Closed Bug 1259387 Opened 4 years ago Closed 2 months ago

crash in js::AutoEnterOOMUnsafeRegion::crash | js::GCHashSetOperations<T>::lookupForAdd

Categories

(Core :: JavaScript: GC, defect, critical)

45 Branch
x86
Windows

RESOLVED WORKSFORME
Tracking Status
firefox45 --- wontfix
firefox47 --- affected
firefox-esr45 --- affected
firefox53 --- unaffected
firefox54 --- unaffected
firefox55 --- unaffected

People

(Reporter: calixte, Unassigned)

(Keywords: crash, regression, topcrash)

This bug was filed from the Socorro interface and is 
report bp-13a3d395-3577-4241-98f4-0dde62160324.
=============================================================

This crash is #28 (with 1226 crashes) and occurred mainly in 45.0.1.

Frame 	Module 	Signature 	Source
0 	xul.dll 	js::AutoEnterOOMUnsafeRegion::crash(char const*) 	js/src/jscntxt.cpp
1 	xul.dll 	js::GCHashSetOperations<JS::MutableHandle<js::GCHashSet<JSObject*, js::MovableCellHasher<JSObject*>, js::TempAllocPolicy, js::DefaultGCPolicy<JSObject*> > >, JSObject*, js::MovableCellHasher<JSObject*>, js::TempAllocPolicy, js::DefaultGCPolicy<JSObject*> >::lookupForAdd(JSObject* const&) 	js/public/GCHashTable.h
2 	xul.dll 	JO 	js/src/json.cpp
3 	xul.dll 	Str 	js/src/json.cpp
4 	xul.dll 	JO 	js/src/json.cpp
5 	xul.dll 	Str 	js/src/json.cpp
6 	xul.dll 	js::GCHashSet<JSObject*, js::MovableCellHasher<JSObject*>, js::TempAllocPolicy, js::DefaultGCPolicy<JSObject*> >::trace(JSTracer*) 	js/public/GCHashTable.h
No crash in 46:
  - 45.*: 98.4%
  - 47.*: 1.6%
This crash rose by 2000% since 2016-03-17.
Keywords: topcrash
No specific URLs
Crash Signature: [@ js::AutoEnterOOMUnsafeRegion::crash | js::GCHashSetOperations<T>::lookupForAdd] → [@ js::AutoEnterOOMUnsafeRegion::crash | js::GCHashSetOperations<T>::lookupForAdd] [@ OOM | unknown | js::AutoEnterOOMUnsafeRegion::crash | js::GCHashSetOperations<T>::lookupForAdd]
The crashes I looked at are all inside a call to CycleDetector::foundCycle() in json.cpp, called from inside GCHashSet::trace(). Off-hand, it looks like we're doing JSON stringification during tracing? That sounds bad.

This is an AutoEnterOOMUnsafeRegion crash where it would be nice to get a size annotation. (Unlike the other common ones that are likely failing due to a need for a new chunk.) This table is likely getting very large.

Maybe this is a regression from bug 1224048, though if it isn't showing up in 46 or later maybe it was fixed somehow.

Do you have any idea, Terrence?
Flags: needinfo?(terrence)
The OOM|small is not the real story here. Click on the "Show other threads" link. The most recent 3 crashes have 1191, 361, and 1128 threads reported in the crashdump. I expect that's the real problem.
Flags: needinfo?(terrence)
(In reply to Terrence Cole [:terrence] from comment #4)
> The OOM|small is not the real story here.

It isn't clear that this is an OOM|small. Hash tables can grow very large.

> Click on the "Show other threads"
> link. The most recent 3 crashes have 1191, 361, and 1128 threads reported in
> the crashdump. I expect that's the real problem.

That does sound bad. I vaguely recall a bug about media code creating too many threads, so maybe that's related? I haven't been able to find the bug yet.
Anyways, if this is only affecting 45 in any great volume, I suppose it isn't worth spending much time thinking about this.
Looks like this moved to CycleDetector::foundCycle in 45.0.2
Crash Signature: [@ js::AutoEnterOOMUnsafeRegion::crash | js::GCHashSetOperations<T>::lookupForAdd] [@ OOM | unknown | js::AutoEnterOOMUnsafeRegion::crash | js::GCHashSetOperations<T>::lookupForAdd] → [@ js::AutoEnterOOMUnsafeRegion::crash | js::GCHashSetOperations<T>::lookupForAdd] [@ OOM | unknown | js::AutoEnterOOMUnsafeRegion::crash | js::GCHashSetOperations<T>::lookupForAdd] [@ OOM | unknown | js::AutoEnterOOMUnsafeRegion::crash | CycleDetector:…
Duplicate of this bug: 1271033

Closing because no crashes reported for 12 weeks.

Status: NEW → RESOLVED
Closed: 2 months ago
Resolution: --- → WORKSFORME

Bugbug thinks this bug is a regression, but please revert this change in case of error.

Keywords: regression