Closed Bug 779958 Opened 12 years ago Closed 6 years ago

crash in js::LifoAlloc::getOrCreateChunk

Categories

(Core :: JavaScript Engine, defect)

16 Branch
x86
Windows NT
defect
Not set
critical

Tracking


RESOLVED WONTFIX

People

(Reporter: marcia, Unassigned)

References

Details

(Keywords: crash, regression, Whiteboard: [js:inv:p1])

Crash Data

This bug was filed from the Socorro interface and is report bp-30a9b4be-1456-42f7-9a5d-808032120802.
============================================================= 

Seen while looking at trunk crash stats. Signature started showing up on trunk using the 2012072203 build but is present on Aurora as well. https://crash-stats.mozilla.com/report/list?signature=moz_abort%20|%20arena_run_split

Possible regression range based on crash stats: http://hg.mozilla.org/mozilla-central/pushloghtml?fromchange=446b788ab99d&tochange=462106f027af

Frame 	Module 	Signature 	Source
0 	mozglue.dll 	moz_abort 	memory/build/extraMallocFuncs.c:114
1 	mozglue.dll 	arena_run_split 	memory/mozjemalloc/jemalloc.c:3372
2 	mozglue.dll 	arena_malloc_large 	memory/mozjemalloc/jemalloc.c:4161
3 	mozglue.dll 	je_malloc 	memory/mozjemalloc/jemalloc.c:6289
4 	mozjs.dll 	js::LifoAlloc::getOrCreateChunk 	js/src/ds/LifoAlloc.cpp:96
5 	mozjs.dll 	js::types::TypeObject::sweep 	js/src/jsinfer.cpp:5517
6 	mozjs.dll 	js::types::TypeCompartment::sweep 	js/src/jsinfer.cpp:5586
7 	mozjs.dll 	JSCompartment::sweep 	js/src/jscompartment.cpp:558
8 	mozjs.dll 	BeginSweepPhase 	js/src/jsgc.cpp:3528
9 	mozjs.dll 	IncrementalCollectSlice 	js/src/jsgc.cpp:3950
10 	mozjs.dll 	GCCycle 	js/src/jsgc.cpp:4118
11 	mozjs.dll 	Collect 	js/src/jsgc.cpp:4226
12 	mozjs.dll 	js::GC 	js/src/jsgc.cpp:4250
13 	mozjs.dll 	js::GCForReason 	js/src/jsfriendapi.cpp:155
14 	xul.dll 	nsJSContext::GarbageCollectNow 	dom/base/nsJSEnvironment.cpp:2972
15 	xul.dll 	nsMemoryPressureObserver::Observe 	dom/base/nsJSEnvironment.cpp:215
16 	xul.dll 	nsObserverList::NotifyObservers 	xpcom/ds/nsObserverList.cpp:99
17 	xul.dll 	nsObserverService::NotifyObservers 	xpcom/ds/nsObserverService.cpp:149
18 	xul.dll 	nsThread::ProcessNextEvent 	xpcom/threads/nsThread.cpp:576
19 	xul.dll 	mozilla::ipc::MessagePump::Run 	ipc/glue/MessagePump.cpp:82
20 	xul.dll 	MessageLoop::RunHandler 	ipc/chromium/src/base/message_loop.cc:201
21 	xul.dll 	MessageLoop::Run 	ipc/chromium/src/base/message_loop.cc:175
22 	xul.dll 	nsBaseAppShell::Run 	widget/xpwidgets/nsBaseAppShell.cpp:163
23 	xul.dll 	nsAppShell::Run 	widget/windows/nsAppShell.cpp:232
24 	xul.dll 	nsAppStartup::Run 	toolkit/components/startup/nsAppStartup.cpp:271
25 	xul.dll 	XREMain::XRE_mainRun 	toolkit/xre/nsAppRunner.cpp:3798
26 	xul.dll 	XREMain::XRE_main 	toolkit/xre/nsAppRunner.cpp:3875
27 	xul.dll 	XRE_main 	toolkit/xre/nsAppRunner.cpp:3951
28 	firefox.exe 	wmain 	toolkit/xre/nsWindowsWMain.cpp:100
29 	firefox.exe 	__tmainCRTStartup 	crtexe.c:552
30 	kernel32.dll 	BaseThreadInitThunk 	
31 	ntdll.dll 	__RtlUserThreadStart 	
32 	ntdll.dll 	_RtlUserThreadStart
Justin, do you know what this assertion is?  It looks like the JS engine is doing an allocation and hitting some assertion in jemalloc.  If you could interpret what the assertion was that might be useful.
If it's aborting here on Windows

http://hg.mozilla.org/releases/mozilla-aurora/annotate/e670dfc55dc8/memory/mozjemalloc/jemalloc.c#l3374

Then that's presumably due to 

  static inline void
  pages_commit(void *addr, size_t size)
  {
  #  ifdef MOZ_MEMORY_WINDOWS
  	if (!VirtualAlloc(addr, size, MEM_COMMIT, PAGE_READWRITE))
  		abort();

which is an OOM condition.  (Specifically, we've run out of commit space, called "available page file" in the crash reports.  This may or may not correlate with out of physical memory.)

Many of the crash reports have low available page file, as expected, although I see some [1] with as much as 600mb of available page file.  I dunno what to make of that.  Maybe the reporting is wrong on occasion.

[1] https://crash-stats.mozilla.com/report/index/0c0b3e3f-199e-4d03-ae5b-d59dc2120802
This signature is a concatenation of unrelated crashes. See bug 778404 (skip list bugs are left open very long).
Crash Signature: [@ moz_abort | arena_run_split] → [@ moz_abort | arena_run_split] [@ moz_abort | arena_run_split | arena_malloc_large | je_malloc | js::LifoAlloc::getOrCreateChunk]
Depends on: 778404
Summary: crash in moz_abort | arena_run_split → crash in js::LifoAlloc::getOrCreateChunk
Version: 17 Branch → 16 Branch
Whiteboard: [js:inv:p1]
Crash Signature: [@ moz_abort | arena_run_split] [@ moz_abort | arena_run_split | arena_malloc_large | je_malloc | js::LifoAlloc::getOrCreateChunk] → [@ moz_abort | arena_run_split] [@ moz_abort | arena_run_split | arena_malloc_large | je_malloc | js::LifoAlloc::getOrCreateChunk ]
Crash Signature: [@ moz_abort | arena_run_split] [@ moz_abort | arena_run_split | arena_malloc_large | je_malloc | js::LifoAlloc::getOrCreateChunk ] → [@ moz_abort | arena_run_split] [@ moz_abort | arena_run_split | arena_malloc_large | je_malloc | js::LifoAlloc::getOrCreateChunk ] [@ moz_abort | arena_run_split | arena_malloc_large | je_malloc | js::LifoAlloc::getOrCreateChunk(unsigned int)]
https://crash-stats.mozilla.com/report/index/565665e7-a9cd-40d6-a640-fcda52140219
[@ moz_abort | arena_run_split | arena_run_alloc | arena_malloc | je_malloc | js::LifoAlloc::getOrCreateChunk(unsigned int)]

Is this the same crash? If the failure reason is unknown since the OOM possibility is low, how about appending the argument information and/or something to the crash report's note before calling abort() in pages_commit()?
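The two comments above describe the same mechanism from opposite ends: pages_commit() calls abort() when VirtualAlloc(MEM_COMMIT) fails, so the crash report only shows a moz_abort frame, and the last comment asks for the failing arguments to be recorded before aborting. The following is an added example, not jemalloc's or Mozilla's code, that shows what that looks like: a reserve/commit pair in the style of the quoted function, where a commit failure writes the address, size and OS error into a hypothetical crash_note buffer and returns an error instead of aborting. The Windows branch uses VirtualAlloc/VirtualFree as in the quote; the POSIX branch is an assumption that models MEM_RESERVE as a PROT_NONE mapping and MEM_COMMIT as mprotect(), so the example also runs on Linux.

```c
/* Added example (not jemalloc's code): commit pages the way the quoted
   pages_commit() does, but record what failed instead of aborting blind. */
#define _DEFAULT_SOURCE
#include <errno.h>
#include <stdio.h>
#include <stdlib.h>
#include <string.h>
#ifdef _WIN32
#include <windows.h>
#else
#include <sys/mman.h>
#include <unistd.h>
#endif

/* Hypothetical annotation buffer. A real build would hand this string to the
   crash reporter as a note before abort(), so the report carries the address
   and size that failed to commit rather than only a moz_abort frame. */
static char crash_note[256];

const char *commit_failure_note(void) { return crash_note; }

size_t page_size(void)
{
#ifdef _WIN32
    SYSTEM_INFO si;
    GetSystemInfo(&si);
    return si.dwPageSize;
#else
    return (size_t)sysconf(_SC_PAGESIZE);
#endif
}

/* Reserve address space without backing store (MEM_RESERVE on Windows;
   assumed POSIX analogue: an anonymous PROT_NONE mapping). */
void *pages_reserve(size_t size)
{
#ifdef _WIN32
    return VirtualAlloc(NULL, size, MEM_RESERVE, PAGE_NOACCESS);
#else
    void *p = mmap(NULL, size, PROT_NONE, MAP_PRIVATE | MAP_ANONYMOUS, -1, 0);
    return p == MAP_FAILED ? NULL : p;
#endif
}

/* Commit [addr, addr+size). Returns 0 on success. On failure, writes the
   arguments and the OS error into crash_note and returns -1 so the caller
   can treat it as an allocation failure (the quoted code calls abort() here). */
int pages_commit_checked(void *addr, size_t size)
{
    long err;
#ifdef _WIN32
    if (VirtualAlloc(addr, size, MEM_COMMIT, PAGE_READWRITE) != NULL)
        return 0;
    err = (long)GetLastError();
#else
    if (mprotect(addr, size, PROT_READ | PROT_WRITE) == 0)
        return 0;
    err = (long)errno;
#endif
    snprintf(crash_note, sizeof crash_note,
             "pages_commit failed: addr=%p size=%zu os_error=%ld", addr, size, err);
    return -1;
}

void pages_release(void *addr, size_t size)
{
#ifdef _WIN32
    (void)size;
    VirtualFree(addr, 0, MEM_RELEASE);
#else
    munmap(addr, size);
#endif
}

/* Normal path: reserve four pages, commit the first, touch it, release. */
int commit_one_page(void)
{
    size_t ps = page_size();
    unsigned char *base = pages_reserve(4 * ps);
    if (base == NULL)
        return -1;
    int rc = pages_commit_checked(base, ps);
    if (rc == 0)
        base[0] = 0x5a;          /* would fault if the page were not committed */
    pages_release(base, 4 * ps);
    return rc;
}

/* Failure path: commit an address that is no longer reserved. The OS refuses
   and the note records the failing arguments; the process does not abort. */
int commit_unreserved_page(void)
{
    size_t ps = page_size();
    void *base = pages_reserve(ps);
    if (base == NULL)
        return -1;
    pages_release(base, ps);     /* now unmapped: the commit must fail */
    return pages_commit_checked(base, ps);
}

int main(void)
{
    printf("commit_one_page: %d\n", commit_one_page());
    printf("commit_unreserved_page: %d\n", commit_unreserved_page());
    printf("note: %s\n", commit_failure_note());
    return 0;
}
```

The failure case here is a deliberately unmapped address rather than genuine commit-space exhaustion, which cannot be provoked reliably in a short program; the point is that the same note would be filled in on an out-of-commit failure, giving a report with the requested size and error code instead of only "low available page file" to guess from.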
Assignee: general → nobody
Closing because no crash reported since 12 weeks.
Status: NEW → RESOLVED
Closed: 6 years ago
Resolution: --- → WONTFIX