Crash in [@ js::gc::Chunk::allocateArena(JS::Zone*, js::gc::AllocKind) ]

RESOLVED INCOMPLETE

Status

()

Core
JavaScript Engine
--
critical
RESOLVED INCOMPLETE
5 years ago
a year ago

People

(Reporter: Robert, Unassigned)

Tracking

({crash, steps-wanted})

24 Branch
x86_64
All
crash, steps-wanted
Points:
---

Firefox Tracking Flags

(Not tracked)

Details

(crash signature)

(Reporter)

Description

5 years ago
https://crash-stats.mozilla.com/report/index/5d07c446-1f6a-497d-ad0e-775d52130729

Crashing Thread
Frame 	Module 	Signature 	Source
0 	libxul.so 	js::gc::Chunk::allocateArena(JS::Zone*, js::gc::AllocKind) 	js/src/jsgc.cpp
1 	libxul.so 	void* js::gc::ArenaLists::refillFreeList<(js::AllowGC)0>(js::ThreadSafeContext*, js::gc::AllocKind) 	js/src/jsgc.cpp
2 	libxul.so 	js::NewObjectWithClassProtoCommon(JSContext*, js::Class*, JSObject*, JSObject*, js::gc::AllocKind, js::NewObjectKind) 	js/src/jsgcinlines.h
3 	libxul.so 	js::StringObject::create(JSContext*, JS::Handle<JSString*>, js::NewObjectKind) 	js/src/jsobjinlines.h
4 	libxul.so 	js::ToObjectSlow(JSContext*, JS::Handle<JS::Value>, bool) 	js/src/jsobj.cpp
5 	libxul.so 	Interpret 	js/src/jsobj.h
6 	libxul.so 	js::RunScript(JSContext*, js::RunState&) 	js/src/vm/Interpreter.cpp
7 	libxul.so 	js::Invoke(JSContext*, JS::CallArgs, js::MaybeConstruct) 	js/src/vm/Interpreter.cpp
8 	libxul.so 	Interpret 	js/src/vm/Interpreter.cpp
9 	libxul.so 	js::RunScript(JSContext*, js::RunState&) 	js/src/vm/Interpreter.cpp
10 	libxul.so 	js::Invoke(JSContext*, JS::CallArgs, js::MaybeConstruct) 	js/src/vm/Interpreter.cpp
11 	libxul.so 	js::CallOrConstructBoundFunction(JSContext*, unsigned int, JS::Value*) 	js/src/jsfun.cpp
12 	libxul.so 	js::Invoke(JSContext*, JS::CallArgs, js::MaybeConstruct) 	js/src/jscntxtinlines.h
13 	libxul.so 	Interpret 	js/src/vm/Interpreter.cpp
14 	libxul.so 	js::RunScript(JSContext*, js::RunState&) 	js/src/vm/Interpreter.cpp
15 	libxul.so 	js::Invoke(JSContext*, JS::CallArgs, js::MaybeConstruct) 	js/src/vm/Interpreter.cpp
16 	libxul.so 	js::CallOrConstructBoundFunction(JSContext*, unsigned int, JS::Value*) 	js/src/jsfun.cpp
17 	libxul.so 	js::Invoke(JSContext*, JS::CallArgs, js::MaybeConstruct) 	js/src/jscntxtinlines.h
18 	libxul.so 	Interpret 	js/src/vm/Interpreter.cpp
19 	libxul.so 	js::RunScript(JSContext*, js::RunState&) 	js/src/vm/Interpreter.cpp
20 	libxul.so 	js::Invoke(JSContext*, JS::CallArgs, js::MaybeConstruct) 	js/src/vm/Interpreter.cpp
21 	libxul.so 	js::Invoke(JSContext*, JS::Value const&, JS::Value const&, unsigned int, JS::Value*, JS::Value*) 	js/src/vm/Interpreter.cpp
22 	libxul.so 	JS_CallFunctionValue(JSContext*, JSObject*, JS::Value, unsigned int, JS::Value*, JS::Value*) 	js/src/jsapi.cpp
23 	libxul.so 	nsXPCWrappedJSClass::CallMethod(nsXPCWrappedJS*, unsigned short, XPTMethodDescriptor const*, nsXPTCMiniVariant*) 	js/xpconnect/src/XPCWrappedJSClass.cpp
24 	libxul.so 	nsXPCWrappedJS::CallMethod(unsigned short, XPTMethodDescriptor const*, nsXPTCMiniVariant*) 	js/xpconnect/src/XPCWrappedJS.cpp
25 	libxul.so 	PrepareAndDispatch 	xpcom/reflect/xptcall/src/md/unix/xptcstubs_x86_64_linux.cpp
26 	libxul.so 	libxul.so@0x171d583 	
27 	libxul.so 	nsEventListenerManager::HandleEventSubType(nsListenerStruct*, mozilla::dom::CallbackObjectHolder<mozilla::dom::EventListener, nsIDOMEventListener> const&, nsIDOMEvent*, mozilla::dom::EventTarget*, nsCxPusher*) 	content/events/src/nsEventListenerManager.cpp
28 	libxul.so 	nsEventListenerManager::HandleEventInternal(nsPresContext*, nsEvent*, nsIDOMEvent**, mozilla::dom::EventTarget*, nsEventStatus*, nsCxPusher*) 	content/events/src/nsEventListenerManager.cpp
29 	libxul.so 	nsEventTargetChainItem::HandleEventTargetChain(nsEventChainPostVisitor&, nsDispatchingCallback*, bool, nsCxPusher*) 	content/events/src/nsEventListenerManager.h
30 	libxul.so 	nsEventDispatcher::Dispatch(nsISupports*, nsPresContext*, nsEvent*, nsIDOMEvent*, nsEventStatus*, nsDispatchingCallback*, nsCOMArray<mozilla::dom::EventTarget>*) 	content/events/src/nsEventDispatcher.cpp
31 	libxul.so 	nsEventDispatcher::DispatchDOMEvent(nsISupports*, nsEvent*, nsIDOMEvent*, nsPresContext*, nsEventStatus*) 	content/events/src/nsEventDispatcher.cpp
32 	libxul.so 	nsXMLHttpRequest::DispatchProgressEvent(nsDOMEventTargetHelper*, nsAString_internal const&, bool, unsigned long, unsigned long) 	content/base/src/nsXMLHttpRequest.cpp
33 	libxul.so 	nsXMLHttpRequest::ChangeStateToDone() 	content/base/src/nsXMLHttpRequest.cpp
34 	libxul.so 	nsXMLHttpRequest::OnStopRequest(nsIRequest*, nsISupports*, tag_nsresult) 	content/base/src/nsXMLHttpRequest.cpp
35 	libxul.so 	nsBaseChannel::OnStopRequest(nsIRequest*, nsISupports*, tag_nsresult) 	netwerk/base/src/nsBaseChannel.cpp
36 	libxul.so 	nsInputStreamPump::OnStateStop() 	netwerk/base/src/nsInputStreamPump.cpp
37 	libxul.so 	nsInputStreamPump::OnInputStreamReady(nsIAsyncInputStream*) 	netwerk/base/src/nsInputStreamPump.cpp
38 	libxul.so 	nsInputStreamReadyEvent::Run() 	xpcom/io/nsStreamUtils.cpp
39 	libxul.so 	nsThread::ProcessNextEvent(bool, bool*) 	xpcom/threads/nsThread.cpp
40 	libxul.so 	NS_ProcessNextEvent(nsIThread*, bool) 	obj-firefox/xpcom/build/nsThreadUtils.cpp
41 	libxul.so 	mozilla::ipc::MessagePump::Run(base::MessagePump::Delegate*) 	ipc/glue/MessagePump.cpp
42 	libxul.so 	MessageLoop::Run() 	ipc/chromium/src/base/message_loop.cc
43 	libxul.so 	nsBaseAppShell::Run() 	widget/xpwidgets/nsBaseAppShell.cpp
44 	libxul.so 	nsAppStartup::Run() 	toolkit/components/startup/nsAppStartup.cpp
45 	libxul.so 	XREMain::XRE_mainRun() 	toolkit/xre/nsAppRunner.cpp
46 	libxul.so 	XREMain::XRE_main(int, char**, nsXREAppData const*) 	toolkit/xre/nsAppRunner.cpp
47 	libxul.so 	XRE_main 	toolkit/xre/nsAppRunner.cpp
48 	firefox 	do_main 	browser/app/nsBrowserApp.cpp
49 	firefox 	main 	browser/app/nsBrowserApp.cpp
50 	libc-2.16.so 	libc-2.16.so@0x21a05 	
51 	firefox 	firefox@0x3c80 	

(Reporter)

Updated

5 years ago
Keywords: crash, crashreportid
(Reporter)

Updated

5 years ago
Keywords: crashreportid

Comment 1

5 years ago
Does it happen in Safe Mode (see https://support.mozilla.org/kb/troubleshoot-firefox-issues-using-safe-mode)?
Does it happen in Nightly (http://nightly.mozilla.org/)?
Flags: needinfo?(robert.messer1)
Hardware: All → x86_64
Version: Trunk → 24 Branch

Updated

5 years ago
Crash Signature: [@ js::gc::Chunk::allocateArena(JS::Zone*, js::gc::AllocKind) ] → [@ js::gc::Chunk::allocateArena(JS::Zone*, js::gc::AllocKind)]
I've experienced this in two consecutive Aurora versions (26 and 27), within days of each other:

bp-9792810c-50c6-4428-ab0b-520612131028
bp-e4a95faf-3891-4532-8af9-6a3f72131103

I'm not really sure what's triggering it, or whether it's reliably reproducible.
Status: UNCONFIRMED → NEW
Ever confirmed: true
Flags: needinfo?(robert.messer1)
(Assignee)

Updated

4 years ago
Assignee: general → nobody

Updated

2 years ago
Crash Signature: [@ js::gc::Chunk::allocateArena(JS::Zone*, js::gc::AllocKind)] → [@ js::gc::Chunk::allocateArena(JS::Zone*, js::gc::AllocKind)] [@ js::gc::Chunk::allocateArena]
There is an interesting recent uptick for version 50, but otherwise most crashes are from old versions (https://crash-stats.mozilla.com/signature/?signature=js%3A%3Agc%3A%3AChunk%3A%3AallocateArena), and their stacks do not match comment 0.

Robert had other crashes - bug 898603, and other duped to bug 787879 - but he's gone, so I'm closing bug 898603 and this one. Steps to reproduce are needed.
Status: NEW → RESOLVED
Last Resolved: a year ago
Keywords: steps-wanted
Resolution: --- → INCOMPLETE