Crash in [@ js::Nursery::collectToObjectFixedPoint]
Categories: Core :: JavaScript: GC, defect, P1
People: Reporter: aryx, Unassigned
References: Blocks 2 open bugs
Details: Keywords: crash
Attachments: 1 file (4.42 MB, image/gif)
9 crashes from 5+ installations, oldest affected build is Firefox 94.0a1 20210912090527.
Bug 1601228 sounds like there shouldn't have been changes to crash signatures but a search for collectToObjectFixedPoint didn't yield any existing bugs.
Maybe Fission related. (DOMFissionEnabled=1)
Crash report: https://crash-stats.mozilla.org/report/index/d16149e7-23a3-4b66-9857-c3e420210913
Reason: SIGSEGV /0x00000080
Top 9 frames of crashing thread:
0 libxul.so js::Nursery::collectToObjectFixedPoint js/src/gc/Tenuring.cpp:864
1 libxul.so js::Nursery::collect js/src/gc/Nursery.cpp:1099
2 libxul.so js::gc::GCRuntime::collectNursery js/src/gc/GC.cpp:7187
3 libxul.so js::gc::GCRuntime::minorGC js/src/gc/GC.cpp:7153
4 libxul.so JSObject* js::AllocateObject< js/src/gc/Allocator.cpp:78
5 libxul.so js::ArrayConstructorOneArg js/src/builtin/Array.cpp:3720
6 @0x8a634c9efbd
7 libxul.so _fini
8 libxul.so _fini
Comment 1•3 years ago
(In reply to Sebastian Hengst [:aryx] (needinfo on intermittent or backout) from comment #0)
This is probably a signature change. This could be due to inlining changes now Nursery::collectToObjectFixedPoint and Nursery::collect are no longer in the same source file. There have been no functional changes to nursery collection recently.
Comment 2•3 years ago
Hello! I am hitting this crash and the bug 1721164 crash when opening https://gisanddata.maps.arcgis.com/apps/dashboards/bda7594740fd40299423467b48e9ecf6 on Windows 7 x64 with Firefox 95.0b6 (32bit). Sometimes it happens when loading the page, and sometimes when zooming in/out of the map or dragging the cases scrollbar up and down while the page is loading.
Crash reports inside about:crashes:
https://crash-stats.mozilla.org/report/index/bp-efd629ee-b011-4fa3-b746-80ad90211112
https://crash-stats.mozilla.org/report/index/bp-e136b5d9-8cbc-41a7-bd3f-1410e0211112
https://crash-stats.mozilla.org/report/index/bp-6bdf500b-235c-4d53-af30-e87ee0211112
https://crash-stats.mozilla.org/report/index/bp-d26119c3-638d-4289-8469-62e980211112
https://crash-stats.mozilla.org/report/index/bp-05c3a727-ecf2-4bc7-a754-a74410211112
https://crash-stats.mozilla.org/report/index/bp-7efa73f2-e6d1-45fd-83c5-b39ca0211112
https://crash-stats.mozilla.org/report/index/bp-cc762fe2-2ce3-4343-9800-0dd600211112
https://crash-stats.mozilla.org/report/index/bp-c75231e6-a67b-4cea-857b-830bd0211112
Comment 3•3 years ago
Changing the priority to p1 as the bug is tracked by a release manager for the current beta.
See What Do You Triage for more information
Comment 4•3 years ago
(In reply to Jon Coppeard (:jonco) from comment #1)
This is probably a signature change.
Based on the timing this is due to moving to clang 13 in bug 1731582.
Comment 5•3 years ago
(In reply to Alexandru Trif, QA [:atrif] from comment #2)
These OOM crashes belong in bug 1472062.