Closed Bug 1287047 Opened 8 years ago Closed 8 years ago

Intermittent devtools/client/webconsole/test/browser_console_optimized_out_vars.js | A promise chain failed to handle a rejection: - [object Object]

Categories

(Core :: JavaScript: GC, defect, P3)

RESOLVED FIXED
mozilla52
Tracking Status
firefox50 --- unaffected
firefox51 --- fixed
firefox52 --- fixed

People

(Reporter: intermittent-bug-filer, Assigned: shu)

Details

(Keywords: assertion, crash, intermittent-failure)

Attachments

(1 file)

Priority: -- → P3
Has a nice assertion and crash to go with it.

11:53:05     INFO -  Assertion failure: preconditionForWriteBarrierPost(owner, kind, slot, target), at /builds/slave/m-cen-m64-d-000000000000000000/build/src/js/src/gc/Barrier.h:703

11:56:38  WARNING -  PROCESS-CRASH | Main app process exited normally | application crashed [@ js::HeapSlot::post(js::NativeObject*, js::HeapSlot::Kind, unsigned int, JS::Value const&)]
11:56:38     INFO -  Crash dump filename: /var/folders/46/dyhgxyws7270nkhp4l7t8z0800000w/T/tmpwYoJno.mozrunner/minidumps/06100F3C-B439-4641-8E53-1EB384D9A128.dmp
11:56:38     INFO -  Operating system: Mac OS X
11:56:38     INFO -                    10.10.5 14F27
11:56:38     INFO -  CPU: amd64
11:56:38     INFO -       family 6 model 69 stepping 1
11:56:38     INFO -       4 CPUs
11:56:38     INFO -  Crash reason:  EXC_BAD_ACCESS / KERN_INVALID_ADDRESS
11:56:38     INFO -  Crash address: 0x0
11:56:38     INFO -  Process uptime: 113 seconds
11:56:38     INFO -  Thread 0 (crashed)
11:56:38     INFO -   0  XUL!js::HeapSlot::post(js::NativeObject*, js::HeapSlot::Kind, unsigned int, JS::Value const&) [Barrier.h:ce2a0cbdb4e8 : 703 + 0x0]
11:56:38     INFO -      rax = 0x0000000000000000   rdx = 0x00007fff741951f8
11:56:38     INFO -      rcx = 0x0000000000000000   rbx = 0x00007fff74195c50
11:56:38     INFO -      rsi = 0x00014f0000014f00   rdi = 0x00014e0000014f03
11:56:38     INFO -      rbp = 0x00007fff5e02b1a0   rsp = 0x00007fff5e02b160
11:56:38     INFO -       r8 = 0x00007fff5e02b110    r9 = 0x00007fff73d0b300
11:56:38     INFO -      r10 = 0x0000000000000000   r11 = 0x0000000000000246
11:56:38     INFO -      r12 = 0x0000000000000000   r13 = 0x0000000110408238
11:56:38     INFO -      r14 = 0x00007fff5e02b278   r15 = 0x0000000000000001
11:56:38     INFO -      rip = 0x0000000106a9af7e
11:56:38     INFO -      Found by: given as instruction pointer in context
11:56:38     INFO -   1  XUL!js::CallObject::createHollowForDebug(JSContext*, JS::Handle<JSFunction*>) [Barrier.h:ce2a0cbdb4e8 : 680 + 0xf]
11:56:38     INFO -      rbx = 0x0000000110408238   rbp = 0x00007fff5e02b340
11:56:38     INFO -      rsp = 0x00007fff5e02b1b0   r12 = 0x00007fff5e02b2e0
11:56:38     INFO -      r13 = 0x000000010f46d000   r14 = 0x00007fff5e02b278
11:56:38     INFO -      r15 = 0x00007fff5e02b210   rip = 0x0000000106a2adf8
11:56:38     INFO -      Found by: call frame info
11:56:38     INFO -   2  XUL!GetDebugEnvironment [EnvironmentObject.cpp:ce2a0cbdb4e8 : 2878 + 0x8]
11:56:38     INFO -      rbx = 0x00007fff5e02b410   rbp = 0x00007fff5e02b440
11:56:38     INFO -      rsp = 0x00007fff5e02b350   r12 = 0x000000010f46d000
11:56:38     INFO -      r13 = 0x00007fff5e02b388   r14 = 0x00007fff5e02b458
11:56:38     INFO -      r15 = 0x00007fff5e02b3a0   rip = 0x0000000106a385c9
11:56:38     INFO -      Found by: call frame info
11:56:38     INFO -   3  XUL!js::GetDebugEnvironmentForFrame(JSContext*, js::AbstractFramePtr, unsigned char*) [EnvironmentObject.cpp:ce2a0cbdb4e8 : 2966 + 0xb]
11:56:38     INFO -      rbx = 0x000000010f46d000   rbp = 0x00007fff5e02b4c0
11:56:38     INFO -      rsp = 0x00007fff5e02b450   r12 = 0x0000000000000000
11:56:38     INFO -      r13 = 0x0000000119594800   r14 = 0x00007fff5e02b458
11:56:38     INFO -      r15 = 0x0000000110a144f9   rip = 0x0000000106a088a7
11:56:38     INFO -      Found by: call frame info
11:56:38     INFO -   4  XUL!js::DebuggerFrame::getEnvironment(JSContext*, JS::Handle<js::DebuggerFrame*>, JS::MutableHandle<js::DebuggerEnvironment*>) [Debugger.cpp:ce2a0cbdb4e8 : 7282 + 0xb]
11:56:38     INFO -      rbx = 0x00007fff5e02b9c0   rbp = 0x00007fff5e02b980
11:56:38     INFO -      rsp = 0x00007fff5e02b4d0   r12 = 0x00007fff5e02b500
11:56:38     INFO -      r13 = 0x0000000119594800   r14 = 0x000000010f46d000
11:56:38     INFO -      r15 = 0x00007fff5e02b9a8   rip = 0x0000000106a08280
11:56:38     INFO -      Found by: call frame info
11:56:38     INFO -   5  XUL!js::DebuggerFrame::environmentGetter(JSContext*, unsigned int, JS::Value*) [Debugger.cpp:ce2a0cbdb4e8 : 7801 + 0x8]
11:56:38     INFO -      rbx = 0x000000010f46d000   rbp = 0x00007fff5e02ba00
11:56:38     INFO -      rsp = 0x00007fff5e02b990   r12 = 0x00007fff5e02b998
11:56:38     INFO -      r13 = 0x00007fff5e02ba20   r14 = 0x00007fff5e02bb30
11:56:38     INFO -      r15 = 0x00007fff5e02b9b0   rip = 0x0000000106a0b092
11:56:38     INFO -      Found by: call frame info
11:56:38     INFO -   6  XUL!js::CallJSNative(JSContext*, bool (*)(JSContext*, unsigned int, JS::Value*), JS::CallArgs const&) [jscntxtinlines.h:ce2a0cbdb4e8 : 235 + 0x6]
11:56:38     INFO -      rbx = 0x00007fff5e02bb40   rbp = 0x00007fff5e02ba50
11:56:38     INFO -      rsp = 0x00007fff5e02ba10   r12 = 0x00007fff5e02baf8
11:56:38     INFO -      r13 = 0x00007fff5e02ba20   r14 = 0x000000010f46d000
11:56:38     INFO -      r15 = 0x0000000106a0af80   rip = 0x0000000106ab742e
11:56:38     INFO -      Found by: call frame info
11:56:38     INFO -   7  XUL!js::InternalCallOrConstruct(JSContext*, JS::CallArgs const&, js::MaybeConstruct) [Interpreter.cpp:ce2a0cbdb4e8 : 442 + 0xe]
11:56:38     INFO -      rbx = 0x0000000000000001   rbp = 0x00007fff5e02bae0
11:56:38     INFO -      rsp = 0x00007fff5e02ba60   r12 = 0xfffdffffffffffff
11:56:38     INFO -      r13 = 0x00007fff5e02baf8   r14 = 0x000000010f46d000
11:56:38     INFO -      r15 = 0x0000000000000000   rip = 0x0000000106ab6fd9
11:56:38     INFO -      Found by: call frame info
11:56:38     INFO -   8  XUL!js::CallGetter(JSContext*, JS::Handle<JS::Value>, JS::Handle<JS::Value>, JS::MutableHandle<JS::Value>) [Interpreter.cpp:ce2a0cbdb4e8 : 518 + 0x8]
11:56:38     INFO -      rbx = 0x000000010f46d000   rbp = 0x00007fff5e02bb70
11:56:38     INFO -      rsp = 0x00007fff5e02baf0   r12 = 0x00007fff5e02bd90
11:56:38     INFO -      r13 = 0x00007fff5e02bba8   r14 = 0x00007fff5e02bb10
11:56:38     INFO -      r15 = 0x0000000110a14850   rip = 0x0000000106ab84da
11:56:38     INFO -      Found by: call frame info
11:56:38     INFO -   9  XUL!GetExistingProperty<js::AllowGC::CanGC> [NativeObject.cpp:ce2a0cbdb4e8 : 1757 + 0xe]
11:56:38     INFO -      rbx = 0x00007fff5e02bb98   rbp = 0x00007fff5e02bbe0
11:56:38     INFO -      rsp = 0x00007fff5e02bb80   r12 = 0x000000010f46d000
11:56:38     INFO -      r13 = 0x00007fff5e02bc90   r14 = 0x0000000110a14850
11:56:38     INFO -      r15 = 0x00007fff5e02bd90   rip = 0x0000000106adee00
11:56:38     INFO -      Found by: call frame info
11:56:38     INFO -  10  XUL!NativeGetPropertyInline<js::AllowGC::CanGC> [NativeObject.cpp:ce2a0cbdb4e8 : 2032 + 0x8]
11:56:38     INFO -      rbx = 0x00007fff5e02bc60   rbp = 0x00007fff5e02bd10
11:56:38     INFO -      rsp = 0x00007fff5e02bbf0   r12 = 0x000000010f46d000
11:56:38     INFO -      r13 = 0x00007fff5e02bc98   r14 = 0x0000000110a14850
11:56:38     INFO -      r15 = 0x0000000000000000   rip = 0x0000000106adf9d6
11:56:38     INFO -      Found by: call frame info
11:56:38     INFO -  11  XUL!js::Wrapper::get(JSContext*, JS::Handle<JSObject*>, JS::Handle<JS::Value>, JS::Handle<jsid>, JS::MutableHandle<JS::Value>) const [NativeObject.h:ce2a0cbdb4e8 : 1491 + 0xe]
11:56:38     INFO -      rbx = 0x00007fff5e02bf08   rbp = 0x00007fff5e02bd60
11:56:38     INFO -      rsp = 0x00007fff5e02bd20   r12 = 0x00007fff5e02bea0
11:56:38     INFO -      r13 = 0x000000010f46d000   r14 = 0x00007fff5e02bd20
11:56:38     INFO -      r15 = 0x00007fff5e02bd90   rip = 0x00000001069c5e3d
11:56:38     INFO -      Found by: call frame info
11:56:38     INFO -  12  XUL!js::CrossCompartmentWrapper::get(JSContext*, JS::Handle<JSObject*>, JS::Handle<JS::Value>, JS::Handle<jsid>, JS::MutableHandle<JS::Value>) const [CrossCompartmentWrapper.cpp:ce2a0cbdb4e8 : 209 + 0x1c]
11:56:38     INFO -      rbx = 0x000000010f46d000   rbp = 0x00007fff5e02bdc0
11:56:38     INFO -      rsp = 0x00007fff5e02bd70   r12 = 0x0000000108c2c000
11:56:38     INFO -      r13 = 0x0000000110a14850   r14 = 0x00000001086084c8
11:56:38     INFO -      r15 = 0x00007fff5e02bd90   rip = 0x0000000106970579
11:56:38     INFO -      Found by: call frame info
11:56:38     INFO -  13  XUL!js::Proxy::get(JSContext*, JS::Handle<JSObject*>, JS::Handle<JS::Value>, JS::Handle<jsid>, JS::MutableHandle<JS::Value>) [Proxy.cpp:ce2a0cbdb4e8 : 310 + 0x16]
11:56:38     INFO -      rbx = 0x000000010f46d000   rbp = 0x00007fff5e02be80
11:56:38     INFO -      rsp = 0x00007fff5e02bdd0   r12 = 0x00007fff5e02bea0
11:56:38     INFO -      r13 = 0x00007fff5e02bf08   r14 = 0x00000001086084c8
11:56:38     INFO -      r15 = 0x00007fff5e02bdf8   rip = 0x00000001069768fa
11:56:38     INFO -      Found by: call frame info
11:56:38     INFO -  14  XUL!js::GetProperty(JSContext*, JS::Handle<JSObject*>, JS::Handle<JS::Value>, js::PropertyName*, JS::MutableHandle<JS::Value>) [NativeObject.h:ce2a0cbdb4e8 : 1490 + 0xb]
11:56:38     INFO -      rbx = 0x0000000106978ce0   rbp = 0x00007fff5e02bed0
11:56:38     INFO -      rsp = 0x00007fff5e02be90   r12 = 0x00007fff5e02bf08
11:56:38     INFO -      r13 = 0x000000010f46d000   r14 = 0x00007fff5e02be90
11:56:38     INFO -      r15 = 0x00007fff5e02bf20   rip = 0x0000000106a95b5f
11:56:38     INFO -      Found by: call frame info
11:56:38     INFO -  15  XUL!js::GetProperty(JSContext*, JS::Handle<JS::Value>, JS::Handle<js::PropertyName*>, JS::MutableHandle<JS::Value>) [Interpreter.cpp:ce2a0cbdb4e8 : 4245 + 0x8]
11:56:38     INFO -      rbx = 0x00007fff5e02bef8   rbp = 0x00007fff5e02bf50
11:56:38     INFO -      rsp = 0x00007fff5e02bee0   r12 = 0x00007fff5e02c3d0
11:56:38     INFO -      r13 = 0x00007fff5e02bf10   r14 = 0x000000010f46d000
11:56:38     INFO -      r15 = 0x00007fff5e02c388   rip = 0x0000000106abb32a
11:56:38     INFO -      Found by: call frame info
11:56:38     INFO -  16  XUL!Interpret [Interpreter.cpp:ce2a0cbdb4e8 : 190 + 0x8]
11:56:38     INFO -      rbx = 0x00007fff5e02c3c0   rbp = 0x00007fff5e02c480
11:56:38     INFO -      rsp = 0x00007fff5e02bf60   r12 = 0x00007fff5e02c340
11:56:38     INFO -      r13 = 0x0000000110a147c0   r14 = 0x000000010f46d000
11:56:38     INFO -      r15 = 0x0000000110a14850   rip = 0x0000000106aad457
11:56:38     INFO -      Found by: call frame info
Keywords: assertion, crash
Nick, can you please look at this?
Flags: needinfo?(nfitzgerald)
Forwarding ni to GC folks.
Component: Developer Tools: Console → JavaScript: GC
Flags: needinfo?(terrence)
Flags: needinfo?(sphink)
Flags: needinfo?(nfitzgerald)
Flags: needinfo?(jcoppeard)
Product: Firefox → Core
This is preconditionWriteBarrierPost returning false, so presumably http://searchfox.org/mozilla-central/source/js/src/gc/Barrier.cpp#61-62 is false, e.g.:

     bool isBlackToGray = target.isMarkable() &&
                          IsMarkedBlack(obj) && JS::GCThingIsMarkedGray(JS::GCCellPtr(target));

So presumably |callee| is gray in CallObject::createHollowForDebug. I think it comes from here:

http://searchfox.org/mozilla-central/source/js/src/vm/EnvironmentObject.cpp#2874

Which means that it comes from:

http://searchfox.org/mozilla-central/source/js/src/vm/Scope.h#432

I'm not sure what the underlying storage is or how it's used though.
I'm pretty sure this is the same bug as bug 1302441. I still have no idea why |callee| can be gray.
Flags: needinfo?(shu)
See Also: → 1302441
(In reply to Shu-yu Guo [:shu] from comment #11)
> I'm pretty sure this is the same bug as bug 1302441. I still have no idea
> why |callee| can be gray.

That bug has steps to reproduce, and a Mozillian who can reproduce it reliably. (Unfortunately, Shu and Alex have no overlapping working hours...)
This should stop crashes in the meantime. I'll get a try run started.
Attachment #8801380 - Flags: review?(jimb)
Attachment #8801380 - Flags: review?(jimb) → review+
Pushed by shu@rfrn.org:
https://hg.mozilla.org/integration/mozilla-inbound/rev/bfc054a2bf66
ExposeToActiveJS the callee when creating a hollow CallObject for Debugger.Environment. (r=jimb)
https://hg.mozilla.org/mozilla-central/rev/bfc054a2bf66
Status: NEW → RESOLVED
Closed: 8 years ago
Resolution: --- → FIXED
Target Milestone: --- → mozilla52
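A simplified model of the black-to-gray precondition discussed in this bug, and of what exposing the callee before the store changes. This is an added illustration, not code from the patch or from SpiderMonkey; `Cell`, `storeSlot` and the other names are hypothetical, and it assumes the newly created environment object is already black.

```cpp
// Simplified model of the gray-marking invariant; not SpiderMonkey code.
// All type and function names here are hypothetical stand-ins.
#include <cstdio>
#include <vector>

enum class Color { White, Gray, Black };

struct Cell {
    Color color = Color::White;
    std::vector<Cell*> slots;  // outgoing references
};

// Same shape as the isBlackToGray expression quoted in the thread.
bool isBlackToGray(const Cell& owner, const Cell* target) {
    return target && owner.color == Color::Black && target->color == Color::Gray;
}

// Returns false where a debug build would hit the assertion.
bool storeSlot(Cell& owner, Cell* target) {
    if (isBlackToGray(owner, target)) return false;
    owner.slots.push_back(target);
    return true;
}

// Model of exposing a cell to active JS: turn it, and every gray cell
// reachable from it, black so that no black-to-gray edge is left behind.
void exposeToActiveJS(Cell* root) {
    std::vector<Cell*> work{root};
    while (!work.empty()) {
        Cell* c = work.back();
        work.pop_back();
        if (!c || c->color != Color::Gray) continue;
        c->color = Color::Black;
        for (Cell* s : c->slots) work.push_back(s);
    }
}

// Hollow environment creation without and with the exposure step.
bool createHollowUnfixed(Cell& env, Cell* callee) { return storeSlot(env, callee); }
bool createHollowFixed(Cell& env, Cell* callee) {
    exposeToActiveJS(callee);
    return storeSlot(env, callee);
}

int main() {
    Cell script, callee, env;
    script.color = callee.color = Color::Gray;  // constructed sample graph
    callee.slots.push_back(&script);
    env.color = Color::Black;                   // assumption: new object is black
    bool unfixed = createHollowUnfixed(env, &callee);  // evaluated first on purpose
    bool fixed = createHollowFixed(env, &callee);
    std::printf("unfixed=%d fixed=%d\n", unfixed, fixed);
    return 0;
}
```

The recursive unmarking matters: turning only the callee black would move the black-to-gray edge one hop further down the graph instead of removing it.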
OrangeFactor shows the failures disappearing from trees as this patch got merged around, thanks! Please request Aurora approval on this when you get a chance.
Assignee: nobody → shu
Flags: needinfo?(terrence.d.cole)
Flags: needinfo?(sphink)
Flags: needinfo?(shu)
Flags: needinfo?(jcoppeard)
Comment on attachment 8801380 [details] [diff] [review]
ExposeToActiveJS the callee when creating a hollow CallObject for Debugger.Environment.

Approval Request Comment
[Feature/regressing bug #]: Unknown
[User impact if declined]: I guess some rare crashes? Not sure actually
[Describe test coverage new/current, TreeHerder]: On m-c
[Risks and why]: Low, bugfix only
[String/UUID change made/needed]: None
Flags: needinfo?(shu)
Attachment #8801380 - Flags: approval-mozilla-aurora?
Comment on attachment 8801380 [details] [diff] [review]
ExposeToActiveJS the callee when creating a hollow CallObject for Debugger.Environment.

Fix an intermittent-failure. Take it in 51 aurora.
Attachment #8801380 - Flags: approval-mozilla-aurora? → approval-mozilla-aurora+