Closed
Bug 1495905
Opened 6 years ago
Closed 7 months ago
Assert crash on js::gc::IsInsideNursery()
Categories
(Core :: JavaScript: GC, defect, P5)
RESOLVED
INCOMPLETE
People
(Reporter: mozillabugs, Unassigned)
Details
I just got the following crash with the FF 61.0.2 Win64 debug build, while reloading https://www.washingtonpost.com . The next-to-last stack frame is different from the other IsInsideNursery() bugs I've found, so this looks like a new bug.
Initially, |location| was 0x0029d708 on IsInsideNursery():
431: MOZ_ALWAYS_INLINE bool
432: IsInsideNursery(const js::gc::Cell* cell)
433: {
434:     if (!cell)
435:         return false;
436:     auto location = detail::GetCellLocation(cell);
437:     MOZ_ASSERT(location == ChunkLocation::Nursery || location == ChunkLocation::TenuredHeap);
438:     return location == ChunkLocation::Nursery;
439: }
FWIW, this assert occurred while the debugger was attached, so I tried re-executing the call to detail::GetCellLocation() on line 436, which caused it to return the valid value |ChunkLocation::TenuredHeap::TenuredHeap| (2)!
This makes it appear that the crash was due to a race condition.
Here's the stack:
> xul.dll!js::gc::IsInsideNursery(const js::gc::Cell * cell=0x0000000005694000) Line 437 C++
xul.dll!js::gc::Arena::getAllocKind() Line 330 C++
xul.dll!js::gc::TenuredCell::getAllocKind() Line 342 C++
xul.dll!js::gc::AssertGCThingHasType(js::gc::Cell * cell=0x0000000005694dc0, JS::TraceKind kind=Object) Line 8361 C++
xul.dll!JS::GCCellPtr::checkedCast(void * p=0x0000000005694dc0, JS::TraceKind traceKind=Object) Line 287 C++
xul.dll!JS::GCCellPtr::GCCellPtr<JSObject>(JSObject * p=0x0000000005694dc0) Line 224 C++
xul.dll!JS::CallbackTracer::onObjectEdge(JSObject * * objp=0x000000000029d800) Line 151 C++
xul.dll!JS::CallbackTracer::dispatchToOnEdge(JSObject * * objp=0x000000000029d800) Line 243 C++
xul.dll!DoCallback<JSObject *>(JS::CallbackTracer * trc=0x000000000029dbf0, JSObject * * thingp=0x000000000029d800, const char * name=0x000007fed507d1b0) Line 49 C++
xul.dll!DoCallbackFunctor<js::TaggedProto>::operator()<JSObject>(JSObject * t=0x0000000005694dc0, JS::CallbackTracer * trc=0x000000000029dbf0, const char * name=0x000007fed507d1b0) Line 59 C++
xul.dll!js::DispatchTyped<DoCallbackFunctor<js::TaggedProto>,JS::CallbackTracer * &,char const * &>(DoCallbackFunctor<js::TaggedProto> f={...}, const js::TaggedProto & proto={...}, JS::CallbackTracer * & <args_0>=0x000000000029dbf0, const char * & <args_1>=0x000007fed507d1b0) Line 143 C++
xul.dll!DoCallback<js::TaggedProto>(JS::CallbackTracer * trc=0x000000000029dbf0, js::TaggedProto * protop=0x0000000003e37cd8, const char * name=0x000007fed507d1b0) Line 91 C++
xul.dll!DispatchToTracer<js::TaggedProto>(JSTracer * trc=0x000000000029dbf8, js::TaggedProto * thingp=0x0000000003e37cd8, const char * name=0x000007fed507d1b0) Line 692 C++
xul.dll!js::TraceEdge<js::TaggedProto>(JSTracer * trc=0x000000000029dbf8, js::WriteBarrieredBase<js::TaggedProto> * thingp=0x0000000003e37cd8, const char * name=0x000007fed507d1b0) Line 437 C++
xul.dll!js::ObjectGroup::traceChildren(JSTracer * trc=0x000000000029dbf8) Line 1485 C++
xul.dll!TraceChildrenFunctor::operator()<js::ObjectGroup>(JSTracer * trc=0x000000000029dbf8, void * thingArg=0x0000000003e37cd0) Line 129 C++
xul.dll!JS::DispatchTraceKindTyped<TraceChildrenFunctor,JSTracer * &,void * &>(TraceChildrenFunctor f={...}, JS::TraceKind traceKind=ObjectGroup, JSTracer * & <args_0>=0x000000000029dbf8, void * & <args_1>=0x0000000003e37cd0) Line 201 C++
xul.dll!js::TraceChildren(JSTracer * trc=0x000000000029dbf8, void * thing=0x0000000003e37cd0, JS::TraceKind kind=ObjectGroup) Line 138 C++
xul.dll!JS::TraceChildren(JSTracer * trc=0x000000000029dbf8, JS::GCCellPtr thing={...}) Line 118 C++
xul.dll!HeapCheckTracerBase::traceHeap(js::gc::AutoTraceSession & session={...}) Line 566 C++
xul.dll!CheckGrayMarkingTracer::check(js::gc::AutoTraceSession & session={...}) Line 712 C++
xul.dll!js::CheckGrayMarkingState(JSRuntime * rt=0x0000000003516000) Line 732 C++
xul.dll!mozilla::CycleCollectedJSRuntime::CheckGrayBits() Line 1238 C++
xul.dll!nsCycleCollector::BeginCollection(ccType aCCType=SliceCC, nsICycleCollectorListener * aManualListener=0x0000000000000000) Line 3925 C++
xul.dll!nsCycleCollector::Collect(ccType aCCType=SliceCC, js::SliceBudget & aBudget={...}, nsICycleCollectorListener * aManualListener=0x0000000000000000, bool aPreferShorterSlices=true) Line 3747 C++
xul.dll!nsCycleCollector_collectSlice(js::SliceBudget & budget={...}, bool aPreferShorterSlices=true) Line 4331 C++
xul.dll!nsJSContext::RunCycleCollectorSlice(mozilla::TimeStamp aDeadline={...}) Line 1549 C++
xul.dll!CCRunnerFired(mozilla::TimeStamp aDeadline={...}) Line 1951 C++
xul.dll!std::_Invoker_functor::_Call<bool (__cdecl*&)(mozilla::TimeStamp),mozilla::TimeStamp>(bool(*)(mozilla::TimeStamp) & _Obj=0x000007fecd885240, mozilla::TimeStamp && <_Args_0>={...}) C++
xul.dll!std::invoke<bool (__cdecl*&)(mozilla::TimeStamp),mozilla::TimeStamp>(bool(*)(mozilla::TimeStamp) & _Obj=0x000007fecd885240, mozilla::TimeStamp && <_Args_0>={...}) C++
xul.dll!std::_Invoker_ret<bool,0>::_Call<bool (__cdecl*&)(mozilla::TimeStamp),mozilla::TimeStamp>(bool(*)(mozilla::TimeStamp) & <_Vals_0>=0x000007fecd885240, mozilla::TimeStamp && <_Vals_1>={...}) C++
xul.dll!std::_Func_impl_no_alloc<bool (__cdecl*)(mozilla::TimeStamp),bool,mozilla::TimeStamp>::_Do_call(mozilla::TimeStamp && <_Args_0>={...}) C++
xul.dll!std::_Func_class<bool,mozilla::TimeStamp>::operator()(mozilla::TimeStamp <_Args_0>={...}) C++
xul.dll!mozilla::IdleTaskRunner::Run() Line 62 C++
xul.dll!mozilla::TimedOut(nsITimer * aTimer=0x000000000bd79060, void * aClosure=0x0000000006207970) Line 85 C++
xul.dll!nsTimerImpl::Fire(int aGeneration=0x00000052) Line 702 C++
xul.dll!nsTimerEvent::Run() Line 292 C++
xul.dll!nsThread::ProcessNextEvent(bool aMayWait=false, bool * aResult=0x000000000029e932) Line 1093 C++
xul.dll!NS_ProcessNextEvent(nsIThread * aThread=0x0000000000a14600, bool aMayWait=false) Line 519 C++
xul.dll!mozilla::ipc::MessagePump::Run(base::MessagePump::Delegate * aDelegate=0x0000000000a3e080) Line 97 C++
xul.dll!MessageLoop::RunInternal() Line 327 C++
xul.dll!MessageLoop::RunHandler() Line 320 C++
xul.dll!MessageLoop::Run() Line 300 C++
xul.dll!nsBaseAppShell::Run() Line 159 C++
xul.dll!nsAppShell::Run() Line 415 C++
xul.dll!nsAppStartup::Run() Line 290 C++
xul.dll!XREMain::XRE_mainRun() Line 4900 C++
xul.dll!XREMain::XRE_main(int argc=0x00000003, char * * argv=0x0000000000a03060, const mozilla::BootstrapConfig & aConfig={...}) Line 5045 C++
xul.dll!XRE_main(int argc=0x00000003, char * * argv=0x0000000000a03060, const mozilla::BootstrapConfig & aConfig={...}) Line 5137 C++
xul.dll!mozilla::BootstrapImpl::XRE_main(int argc=0x00000003, char * * argv=0x0000000000a03060, const mozilla::BootstrapConfig & aConfig={...}) Line 50 C++
firefox.exe!do_main(int argc=0x00000003, char * * argv=0x0000000000a03060, char * * envp=0x0000000000495cf0) Line 232 C++
firefox.exe!NS_internal_main(int argc=0x00000003, char * * argv=0x0000000000a03060, char * * envp=0x0000000000495cf0) Line 304 C++
firefox.exe!wmain(int argc=0x00000003, wchar_t * * argv=0x0000000000497780) Line 129 C++
[Inline Frame] firefox.exe!invoke_main() Line 90 C++
firefox.exe!__scrt_common_main_seh() Line 288 C++
kernel32.dll!BaseThreadInitThunk() Unknown
ntdll.dll!RtlUserThreadStart() Unknown
Updated•6 years ago
Component: JavaScript Engine → JavaScript: GC
Comment 1•6 years ago
This looks like heap corruption of some sort. Did this happen again? Any STR?
Flags: needinfo?(mozillabugs)
Priority: -- → P5
Reporter
Comment 2•6 years ago
I haven't seen this crash again, and so have no STR. I will update this bug if I see it again.
Flags: needinfo?(mozillabugs)
Updated•2 years ago
Severity: normal → S3
Updated•7 months ago
Status: NEW → RESOLVED
Closed: 7 months ago
Resolution: --- → INCOMPLETE