Closed
Bug 1201483
Opened 10 years ago
Closed 5 years ago
crash in js::ObjectGroupCompartment::sweep
Categories
(Core :: JavaScript: GC, defect)
Tracking
()
RESOLVED
WORKSFORME
People
(Reporter: martin, Unassigned)
Details
(Keywords: crash, regression)
Crash Data
Running 41b4 I got this crash:
Program received signal SIGSEGV, Segmentation fault.
[Switching to LWP 9]
IsAboutToBeFinalizedInternal<JSScript*> (thingp=0xffffffffedbfdaf0)
at /usr/pkgobj/www/firefox/work/mozilla-beta/js/src/gc/Marking.cpp:2150
2150 if (rt->isHeapMinorCollecting()) {
(gdb) bt
#0 IsAboutToBeFinalizedInternal<JSScript*> (thingp=0xffffffffedbfdaf0)
at /usr/pkgobj/www/firefox/work/mozilla-beta/js/src/gc/Marking.cpp:2150
#1 0xfffffffffce98038 in js::ObjectGroupCompartment::sweep (
this=0xffffffffe9ce3570, fop=<optimized out>)
at /usr/pkgobj/www/firefox/work/mozilla-beta/js/src/vm/ObjectGroup.cpp:1519
#2 0xfffffffffd040af8 in SweepObjectGroupsTask::run (this=0xffffffffffff9cc0)
at /usr/pkgobj/www/firefox/work/mozilla-beta/js/src/jsgc.cpp:4819
#3 0xfffffffffd0d15e4 in js::GCParallelTask::runFromHelperThread (
this=0xffffffffffff9cc0)
at /usr/pkgobj/www/firefox/work/mozilla-beta/js/src/vm/HelperThreads.cpp:842
#4 0xfffffffffd0dcf34 in js::HelperThread::handleGCParallelWorkload (
this=this@entry=0xfffffffff022e500)
at /usr/pkgobj/www/firefox/work/mozilla-beta/js/src/vm/HelperThreads.cpp:866
#5 0xfffffffffd0e93f0 in js::HelperThread::threadLoop (
this=0xfffffffff022e500)
at /usr/pkgobj/www/firefox/work/mozilla-beta/js/src/vm/HelperThreads.cpp:1443
#6 0xfffffffff7736070 in _pt_root (arg=0xffffffffef3306a0) at ptthread.c:208
(gdb) up
#1 0xfffffffffce98038 in js::ObjectGroupCompartment::sweep (
this=0xffffffffe9ce3570, fop=<optimized out>)
at /usr/pkgobj/www/firefox/work/mozilla-beta/js/src/vm/ObjectGroup.cpp:1519
1519 bool keyDying = IsAboutToBeFinalizedUnbarriered(&key.script);
(gdb) list
1514 }
1515
1516 if (allocationSiteTable) {
1517 for (AllocationSiteTable::Enum e(*allocationSiteTable); !e.empty(); e.popFront()) {
1518 AllocationSiteKey key = e.front().key();
1519 bool keyDying = IsAboutToBeFinalizedUnbarriered(&key.script);
1520 bool valDying = IsAboutToBeFinalized(&e.front().value());
1521 if (keyDying || valDying)
1522 e.removeFront();
1523 else if (key.script != e.front().key().script)
(gdb) p e
$2 = {<js::detail::HashTable<js::HashMapEntry<js::ObjectGroupCompartment::AllocationSiteKey, js::ReadBarriered<js::ObjectGroup*> >, js::HashMap<js::ObjectGroupCompartment::AllocationSiteKey, js::ReadBarriered<js::ObjectGroup*>, js::ObjectGroupCompartment::AllocationSiteKey, js::SystemAllocPolicy>::MapHashPolicy, js::SystemAllocPolicy>::Range> = {cur = 0xffffffffd4cea980,
end = 0xffffffffd4ceac00}, table_ = @0xffffffffe9cbb440, rekeyed = false,
removed = true}
(gdb) p key
$3 = {<js::DefaultHasher<js::ObjectGroupCompartment::AllocationSiteKey>> = {<No data fields>}, script = 0x0, offset = 0, kind = JSProto_Null,
static OFFSET_LIMIT = 8388608}
|
||
Updated•9 years ago
|
|
||
Comment 1•9 years ago
|
||
Crash volume for signature 'js::ObjectGroupCompartment::sweep':
- nightly (version 50): 0 crash from 2016-06-06.
- aurora (version 49): 0 crash from 2016-06-07.
- beta (version 48): 8 crashes from 2016-06-06.
- release (version 47): 2 crashes from 2016-05-31.
- esr (version 45): 204 crashes from 2016-04-07.
Crash volume on the last weeks:
Week N-1 Week N-2 Week N-3 Week N-4 Week N-5 Week N-6 Week N-7
- nightly 0 0 0 0 0 0 0
- aurora 0 0 0 0 0 0 0
- beta 3 0 0 0 0 0 0
- release 0 0 0 0 0 1 1
- esr 30 24 23 13 24 25 12
Affected platforms: Windows, Linux
status-firefox47:
--- → affected
status-firefox48:
--- → affected
status-firefox-esr45:
--- → affected
|
|
||
Comment 2•5 years ago
|
||
Closing because no crashes reported for 12 weeks.
Status: NEW → RESOLVED
Closed: 5 years ago
Resolution: --- → WORKSFORME
|
|
||
Comment 3•5 years ago
|
||
Bugbug thinks this bug is a regression, but please revert this change in case of error.
Keywords: regression
You need to log in
before you can comment on or make changes to this bug.
Description
•