Closed Bug 1495905 Opened 6 years ago Closed 7 months ago

Assert crash on js::gc::IsInsideNursery()

Categories: Core :: JavaScript: GC, defect, P5
Version: 61 Branch
Status: RESOLVED INCOMPLETE
People: Reporter: mozillabugs; Assignee: Unassigned

I just got the following crash with the FF 61.0.2 Win64 debug build, while reloading https://www.washingtonpost.com . The next-to-last stack frame is different from the other IsInsideNursery() bugs I've found, so this looks like a new bug. Initially, |location| was 0x0029d708 on IsInsideNursery():

    431: MOZ_ALWAYS_INLINE bool
    432: IsInsideNursery(const js::gc::Cell* cell)
    433: {
    434:     if (!cell)
    435:         return false;
    436:     auto location = detail::GetCellLocation(cell);
    437:     MOZ_ASSERT(location == ChunkLocation::Nursery || location == ChunkLocation::TenuredHeap);
    438:     return location == ChunkLocation::Nursery;
    439: }

FWIW, this assert occurred while the debugger was attached, so I tried re-executing the call to detail::GetCellLocation() on line 436, which caused it to return the valid value |ChunkLocation::TenuredHeap::TenuredHeap| (2)! This makes it appear that the crash was due to a race condition.

Here's the stack:

    xul.dll!js::gc::IsInsideNursery(const js::gc::Cell * cell=0x0000000005694000) Line 437 C++
    xul.dll!js::gc::Arena::getAllocKind() Line 330 C++
    xul.dll!js::gc::TenuredCell::getAllocKind() Line 342 C++
    xul.dll!js::gc::AssertGCThingHasType(js::gc::Cell * cell=0x0000000005694dc0, JS::TraceKind kind=Object) Line 8361 C++
    xul.dll!JS::GCCellPtr::checkedCast(void * p=0x0000000005694dc0, JS::TraceKind traceKind=Object) Line 287 C++
    xul.dll!JS::GCCellPtr::GCCellPtr<JSObject>(JSObject * p=0x0000000005694dc0) Line 224 C++
    xul.dll!JS::CallbackTracer::onObjectEdge(JSObject * * objp=0x000000000029d800) Line 151 C++
    xul.dll!JS::CallbackTracer::dispatchToOnEdge(JSObject * * objp=0x000000000029d800) Line 243 C++
    xul.dll!DoCallback<JSObject *>(JS::CallbackTracer * trc=0x000000000029dbf0, JSObject * * thingp=0x000000000029d800, const char * name=0x000007fed507d1b0) Line 49 C++
    xul.dll!DoCallbackFunctor<js::TaggedProto>::operator()<JSObject>(JSObject * t=0x0000000005694dc0, JS::CallbackTracer * trc=0x000000000029dbf0, const char * name=0x000007fed507d1b0) Line 59 C++
    xul.dll!js::DispatchTyped<DoCallbackFunctor<js::TaggedProto>,JS::CallbackTracer * &,char const * &>(DoCallbackFunctor<js::TaggedProto> f={...}, const js::TaggedProto & proto={...}, JS::CallbackTracer * & <args_0>=0x000000000029dbf0, const char * & <args_1>=0x000007fed507d1b0) Line 143 C++
    xul.dll!DoCallback<js::TaggedProto>(JS::CallbackTracer * trc=0x000000000029dbf0, js::TaggedProto * protop=0x0000000003e37cd8, const char * name=0x000007fed507d1b0) Line 91 C++
    xul.dll!DispatchToTracer<js::TaggedProto>(JSTracer * trc=0x000000000029dbf8, js::TaggedProto * thingp=0x0000000003e37cd8, const char * name=0x000007fed507d1b0) Line 692 C++
    xul.dll!js::TraceEdge<js::TaggedProto>(JSTracer * trc=0x000000000029dbf8, js::WriteBarrieredBase<js::TaggedProto> * thingp=0x0000000003e37cd8, const char * name=0x000007fed507d1b0) Line 437 C++
    xul.dll!js::ObjectGroup::traceChildren(JSTracer * trc=0x000000000029dbf8) Line 1485 C++
    xul.dll!TraceChildrenFunctor::operator()<js::ObjectGroup>(JSTracer * trc=0x000000000029dbf8, void * thingArg=0x0000000003e37cd0) Line 129 C++
    xul.dll!JS::DispatchTraceKindTyped<TraceChildrenFunctor,JSTracer * &,void * &>(TraceChildrenFunctor f={...}, JS::TraceKind traceKind=ObjectGroup, JSTracer * & <args_0>=0x000000000029dbf8, void * & <args_1>=0x0000000003e37cd0) Line 201 C++
    xul.dll!js::TraceChildren(JSTracer * trc=0x000000000029dbf8, void * thing=0x0000000003e37cd0, JS::TraceKind kind=ObjectGroup) Line 138 C++
    xul.dll!JS::TraceChildren(JSTracer * trc=0x000000000029dbf8, JS::GCCellPtr thing={...}) Line 118 C++
    xul.dll!HeapCheckTracerBase::traceHeap(js::gc::AutoTraceSession & session={...}) Line 566 C++
    xul.dll!CheckGrayMarkingTracer::check(js::gc::AutoTraceSession & session={...}) Line 712 C++
    xul.dll!js::CheckGrayMarkingState(JSRuntime * rt=0x0000000003516000) Line 732 C++
    xul.dll!mozilla::CycleCollectedJSRuntime::CheckGrayBits() Line 1238 C++
    xul.dll!nsCycleCollector::BeginCollection(ccType aCCType=SliceCC, nsICycleCollectorListener * aManualListener=0x0000000000000000) Line 3925 C++
    xul.dll!nsCycleCollector::Collect(ccType aCCType=SliceCC, js::SliceBudget & aBudget={...}, nsICycleCollectorListener * aManualListener=0x0000000000000000, bool aPreferShorterSlices=true) Line 3747 C++
    xul.dll!nsCycleCollector_collectSlice(js::SliceBudget & budget={...}, bool aPreferShorterSlices=true) Line 4331 C++
    xul.dll!nsJSContext::RunCycleCollectorSlice(mozilla::TimeStamp aDeadline={...}) Line 1549 C++
    xul.dll!CCRunnerFired(mozilla::TimeStamp aDeadline={...}) Line 1951 C++
    xul.dll!std::_Invoker_functor::_Call<bool (__cdecl*&)(mozilla::TimeStamp),mozilla::TimeStamp>(bool(*)(mozilla::TimeStamp) & _Obj=0x000007fecd885240, mozilla::TimeStamp && <_Args_0>={...}) C++
    xul.dll!std::invoke<bool (__cdecl*&)(mozilla::TimeStamp),mozilla::TimeStamp>(bool(*)(mozilla::TimeStamp) & _Obj=0x000007fecd885240, mozilla::TimeStamp && <_Args_0>={...}) C++
    xul.dll!std::_Invoker_ret<bool,0>::_Call<bool (__cdecl*&)(mozilla::TimeStamp),mozilla::TimeStamp>(bool(*)(mozilla::TimeStamp) & <_Vals_0>=0x000007fecd885240, mozilla::TimeStamp && <_Vals_1>={...}) C++
    xul.dll!std::_Func_impl_no_alloc<bool (__cdecl*)(mozilla::TimeStamp),bool,mozilla::TimeStamp>::_Do_call(mozilla::TimeStamp && <_Args_0>={...}) C++
    xul.dll!std::_Func_class<bool,mozilla::TimeStamp>::operator()(mozilla::TimeStamp <_Args_0>={...}) C++
    xul.dll!mozilla::IdleTaskRunner::Run() Line 62 C++
    xul.dll!mozilla::TimedOut(nsITimer * aTimer=0x000000000bd79060, void * aClosure=0x0000000006207970) Line 85 C++
    xul.dll!nsTimerImpl::Fire(int aGeneration=0x00000052) Line 702 C++
    xul.dll!nsTimerEvent::Run() Line 292 C++
    xul.dll!nsThread::ProcessNextEvent(bool aMayWait=false, bool * aResult=0x000000000029e932) Line 1093 C++
    xul.dll!NS_ProcessNextEvent(nsIThread * aThread=0x0000000000a14600, bool aMayWait=false) Line 519 C++
    xul.dll!mozilla::ipc::MessagePump::Run(base::MessagePump::Delegate * aDelegate=0x0000000000a3e080) Line 97 C++
    xul.dll!MessageLoop::RunInternal() Line 327 C++
    xul.dll!MessageLoop::RunHandler() Line 320 C++
    xul.dll!MessageLoop::Run() Line 300 C++
    xul.dll!nsBaseAppShell::Run() Line 159 C++
    xul.dll!nsAppShell::Run() Line 415 C++
    xul.dll!nsAppStartup::Run() Line 290 C++
    xul.dll!XREMain::XRE_mainRun() Line 4900 C++
    xul.dll!XREMain::XRE_main(int argc=0x00000003, char * * argv=0x0000000000a03060, const mozilla::BootstrapConfig & aConfig={...}) Line 5045 C++
    xul.dll!XRE_main(int argc=0x00000003, char * * argv=0x0000000000a03060, const mozilla::BootstrapConfig & aConfig={...}) Line 5137 C++
    xul.dll!mozilla::BootstrapImpl::XRE_main(int argc=0x00000003, char * * argv=0x0000000000a03060, const mozilla::BootstrapConfig & aConfig={...}) Line 50 C++
    firefox.exe!do_main(int argc=0x00000003, char * * argv=0x0000000000a03060, char * * envp=0x0000000000495cf0) Line 232 C++
    firefox.exe!NS_internal_main(int argc=0x00000003, char * * argv=0x0000000000a03060, char * * envp=0x0000000000495cf0) Line 304 C++
    firefox.exe!wmain(int argc=0x00000003, wchar_t * * argv=0x0000000000497780) Line 129 C++
    [Inline Frame] firefox.exe!invoke_main() Line 90 C++
    firefox.exe!__scrt_common_main_seh() Line 288 C++
    kernel32.dll!BaseThreadInitThunk() Unknown
    ntdll.dll!RtlUserThreadStart() Unknown
Component: JavaScript Engine → JavaScript: GC

This looks like heap corruption of some sort. Did this happen again? Any STR?

Flags: needinfo?(mozillabugs)
Priority: -- → P5

I haven't seen this crash again, and so have no STR. I will update this bug if I see it again.

Flags: needinfo?(mozillabugs)
Severity: normal → S3
Status: NEW → RESOLVED
Closed: 7 months ago
Resolution: --- → INCOMPLETE