Bug 1605343 (Closed): Crash in [@ js::gc::TraceEdgeInternal<T>]
Opened 4 years ago, closed 4 years ago

Categories: Core :: JavaScript: GC (defect)
Platform: Unspecified / Windows 7
Type: defect
Priority: Not set
Severity: normal
Status: RESOLVED INCOMPLETE
Reporter: decoder
Assignee: Unassigned
References: Blocks 1 open bug
Keywords: crash, csectype-uaf, sec-high

This bug is for crash report bp-285a2d6d-f8f8-45d0-b349-e721b0191218.

Top 10 frames of crashing thread:

0 xul.dll bool js::gc::TraceEdgeInternal<JSScript*> js/src/gc/Marking.cpp:587
1 xul.dll JS::Zone::fixupScriptMapsAfterMovingGC js/src/gc/Zone.cpp:746
2 xul.dll void js::gc::GCRuntime::updateZonePointersToRelocatedCells js/src/gc/GC.cpp:2470
3 xul.dll js::gc::IncrementalProgress js::gc::GCRuntime::compactPhase js/src/gc/GC.cpp:6429
4 xul.dll void js::gc::GCRuntime::incrementalSlice js/src/gc/GC.cpp:6881
5 xul.dll js::gc::GCRuntime::IncrementalResult js::gc::GCRuntime::gcCycle js/src/gc/GC.cpp:7242
6 xul.dll void js::gc::GCRuntime::collect js/src/gc/GC.cpp:7426
7 xul.dll js::gc::GCRuntime::gcSlice js/src/gc/GC.cpp:7524
8 xul.dll nsJSContext::GarbageCollectNow dom/base/nsJSEnvironment.cpp:1167
9 xul.dll InterSliceGCRunnerFired dom/base/nsJSEnvironment.cpp:1738

This is a PHC report, manually symbolized PHC stacks:

Free stack:

#0    static struct WeakMapping * nsTArray_Impl<WeakMapping,nsTArrayInfallibleAllocator>::AppendElements<nsTArrayInfallibleAllocator>(unsigned __int64)
    in file hg:hg.mozilla.org/mozilla-central:xpcom/ds/nsTArray.h:053b0bb00fedc42ea54e7a6b8e32843d7d6b7849 line 1705
#1    static void mozilla::CycleCollectedJSContext::PromiseRejectionTrackerCallback(struct JSContext *, bool, class JS::Handle<JSObject *>, JS::PromiseRejectionHandlingState, void *)
    in file hg:hg.mozilla.org/mozilla-central:xpcom/base/CycleCollectedJSContext.cpp:053b0bb00fedc42ea54e7a6b8e32843d7d6b7849 line 339
#2    static void mozilla::CycleCollectedJSContext::PromiseRejectionTrackerCallback(struct JSContext *, bool, class JS::Handle<JSObject *>, JS::PromiseRejectionHandlingState, void *)
    in file hg:hg.mozilla.org/mozilla-central:xpcom/base/CycleCollectedJSContext.cpp:053b0bb00fedc42ea54e7a6b8e32843d7d6b7849 line 351
#3    void nsBaseHashtable<nsUint64HashKey,RefPtr<mozilla::dom::Promise>,mozilla::dom::Promise *>::Put(const unsigned __int64 & const, class mozilla::dom::Promise * *)
    in file hg:hg.mozilla.org/mozilla-central:xpcom/ds/nsBaseHashtable.h:053b0bb00fedc42ea54e7a6b8e32843d7d6b7849 line 169
#4    mozilla::EventStateManager::GetEventTargetContent(mozilla::WidgetEvent *)
    in file hg:hg.mozilla.org/mozilla-central:dom/events/EventStateManager.cpp:053b0bb00fedc42ea54e7a6b8e32843d7d6b7849 line 5290
#5    nsThread::ProcessNextEvent(bool,bool *)
    in file hg:hg.mozilla.org/mozilla-central:xpcom/threads/nsThread.cpp:053b0bb00fedc42ea54e7a6b8e32843d7d6b7849 line 1293
#6    nsThread::ProcessNextEvent(bool,bool *)
    in file hg:hg.mozilla.org/mozilla-central:xpcom/threads/nsThread.cpp:053b0bb00fedc42ea54e7a6b8e32843d7d6b7849 line 1127
#7    void mozilla::dom::ipc::StringTableBuilder<nsStringHashKey,nsTString<char16_t> >::Write(const class mozilla::RangedPtr<unsigned char> & const)
    in file hg:hg.mozilla.org/mozilla-central:dom/ipc/StringTable.h:053b0bb00fedc42ea54e7a6b8e32843d7d6b7849 line 88
#8    base::MessagePumpWin::Run(base::MessagePump::Delegate *)
    in file hg:hg.mozilla.org/mozilla-central:ipc/chromium/src/base/message_pump_win.h:053b0bb00fedc42ea54e7a6b8e32843d7d6b7849 line 79
#9    nsIEventTarget::IsOnCurrentThread()
    in file hg:hg.mozilla.org/mozilla-central:xpcom/threads/nsThreadUtils.cpp:053b0bb00fedc42ea54e7a6b8e32843d7d6b7849 line 616
#10    class mozilla::Result<mozilla::Ok,nsresult> mozilla::dom::ipc::SharedStringMapBuilder::Finalize(class mozilla::loader::AutoMemMap & const)
    in file hg:hg.mozilla.org/mozilla-central:dom/ipc/SharedStringMap.cpp:053b0bb00fedc42ea54e7a6b8e32843d7d6b7849 line 141
#11    nsDocumentViewer::SetBoundsWithFlags(mozilla::gfx::IntRectTyped<mozilla::gfx::UnknownUnits> const &,unsigned int)
    in file hg:hg.mozilla.org/mozilla-central:layout/base/nsDocumentViewer.cpp:053b0bb00fedc42ea54e7a6b8e32843d7d6b7849 line 2097
#12    nsresult nsFormFillController::GetSearchAt(unsigned int, class nsTSubstring<char> & const)
    in file hg:hg.mozilla.org/mozilla-central:toolkit/components/satchel/nsFormFillController.cpp:053b0bb00fedc42ea54e7a6b8e32843d7d6b7849 line 497
#13    base::MessagePumpWin::Run(base::MessagePump::Delegate *)
    in file hg:hg.mozilla.org/mozilla-central:ipc/chromium/src/base/message_pump_win.h:053b0bb00fedc42ea54e7a6b8e32843d7d6b7849 line 79
#14    nsIEventTarget::IsOnCurrentThread()
    in file hg:hg.mozilla.org/mozilla-central:xpcom/threads/nsThreadUtils.cpp:053b0bb00fedc42ea54e7a6b8e32843d7d6b7849 line 616
#15    nsresult nsFormFillController::AttachPopupElementToDocument(class mozilla::dom::Document *, class mozilla::dom::Element *)
    in file hg:hg.mozilla.org/mozilla-central:toolkit/components/satchel/nsFormFillController.cpp:053b0bb00fedc42ea54e7a6b8e32843d7d6b7849 line 235

Alloc stack:

#0    NS_ProcessPendingEvents(nsIThread *,unsigned int)
    in file hg:hg.mozilla.org/mozilla-central:xpcom/threads/nsThreadUtils.cpp:053b0bb00fedc42ea54e7a6b8e32843d7d6b7849 line 410
#1    bool mozilla::dom::Navigator::SendBeaconInternal(const class nsTSubstring<char16_t> & const, class mozilla::dom::BodyExtractorBase *, mozilla::dom::Navigator::BeaconType, class mozilla::ErrorResult & const)
    in file hg:hg.mozilla.org/mozilla-central:dom/base/Navigator.cpp:053b0bb00fedc42ea54e7a6b8e32843d7d6b7849 line 1214
#2    mozilla::dom::HkdfParams::Init(JSContext *,JS::Handle<JS::Value>,char const *,bool)
    in file s3:gecko-generated-sources:045feb2b1c462163eb696ab2e659164b0b9a26738105624b7328d739bf5b1b63f34b9c0a05dbd852fcfa52683df9276f53c992802a9f8f7eac2e5b803d7ea274/dom/bindings/SubtleCryptoBinding.cpp: line 1731
#3    static bool js::ctypes::CDataFinalizer::Methods::Forget(struct JSContext *, unsigned int, class JS::Value *)
    in file hg:hg.mozilla.org/mozilla-central:js/src/ctypes/CTypes.cpp:053b0bb00fedc42ea54e7a6b8e32843d7d6b7849 line 8247
#4    static bool js::ctypes::CData::GetRuntime(struct JSContext *, unsigned int, class JS::Value *)
    in file hg:hg.mozilla.org/mozilla-central:js/src/ctypes/CTypes.cpp:053b0bb00fedc42ea54e7a6b8e32843d7d6b7849 line 7653
#5    static class JSObject * js::ctypes::CClosure::Create(struct JSContext *, class JS::Handle<JSObject *>, class JS::Handle<JSObject *>, class JS::Handle<JSObject *>, class JS::Handle<JS::Value>,  * *)
    in file hg:hg.mozilla.org/mozilla-central:js/src/ctypes/CTypes.cpp:053b0bb00fedc42ea54e7a6b8e32843d7d6b7849 line 7224
#6    static void js::ctypes::BuildCStyleTypeSource(struct JSContext *, class JSObject *, class js::ctypes::StringBuilder<char16_t,0> & const)
    in file hg:hg.mozilla.org/mozilla-central:js/src/ctypes/CTypes.cpp:053b0bb00fedc42ea54e7a6b8e32843d7d6b7849 line 863
#7    void js::detail::OrderedHashTable<js::OrderedHashMap<JS::Value,JS::Value,js::UnbarrieredHashPolicy,js::ZoneAllocPolicy>::Entry,js::OrderedHashMap<JS::Value,JS::Value,js::UnbarrieredHashPolicy,js::ZoneAllocPolicy>::MapOps,js::ZoneAllocPolicy>::rekeyOneEntry(const class JS::Value & const, const class JS::Value & const, const class js::OrderedHashMap<JS::Value,JS::Value,js::UnbarrieredHashPolicy,js::ZoneAllocPolicy>::Entry & const)
    in file hg:hg.mozilla.org/mozilla-central:js/src/ds/OrderedHashTable.h:053b0bb00fedc42ea54e7a6b8e32843d7d6b7849 line 553
#8    static bool nsAutoTObserverArray<mozilla::Observer<mozilla::hal::ScreenConfiguration> *,0>::RemoveElement<mozilla::Observer<mozilla::hal::ScreenConfiguration> *>(class mozilla::Observer<mozilla::hal::ScreenConfiguration> * & const)
    in file hg:hg.mozilla.org/mozilla-central:xpcom/ds/nsTObserverArray.h:053b0bb00fedc42ea54e7a6b8e32843d7d6b7849 line 219
#9    static void js::ctypes::BuildCStyleTypeSource(struct JSContext *, class JSObject *, class js::ctypes::StringBuilder<char16_t,0> & const)
    in file hg:hg.mozilla.org/mozilla-central:js/src/ctypes/CTypes.cpp:053b0bb00fedc42ea54e7a6b8e32843d7d6b7849 line 863
#10    static bool js::ctypes::CData::GetRuntime(struct JSContext *, unsigned int, class JS::Value *)
    in file hg:hg.mozilla.org/mozilla-central:js/src/ctypes/CTypes.cpp:053b0bb00fedc42ea54e7a6b8e32843d7d6b7849 line 7655
#11    static class JSObject * js::ctypes::CClosure::Create(struct JSContext *, class JS::Handle<JSObject *>, class JS::Handle<JSObject *>, class JS::Handle<JSObject *>, class JS::Handle<JS::Value>,  * *)
    in file hg:hg.mozilla.org/mozilla-central:js/src/ctypes/CTypes.cpp:053b0bb00fedc42ea54e7a6b8e32843d7d6b7849 line 7224
#12    static void js::ctypes::BuildCStyleTypeSource(struct JSContext *, class JSObject *, class js::ctypes::StringBuilder<char16_t,0> & const)
    in file hg:hg.mozilla.org/mozilla-central:js/src/ctypes/CTypes.cpp:053b0bb00fedc42ea54e7a6b8e32843d7d6b7849 line 863
#13    bool js::jit::BaselineInterpreterGenerator::emitInterpreterLoop()
    in file hg:hg.mozilla.org/mozilla-central:js/src/jit/BaselineCodeGen.cpp:053b0bb00fedc42ea54e7a6b8e32843d7d6b7849 line 7070
#14    (frame in unknown module)

I have no clue if the stacks are just mismatched or if they are even garbled. A mismatched stack seems likely given that there is GC and CC on the stack but I'm not sure if the alloc/free stacks on their own make sense either. Would be glad to hear from a developer about this, so we can investigate if we have a problem with the stacks.

Blocks: 1605341
Blocks: PHC
No longer blocks: 1605341

The stacks don't make a ton of sense, either by themselves or relative to the crash stack. Ctypes into crypto bindings into SendBeaconInternal seems weird.

The free stack isn't for the cycle collector, it is for the event loop stuff for promises. (We should really rename CycleCollectedJSContext to something that doesn't involve CC.)

Jon, any ideas?

Flags: needinfo?(jcoppeard)

Seems unlikely to go anywhere, but if this is valid it is sec-high.

Group: core-security → javascript-core-security
Component: DOM: Web Crypto → JavaScript: GC

I don't think this is actionable.

Flags: needinfo?(jcoppeard)

(In reply to Jon Coppeard (:jonco) from comment #4)

> I don't think this is actionable.

Thanks for looking!

Status: NEW → RESOLVED
Closed: 4 years ago
Resolution: --- → INCOMPLETE
Group: javascript-core-security