Closed Bug 1240231 Opened 8 years ago Closed 8 years ago

Intermittent browser_wa_properties-view-params.js | application crashed [@ js::gc::ZoneCellIterUnderGC::ZoneCellIterUnderGC(JS::Zone*, js::gc::AllocKind)]

Categories

(Core :: JavaScript: GC, defect)

RESOLVED DUPLICATE of bug 1237795

People

(Reporter: KWierso, Unassigned)

Details

(Keywords: assertion, crash, intermittent-failure)

GC crash it appears. Terrence, any thoughts? :)

Assertion failure: zone->runtimeFromAnyThread()->gc.nursery.isEmpty(), at /builds/slave/try-m64-d-00000000000000000000/build/src/js/src/jsgcinlines.h:247

 10:09:46  WARNING -  PROCESS-CRASH | devtools/client/webaudioeditor/test/browser_wa_properties-view-params.js | application crashed [@ js::gc::ZoneCellIterUnderGC::ZoneCellIterUnderGC(JS::Zone*, js::gc::AllocKind)]
 10:09:46     INFO -  Crash dump filename: /var/folders/5D/5DY0jF3XFEWKauREF9-mc++++-k/-Tmp-/tmpwHftMz.mozrunner/minidumps/B03B8423-5583-40E3-997E-AF7B3B7D6208.dmp
 10:09:46     INFO -  Operating system: Mac OS X
 10:09:46     INFO -                    10.6.8 10K549
 10:09:46     INFO -  CPU: amd64
 10:09:46     INFO -       family 6 model 23 stepping 10
 10:09:46     INFO -       2 CPUs
 10:09:46     INFO -  Crash reason:  EXC_BAD_ACCESS / KERN_INVALID_ADDRESS
 10:09:46     INFO -  Crash address: 0x0
 10:09:46     INFO -  Process uptime: 119 seconds
 10:09:46     INFO -  Thread 0 (crashed)
 10:09:46     INFO -   0  XUL!js::gc::ZoneCellIterUnderGC::ZoneCellIterUnderGC(JS::Zone*, js::gc::AllocKind) [jsgcinlines.h:bc058a50af58 : 247 + 0x0]
 10:09:46     INFO -      rax = 0x0000000000000000   rdx = 0x0000000000000000
 10:09:46     INFO -      rcx = 0x0000000000000001   rbx = 0x00007fff7012b2f8
 10:09:46     INFO -      rsi = 0x0000000000000000   rdi = 0x00007fff7012ea60
 10:09:46     INFO -      rbp = 0x00007fff5fbf90e0   rsp = 0x00007fff5fbf90c0
 10:09:46     INFO -       r8 = 0x00007fff7012ea60    r9 = 0x0000000000000000
 10:09:46     INFO -      r10 = 0x0000000000000400   r11 = 0x0000000000000246
 10:09:46     INFO -      r12 = 0x000000011da08000   r13 = 0x0000000135be2000
 10:09:46     INFO -      r14 = 0x000000000000000e   r15 = 0x000000012526d000
 10:09:46     INFO -      rip = 0x0000000106139a11
 10:09:46     INFO -      Found by: given as instruction pointer in context
 10:09:46     INFO -   1  XUL!js::IterateScripts(JSRuntime*, JSCompartment*, void*, void (*)(JSRuntime*, void*, JSScript*)) [jsgcinlines.h:bc058a50af58 : 246 + 0xa]
 10:09:46     INFO -      rbx = 0x000000011da08750   rbp = 0x00007fff5fbf91d0
 10:09:46     INFO -      rsp = 0x00007fff5fbf90f0   r12 = 0x000000011da08000
 10:09:46     INFO -      r13 = 0x0000000135be2000   r14 = 0x0000000106251ff0
 10:09:46     INFO -      r15 = 0x00007fff5fbf92a0   rip = 0x000000010647ef0f
 10:09:46     INFO -      Found by: call frame info
 10:09:46     INFO -   2  XUL!js::Debugger::ScriptQuery::findScripts() [Debugger.cpp:bc058a50af58 : 3800 + 0xf]
 10:09:46     INFO -      rbx = 0x00007fff5fbf9288   rbp = 0x00007fff5fbf9260
 10:09:46     INFO -      rsp = 0x00007fff5fbf91e0   r12 = 0x000000010b270000
 10:09:46     INFO -      r13 = 0x00007fff5fbf92a0   r14 = 0x00007fff5fbf95c8
 10:09:46     INFO -      r15 = 0x0000000121323800   rip = 0x0000000106243b7a
 10:09:46     INFO -      Found by: call frame info
 10:09:46     INFO -   3  XUL!js::Debugger::findScripts(JSContext*, unsigned int, JS::Value*) [Debugger.cpp:bc058a50af58 : 4056 + 0x5]
 10:09:46     INFO -      rbx = 0x00007fff5fbf9288   rbp = 0x00007fff5fbf9460
 10:09:46     INFO -      rsp = 0x00007fff5fbf9270   r12 = 0x000000010b270000
 10:09:46     INFO -      r13 = 0x00007fff5fbf95d8   r14 = 0x00007fff5fbf95c8
 10:09:46     INFO -      r15 = 0x0000000121323800   rip = 0x000000010621a172
 10:09:46     INFO -      Found by: call frame info
 10:09:46     INFO -   4  XUL!js::CallJSNative(JSContext*, bool (*)(JSContext*, unsigned int, JS::Value*), JS::CallArgs const&) [jscntxtinlines.h:bc058a50af58 : 235 + 0x5]
 10:09:46     INFO -      rbx = 0x0000000106219f90   rbp = 0x00007fff5fbf94b0
 10:09:46     INFO -      rsp = 0x00007fff5fbf9470   r12 = 0x00007fff5fbf9570
 10:09:46     INFO -      r13 = 0x00007fff5fbf9480   r14 = 0x000000010b270000
 10:09:46     INFO -      r15 = 0x00000000ffffffff   rip = 0x0000000106298695
 10:09:46     INFO -      Found by: call frame info
 10:09:46     INFO -   5  XUL!js::Invoke(JSContext*, JS::CallArgs const&, js::MaybeConstruct) [Interpreter.cpp:bc058a50af58 : 463 + 0xe]
 10:09:46     INFO -      rbx = 0x00007fff5fbf9570   rbp = 0x00007fff5fbf9540
 10:09:46     INFO -      rsp = 0x00007fff5fbf94c0   r12 = 0x0000000000000000
 10:09:46     INFO -      r13 = 0x0000000000000002   r14 = 0x000000011da08000
 10:09:46     INFO -      r15 = 0x000000010b270000   rip = 0x0000000106265ace
 10:09:46     INFO -      Found by: call frame info
 10:09:46     INFO -   6  XUL!js::Invoke(JSContext*, JS::Value const&, JS::Value const&, unsigned int, JS::Value const*, JS::MutableHandle<JS::Value>) [Interpreter.cpp:bc058a50af58 : 527 + 0xc]
 10:09:46     INFO -      rbx = 0x0000000000000000   rbp = 0x00007fff5fbf9640
 10:09:46     INFO -      rsp = 0x00007fff5fbf9550   r12 = 0x00007fff5fbf9570
 10:09:46     INFO -      r13 = 0x00007fff5fbf9660   r14 = 0x0000000000000001
 10:09:46     INFO -      r15 = 0x000000011faf52e8   rip = 0x000000010628bdb0
 10:09:46     INFO -      Found by: call frame info
 10:09:46     INFO -   7  XUL!js::DirectProxyHandler::call(JSContext*, JS::Handle<JSObject*>, JS::CallArgs const&) const [DirectProxyHandler.cpp:bc058a50af58 : 77 + 0x8]
 10:09:46     INFO -      rbx = 0x000000010b270000   rbp = 0x00007fff5fbf9680
 10:09:46     INFO -      rsp = 0x00007fff5fbf9650   r12 = 0x0000000000000001
 10:09:46     INFO -      r13 = 0x00000001078dd090   r14 = 0x00007fff5fbf97f8
 10:09:46     INFO -      r15 = 0x00007fff5fbf9650   rip = 0x00000001061daaa2
 10:09:46     INFO -      Found by: call frame info
 10:09:46     INFO -   8  XUL!js::CrossCompartmentWrapper::call(JSContext*, JS::Handle<JSObject*>, JS::CallArgs const&) const [CrossCompartmentWrapper.cpp:bc058a50af58 : 289 + 0x13]
 10:09:46     INFO -      rbx = 0x000000010b270000   rbp = 0x00007fff5fbf9700
 10:09:46     INFO -      rsp = 0x00007fff5fbf9690   r12 = 0x0000000000000001
 10:09:46     INFO -      r13 = 0x00000001078dd090   r14 = 0x00007fff5fbf97f8
 10:09:46     INFO -      r15 = 0x00007fff5fbf97f0   rip = 0x00000001061bef6f
 10:09:46     INFO -      Found by: call frame info
 10:09:46     INFO -   9  XUL!xpc::AddonWrapper<js::CrossCompartmentWrapper>::call(JSContext*, JS::Handle<JSObject*>, JS::CallArgs const&) const [AddonWrapper.cpp:bc058a50af58 : 141 + 0x11]
 10:09:46     INFO -      rbx = 0x000000010b270000   rbp = 0x00007fff5fbf9740
 10:09:46     INFO -      rsp = 0x00007fff5fbf9710   r12 = 0x000000010833a060
 10:09:46     INFO -      r13 = 0x00000001088c3120   r14 = 0x00007fff5fbf97f8
 10:09:46     INFO -      r15 = 0x00007fff5fbf97f0   rip = 0x00000001025a1a6e
 10:09:46     INFO -      Found by: call frame info
 10:09:46     INFO -  10  XUL!js::Proxy::call(JSContext*, JS::Handle<JSObject*>, JS::CallArgs const&) [Proxy.cpp:bc058a50af58 : 391 + 0x14]
 10:09:46     INFO -      rbx = 0x000000010b270000   rbp = 0x00007fff5fbf97d0
 10:09:46     INFO -      rsp = 0x00007fff5fbf9750   r12 = 0x000000010833a060
 10:09:46     INFO -      r13 = 0x00000001088c3120   r14 = 0x000000010881ca30
 10:09:46     INFO -      r15 = 0x00007fff5fbf97f0   rip = 0x00000001061df66b
 10:09:46     INFO -      Found by: call frame info
 10:09:46     INFO -  11  XUL!js::proxy_Call(JSContext*, unsigned int, JS::Value*) [Proxy.cpp:bc058a50af58 : 683 + 0x8]
 10:09:46     INFO -      rbx = 0x000000010b270000   rbp = 0x00007fff5fbf9820
 10:09:46     INFO -      rsp = 0x00007fff5fbf97e0   r12 = 0x00007fff5fbf9a58
 10:09:46     INFO -      r13 = 0x00007fff5fbf9840   r14 = 0x00007fff5fbf97e0
 10:09:46     INFO -      r15 = 0x00000000ffffffff   rip = 0x00000001061e0f6e
 10:09:46     INFO -      Found by: call frame info
 10:09:46     INFO -  12  XUL!js::CallJSNative(JSContext*, bool (*)(JSContext*, unsigned int, JS::Value*), JS::CallArgs const&) [jscntxtinlines.h:bc058a50af58 : 235 + 0x5]
 10:09:46     INFO -      rbx = 0x00000001061e0ee0   rbp = 0x00007fff5fbf9870
 10:09:46     INFO -      rsp = 0x00007fff5fbf9830   r12 = 0x00007fff5fbf9a58
 10:09:46     INFO -      r13 = 0x00007fff5fbf9840   r14 = 0x000000010b270000
 10:09:46     INFO -      r15 = 0x00000000ffffffff   rip = 0x0000000106298695
 10:09:46     INFO -      Found by: call frame info
 10:09:46     INFO -  13  XUL!js::Invoke(JSContext*, JS::CallArgs const&, js::MaybeConstruct) [Interpreter.cpp:bc058a50af58 : 463 + 0xe]
 10:09:46     INFO -      rbx = 0x00007fff5fbf9a58   rbp = 0x00007fff5fbf9900
 10:09:46     INFO -      rsp = 0x00007fff5fbf9880   r12 = 0x0000000000000000
 10:09:46     INFO -      r13 = 0x0000000000000002   r14 = 0x000000011da08000
 10:09:46     INFO -      r15 = 0x000000010b270000   rip = 0x0000000106265ace
 10:09:46     INFO -      Found by: call frame info
 10:09:46     INFO -  14  XUL!Interpret [Interpreter.cpp:bc058a50af58 : 2798 + 0xa]
 10:09:46     INFO -      rbx = 0x000000011faf52e0   rbp = 0x00007fff5fbf9de0
 10:09:46     INFO -      rsp = 0x00007fff5fbf9910   r12 = 0x00007fff5fbf9ca0
 10:09:46     INFO -      r13 = 0x000000010b270000   r14 = 0x000000010b270000
 10:09:46     INFO -      r15 = 0xfffc000000000000   rip = 0x00000001062823d0
 10:09:46     INFO -      Found by: call frame info
 10:09:46     INFO -  15  XUL!js::RunScript(JSContext*, js::RunState&) [Interpreter.cpp:bc058a50af58 : 425 + 0xb]
 10:09:46     INFO -      rbx = 0x0000000124a90f30   rbp = 0x00007fff5fbf9e30
 10:09:46     INFO -      rsp = 0x00007fff5fbf9df0   r12 = 0x0000000000000000
 10:09:46     INFO -      r13 = 0x0000000000000002   r14 = 0x00007fff5fbf9e60
 10:09:46     INFO -      r15 = 0x000000010b270000   rip = 0x0000000106276492
 10:09:46     INFO -      Found by: call frame info
Component: Developer Tools: Web Audio Editor → JavaScript: GC
Flags: needinfo?(terrence)
Keywords: assertion, crash
Product: Firefox → Core
NPE with no poison values in the regs indicates an actual nullptr in either the zone or zone->runtime_. Jim landed a patch to Debugger::findScripts very recently in bug 1239813, I think to try to fix this, or something like it. Forwarding the NI? to Jim and Steve.
Flags: needinfo?(terrence)
Flags: needinfo?(sphink)
Flags: needinfo?(jimb)
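
The triage step described in the comment above (a null crash address with no poison values in the registers points at a genuine nullptr rather than a stale pointer into freed memory), as an added example that is not part of the bug thread or of Mozilla's tooling. The poison bytes 0xe5 and 0x4b are assumptions not stated on this page; `PAGE_LOG` is excerpted from the log above and `POISONED_LOG` is constructed.

```python
import re

# Assumed fill bytes (not stated on this page): 0xe5 as the allocator's
# freed-memory fill, 0x4b as the GC's swept-tenured-cell pattern.
POISON_BYTES = {0xE5, 0x4B}
REG_RE = re.compile(r"\b(r[a-z0-9]{1,2})\s*=\s*0x([0-9a-fA-F]{16})")
FRAME_RE = re.compile(r"INFO -\s+(\d+)\s+(\S+?)!(.+?) \[")
ADDR_RE = re.compile(r"Crash address:\s*0x([0-9a-fA-F]+)")

# Excerpt of the log on this page (crash address and start of frame 0).
PAGE_LOG = """\
 10:09:46     INFO -  Crash address: 0x0
 10:09:46     INFO -   0  XUL!js::gc::ZoneCellIterUnderGC::ZoneCellIterUnderGC(JS::Zone*, js::gc::AllocKind) [jsgcinlines.h:bc058a50af58 : 247 + 0x0]
 10:09:46     INFO -      rax = 0x0000000000000000   rdx = 0x0000000000000000
 10:09:46     INFO -      rcx = 0x0000000000000001   rbx = 0x00007fff7012b2f8
"""
# Constructed contrast case: same log, one register holding a poison fill.
POISONED_LOG = PAGE_LOG.replace("rdx = 0x0000000000000000",
                                "rdx = 0xe5e5e5e5e5e5e5e5")


def is_poison(value):
    """True if all eight bytes of the value are the same poison byte."""
    raw = value.to_bytes(8, "big")
    return raw[0] in POISON_BYTES and len(set(raw)) == 1


def triage(log_text):
    """Classify a crash from its crash address and frame-0 registers."""
    crash_addr, frame, poisoned = None, None, []
    for line in log_text.splitlines():
        if (m := ADDR_RE.search(line)):
            crash_addr = int(m.group(1), 16)
        elif (m := FRAME_RE.search(line)):
            frame = int(m.group(1))          # registers that follow belong here
        elif frame == 0:                     # only the crashing frame's context
            poisoned += [(reg, val) for reg, val in REG_RE.findall(line)
                         if is_poison(int(val, 16))]
    if poisoned:
        verdict = "poisoned-pointer"         # stale pointer into freed memory
    elif crash_addr is not None and crash_addr < 0x1000:
        verdict = "plain-null-deref"         # an actual nullptr was dereferenced
    else:
        verdict = "other"
    return verdict, poisoned
```
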
Hm. The recent change was bug 1239813, which added an AutoEnterIteration guard to prevent findScripts from holding a ScriptQuery object live across a GC that might collect one of the compartments it was storing.

I would guess that something is not happy in the situation where you have a compartment that is now empty and would have been GC'd had it not been suppressed. Though I don't see it. The most dangerous path seems to be if our ScriptQuery has a single compartment, in which case IterateScripts will grab that compartment's zone (which would presumably be the nullptr that we're crashing on here.) zone_ is just a field on the compartment, so I don't see how that could break?
Flags: needinfo?(sphink)
I landed bug 1239813 seven days ago, but this crash has been occurring for around five weeks.

Jandem drafted some assertions in bug 1239813 that should give some insight into these. I've pinged him to get them landed.
Flags: needinfo?(jimb)
This crash is pretty easy to hit on OSX w/ e10s enabled, FWIW.
See Also: → 1237795
See Also: → 1262015
Status: NEW → RESOLVED
Closed: 8 years ago
Resolution: --- → DUPLICATE
See Also: 1237795