2f16fb18314a fails - This seems to be the culprit changeset 255966:8ad982618f06 works changeset 255963:502c196722eb works changeset 255958:d1288e84b4a0 works changeset 255948:0ebb7da63ced works changeset 255929:c2b099fa12ee works changeset 255851:51672b103c61 works I'm not sure why this changeset would cause the problem: changeset: 255967:2f16fb18314a user: Boris Zbarsky <bzbarsky@mit.edu> date: Mon Aug 03 11:51:57 2015 -0400 summary: Bug 1181908. The CompileOptions constructor should properly copy the introducerFilename and isRunOnce state. r=luke Perhaps its exposing a race? ni'ing luke (since he reviewed it - bz is on PTO until 8/24)
Flags: needinfo?(luke)
|
||
Comment 5•9 years ago
|
||
That's pretty bizarre. I don't have time to dig into this, so probably just need to back out. But before that, Terrence, any idea what this could be?
Flags: needinfo?(luke) → needinfo?(terrence)
|
||
Updated•9 years ago
|
Flags: needinfo?(bhackett1024)
|
|
||
Updated•9 years ago
|
Flags: needinfo?(terrence)
|
|
||
Comment 7•9 years ago
|
||
This is fixed by https://hg.mozilla.org/integration/mozilla-inbound/rev/8cd6dd07c27a
Status: NEW → RESOLVED
Closed: 9 years ago
Resolution: --- → FIXED
You need to log in
before you can comment on or make changes to this bug.
Description
•