Closed Bug 707091 Opened 13 years ago Closed 12 years ago

Crash in js::types::TypeSet::sweep (including in 431086-1.xhtml, 428489-1.html, 708405-1.html, Talos tpr_responsiveness/tp5r)

Categories

(Core :: JavaScript Engine, defect)

Product:
Core
Component:
JavaScript Engine
Version:
9 Branch
Platform:
x86
Windows 7
Type:
defect
Priority:
Not set
Severity:
critical

Tracking

()

Status:
RESOLVED WORKSFORME

People

(Reporter: scoobidiver, Unassigned)

References

Details

(Keywords: crash, intermittent-failure, regression)

Crash Data

It's #62 top crasher in 9.0b3, #71 in 10.0a2 and #180 in 11.0a1.

It first appeared in 9.0a1/20110830. The regression range is:
http://hg.mozilla.org/mozilla-central/pushloghtml?fromchange=ca5a3569462d&tochange=e6591ea9b27b

There are two kinds of stack trace:
Frame 	Module 	Signature [Expand] 	Source
0 	mozjs.dll 	js::types::TypeSet::sweep 	js/src/jsinfer.cpp:5774
1 	mozjs.dll 	js::types::TypeScript::Sweep 	js/src/jsinfer.cpp:6044
2 	mozjs.dll 	JSCompartment::sweep 	js/src/jscompartment.cpp:637
3 	mozjs.dll 	SweepPhase 	js/src/jsgc.cpp:2313
4 	mozjs.dll 	MarkAndSweep 	js/src/jsgc.cpp:2406
5 	mozjs.dll 	GCCycle 	js/src/jsgc.cpp:2649
6 	mozjs.dll 	js::MaybeGC 	js/src/jsgc.cpp:1986
7 	mozjs.dll 	JS_MaybeGC 	js/src/jsapi.cpp:2635
8 	xul.dll 	nsJSContext::ScriptEvaluated 	dom/base/nsJSEnvironment.cpp:3094
9 	xul.dll 	nsCxPusher::Pop 	content/base/src/nsContentUtils.cpp:2682
10 	xul.dll 	nsJSContext::CallEventHandler 	dom/base/nsJSEnvironment.cpp:1955
11 	xul.dll 	nsGlobalWindow::QueryInterface 	dom/base/nsGlobalWindow.cpp:1369
12 	xul.dll 	nsJSArgArray::Release 	dom/base/nsJSEnvironment.cpp:3935
13 	xul.dll 	nsRefPtr<nsPresContext>::~nsRefPtr<nsPresContext> 	obj-firefox/xpcom/build/nsCOMPtr.cpp:81
14 	xul.dll 	nsJSScriptTimeoutHandler::SetLateness 	dom/base/nsJSTimeoutHandler.cpp:368
...

Frame 	Module 	Signature [Expand] 	Source
0 	mozjs.dll 	js::types::TypeSet::sweep 	js/src/jsinfer.cpp:5761
1 	mozjs.dll 	js::types::TypeObject::sweep 	js/src/jsinfer.cpp:5895
2 	mozjs.dll 	js::gc::ForEachArenaAndCell<void 	js/src/jsgcinlines.h:202
3 	mozjs.dll 	js::types::TypeCompartment::sweep 	js/src/jsinfer.cpp:5944
4 	mozjs.dll 	JSCompartment::sweep 	js/src/jscompartment.cpp:653
5 	mozjs.dll 	SweepPhase 	js/src/jsgc.cpp:2313
6 	mozjs.dll 	MarkAndSweep 	js/src/jsgc.cpp:2406
7 	mozjs.dll 	GCCycle 	js/src/jsgc.cpp:2649
8 	mozjs.dll 	js_GC 	js/src/jsgc.cpp:2735
9 	mozjs.dll 	JS_CompartmentGC 	js/src/jsapi.cpp:2616
10 	mozjs.dll 	JS_GC 	js/src/jsapi.cpp:2623
11 	xul.dll 	nsXPConnect::Collect 	js/src/xpconnect/src/nsXPConnect.cpp:415
12 	xul.dll 	nsXPConnect::GarbageCollect 	js/src/xpconnect/src/nsXPConnect.cpp:423
13 	xul.dll 	nsJSContext::GarbageCollectNow 	dom/base/nsJSEnvironment.cpp:3189
14 	xul.dll 	nsTimerImpl::Fire 	xpcom/threads/nsTimerImpl.cpp:424
15 	xul.dll 	nsTimerEvent::Run 	xpcom/threads/nsTimerImpl.cpp:520
16 	xul.dll 	nsThread::ProcessNextEvent 	xpcom/threads/nsThread.cpp:631
17 	xul.dll 	mozilla::ipc::MessagePump::Run 	ipc/glue/MessagePump.cpp:134
...

More crash reports at:
https://crash-stats.mozilla.com/report/list?signature=js%3A%3Atypes%3A%3ATypeSet%3A%3Asweep%28JSContext*%2C%20JSCompartment*%29
Apparently one way to reproduce it is to run editor/libeditor/html/crashtests/456727-1.html enough hundreds of times to eventually see https://tbpl.mozilla.org/php/getParsedLog.php?id=8050576&tree=Mozilla-Inbound
https://tbpl.mozilla.org/php/getParsedLog.php?id=8087782&tree=Mozilla-Inbound - editor/libeditor/html/crashtests/428489-1.html instead.
Blocks: 713368
https://tbpl.mozilla.org/php/getParsedLog.php?id=8395521&tree=Firefox - editor/libeditor/html/crashtests/431086-1.xhtml
Blocks: 438871
Summary: Crash in js::types::TypeSet::sweep → Crash in js::types::TypeSet::sweep (including in 431086-1.xhtml, 428489-1.html, 708405-1.html)
Whiteboard: [orange]
https://tbpl.mozilla.org/php/getParsedLog.php?id=10598601&tree=Firefox
Rev3 WINNT 6.1 mozilla-central pgo talos tpr_responsiveness on 2012-04-03 06:50:50 PDT for push 95df15895e02
Summary: Crash in js::types::TypeSet::sweep (including in 431086-1.xhtml, 428489-1.html, 708405-1.html) → Crash in js::types::TypeSet::sweep (including in 431086-1.xhtml, 428489-1.html, 708405-1.html, Talos tpr_responsiveness/tp5r)
I added the new crash signature introduced in 14.0a1/20120406.
Crash Signature: [@ js::types::TypeSet::sweep(JSContext*, JSCompartment*) ] → [@ js::types::TypeSet::sweep(JSContext*, JSCompartment*)] [@ js::types::TypeSet::sweep(JSCompartment*)]
Status: NEW → RESOLVED
Closed: 12 years ago
Resolution: --- → WORKSFORME
Whiteboard: [orange]
You need to log in before you can comment on or make changes to this bug.