Closed
Bug 1549234
Opened 5 years ago
Closed 5 years ago
Hit MOZ_CRASH() at src/js/src/gc/Zone.cpp:548
Categories
(Core :: JavaScript: GC, defect)
Core
JavaScript: GC
Tracking
()
RESOLVED
DUPLICATE
of bug 1549853
| Tracking | Status | |
|---|---|---|
| firefox68 | --- | fixed |
People
(Reporter: tsmith, Unassigned)
References
(Blocks 1 open bug)
Details
(Keywords: assertion, regression, testcase)
Attachments
(1 file)
|
203 bytes,
text/html
|
Details |
This is only triggered on debug builds after a few seconds. Not sure if it is s-s so marking it to be safe.
Hit MOZ_CRASH() at src/js/src/gc/Zone.cpp:548
#0 0x7f9c4141cfb7 in js::gc::MemoryTracker::~MemoryTracker() src/js/src/gc/Zone.cpp:544:13
#1 0x7f9c4141869d in JS::Zone::~Zone() src/js/src/gc/Zone.cpp:105:1
#2 0x7f9c412ffb79 in void js::FreeOp::delete_<JS::Zone>(JS::Zone*) src/js/src/gc/FreeOp.h:74:11
#3 0x7f9c412ffac0 in JS::Zone::destroy(js::FreeOp*) src/js/src/gc/GC.cpp:3790:8
#4 0x7f9c41300990 in js::gc::GCRuntime::sweepZones(js::FreeOp*, bool) src/js/src/gc/GC.cpp:3914:15
#5 0x7f9c4131c25a in js::gc::GCRuntime::incrementalSlice(js::SliceBudget&, JS::GCReason, js::gc::AutoGCSession&) src/js/src/gc/GC.cpp:7140:9
#6 0x7f9c4131ebae in js::gc::GCRuntime::gcCycle(bool, js::SliceBudget, JS::GCReason) src/js/src/gc/GC.cpp:7476:3
#7 0x7f9c41320775 in js::gc::GCRuntime::collect(bool, js::SliceBudget, JS::GCReason) src/js/src/gc/GC.cpp:7649:9
#8 0x7f9c41321280 in js::gc::GCRuntime::gcSlice(JS::GCReason, long) src/js/src/gc/GC.cpp:7753:3
#9 0x7f9c398d75c7 in nsJSContext::GarbageCollectNow(JS::GCReason, nsJSContext::IsIncremental, nsJSContext::IsShrinking, long) src/dom/base/nsJSEnvironment.cpp:1126:5
#10 0x7f9c398e2374 in InterSliceGCRunnerFired(mozilla::TimeStamp, void*) src/dom/base/nsJSEnvironment.cpp:1748:3
#11 0x7f9c36afbf73 in std::function<bool (mozilla::TimeStamp)>::operator()(mozilla::TimeStamp) const src/clang/bin/../lib/gcc/x86_64-unknown-linux-gnu/6.4.0/../../../../include/c++/6.4.0/functional:2127:14
#12 0x7f9c36afba53 in mozilla::IdleTaskRunner::Run() src/xpcom/threads/IdleTaskRunner.cpp:58:14
#13 0x7f9c36afc9af in mozilla::TimedOut(nsITimer*, void*) src/xpcom/threads/IdleTaskRunner.cpp:78:13
#14 0x7f9c36b3a402 in nsTimerImpl::Fire(int) src/xpcom/threads/nsTimerImpl.cpp:561:7
#15 0x7f9c36b39ea9 in nsTimerEvent::Run() src/xpcom/threads/TimerThread.cpp:260:11
#16 0x7f9c36b0f989 in mozilla::SchedulerGroup::Runnable::Run() src/xpcom/threads/SchedulerGroup.cpp:295:32
#17 0x7f9c36b4af6f in nsThread::ProcessNextEvent(bool, bool*) src/xpcom/threads/nsThread.cpp:1180:14
#18 0x7f9c36b5166c in NS_ProcessNextEvent(nsIThread*, bool) src/xpcom/threads/nsThreadUtils.cpp:486:10
#19 0x7f9c37906945 in mozilla::ipc::MessagePump::Run(base::MessagePump::Delegate*) src/ipc/glue/MessagePump.cpp:88:21
#20 0x7f9c3782ae6c in MessageLoop::RunInternal() src/ipc/chromium/src/base/message_loop.cc:315:10
#21 0x7f9c3782ace0 in MessageLoop::Run() src/ipc/chromium/src/base/message_loop.cc:290:3
#22 0x7f9c3d33adca in nsBaseAppShell::Run() src/widget/nsBaseAppShell.cpp:137:27
#23 0x7f9c4028af94 in XRE_RunAppShell() src/toolkit/xre/nsEmbedFunctions.cpp:919:20
#24 0x7f9c37907619 in mozilla::ipc::MessagePumpForChildProcess::Run(base::MessagePump::Delegate*) src/ipc/glue/MessagePump.cpp:238:9
#25 0x7f9c3782ae6c in MessageLoop::RunInternal() src/ipc/chromium/src/base/message_loop.cc:315:10
#26 0x7f9c3782ace0 in MessageLoop::Run() src/ipc/chromium/src/base/message_loop.cc:290:3
#27 0x7f9c4028a5de in XRE_InitChildProcess(int, char**, XREChildData const*) src/toolkit/xre/nsEmbedFunctions.cpp:757:34
#28 0x5602054a2a87 in content_process_main(mozilla::Bootstrap*, int, char**) src/browser/app/../../ipc/contentproc/plugin-container.cpp:56:28
#29 0x5602054a2d10 in main src/browser/app/nsBrowserApp.cpp:263:18
Flags: in-testsuite?
|
||
Comment 1•5 years ago
|
||
Looks like the MemoryTracker got added in bug 1536154.
Flags: needinfo?(jcoppeard)
Keywords: regression
|
|
||
Comment 2•5 years ago
|
||
From the code, it looks like the dtor prints out "Missing calls to JS::RemoveAssociatedMemory" before it crashes, whatever that means. It seems like this could just be a symptom of a leak. eg if we leak an XPCWN, then maybe we don't call XPCWrappedNative::UnsetFlatJSObject(), and we hit this assert.
|
||
Comment 3•5 years ago
|
||
Not s-s. Yes, this is likely to be the result of not cleaning up an XPCWrappedNative.
Group: javascript-core-security
|
|
||
Comment 4•5 years ago
|
||
Reproduced. The failure output is:
Missing calls to JS::RemoveAssociatedMemory:
0x2911bbead190 0x0 1
Hit MOZ_CRASH() at /home/jon/clone/dev/js/src/gc/Zone.cpp:548
So this one is a dupe of bug 1549853.
Flags: needinfo?(jcoppeard)
|
|
||
Updated•5 years ago
|
Status: NEW → RESOLVED
Closed: 5 years ago
Resolution: --- → DUPLICATE
|
||
Updated•5 years ago
|
You need to log in
before you can comment on or make changes to this bug.
Description
•