1605341 - Crash in [@ js::gc::SweepingTracer::onObjectEdge]

Status: RESOLVED INCOMPLETE

(Core :: JavaScript: GC, defect)

Description

[Christian Holler (:decoder)]

This bug is for crash report bp-326af038-0149-47e0-b601-1d4d90191208.

Top 10 frames of crashing thread:

0 xul.dll js::gc::SweepingTracer::onObjectEdge 
1 xul.dll DoCallback<JSObject> js/src/gc/Tracer.cpp:46
2 xul.dll void JS::GCHashSet<js::WeakHeapPtr<js::SavedFrame*>, js::SavedFrame::HashPolicy, js::SystemAllocPolicy>::traceWeak js/public/GCHashTable.h:282
3 xul.dll static void SweepMisc js/src/gc/GC.cpp:5158
4 xul.dll void js::HelperThread::handleGCParallelWorkload js/src/vm/HelperThreads.cpp:1860
5 xul.dll static void js::HelperThread::ThreadMain js/src/vm/HelperThreads.cpp:2182
6 xul.dll static unsigned int js::detail::ThreadTrampoline<void  js/src/threading/Thread.h:207
7 ucrtbase.dll o_strcat_s 
8 kernel32.dll BaseThreadInitThunk 
9 ntdll.dll RtlUserThreadStart 

This is a PHC report, manually symbolized PHC stacks:

Free stack:

#0    static void nsPurpleBuffer::VisitEntries<SnowWhiteKiller>(class SnowWhiteKiller & const)
    in file hg:hg.mozilla.org/mozilla-central:xpcom/base/nsCycleCollector.cpp:053b0bb00fedc42ea54e7a6b8e32843d7d6b7849 line 956
#1    nsCycleCollector::FreeSnowWhiteWithBudget(js::SliceBudget &)
    in file hg:hg.mozilla.org/mozilla-central:xpcom/base/nsCycleCollector.cpp:053b0bb00fedc42ea54e7a6b8e32843d7d6b7849 line 2625
#2    nsresult AsyncFreeSnowWhite::Run()
    in file hg:hg.mozilla.org/mozilla-central:js/xpconnect/src/XPCJSRuntime.cpp:053b0bb00fedc42ea54e7a6b8e32843d7d6b7849 line 146
#3    nsresult IdleRunnableWrapper::Run()
    in file hg:hg.mozilla.org/mozilla-central:xpcom/threads/nsThreadUtils.cpp:053b0bb00fedc42ea54e7a6b8e32843d7d6b7849 line 331
#4    nsThread::ProcessNextEvent(bool,bool *)
    in file hg:hg.mozilla.org/mozilla-central:xpcom/threads/nsThread.cpp:053b0bb00fedc42ea54e7a6b8e32843d7d6b7849 line 1250
#5    NS_ProcessNextEvent(nsIThread *,bool)
    in file hg:hg.mozilla.org/mozilla-central:xpcom/threads/nsThreadUtils.cpp:053b0bb00fedc42ea54e7a6b8e32843d7d6b7849 line 486
#6    void mozilla::ipc::MessagePump::Run(class base::MessagePump::Delegate *)
    in file hg:hg.mozilla.org/mozilla-central:ipc/glue/MessagePump.cpp:053b0bb00fedc42ea54e7a6b8e32843d7d6b7849 line 87
#7    void MessageLoop::RunHandler()
    in file hg:hg.mozilla.org/mozilla-central:ipc/chromium/src/base/message_loop.cc:053b0bb00fedc42ea54e7a6b8e32843d7d6b7849 line 309
#8    MessageLoop::Run()
    in file hg:hg.mozilla.org/mozilla-central:ipc/chromium/src/base/message_loop.cc:053b0bb00fedc42ea54e7a6b8e32843d7d6b7849 line 291
#9    nsBaseAppShell::Run()
    in file hg:hg.mozilla.org/mozilla-central:widget/nsBaseAppShell.cpp:053b0bb00fedc42ea54e7a6b8e32843d7d6b7849 line 139
#10    nsAppShell::Run()
    in file hg:hg.mozilla.org/mozilla-central:widget/windows/nsAppShell.cpp:053b0bb00fedc42ea54e7a6b8e32843d7d6b7849 line 406
#11    nsresult nsAppStartup::Run()
    in file hg:hg.mozilla.org/mozilla-central:toolkit/components/startup/nsAppStartup.cpp:053b0bb00fedc42ea54e7a6b8e32843d7d6b7849 line 273
#12    nsresult XREMain::XRE_mainRun()
    in file hg:hg.mozilla.org/mozilla-central:toolkit/xre/nsAppRunner.cpp:053b0bb00fedc42ea54e7a6b8e32843d7d6b7849 line 4600
#13    int XREMain::XRE_main(int, char * *, const struct mozilla::BootstrapConfig & const)
    in file hg:hg.mozilla.org/mozilla-central:toolkit/xre/nsAppRunner.cpp:053b0bb00fedc42ea54e7a6b8e32843d7d6b7849 line 4737
#14    XRE_main(int,char * * const,mozilla::BootstrapConfig const &)
    in file hg:hg.mozilla.org/mozilla-central:toolkit/xre/nsAppRunner.cpp:053b0bb00fedc42ea54e7a6b8e32843d7d6b7849 line 4818
#15    static int NS_internal_main(int, char * *, char * *)
    in file hg:hg.mozilla.org/mozilla-central:browser/app/nsBrowserApp.cpp:053b0bb00fedc42ea54e7a6b8e32843d7d6b7849 line 339

Alloc stack:

#0    nsIContent::QueryInterface(nsID const &,void * *)
    in file hg:hg.mozilla.org/mozilla-central:dom/base/FragmentOrElement.cpp:053b0bb00fedc42ea54e7a6b8e32843d7d6b7849 line 139
#1    nsresult mozilla::dom::XULFrameElement::QueryInterface(const struct nsID & const, void * *)
    in file hg:hg.mozilla.org/mozilla-central:dom/xul/XULFrameElement.cpp:053b0bb00fedc42ea54e7a6b8e32843d7d6b7849 line 33
#2    NS_GetWeakReference(nsISupports *,nsresult *)
    in file hg:hg.mozilla.org/mozilla-central:xpcom/base/nsWeakReference.cpp:053b0bb00fedc42ea54e7a6b8e32843d7d6b7849 line 91
#3    void nsXULTooltipListener::MouseMove(class mozilla::dom::Event *)
    in file hg:hg.mozilla.org/mozilla-central:layout/xul/nsXULTooltipListener.cpp:053b0bb00fedc42ea54e7a6b8e32843d7d6b7849 line 159
#4    nsresult nsXULTooltipListener::HandleEvent(class mozilla::dom::Event *)
    in file hg:hg.mozilla.org/mozilla-central:layout/xul/nsXULTooltipListener.cpp:053b0bb00fedc42ea54e7a6b8e32843d7d6b7849 line 264
#5    nsresult mozilla::EventListenerManager::HandleEventSubType(struct mozilla::EventListenerManager::Listener *, class mozilla::dom::Event *, class mozilla::dom::EventTarget *)
    in file hg:hg.mozilla.org/mozilla-central:dom/events/EventListenerManager.cpp:053b0bb00fedc42ea54e7a6b8e32843d7d6b7849 line 1074
#6    void mozilla::EventListenerManager::HandleEventInternal(class nsPresContext *, class mozilla::WidgetEvent *, class mozilla::dom::Event * *, class mozilla::dom::EventTarget *, nsEventStatus *, bool)
    in file hg:hg.mozilla.org/mozilla-central:dom/events/EventListenerManager.cpp:053b0bb00fedc42ea54e7a6b8e32843d7d6b7849 line 1270
#7    void mozilla::EventTargetChainItem::HandleEvent(class mozilla::EventChainPostVisitor & const, class mozilla::ELMCreationDetector & const)
    in file hg:hg.mozilla.org/mozilla-central:dom/events/EventDispatcher.cpp:053b0bb00fedc42ea54e7a6b8e32843d7d6b7849 line 356
#8    static void mozilla::EventTargetChainItem::HandleEventTargetChain(class nsTArray<mozilla::EventTargetChainItem> & const, class mozilla::EventChainPostVisitor & const, class mozilla::EventDispatchingCallback *, class mozilla::ELMCreationDetector & const)
    in file hg:hg.mozilla.org/mozilla-central:dom/events/EventDispatcher.cpp:053b0bb00fedc42ea54e7a6b8e32843d7d6b7849 line 560
#9    static void mozilla::EventTargetChainItem::HandleEventTargetChain(class nsTArray<mozilla::EventTargetChainItem> & const, class mozilla::EventChainPostVisitor & const, class mozilla::EventDispatchingCallback *, class mozilla::ELMCreationDetector & const)
    in file hg:hg.mozilla.org/mozilla-central:dom/events/EventDispatcher.cpp:053b0bb00fedc42ea54e7a6b8e32843d7d6b7849 line 639
#10    mozilla::EventDispatcher::Dispatch(nsISupports *,nsPresContext *,mozilla::WidgetEvent *,mozilla::dom::Event *,nsEventStatus *,mozilla::EventDispatchingCallback *,nsTArray<mozilla::dom::EventTarget *> *)
    in file hg:hg.mozilla.org/mozilla-central:dom/events/EventDispatcher.cpp:053b0bb00fedc42ea54e7a6b8e32843d7d6b7849 line 1059
#11    nsresult mozilla::PresShell::EventHandler::DispatchEventToDOM(class mozilla::WidgetEvent *, nsEventStatus *, class nsPresShellEventCB *)
    in file hg:hg.mozilla.org/mozilla-central:layout/base/PresShell.cpp:053b0bb00fedc42ea54e7a6b8e32843d7d6b7849 line 8227
#12    nsresult mozilla::PresShell::EventHandler::DispatchEvent(class mozilla::EventStateManager *, class mozilla::WidgetEvent *, bool, nsEventStatus *, class nsIContent *)
    in file hg:hg.mozilla.org/mozilla-central:layout/base/PresShell.cpp:053b0bb00fedc42ea54e7a6b8e32843d7d6b7849 line 7789
#13    nsresult mozilla::PresShell::EventHandler::HandleEventWithCurrentEventInfo(class mozilla::WidgetEvent *, nsEventStatus *, bool, class nsIContent *)
    in file hg:hg.mozilla.org/mozilla-central:layout/base/PresShell.cpp:053b0bb00fedc42ea54e7a6b8e32843d7d6b7849 line 7719
#14    nsresult mozilla::PresShell::EventHandler::HandleEventUsingCoordinates(class nsIFrame *, class mozilla::WidgetGUIEvent *, nsEventStatus *, bool)
    in file hg:hg.mozilla.org/mozilla-central:layout/base/PresShell.cpp:053b0bb00fedc42ea54e7a6b8e32843d7d6b7849 line 6678
#15    nsresult mozilla::PresShell::EventHandler::HandleEvent(class nsIFrame *, class mozilla::WidgetGUIEvent *, bool, nsEventStatus *)
    in file hg:hg.mozilla.org/mozilla-central:layout/base/PresShell.cpp:053b0bb00fedc42ea54e7a6b8e32843d7d6b7849 line 6483

I guess this is yet another mismatched stack, but I am not sure. The alloc stack seems to indicate a XULFrameElement that has been cycle-collected. Maybe this information is also helpful if the "use" stack (the primary crash stack here) is mismatched (if it is, then this is most likely caused by us reallocating the memory too early again).

Comment 1

[Andrew McCreight [:mccr8]]

Huh, the nsIContent QI does actually allocate a nsNodeSupportsWeakRefTearoff. But yeah, it doesn't really make sense that a XUL element is getting hit when sweeping an object off main thread. If it was main thread, maybe the JS object could be a reflector for the XUL element?

Comment 2

[Andrew McCreight [:mccr8]]

Any ideas, Jon?

Comment 3

[Jon Coppeard (:jonco)]

The crash looks like we're operating on a null GC thing pointer. It doesn't seem related to the alloc stack though.

No good ideas how to attack this.

Comment 4

[BugBot [:suhaib / :marco/ :calixte]]

The priority flag is not set for this bug.
:jonco, could you have a look please?

For more information, please visit auto_nag documentation.

Comment 5

[Steven DeTar [:sdetar]]

Jonco investigated this issue and this looks to be not actionable at this time. After some discussion we are deciding to make this stalled at this time.

Comment 6

[BugBot [:suhaib / :marco/ :calixte]]

The priority flag is not set for this bug.
:jonco, could you have a look please?

For more information, please visit auto_nag documentation.

Comment 7

[BugBot [:suhaib / :marco/ :calixte]]

Since the bug is closed, the stalled keyword is now meaningless.
For more information, please visit auto_nag documentation.