Closed Bug 1218322 Opened 4 years ago Closed 4 years ago

Crash in js::ConstraintTypeSet::sweep(JS::Zone*, js::AutoClearTypeInferenceStateOnOOM&)

Categories

(Core :: General, defect)

41 Branch
x86_64
Linux
defect
Not set

Tracking

RESOLVED DUPLICATE of bug 1191465

People

(Reporter: letharion, Unassigned)

Details

User Agent: Mozilla/5.0 (X11; Linux x86_64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/46.0.2490.71 Safari/537.36

Steps to reproduce:

Unfortunately this keeps happening "all the time", so I don't have specific reproduction instructions. I have tried to see some pattern among the crashes, and the only one I've found so far is that image-heavy sites tend to be more likely to crash.


Actual results:

Program received signal SIGSEGV, Segmentation fault.


Expected results:

No segmentation fault would be nice. :)

Program received signal SIGSEGV, Segmentation fault.
[Switching to Thread 0x7ffff7fb3780 (LWP 15092)]
0x0000000000000000 in ?? ()
(gdb) bt
#0  0x0000000000000000 in ?? ()
#1  0x00007ffff4f8f710 in js::ConstraintTypeSet::sweep(JS::Zone*, js::AutoClearTypeInferenceStateOnOOM&) () from /usr/lib64/firefox/libxul.so
#2  0x00007ffff4f6dd25 in JSScript::maybeSweepTypes(js::AutoClearTypeInferenceStateOnOOM*) () from /usr/lib64/firefox/libxul.so
#3  0x00007ffff53113b3 in js::gc::GCRuntime::sweepPhase(js::SliceBudget&) () from /usr/lib64/firefox/libxul.so
#4  0x00007ffff5311b6d in js::gc::GCRuntime::incrementalCollectSlice(js::SliceBudget&, JS::gcreason::Reason) () from /usr/lib64/firefox/libxul.so
#5  0x00007ffff5312855 in js::gc::GCRuntime::gcCycle(bool, js::SliceBudget&, JS::gcreason::Reason) () from /usr/lib64/firefox/libxul.so
#6  0x00007ffff5312b4d in js::gc::GCRuntime::collect(bool, js::SliceBudget, JS::gcreason::Reason) () from /usr/lib64/firefox/libxul.so
#7  0x00007ffff53140e4 in JS::NotifyDidPaint(JSRuntime*) () from /usr/lib64/firefox/libxul.so
#8  0x00007ffff2f5e1a3 in nsXPConnect::NotifyDidPaint() () from /usr/lib64/firefox/libxul.so
#9  0x00007ffff437969f in nsRefreshDriver::Tick(long, mozilla::TimeStamp) () from /usr/lib64/firefox/libxul.so
#10 0x00007ffff437bb42 in mozilla::RefreshDriverTimer::Tick(long, mozilla::TimeStamp) () from /usr/lib64/firefox/libxul.so
#11 0x00007ffff437bcc2 in mozilla::VsyncRefreshDriverTimer::RefreshDriverVsyncObserver::TickRefreshDriver(mozilla::TimeStamp) () from /usr/lib64/firefox/libxul.so
#12 0x00007ffff437a1a9 in nsRunnableMethodImpl<void (mozilla::VsyncRefreshDriverTimer::RefreshDriverVsyncObserver::*)(mozilla::TimeStamp), true, mozilla::TimeStamp>::Run() () from /usr/lib64/firefox/libxul.so
#13 0x00007ffff28a7882 in nsThread::ProcessNextEvent(bool, bool*) () from /usr/lib64/firefox/libxul.so
#14 0x00007ffff28cfa5b in NS_ProcessNextEvent(nsIThread*, bool) () from /usr/lib64/firefox/libxul.so
#15 0x00007ffff2b5264e in mozilla::ipc::MessagePump::Run(base::MessagePump::Delegate*) () from /usr/lib64/firefox/libxul.so
#16 0x00007ffff2b24646 in MessageLoop::Run() () from /usr/lib64/firefox/libxul.so
#17 0x00007ffff41de9be in nsBaseAppShell::Run() () from /usr/lib64/firefox/libxul.so
#18 0x00007ffff4991bdf in nsAppStartup::Run() () from /usr/lib64/firefox/libxul.so
#19 0x00007ffff49ddef9 in XREMain::XRE_mainRun() () from /usr/lib64/firefox/libxul.so
#20 0x00007ffff49de211 in XREMain::XRE_main(int, char**, nsXREAppData const*) () from /usr/lib64/firefox/libxul.so
#21 0x00007ffff49de457 in XRE_main () from /usr/lib64/firefox/libxul.so
#22 0x000055555555bcfd in do_main(int, char**, nsIFile*) ()
#23 0x000055555555b347 in main ()


$ firefox --version
Mozilla Firefox 41.0.2
"Self-built" with -ggdb using Gentoo's package manager.
Looks somewhat similar to https://bugzilla.mozilla.org/show_bug.cgi?id=1112741 in that they end in js::ConstraintTypeSet::sweep, but the bt to there looks different, so I'm filing a new bug.
Don't know if it's relevant, but one of the last things I get as output in the CLI where FF is running is:

[NPAPI 15269] ###!!! ABORT: Aborting on channel error.: file /var/tmp/portage/www-client/firefox-41.0.2/work/mozilla-release/ipc/glue/MessageChannel.cpp, line 1768

Got another crash of what might be the same error:

Program received signal SIGSEGV, Segmentation fault.
0x00007ffff4f8f65b in js::ConstraintTypeSet::sweep(JS::Zone*, js::AutoClearTypeInferenceStateOnOOM&) () from /usr/lib64/firefox/libxul.so
(gdb) bt
#0  0x00007ffff4f8f65b in js::ConstraintTypeSet::sweep(JS::Zone*, js::AutoClearTypeInferenceStateOnOOM&) () from /usr/lib64/firefox/libxul.so
#1  0x00007ffff4f6dd25 in JSScript::maybeSweepTypes(js::AutoClearTypeInferenceStateOnOOM*) () from /usr/lib64/firefox/libxul.so
#2  0x00007ffff53113b3 in js::gc::GCRuntime::sweepPhase(js::SliceBudget&) () from /usr/lib64/firefox/libxul.so
#3  0x00007ffff5311b6d in js::gc::GCRuntime::incrementalCollectSlice(js::SliceBudget&, JS::gcreason::Reason) () from /usr/lib64/firefox/libxul.so
#4  0x00007ffff5312855 in js::gc::GCRuntime::gcCycle(bool, js::SliceBudget&, JS::gcreason::Reason) () from /usr/lib64/firefox/libxul.so
#5  0x00007ffff5312b4d in js::gc::GCRuntime::collect(bool, js::SliceBudget, JS::gcreason::Reason) () from /usr/lib64/firefox/libxul.so
#6  0x00007ffff5314330 in JS::IncrementalGCSlice(JSRuntime*, JS::gcreason::Reason, long) () from /usr/lib64/firefox/libxul.so
#7  0x00007ffff343f09c in nsJSContext::GarbageCollectNow(JS::gcreason::Reason, nsJSContext::IsIncremental, nsJSContext::IsShrinking, long) () from /usr/lib64/firefox/libxul.so
#8  0x00007ffff28a9198 in nsTimerImpl::Fire() () from /usr/lib64/firefox/libxul.so
#9  0x00007ffff28a9525 in nsTimerEvent::Run() () from /usr/lib64/firefox/libxul.so
#10 0x00007ffff28a7882 in nsThread::ProcessNextEvent(bool, bool*) () from /usr/lib64/firefox/libxul.so
#11 0x00007ffff28cfa5b in NS_ProcessNextEvent(nsIThread*, bool) () from /usr/lib64/firefox/libxul.so
#12 0x00007ffff2b5264e in mozilla::ipc::MessagePump::Run(base::MessagePump::Delegate*) () from /usr/lib64/firefox/libxul.so
#13 0x00007ffff2b24646 in MessageLoop::Run() () from /usr/lib64/firefox/libxul.so
#14 0x00007ffff41de9be in nsBaseAppShell::Run() () from /usr/lib64/firefox/libxul.so
#15 0x00007ffff4991bdf in nsAppStartup::Run() () from /usr/lib64/firefox/libxul.so
#16 0x00007ffff49ddef9 in XREMain::XRE_mainRun() () from /usr/lib64/firefox/libxul.so
#17 0x00007ffff49de211 in XREMain::XRE_main(int, char**, nsXREAppData const*) () from /usr/lib64/firefox/libxul.so
#18 0x00007ffff49de457 in XRE_main () from /usr/lib64/firefox/libxul.so
#19 0x000055555555bcfd in do_main(int, char**, nsIFile*) ()
#20 0x000055555555b347 in main ()

OS: Unspecified → Linux
Hardware: Unspecified → x86_64

Should be fixed in Firefox 42. See Bug 1191465.

Status: UNCONFIRMED → RESOLVED
Closed: 4 years ago
Resolution: --- → DUPLICATE
Duplicate of bug: 1191465