Closed
Bug 1259387
Opened 8 years ago
Closed 5 years ago
crash in js::AutoEnterOOMUnsafeRegion::crash | js::GCHashSetOperations<T>::lookupForAdd
Categories
(Core :: JavaScript: GC, defect)
Tracking
()
RESOLVED
WORKSFORME
Tracking | Status | |
---|---|---|
firefox45 | --- | wontfix |
firefox47 | --- | affected |
firefox-esr45 | --- | affected |
firefox53 | --- | unaffected |
firefox54 | --- | unaffected |
firefox55 | --- | unaffected |
People
(Reporter: calixte, Unassigned)
References
Details
(Keywords: crash, regression, topcrash)
Crash Data
This bug was filed from the Socorro interface and is report bp-13a3d395-3577-4241-98f4-0dde62160324. ============================================================= This crash is #28 (with 1226 crashes) and occured mainly in 45.0.1. Frame Module Signature Source 0 xul.dll js::AutoEnterOOMUnsafeRegion::crash(char const*) js/src/jscntxt.cpp 1 xul.dll js::GCHashSetOperations<JS::MutableHandle<js::GCHashSet<JSObject*, js::MovableCellHasher<JSObject*>, js::TempAllocPolicy, js::DefaultGCPolicy<JSObject*> > >, JSObject*, js::MovableCellHasher<JSObject*>, js::TempAllocPolicy, js::DefaultGCPolicy<JSObject*> >::lookupForAdd(JSObject* const&) js/public/GCHashTable.h 2 xul.dll JO js/src/json.cpp 3 xul.dll Str js/src/json.cpp 4 xul.dll JO js/src/json.cpp 5 xul.dll Str js/src/json.cpp 6 xul.dll js::GCHashSet<JSObject*, js::MovableCellHasher<JSObject*>, js::TempAllocPolicy, js::DefaultGCPolicy<JSObject*> >::trace(JSTracer*) js/public/GCHashTable.h
Reporter | ||
Comment 1•8 years ago
|
||
No crash in 46: - 45.*: 98.4% - 47.*: 1.6% This crash rose by 2000% since 2016-03-17.
Keywords: topcrash
Reporter | ||
Comment 2•8 years ago
|
||
No specific URLs
Reporter | ||
Updated•8 years ago
|
Crash Signature: [@ js::AutoEnterOOMUnsafeRegion::crash | js::GCHashSetOperations<T>::lookupForAdd] → [@ js::AutoEnterOOMUnsafeRegion::crash | js::GCHashSetOperations<T>::lookupForAdd]
[@ OOM | unknown | js::AutoEnterOOMUnsafeRegion::crash | js::GCHashSetOperations<T>::lookupForAdd]
Comment 3•8 years ago
|
||
The crashes I looked at are all inside a call to CycleDetector::foundCycle() in json.cpp, called from inside GCHashSet::trace(). Off-hand, it looks like we're doing JSON stringification during tracing? That sounds bad. This is an AutoEnterOOMUnsafeRegion crash where it would be nice to get a size annotation. (Unlike the other common ones that are likely failing due to a need for a new chunk.) This table is likely getting very large. Maybe this is a regression from bug 1224048, though if it isn't showing up in 46 or later maybe it was fixed somehow. Do you have any idea, Terrence?
Flags: needinfo?(terrence)
Comment 4•8 years ago
|
||
The OOM|small is not the real story here. Click on the "Show other threads" link. The most recent 3 crashes have 1191, 361, and 1128 threads reported in the crashdump. I expect that's the real problem.
Flags: needinfo?(terrence)
Comment 5•8 years ago
|
||
(In reply to Terrence Cole [:terrence] from comment #4) > The OOM|small is not the real story here. It isn't clear that this is an OOM|small. Hash tables can grow very large. > Click on the "Show other threads" > link. The most recent 3 crashes have 1191, 361, and 1128 threads reported in > the crashdump. I expect that's the real problem. That does sound bad. I vaguely recall a bug about media code creating too many threads, so maybe that's related? I haven't been able to find the bug yet.
Comment 6•8 years ago
|
||
Anyways, if this is only affecting 45 in any great volume, I suppose it isn't worth spending much time thinking about this.
Comment 7•8 years ago
|
||
Looks like this moved to CycleDetector::foundCycle in 45.0.2
Crash Signature: [@ js::AutoEnterOOMUnsafeRegion::crash | js::GCHashSetOperations<T>::lookupForAdd]
[@ OOM | unknown | js::AutoEnterOOMUnsafeRegion::crash | js::GCHashSetOperations<T>::lookupForAdd] → [@ js::AutoEnterOOMUnsafeRegion::crash | js::GCHashSetOperations<T>::lookupForAdd]
[@ OOM | unknown | js::AutoEnterOOMUnsafeRegion::crash | js::GCHashSetOperations<T>::lookupForAdd]
[@ OOM | unknown | js::AutoEnterOOMUnsafeRegion::crash | CycleDetector:…
Comment 8•8 years ago
|
||
(In reply to Robert Kaiser from comment #7) > Looks like this moved to CycleDetector::foundCycle in 45.0.2 Even that trickled down toward zero https://crash-stats.mozilla.com/signature/?date=%3E2016-05-01&signature=OOM%20%7C%20unknown%20%7C%20js%3A%3AAutoEnterOOMUnsafeRegion%3A%3Acrash%20%7C%20CycleDetector%3A%3AfoundCycle#graphs
Updated•7 years ago
|
status-firefox53:
--- → unaffected
status-firefox54:
--- → unaffected
status-firefox55:
--- → unaffected
status-firefox-esr45:
--- → affected
OS: Windows NT → Windows
Comment 10•5 years ago
|
||
Closing because no crashes reported for 12 weeks.
Status: NEW → RESOLVED
Closed: 5 years ago
Resolution: --- → WORKSFORME
Comment 11•5 years ago
|
||
Bugbug thinks this bug is a regression, but please revert this change in case of error.
Keywords: regression
You need to log in
before you can comment on or make changes to this bug.
Description
•