Closed
Bug 779958
Opened 12 years ago
Closed 6 years ago
crash in js::LifoAlloc::getOrCreateChunk
Categories
(Core :: JavaScript Engine, defect)
Tracking
()
RESOLVED
WONTFIX
People
(Reporter: marcia, Unassigned)
References
Details
(Keywords: crash, regression, Whiteboard: [js:inv:p1])
Crash Data
This bug was filed from the Socorro interface and is report bp-30a9b4be-1456-42f7-9a5d-808032120802 . ============================================================= Seen while looking at trunk crash stats. Signature started showing up on trunk using the 2012072203 build but is present on Aurora as well. https://crash-stats.mozilla.com/report/list?signature=moz_abort%20|%20arena_run_split Possible regression range based on crash stats: http://hg.mozilla.org/mozilla-central/pushloghtml?fromchange=446b788ab99d&tochange=462106f027af Frame Module Signature Source 0 mozglue.dll moz_abort memory/build/extraMallocFuncs.c:114 1 mozglue.dll arena_run_split memory/mozjemalloc/jemalloc.c:3372 2 mozglue.dll arena_malloc_large memory/mozjemalloc/jemalloc.c:4161 3 mozglue.dll je_malloc memory/mozjemalloc/jemalloc.c:6289 4 mozjs.dll js::LifoAlloc::getOrCreateChunk js/src/ds/LifoAlloc.cpp:96 5 mozjs.dll js::types::TypeObject::sweep js/src/jsinfer.cpp:5517 6 mozjs.dll js::types::TypeCompartment::sweep js/src/jsinfer.cpp:5586 7 mozjs.dll JSCompartment::sweep js/src/jscompartment.cpp:558 8 mozjs.dll BeginSweepPhase js/src/jsgc.cpp:3528 9 mozjs.dll IncrementalCollectSlice js/src/jsgc.cpp:3950 10 mozjs.dll GCCycle js/src/jsgc.cpp:4118 11 mozjs.dll Collect js/src/jsgc.cpp:4226 12 mozjs.dll js::GC js/src/jsgc.cpp:4250 13 mozjs.dll js::GCForReason js/src/jsfriendapi.cpp:155 14 xul.dll nsJSContext::GarbageCollectNow dom/base/nsJSEnvironment.cpp:2972 15 xul.dll nsMemoryPressureObserver::Observe dom/base/nsJSEnvironment.cpp:215 16 xul.dll nsObserverList::NotifyObservers xpcom/ds/nsObserverList.cpp:99 17 xul.dll nsObserverService::NotifyObservers xpcom/ds/nsObserverService.cpp:149 18 xul.dll nsThread::ProcessNextEvent xpcom/threads/nsThread.cpp:576 19 xul.dll mozilla::ipc::MessagePump::Run ipc/glue/MessagePump.cpp:82 20 xul.dll MessageLoop::RunHandler ipc/chromium/src/base/message_loop.cc:201 21 xul.dll MessageLoop::Run ipc/chromium/src/base/message_loop.cc:175 22 xul.dll nsBaseAppShell::Run widget/xpwidgets/nsBaseAppShell.cpp:163 23 xul.dll nsAppShell::Run widget/windows/nsAppShell.cpp:232 24 xul.dll nsAppStartup::Run toolkit/components/startup/nsAppStartup.cpp:271 25 xul.dll XREMain::XRE_mainRun toolkit/xre/nsAppRunner.cpp:3798 26 xul.dll XREMain::XRE_main toolkit/xre/nsAppRunner.cpp:3875 27 xul.dll XRE_main toolkit/xre/nsAppRunner.cpp:3951 28 firefox.exe wmain toolkit/xre/nsWindowsWMain.cpp:100 29 firefox.exe __tmainCRTStartup crtexe.c:552 30 kernel32.dll BaseThreadInitThunk 31 ntdll.dll __RtlUserThreadStart 32 ntdll.dll _RtlUserThreadStart
Comment 1•12 years ago
|
||
Justin, do you know what this assertion is? It looks like the JS engine is doing an allocation and hitting some assertion in jemalloc. If you could interpret what the assertion was that might be useful.
Comment 2•12 years ago
|
||
If it's aborting here on Windows http://hg.mozilla.org/releases/mozilla-aurora/annotate/e670dfc55dc8/memory/mozjemalloc/jemalloc.c#l3374 Then that's presumably due to static inline void pages_commit(void *addr, size_t size) { # ifdef MOZ_MEMORY_WINDOWS if (!VirtualAlloc(addr, size, MEM_COMMIT, PAGE_READWRITE)) abort(); which is an OOM condition. (Specifically, we've run out of commit space, called "available page file" in the crash reports. This may or may not correlate with out of physical memory.) Many of the crash reports have low available page file, as expected, although I see some [1] with as much as 600mb of available page file. I dunno what to make of that. Maybe the reporting is wrong on occasion. [1] https://crash-stats.mozilla.com/report/index/0c0b3e3f-199e-4d03-ae5b-d59dc2120802
Reporter | ||
Comment 3•12 years ago
|
||
Some URLs: 6 http://www.facebook.com/ 4 https://www.facebook.com/ 2 https://twitter.com/ 2 about:blank 1 http://tieba.baidu.com/p/1735773515 1 http://vk.com/al_profile.php?__query=xfilm&_tstat=386%2C460%2C361%2C397%2Cgroups 1 http://www.facebook.com/ajax/pagelet/generic.php/PhotoViewerInitPagelet?ajaxpipe 1 https://www.facebook.com/ajax/pagelet/generic.php/PhotoViewerPagelet?ajaxpipe=1& 1 http://www.youtube.com/watch?v=dylqdZ0CewM&feature=results_video&playnext=1&list 1 http://www.wrenchcp.co/servers/minecraft/2678/ 1 http://www.polovniautomobili.com/ 1 http://www.mamba.ru/top/rating.phtml?rating_id=50002& 1 http://www.facebook.com/ajax/pagelet/generic.php/PhotoViewerPagelet?ajaxpipe=1&a 1 http://ddtankwind.us/Play.aspx#vn 1 http://g.live.com/1rewlive4-web/en/wlsetup-web.exe??WLI=1 1 https://www.facebook.com/login.php?login_attempt=1 1 https://www.facebook.com/photo.php?fbid=312530892175851&set=at.312520522176888.6 1 http://bigbooster.com/other/extractor.html
Comment 4•12 years ago
|
||
This signature is a concatenation of unrelated crashes. See bug 778404 (skip list bugs are let open very long).
Crash Signature: [@ moz_abort | arena_run_split] → [@ moz_abort | arena_run_split]
[@ moz_abort | arena_run_split | arena_malloc_large | je_malloc | js::LifoAlloc::getOrCreateChunk]
Depends on: 778404
Summary: crash in moz_abort | arena_run_split → crash in js::LifoAlloc::getOrCreateChunk
Version: 17 Branch → 16 Branch
Updated•12 years ago
|
Whiteboard: [js:inv:p1]
Updated•11 years ago
|
Crash Signature: [@ moz_abort | arena_run_split]
[@ moz_abort | arena_run_split | arena_malloc_large | je_malloc | js::LifoAlloc::getOrCreateChunk] → [@ moz_abort | arena_run_split]
[@ moz_abort | arena_run_split | arena_malloc_large | je_malloc | js::LifoAlloc::getOrCreateChunk ]
Updated•11 years ago
|
Crash Signature: [@ moz_abort | arena_run_split]
[@ moz_abort | arena_run_split | arena_malloc_large | je_malloc | js::LifoAlloc::getOrCreateChunk ] → [@ moz_abort | arena_run_split]
[@ moz_abort | arena_run_split | arena_malloc_large | je_malloc | js::LifoAlloc::getOrCreateChunk ]
[@ moz_abort | arena_run_split | arena_malloc_large | je_malloc | js::LifoAlloc::getOrCreateChunk(unsigned int)]
Comment 5•10 years ago
|
||
https://crash-stats.mozilla.com/report/index/565665e7-a9cd-40d6-a640-fcda52140219 [@ moz_abort | arena_run_split | arena_run_alloc | arena_malloc | je_malloc | js::LifoAlloc::getOrCreateChunk(unsigned int)] Is this same crash? If the failure reason is unknown since the OOM possibility is low, how about appending the argument information and/or something to the crash report's note before calling abort() in pages_commit()?
Comment 6•10 years ago
|
||
Some URLs: http://www.saz.hr/ http://www.imperialrab.com/ http://www.charter-providenca.com/ http://www.artdental.it/
Assignee | ||
Updated•10 years ago
|
Assignee: general → nobody
Comment 7•6 years ago
|
||
Closing because no crash reported since 12 weeks.
Status: NEW → RESOLVED
Closed: 6 years ago
Resolution: --- → WONTFIX
Comment 8•6 years ago
|
||
Closing because no crash reported since 12 weeks.
You need to log in
before you can comment on or make changes to this bug.
Description
•