Closed Bug 1731127 Opened 3 years ago Closed 3 years ago

Crash in [@ js::Nursery::collectToObjectFixedPoint]

Categories

(Core :: JavaScript: GC, defect, P1)

Tracking

RESOLVED DUPLICATE of bug 1639157
Tracking Status
firefox94 --- affected
firefox95 --- affected
firefox96 --- affected

People

(Reporter: aryx, Unassigned)

References

(Blocks 2 open bugs)

Details

(Keywords: crash)

Attachments

(1 file)

9 crashes from 5+ installations, oldest affected build is Firefox 94.0a1 20210912090527.

Bug 1601228 sounds like there shouldn't have been changes to crash signatures but a search for collectToObjectFixedPoint didn't yield any existing bugs.

Maybe Fission related. (DOMFissionEnabled=1)

Crash report: https://crash-stats.mozilla.org/report/index/d16149e7-23a3-4b66-9857-c3e420210913

Reason: SIGSEGV /0x00000080

Top 9 frames of crashing thread:

0 libxul.so js::Nursery::collectToObjectFixedPoint js/src/gc/Tenuring.cpp:864
1 libxul.so js::Nursery::collect js/src/gc/Nursery.cpp:1099
2 libxul.so js::gc::GCRuntime::collectNursery js/src/gc/GC.cpp:7187
3 libxul.so js::gc::GCRuntime::minorGC js/src/gc/GC.cpp:7153
4 libxul.so JSObject* js::AllocateObject< js/src/gc/Allocator.cpp:78
5 libxul.so js::ArrayConstructorOneArg js/src/builtin/Array.cpp:3720
6 @0x8a634c9efbd
7 libxul.so _fini
8 libxul.so _fini
Flags: needinfo?(jcoppeard)

(In reply to Sebastian Hengst [:aryx] (needinfo on intermittent or backout) from comment #0)
This is probably a signature change. This could be due to inlining changes now that Nursery::collectToObjectFixedPoint and Nursery::collect are no longer in the same source file. There have been no functional changes to nursery collection recently.

Blocks: GCCrashes
Flags: needinfo?(jcoppeard)
Priority: -- → P3
Crash Signature: [@ js::Nursery::collectToObjectFixedPoint] → [@ js::Nursery::collectToObjectFixedPoint] [@ js::TenuringTracer::collectToObjectFixedPoint] [@ OOM | large | js::AutoEnterOOMUnsafeRegion::crash | js::AutoEnterOOMUnsafeRegion::crash | js::Nursery::collectToObjectFixedPoint] [@ OOM | large | js::AutoE…

Changing the priority to P1 as the bug is tracked by a release manager for the current beta.
See What Do You Triage for more information.

Priority: P3 → P1

(In reply to Jon Coppeard (:jonco) from comment #1)

This is probably a signature change.

Based on the timing this is due to moving to clang 13 in bug 1731582.

(In reply to Alexandru Trif, QA [:atrif] from comment #2)
These OOM crashes belong in bug 1472062.

Crash Signature: [@ js::Nursery::collectToObjectFixedPoint] [@ js::TenuringTracer::collectToObjectFixedPoint] [@ OOM | large | js::AutoEnterOOMUnsafeRegion::crash | js::AutoEnterOOMUnsafeRegion::crash | js::Nursery::collectToObjectFixedPoint] [@ OOM | large | js::AutoE… → [@ js::Nursery::collectToObjectFixedPoint] [@ js::TenuringTracer::collectToObjectFixedPoint]
Status: NEW → RESOLVED
Closed: 3 years ago
Resolution: --- → DUPLICATE
Severity: S2 → S4
