Closed Bug 1217332 Opened 10 years ago Closed 10 years ago

Intermittent browser_syncui.js | application crashed [@ JS::Value::setObject(JSObject&)] | Assertion failure: uintptr_t(obj) > 0x1000 || uintptr_t(obj) == 0x42, at ../../dist/include/js/Value.h:863

Categories

(Core :: JavaScript Engine, defect)

Product:
Core
Component:
JavaScript Engine
Type:
defect
Priority:
Not set
Severity:
normal

Tracking

()

Status:
RESOLVED FIXED
Milestone:
mozilla45
Tracking Flags:
Tracking Status
firefox44 --- disabled
firefox45 --- fixed

People

(Reporter: cbook, Assigned: jonco)

References

(
URL
)

Details

(Keywords: assertion, crash, intermittent-failure)

Attachments

(1 file, 1 obsolete file)

bug1217332-reenable-syncui-test
911 bytes, patch
philor
: review+
Details | Diff | Splinter Review
https://treeherder.mozilla.org/logviewer.html#?job_id=16087484&repo=mozilla-inbound 01:55:54 INFO - Assertion failure: uintptr_t(obj) > 0x1000 || uintptr_t(obj) == 0x42, at ../../dist/include/js/Value.h:863 01:55:54 INFO - #01: js::Invoke(JSContext*, JS::Value const&, JS::Value const&, unsigned int, JS::Value const*, JS::MutableHandle<JS::Value>) [js/src/jsobj.h:1106] 01:55:54 INFO - #02: js::InvokeGetter(JSContext*, JS::Value const&, JS::Value, JS::MutableHandle<JS::Value>) [js/src/vm/Interpreter.cpp:652] 01:55:54 INFO - #03: GetExistingProperty<js::AllowGC::CanGC> [js/src/vm/NativeObject.cpp:1703] 01:55:54 INFO - #04: js::NativeGetExistingProperty(JSContext*, JS::Handle<JSObject*>, JS::Handle<js::NativeObject*>, JS::Handle<js::Shape*>, JS::MutableHandle<JS::Value>) [js/public/RootingAPI.h:686] 01:55:54 INFO - #05: bool js::FetchName<false>(JSContext*, JS::Handle<JSObject*>, JS::Handle<JSObject*>, JS::Handle<js::PropertyName*>, JS::Handle<js::Shape*>, JS::MutableHandle<JS::Value>) [js/src/vm/Interpreter-inl.h:247] 01:55:54 INFO - #06: Interpret [js/public/RootingAPI.h:686] 01:55:54 INFO - #07: js::RunScript(JSContext*, js::RunState&) [js/src/vm/Interpreter.cpp:430] 01:55:54 INFO - #08: js::Invoke(JSContext*, JS::CallArgs const&, js::MaybeConstruct) [js/src/vm/Interpreter.cpp:507] 01:55:54 INFO - #09: js::Invoke(JSContext*, JS::Value const&, JS::Value const&, unsigned int, JS::Value const*, JS::MutableHandle<JS::Value>) [js/src/vm/Interpreter.cpp:542] 01:55:54 INFO - #10: js::jit::DoCallFallback [js/src/jit/BaselineIC.cpp:9027] 01:55:56 INFO - TEST-INFO | Main app process: exit 1 01:56:15 WARNING - PROCESS-CRASH | browser/base/content/test/general/browser_syncui.js | application crashed [@ JS::Value::setObject(JSObject&)] 01:56:15 INFO - Crash dump filename: /var/folders/oc/ocvsin6xEtS4v5dMG4fT9U+++-k/-Tmp-/tmpi4W5yG.mozrunner/minidumps/169A943C-7B32-45FB-AA00-512340957E11.dmp 01:56:15 INFO - Operating system: Mac OS X 01:56:15 INFO - 10.6.8 10K549 01:56:15 INFO - CPU: amd64 01:56:15 INFO - family 6 model 23 stepping 10 01:56:15 INFO - 2 CPUs 01:56:15 INFO - Crash reason: EXC_BAD_ACCESS / KERN_INVALID_ADDRESS 01:56:15 INFO - Crash address: 0x0 01:56:15 INFO - Process uptime: 746 seconds 01:56:15 INFO - Thread 0 (crashed) 01:56:15 INFO - 0 XUL!JS::Value::setObject(JSObject&) [Value.h:dc161b1cddbf : 863 + 0x0] 01:56:15 INFO - rax = 0x0000000000000000 rdx = 0x0000000000000000 01:56:15 INFO - rcx = 0x0000000000000001 rbx = 0x00007fff7095a2f8 01:56:15 INFO - rsi = 0x0000000000000000 rdi = 0x0000000105c92c3e 01:56:15 INFO - rbp = 0x00007fff5fbf3250 rsp = 0x00007fff5fbf3240 01:56:15 INFO - r8 = 0x00007fff7095da60 r9 = 0x0000000000000000 01:56:15 INFO - r10 = 0x0000000000000000 r11 = 0x0000000000000000 01:56:15 INFO - r12 = 0x00007fff5fbf32b0 r13 = 0x00007fff5fbf33a0 01:56:15 INFO - r14 = 0x0000000100528500 r15 = 0x00007fff5fbf3468 01:56:15 INFO - rip = 0x00000001016c9f8d 01:56:15 INFO - Found by: given as instruction pointer in context 01:56:15 INFO - 1 XUL!mozilla::dom::ObjectToOuterObjectValue(JSContext*, JS::Handle<JSObject*>, JS::MutableHandle<JS::Value>) [Value.h:dc161b1cddbf : 1797 + 0xb] 01:56:15 INFO - rbx = 0x00007fff5fbf3310 rbp = 0x00007fff5fbf3270 01:56:15 INFO - rsp = 0x00007fff5fbf3260 r12 = 0x00007fff5fbf32b0 01:56:15 INFO - r13 = 0x00007fff5fbf33a0 r14 = 0x0000000100528500 01:56:15 INFO - r15 = 0x00007fff5fbf3468 rip = 0x00000001031a91a9 01:56:15 INFO - Found by: call frame info 01:56:15 INFO - 2 XUL!js::Invoke(JSContext*, JS::Value const&, JS::Value const&, unsigned int, JS::Value const*, JS::MutableHandle<JS::Value>) [jsobj.h:dc161b1cddbf : 1106 + 0x5] 01:56:15 INFO - rbx = 0x00007fff5fbf3298 rbp = 0x00007fff5fbf3380 01:56:15 INFO - rsp = 0x00007fff5fbf3280 r12 = 0x00007fff5fbf32b0 01:56:15 INFO - r13 = 0x00007fff5fbf33a0 r14 = 0x0000000100528500 01:56:15 INFO - r15 = 0x00007fff5fbf3468 rip = 0x000000010578df52 01:56:15 INFO - Found by: call frame info 01:56:15 INFO - 3 XUL!js::InvokeGetter(JSContext*, JS::Value const&, JS::Value, JS::MutableHandle<JS::Value>) [Interpreter.cpp:dc161b1cddbf : 651 + 0x13] 01:56:15 INFO - rbx = 0x0000000100528500 rbp = 0x00007fff5fbf33c0 01:56:15 INFO - rsp = 0x00007fff5fbf3390 r12 = 0x0000000100528500 01:56:15 INFO - r13 = 0x00007fff5fbf3401 r14 = 0x00007fff5fbf37e8 01:56:15 INFO - r15 = 0x00007fff5fbf3468 rip = 0x000000010578e862 01:56:15 INFO - Found by: call frame info 01:56:15 INFO - 4 XUL!GetExistingProperty<js::AllowGC::CanGC> [NativeObject.cpp:dc161b1cddbf : 1655 + 0xf] 01:56:15 INFO - rbx = 0x00007fff5fbf37e8 rbp = 0x00007fff5fbf3440 01:56:15 INFO - rsp = 0x00007fff5fbf33d0 r12 = 0x0000000100528500 01:56:15 INFO - r13 = 0x00007fff5fbf3401 r14 = 0x00007fff5fbf3978 01:56:15 INFO - r15 = 0x00007fff5fbf38e8 rip = 0x00000001057e7531 01:56:15 INFO - Found by: call frame info 01:56:15 INFO - 5 XUL!js::NativeGetExistingProperty(JSContext*, JS::Handle<JSObject*>, JS::Handle<js::NativeObject*>, JS::Handle<js::Shape*>, JS::MutableHandle<JS::Value>) [NativeObject.cpp:dc161b1cddbf : 1726 + 0x11] 01:56:15 INFO - rbx = 0x0000000100528500 rbp = 0x00007fff5fbf34a0 01:56:15 INFO - rsp = 0x00007fff5fbf3450 r12 = 0x00007fff5fbf3978 01:56:15 INFO - r13 = 0x00007fff5fbf3458 r14 = 0x00007fff5fbf37e8 01:56:15 INFO - r15 = 0x00007fff5fbf38e8 rip = 0x00000001057e71
Keywords: leave-open
Whiteboard: [test disabled on OS X debug]
Blocks: 1221159
removing the b2g 2.5 flag since this commit has been reverted due to an incorrect merge, sorry for the confusion
status-b2g-v2.5: fixed → ---
Attached patch general-browser-ini.patch (obsolete) — Splinter Review
This test case is failing (crashing) intermittently on Mac 10.10 opt, as well as Mac debug. Please land this patch to disable it on Mac.
Attachment #8684370 - Flags: review?(jmathies)
Attachment #8684370 - Flags: review?(jmathies) → review+
Keywords: checkin-needed
I'm not sure of the exact code path, but I think this is the same issue as bug 1223021. So js::BoxNonStrictThis() is hitting OOM and incorrectly returning |null| for this. We then hit an assertion trying to outerise it. The bug itself was fixed in the course of bug 1125423. This test is passing again on try now: https://treeherder.mozilla.org/#/jobs?repo=try&revision=1a445c528c93
Patch to re-enable this test.
Assignee: nobody → jcoppeard
Attachment #8685491 - Flags: review?(jmathies)
the patch to disable this hasn't landed yet. The reason we disabled it was due to interference with another test we're trying to get turned on in bug 1221159.
Flags: needinfo?(jcoppeard)
Attachment #8685491 - Flags: review?(jmathies) → review-
No longer blocks: 1221159
Comment on attachment 8684370 [details] [diff] [review] general-browser-ini.patch No longer needed.
Attachment #8684370 - Attachment is obsolete: true
Attachment #8684370 - Flags: review+
Oh, neat, despite the keyword still being on the bug and no mention of it landing being added to the bug, attachment 8684370 [details] [diff] [review] actually did land, in https://hg.mozilla.org/integration/mozilla-inbound/rev/2b997fda5610, with the wrong bug number so only bug 1217322 got to hear about it landing.
Comment on attachment 8685491 [details] [diff] [review] bug1217332-reenable-syncui-test So since this does revert the thing which was landed on inbound, despite not being in the least little bit necessary to land for the bug it was purportedly for, or for the bug number in the commit, landing *this* is the right thing to do, since the crashes and assertions are now fixed.
Attachment #8685491 - Flags: review- → review+
Fixed by bug 1125423.
Status: NEW → RESOLVED
Closed: 10 years ago
status-b2g-v2.5: fixed → ---
status-firefox45: --- → fixed
Flags: needinfo?(jcoppeard)
Keywords: leave-open
Resolution: --- → FIXED
Whiteboard: [test disabled on OS X debug]
Target Milestone: --- → mozilla45
You need to log in before you can comment on or make changes to this bug.

Attachment

General

Creator:
Created:
Updated:
Size: