Hit MOZ_CRASH(Association not found: 0x270161787250 0x0 1) at src/js/src/gc/Zone.cpp:578

RESOLVED FIXED in Firefox 68

defect
Last month
9 days ago

People

(Reporter: tsmith, Assigned: jonco)

Tracking

(Blocks 1 bug, Regression, {assertion, testcase})

unspecified
mozilla68
Bug Flags:
in-testsuite +

Firefox Tracking Flags

(firefox-esr60 unaffected, firefox67 unaffected, firefox68 fixed)

Attachments

(2 attachments)

Reporter

Description

Last month
Posted file testcase.html

Reduced with: m-c 20190506-3c70f36ad62c

Looks similar to bug 1549234.

Hit MOZ_CRASH(Association not found: 0x270161787250 0x0 1) at src/js/src/gc/Zone.cpp:578

rax = 0x0000563c2e70fe40   rdx = 0x0000000000000000
rcx = 0x0000000000000b40   rbx = 0x0000563c2e70fa40
rsi = 0x00007f50f93fd8b0   rdi = 0x00007f50f93fc680
rbp = 0x00007fff692ba440   rsp = 0x00007fff692ba370
r8 = 0x00007f50f93fd8b0    r9 = 0x00007f50fa57f740
r10 = 0x0000000000000000   r11 = 0x0000000000000000
r12 = 0x00007fff692ba3c0   r13 = 0x00007f50c67e08c8
r14 = 0x00007fff692ba3e0   r15 = 0x0000270161787250
rip = 0x00007f50ec1a18f9
OS|Linux|0.0.0 Linux 4.19.13-coreos #1 SMP Mon Jan 7 23:51:04 -00 2019 x86_64
CPU|amd64|family 6 model 79 stepping 1|8
GPU|||
Crash|SIGSEGV|0x0|0
0|0|libxul.so|js::gc::MemoryTracker::untrackMemory(js::gc::Cell*, unsigned long, JS::MemoryUse)|hg:hg.mozilla.org/mozilla-central:js/src/gc/Zone.cpp:3c70f36ad62c9c714db3199fc00e60800ee82bde|581|0x19
0|1|libxul.so|JS::RemoveAssociatedMemory(JSObject*, unsigned long, JS::MemoryUse)|hg:hg.mozilla.org/mozilla-central:js/src/jsapi.cpp:3c70f36ad62c9c714db3199fc00e60800ee82bde|1168|0x2a
0|2|libxul.so|mozilla::dom::CanvasRenderingContext2D::ClearTarget(int, int)|hg:hg.mozilla.org/mozilla-central:dom/canvas/CanvasRenderingContext2D.cpp:3c70f36ad62c9c714db3199fc00e60800ee82bde|1495|0x5
0|3|libxul.so|mozilla::dom::CanvasRenderingContext2D::SetDimensions(int, int)|hg:hg.mozilla.org/mozilla-central:dom/canvas/CanvasRenderingContext2D.cpp:3c70f36ad62c9c714db3199fc00e60800ee82bde|1475|0x5
0|4|libxul.so|mozilla::dom::CanvasRenderingContextHelper::UpdateContext(JSContext*, JS::Handle<JS::Value>, mozilla::ErrorResult&)|hg:hg.mozilla.org/mozilla-central:dom/canvas/CanvasRenderingContextHelper.cpp:3c70f36ad62c9c714db3199fc00e60800ee82bde|216|0x1b
0|5|libxul.so|mozilla::dom::HTMLCanvasElement::AfterMaybeChangeAttr(int, nsAtom*, bool)|hg:hg.mozilla.org/mozilla-central:dom/html/HTMLCanvasElement.cpp:3c70f36ad62c9c714db3199fc00e60800ee82bde|461|0x18
0|6|libxul.so|mozilla::dom::HTMLCanvasElement::AfterSetAttr(int, nsAtom*, nsAttrValue const*, nsAttrValue const*, nsIPrincipal*, bool)|hg:hg.mozilla.org/mozilla-central:dom/html/HTMLCanvasElement.cpp:3c70f36ad62c9c714db3199fc00e60800ee82bde|440|0x8
0|7|libxul.so|mozilla::dom::Element::SetAttrAndNotify(int, nsAtom*, nsAtom*, nsAttrValue const*, nsAttrValue&, nsIPrincipal*, unsigned char, bool, bool, bool, mozilla::dom::Document*, mozAutoDocUpdate const&)|hg:hg.mozilla.org/mozilla-central:dom/base/Element.cpp:3c70f36ad62c9c714db3199fc00e60800ee82bde|2540|0x30
0|8|libxul.so|mozilla::dom::Element::SetAttr(int, nsAtom*, nsAtom*, nsTSubstring<char16_t> const&, nsIPrincipal*, bool)|hg:hg.mozilla.org/mozilla-central:dom/base/Element.cpp:3c70f36ad62c9c714db3199fc00e60800ee82bde|2407|0x2d
0|9|libxul.so|mozilla::dom::Element::SetAttribute(nsTSubstring<char16_t> const&, nsTSubstring<char16_t> const&, nsIPrincipal*, mozilla::ErrorResult&)|hg:hg.mozilla.org/mozilla-central:dom/base/Element.cpp:3c70f36ad62c9c714db3199fc00e60800ee82bde|1407|0x4e
0|10|libxul.so|mozilla::dom::Element_Binding::setAttribute|s3:gecko-generated-sources:558a6a73f7baabfaf4dbd3ae918f3baaec0ffdd9a354eca117ab28feefd7ddd0b75a4bd56933fba631702170d809e3c298cc48721d4d7d1aba80806eb75409b4/dom/bindings/ElementBinding.cpp:|1490|0x5
0|11|libxul.so|bool mozilla::dom::binding_detail::GenericMethod<mozilla::dom::binding_detail::NormalThisPolicy, mozilla::dom::binding_detail::ThrowExceptions>(JSContext*, unsigned int, JS::Value*)|hg:hg.mozilla.org/mozilla-central:dom/bindings/BindingUtils.cpp:3c70f36ad62c9c714db3199fc00e60800ee82bde|3153|0x24
0|12|libxul.so|CallJSNative(JSContext*, bool (*)(JSContext*, unsigned int, JS::Value*), JS::CallArgs const&)|hg:hg.mozilla.org/mozilla-central:js/src/vm/Interpreter.cpp:3c70f36ad62c9c714db3199fc00e60800ee82bde|443|0x13
0|13|libxul.so|js::InternalCallOrConstruct(JSContext*, JS::CallArgs const&, js::MaybeConstruct)|hg:hg.mozilla.org/mozilla-central:js/src/vm/Interpreter.cpp:3c70f36ad62c9c714db3199fc00e60800ee82bde|535|0x12
0|14|libxul.so|InternalCall|hg:hg.mozilla.org/mozilla-central:js/src/vm/Interpreter.cpp:3c70f36ad62c9c714db3199fc00e60800ee82bde|590|0xd
0|15|libxul.so|Interpret|hg:hg.mozilla.org/mozilla-central:js/src/vm/Interpreter.cpp:3c70f36ad62c9c714db3199fc00e60800ee82bde|594|0x13
0|16|libxul.so|js::RunScript(JSContext*, js::RunState&)|hg:hg.mozilla.org/mozilla-central:js/src/vm/Interpreter.cpp:3c70f36ad62c9c714db3199fc00e60800ee82bde|423|0xb
0|17|libxul.so|js::InternalCallOrConstruct(JSContext*, JS::CallArgs const&, js::MaybeConstruct)|hg:hg.mozilla.org/mozilla-central:js/src/vm/Interpreter.cpp:3c70f36ad62c9c714db3199fc00e60800ee82bde|563|0xf
0|18|libxul.so|InternalCall|hg:hg.mozilla.org/mozilla-central:js/src/vm/Interpreter.cpp:3c70f36ad62c9c714db3199fc00e60800ee82bde|590|0xd
0|19|libxul.so|js::Call(JSContext*, JS::Handle<JS::Value>, JS::Handle<JS::Value>, js::AnyInvokeArgs const&, JS::MutableHandle<JS::Value>)|hg:hg.mozilla.org/mozilla-central:js/src/vm/Interpreter.cpp:3c70f36ad62c9c714db3199fc00e60800ee82bde|606|0x5
0|20|libxul.so|JS::Call(JSContext*, JS::Handle<JS::Value>, JS::Handle<JS::Value>, JS::HandleValueArray const&, JS::MutableHandle<JS::Value>)|hg:hg.mozilla.org/mozilla-central:js/src/jsapi.cpp:3c70f36ad62c9c714db3199fc00e60800ee82bde|2647|0x1c
0|21|libxul.so|mozilla::dom::EventListener::HandleEvent(JSContext*, JS::Handle<JS::Value>, mozilla::dom::Event&, mozilla::ErrorResult&)|s3:gecko-generated-sources:9ca8646d8042e9b4b76d2e1b358b984be17743b71b832c0897d61bb500e0fecbe38fa54273dc522878c87fcb2c9bfd274a8190c7bc56fbbb58cb3ca68462e527/dom/bindings/EventListenerBinding.cpp:|52|0x5
0|22|libxul.so|void mozilla::dom::EventListener::HandleEvent<mozilla::dom::EventTarget*>(mozilla::dom::EventTarget* const&, mozilla::dom::Event&, mozilla::ErrorResult&, char const*, mozilla::dom::CallbackObject::ExceptionHandling, JS::Realm*)|s3:gecko-generated-sources:f3d9c01258576daaac3afc4fb3b283652e7f1168abb5287eff6775451ebd0ab6a0e4c8d88d3a67f7147042501bc091c6dfed25b4b8ccf4e4f420897b8d0ba906/dist/include/mozilla/dom/EventListenerBinding.h:|66|0x1c
0|23|libxul.so|mozilla::EventListenerManager::HandleEventSubType(mozilla::EventListenerManager::Listener*, mozilla::dom::Event*, mozilla::dom::EventTarget*)|hg:hg.mozilla.org/mozilla-central:dom/events/EventListenerManager.cpp:3c70f36ad62c9c714db3199fc00e60800ee82bde|1040|0x1e
0|24|libxul.so|mozilla::EventListenerManager::HandleEventInternal(nsPresContext*, mozilla::WidgetEvent*, mozilla::dom::Event**, mozilla::dom::EventTarget*, nsEventStatus*, bool)|hg:hg.mozilla.org/mozilla-central:dom/events/EventListenerManager.cpp:3c70f36ad62c9c714db3199fc00e60800ee82bde|1240|0x19
0|25|libxul.so|mozilla::EventTargetChainItem::HandleEvent(mozilla::EventChainPostVisitor&, mozilla::ELMCreationDetector&)|hg:hg.mozilla.org/mozilla-central:dom/events/EventDispatcher.cpp:3c70f36ad62c9c714db3199fc00e60800ee82bde|351|0x6
0|26|libxul.so|mozilla::EventTargetChainItem::HandleEventTargetChain(nsTArray<mozilla::EventTargetChainItem>&, mozilla::EventChainPostVisitor&, mozilla::EventDispatchingCallback*, mozilla::ELMCreationDetector&)|hg:hg.mozilla.org/mozilla-central:dom/events/EventDispatcher.cpp:3c70f36ad62c9c714db3199fc00e60800ee82bde|551|0x12
0|27|libxul.so|mozilla::EventDispatcher::Dispatch(nsISupports*, nsPresContext*, mozilla::WidgetEvent*, mozilla::dom::Event*, nsEventStatus*, mozilla::EventDispatchingCallback*, nsTArray<mozilla::dom::EventTarget*>*)|hg:hg.mozilla.org/mozilla-central:dom/events/EventDispatcher.cpp:3c70f36ad62c9c714db3199fc00e60800ee82bde|1048|0x1a
0|28|libxul.so|mozilla::EventDispatcher::DispatchDOMEvent(nsISupports*, mozilla::WidgetEvent*, mozilla::dom::Event*, nsPresContext*, nsEventStatus*)|hg:hg.mozilla.org/mozilla-central:dom/events/EventDispatcher.cpp:3c70f36ad62c9c714db3199fc00e60800ee82bde|1148|0x19
0|29|libxul.so|nsINode::DispatchEvent(mozilla::dom::Event&, mozilla::dom::CallerType, mozilla::ErrorResult&)|hg:hg.mozilla.org/mozilla-central:dom/base/nsINode.cpp:3c70f36ad62c9c714db3199fc00e60800ee82bde|1026|0x5
0|30|libxul.so|nsContentUtils::DispatchEvent(mozilla::dom::Document*, nsISupports*, nsTSubstring<char16_t> const&, mozilla::CanBubble, mozilla::Cancelable, mozilla::Composed, mozilla::Trusted, bool*, mozilla::ChromeOnlyDispatch)|hg:hg.mozilla.org/mozilla-central:dom/base/nsContentUtils.cpp:3c70f36ad62c9c714db3199fc00e60800ee82bde|3947|0x30
0|31|libxul.so|nsContentUtils::DispatchTrustedEvent(mozilla::dom::Document*, nsISupports*, nsTSubstring<char16_t> const&, mozilla::CanBubble, mozilla::Cancelable, mozilla::Composed, bool*)|hg:hg.mozilla.org/mozilla-central:dom/base/nsContentUtils.cpp:3c70f36ad62c9c714db3199fc00e60800ee82bde|3918|0x19
0|32|libxul.so|mozilla::dom::Document::DispatchContentLoadedEvents()|hg:hg.mozilla.org/mozilla-central:dom/base/Document.cpp:3c70f36ad62c9c714db3199fc00e60800ee82bde|4995|0x40
0|33|libxul.so|mozilla::detail::RunnableMethodImpl<mozilla::dom::Document*, void (mozilla::dom::Document::*)(), true, (mozilla::RunnableKind)0>::Run()|hg:hg.mozilla.org/mozilla-central:xpcom/threads/nsThreadUtils.h:3c70f36ad62c9c714db3199fc00e60800ee82bde|1174|0x13
0|34|libxul.so|nsThread::ProcessNextEvent(bool, bool*)|hg:hg.mozilla.org/mozilla-central:xpcom/threads/nsThread.cpp:3c70f36ad62c9c714db3199fc00e60800ee82bde|1180|0x15
0|35|libxul.so|NS_ProcessNextEvent(nsIThread*, bool)|hg:hg.mozilla.org/mozilla-central:xpcom/threads/nsThreadUtils.cpp:3c70f36ad62c9c714db3199fc00e60800ee82bde|486|0x11
0|36|libxul.so|mozilla::ipc::MessagePump::Run(base::MessagePump::Delegate*)|hg:hg.mozilla.org/mozilla-central:ipc/glue/MessagePump.cpp:3c70f36ad62c9c714db3199fc00e60800ee82bde|88|0xa
0|37|libxul.so|MessageLoop::RunInternal()|hg:hg.mozilla.org/mozilla-central:ipc/chromium/src/base/message_loop.cc:3c70f36ad62c9c714db3199fc00e60800ee82bde|315|0x17
0|38|libxul.so|MessageLoop::Run()|hg:hg.mozilla.org/mozilla-central:ipc/chromium/src/base/message_loop.cc:3c70f36ad62c9c714db3199fc00e60800ee82bde|290|0x8
0|39|libxul.so|nsBaseAppShell::Run()|hg:hg.mozilla.org/mozilla-central:widget/nsBaseAppShell.cpp:3c70f36ad62c9c714db3199fc00e60800ee82bde|137|0xd
0|40|libxul.so|nsAppStartup::Run()|hg:hg.mozilla.org/mozilla-central:toolkit/components/startup/nsAppStartup.cpp:3c70f36ad62c9c714db3199fc00e60800ee82bde|276|0xe
0|41|libxul.so|XREMain::XRE_mainRun()|hg:hg.mozilla.org/mozilla-central:toolkit/xre/nsAppRunner.cpp:3c70f36ad62c9c714db3199fc00e60800ee82bde|4548|0x11
0|42|libxul.so|XREMain::XRE_main(int, char**, mozilla::BootstrapConfig const&)|hg:hg.mozilla.org/mozilla-central:toolkit/xre/nsAppRunner.cpp:3c70f36ad62c9c714db3199fc00e60800ee82bde|4686|0x8
0|43|libxul.so|XRE_main(int, char**, mozilla::BootstrapConfig const&)|hg:hg.mozilla.org/mozilla-central:toolkit/xre/nsAppRunner.cpp:3c70f36ad62c9c714db3199fc00e60800ee82bde|4767|0x5
0|44|firefox-bin|do_main|hg:hg.mozilla.org/mozilla-central:browser/app/nsBrowserApp.cpp:3c70f36ad62c9c714db3199fc00e60800ee82bde|212|0x22
0|45|firefox-bin|main|hg:hg.mozilla.org/mozilla-central:browser/app/nsBrowserApp.cpp:3c70f36ad62c9c714db3199fc00e60800ee82bde|291|0xd
0|46|libc-2.27.so||||0x21b97
0|47|firefox-bin|MOZ_ReportCrash|hg:hg.mozilla.org/mozilla-central:mfbt/Assertions.h:3c70f36ad62c9c714db3199fc00e60800ee82bde|184|0x5
Flags: in-testsuite?
Reporter

Updated

Last month
See Also: → 1549234
Assignee

Updated

Last month
Assignee: nobody → jcoppeard
Component: Canvas: 2D → JavaScript: GC
Assignee

Updated

Last month
Duplicate of this bug: 1549234
Assignee

Comment 2

Last month

We're crashing because a zero-size association is not found. We should skip zero-size associations, both adding and removing. Doing so fixes this crash and the one in bug 1549234.
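
A minimal model of the accounting invariant described in Comment 2, added here as an illustration and not SpiderMonkey's code. `ToyMemoryTracker`, its methods, the constructed cell address and use id, and the caller pattern (a zero-byte removal with no matching add) are assumptions made for the sketch.

```cpp
// Toy model of per-cell malloc accounting (added illustration, not SpiderMonkey code).
#include <cstddef>
#include <cstdint>
#include <map>
#include <stdexcept>
#include <utility>

class ToyMemoryTracker {
 public:
  explicit ToyMemoryTracker(bool skipZero) : skipZero_(skipZero) {}
  void track(std::uintptr_t cell, std::size_t nbytes, int use) {
    if (skipZero_ && nbytes == 0) return;  // nothing to account for
    if (!map_.emplace(std::make_pair(cell, use), nbytes).second)
      throw std::logic_error("Association already present");
  }

  void untrack(std::uintptr_t cell, std::size_t nbytes, int use) {
    if (skipZero_ && nbytes == 0) return;  // mirror of the check in track()
    auto it = map_.find(std::make_pair(cell, use));
    if (it == map_.end() || it->second != nbytes)
      throw std::logic_error("Association not found");  // stands in for MOZ_CRASH
    map_.erase(it);
  }
 private:
  std::map<std::pair<std::uintptr_t, int>, std::size_t> map_;
  bool skipZero_;
};

// Assumed caller pattern: the owner registers a buffer only when it creates
// one, but unregisters its current size (possibly 0) on every clear.
bool clearWithoutBufferCrashes(bool skipZero) {
  ToyMemoryTracker t(skipZero);
  try {
    t.untrack(0x1000, 0, 1);  // constructed cell address and use id
  } catch (const std::logic_error&) {
    return true;
  }
  return false;
}

// A real imbalance (non-zero bytes removed twice) must still be reported
// when zero-size associations are skipped.
bool realImbalanceStillCaught() {
  ToyMemoryTracker t(true);
  t.track(0x1000, 64, 1);
  t.untrack(0x1000, 64, 1);
  try { t.untrack(0x1000, 64, 1); } catch (const std::logic_error&) { return true; }
  return false;
}
```

Skipping zero sizes on both sides keeps the add/remove pairing symmetric while leaving the check intact for genuine accounting mismatches.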

Comment 4

Last month
Pushed by jcoppeard@mozilla.com:
https://hg.mozilla.org/integration/autoland/rev/c84376bb87f1
Ignore associations of zero bytes of malloc memory with a GC thing r=sfink?

Comment 5

Last month
bugherder
Status: NEW → RESOLVED
Closed: Last month
Resolution: --- → FIXED
Target Milestone: --- → mozilla68
Flags: in-testsuite? → in-testsuite+
Regressed by: 1536154