Closed
Bug 923299
Opened 12 years ago
Closed 4 years ago
Crashes in js::WeakMapBase::markCompartmentIteratively while in GCCycle
Categories
(Core :: JavaScript Engine, defect)
Core
JavaScript Engine
Tracking
()
People
(Reporter: smichaud, Assigned: terrence)
References
(Blocks 1 open bug)
Details
(Keywords: crash, steps-wanted)
Crash Data
Judging by the signature that's most frequent, these seem to have started with the firefox-2013-09-13-03-02-01-mozilla-central nightlies. This implies the following regression range:
http://hg.mozilla.org/mozilla-central/pushloghtml?fromchange=a4e9c9c9dbf9&tochange=b9029b1de410
|
Reporter | |
Comment 1•12 years ago
|
||
The frequency of these crashes on Windows is quite low. But on OS X and Linux they're (platform) topcrashers.
tracking-firefox26:
--- → ?
tracking-firefox27:
--- → ?
|
|
Reporter | |
Updated•12 years ago
|
Crash Signature: , unsigned __int64> > >::markIteratively(JSTracer*) ] → , unsigned __int64> > >::markIteratively(JSTracer*) ]
[@ js::gc::MarkObject(JSTracer*, js::EncapsulatedPtr<JSObject, unsigned long>*, char const*) ]
Summary: Crashes @ js::WeakMap<js::EncapsulatedPtr<JSObject, [integer type]>, js::RelocatablePtr<JSObject>, js::DefaultHasher<js::EncapsulatedPtr<JSObject, [integer type]> > >::markIteratively(JSTracer*) → Crashes marking objects while in GCCycle
|
|
Reporter | |
Comment 2•12 years ago
|
||
0 XUL js::WeakMap<js::EncapsulatedPtr<JSObject, unsigned long>, js::RelocatablePtr<JSObject>, js::DefaultHasher<js::EncapsulatedPtr<JSObject, unsigned long> > >::markIteratively(JSTracer*) js/src/vm/ObjectImpl.h
1 XUL js::WeakMapBase::markCompartmentIteratively(JSCompartment*, JSTracer*) js/src/jsweakmap.cpp
2 XUL MarkWeakReferences<js::CompartmentsIterT<js::gc::GCZoneGroupIter> > js/src/jsgc.cpp
3 XUL EndMarkingZoneGroup js/src/jsgc.cpp
4 XUL IncrementalCollectSlice js/src/jsgc.cpp
5 XUL GCCycle js/src/jsgc.cpp
6 XUL Collect js/src/jsgc.cpp
7 XUL nsJSContext::GarbageCollectNow(JS::gcreason::Reason, nsJSContext::IsIncremental, nsJSContext::IsCompartment, nsJSContext::IsShrinking, long long) dom/base/nsJSEnvironment.cpp
8 XUL nsTimerImpl::Fire() /builds/slave/m-cen-osx64-000000000000000000/build/obj-firefox/x86_64/xpcom/threads/../../../../xpcom/threads/nsTimerImpl.cpp
9 XUL nsTimerEvent::Run() /builds/slave/m-cen-osx64-000000000000000000/build/obj-firefox/x86_64/xpcom/threads/../../../../xpcom/threads/nsTimerImpl.cpp
10 XUL nsThread::ProcessNextEvent(bool, bool*) /builds/slave/b2g-in-osx64-00000000000000000/build/obj-firefox/x86_64/xpcom/threads/../../../../xpcom/threads/nsThread.cpp
11 XUL NS_ProcessNextEvent(nsIThread*, bool) /builds/slave/m-cen-osx64-000000000000000000/build/obj-firefox/x86_64/xpcom/build/nsThreadUtils.cpp
12 XUL mozilla::jsinspector::nsJSInspector::EnterNestedEventLoop(JS::Value const&, unsigned int*) /builds/slave/b2g-in-osx64-00000000000000000/build/obj-firefox/x86_64/toolkit/devtools/server/../../../../../toolkit/devtools/server/nsJSInspector.cpp
13 XUL NS_InvokeByIndex /builds/slave/b2g-in-osx64-00000000000000000/build/obj-firefox/x86_64/xpcom/reflect/xptcall/src/md/unix/../../../../../../../../xpcom/reflect/xptcall/src/md/unix/xptcinvoke_x86_64_unix.cpp
14 XUL XPCWrappedNative::CallMethod(XPCCallContext&, XPCWrappedNative::CallMode) js/xpconnect/src/XPCWrappedNative.cpp
15 XUL XPC_WN_CallMethod(JSContext*, unsigned int, JS::Value*) js/xpconnect/src/XPCWrappedNativeJSOps.cpp
16 XUL js::Invoke(JSContext*, JS::CallArgs, js::MaybeConstruct) js/src/jscntxtinlines.h
17 XUL Interpret js/src/vm/Interpreter.cpp
18 XUL js::RunScript(JSContext*, js::RunState&) js/src/vm/Interpreter.cpp
19 XUL js::Invoke(JSContext*, JS::CallArgs, js::MaybeConstruct) js/src/vm/Interpreter.cpp
20 XUL js::CallOrConstructBoundFunction(JSContext*, unsigned int, JS::Value*) js/src/jsfun.cpp
21 XUL js::Invoke(JSContext*, JS::CallArgs, js::MaybeConstruct) js/src/jscntxtinlines.h
22 XUL Interpret js/src/vm/Interpreter.cpp
23 XUL js::RunScript(JSContext*, js::RunState&) js/src/vm/Interpreter.cpp
24 XUL js::Invoke(JSContext*, JS::CallArgs, js::MaybeConstruct) js/src/vm/Interpreter.cpp
25 XUL js::CallOrConstructBoundFunction(JSContext*, unsigned int, JS::Value*) js/src/jsfun.cpp
26 XUL js::Invoke(JSContext*, JS::CallArgs, js::MaybeConstruct) js/src/jscntxtinlines.h
27 XUL js::Invoke(JSContext*, JS::Value const&, JS::Value const&, unsigned int, JS::Value*, JS::MutableHandle<JS::Value>) js/src/vm/Interpreter.cpp
28 XUL js::jit::DoCallFallback js/src/jit/BaselineIC.cpp
29 @0x1007f7e9a
|
|
Reporter | |
Updated•12 years ago
|
Summary: Crashes marking objects while in GCCycle → Crashes marking objects in WeakMaps while in GCCycle
|
|
Reporter | |
Comment 3•12 years ago
|
||
0 XUL js::gc::MarkObject(JSTracer*, js::EncapsulatedPtr<JSObject, unsigned long>*, char const*) /builds/slave/m-in-osx64-0000000000000000000/build/obj-firefox/x86_64/js/src/../../../../js/src/gc/Heap.h
1 XUL js::WeakMap<js::EncapsulatedPtr<JSObject, unsigned long>, js::RelocatablePtr<JSObject>, js::DefaultHasher<js::EncapsulatedPtr<JSObject, unsigned long> > >::markIteratively(JSTracer*) /builds/slave/m-in-osx64-0000000000000000000/build/obj-firefox/x86_64/js/src/../../../../js/src/gc/Marking.h
2 XUL js::WeakMapBase::markCompartmentIteratively(JSCompartment*, JSTracer*) /builds/slave/m-in-osx64-0000000000000000000/build/obj-firefox/x86_64/js/src/../../../../js/src/jsweakmap.cpp
3 XUL MarkWeakReferences<js::CompartmentsIterT<js::gc::GCZoneGroupIter> > /builds/slave/m-in-osx64-0000000000000000000/build/obj-firefox/x86_64/js/src/../../../../js/src/jsgc.cpp
4 XUL EndMarkingZoneGroup /builds/slave/m-in-osx64-0000000000000000000/build/obj-firefox/x86_64/js/src/../../../../js/src/jsgc.cpp
5 XUL IncrementalCollectSlice /builds/slave/m-in-osx64-0000000000000000000/build/obj-firefox/x86_64/js/src/../../../../js/src/jsgc.cpp
6 XUL GCCycle /builds/slave/m-in-osx64-0000000000000000000/build/obj-firefox/x86_64/js/src/../../../../js/src/jsgc.cpp
7 XUL Collect /builds/slave/m-in-osx64-0000000000000000000/build/obj-firefox/x86_64/js/src/../../../../js/src/jsgc.cpp
8 XUL js_InvokeOperationCallback(JSContext*) /builds/slave/m-in-osx64-0000000000000000000/build/obj-firefox/x86_64/js/src/../../../../js/src/jscntxt.cpp
9 XUL js_HandleExecutionInterrupt(JSContext*) /builds/slave/m-in-osx64-0000000000000000000/build/obj-firefox/x86_64/js/src/../../../../js/src/jscntxt.cpp
10 XUL Interpret /builds/slave/m-in-osx64-0000000000000000000/build/obj-firefox/x86_64/js/src/../../../../js/src/vm/Interpreter.cpp
11 XUL js::RunScript(JSContext*, js::RunState&) /builds/slave/m-in-osx64-0000000000000000000/build/obj-firefox/x86_64/js/src/../../../../js/src/vm/Interpreter.cpp
12 XUL js::Invoke(JSContext*, JS::CallArgs, js::MaybeConstruct) /builds/slave/m-in-osx64-0000000000000000000/build/obj-firefox/x86_64/js/src/../../../../js/src/vm/Interpreter.cpp
13 XUL js::Invoke(JSContext*, JS::Value const&, JS::Value const&, unsigned int, JS::Value*, JS::MutableHandle<JS::Value>) /builds/slave/m-in-osx64-0000000000000000000/build/obj-firefox/x86_64/js/src/../../../../js/src/vm/Interpreter.cpp
14 XUL js::DirectProxyHandler::call(JSContext*, JS::Handle<JSObject*>, JS::CallArgs const&) /builds/slave/m-in-osx64-0000000000000000000/build/obj-firefox/x86_64/js/src/../../../../js/src/jsproxy.cpp
15 XUL js::CrossCompartmentWrapper::call(JSContext*, JS::Handle<JSObject*>, JS::CallArgs const&) /builds/slave/m-in-osx64-0000000000000000000/build/obj-firefox/x86_64/js/src/../../../../js/src/jswrapper.cpp
16 XUL js::Proxy::call(JSContext*, JS::Handle<JSObject*>, JS::CallArgs const&) /builds/slave/m-in-osx64-0000000000000000000/build/obj-firefox/x86_64/js/src/../../../../js/src/jsproxy.cpp
17 XUL proxy_Call /builds/slave/m-in-osx64-0000000000000000000/build/obj-firefox/x86_64/js/src/../../../../js/src/jsproxy.cpp
18 XUL js::Invoke(JSContext*, JS::CallArgs, js::MaybeConstruct) /builds/slave/m-in-osx64-0000000000000000000/build/obj-firefox/x86_64/js/src/../../../../js/src/jscntxtinlines.h
19 XUL Interpret /builds/slave/m-in-osx64-0000000000000000000/build/obj-firefox/x86_64/js/src/../../../../js/src/vm/Interpreter.cpp
20 XUL js::RunScript(JSContext*, js::RunState&) /builds/slave/m-in-osx64-0000000000000000000/build/obj-firefox/x86_64/js/src/../../../../js/src/vm/Interpreter.cpp
21 XUL js::Invoke(JSContext*, JS::CallArgs, js::MaybeConstruct) /builds/slave/m-in-osx64-0000000000000000000/build/obj-firefox/x86_64/js/src/../../../../js/src/vm/Interpreter.cpp
22 XUL js::CallOrConstructBoundFunction(JSContext*, unsigned int, JS::Value*) /builds/slave/m-in-osx64-0000000000000000000/build/obj-firefox/x86_64/js/src/../../../../js/src/jsfun.cpp
23 XUL js::Invoke(JSContext*, JS::CallArgs, js::MaybeConstruct) /builds/slave/m-in-osx64-0000000000000000000/build/obj-firefox/x86_64/js/src/../../../../js/src/jscntxtinlines.h
24 XUL js::Invoke(JSContext*, JS::Value const&, JS::Value const&, unsigned int, JS::Value*, JS::MutableHandle<JS::Value>) /builds/slave/m-in-osx64-0000000000000000000/build/obj-firefox/x86_64/js/src/../../../../js/src/vm/Interpreter.cpp
25 XUL js::DirectProxyHandler::call(JSContext*, JS::Handle<JSObject*>, JS::CallArgs const&) /builds/slave/m-in-osx64-0000000000000000000/build/obj-firefox/x86_64/js/src/../../../../js/src/jsproxy.cpp
26 XUL js::CrossCompartmentWrapper::call(JSContext*, JS::Handle<JSObject*>, JS::CallArgs const&) /builds/slave/m-in-osx64-0000000000000000000/build/obj-firefox/x86_64/js/src/../../../../js/src/jswrapper.cpp
27 XUL js::Proxy::call(JSContext*, JS::Handle<JSObject*>, JS::CallArgs const&) /builds/slave/m-in-osx64-0000000000000000000/build/obj-firefox/x86_64/js/src/../../../../js/src/jsproxy.cpp
28 XUL proxy_Call /builds/slave/m-in-osx64-0000000000000000000/build/obj-firefox/x86_64/js/src/../../../../js/src/jsproxy.cpp
29 XUL js::Invoke(JSContext*, JS::CallArgs, js::MaybeConstruct) /builds/slave/m-in-osx64-0000000000000000000/build/obj-firefox/x86_64/js/src/../../../../js/src/jscntxtinlines.h
30 XUL Interpret /builds/slave/m-in-osx64-0000000000000000000/build/obj-firefox/x86_64/js/src/../../../../js/src/vm/Interpreter.cpp
31 XUL js::RunScript(JSContext*, js::RunState&) /builds/slave/m-in-osx64-0000000000000000000/build/obj-firefox/x86_64/js/src/../../../../js/src/vm/Interpreter.cpp
32 XUL js::Invoke(JSContext*, JS::CallArgs, js::MaybeConstruct) /builds/slave/m-in-osx64-0000000000000000000/build/obj-firefox/x86_64/js/src/../../../../js/src/vm/Interpreter.cpp
33 XUL js::Invoke(JSContext*, JS::Value const&, JS::Value const&, unsigned int, JS::Value*, JS::MutableHandle<JS::Value>) /builds/slave/m-in-osx64-0000000000000000000/build/obj-firefox/x86_64/js/src/../../../../js/src/vm/Interpreter.cpp
34 XUL js::DirectProxyHandler::call(JSContext*, JS::Handle<JSObject*>, JS::CallArgs const&) /builds/slave/m-in-osx64-0000000000000000000/build/obj-firefox/x86_64/js/src/../../../../js/src/jsproxy.cpp
35 XUL js::CrossCompartmentWrapper::call(JSContext*, JS::Handle<JSObject*>, JS::CallArgs const&) /builds/slave/m-in-osx64-0000000000000000000/build/obj-firefox/x86_64/js/src/../../../../js/src/jswrapper.cpp
36 XUL js::Proxy::call(JSContext*, JS::Handle<JSObject*>, JS::CallArgs const&) /builds/slave/m-in-osx64-0000000000000000000/build/obj-firefox/x86_64/js/src/../../../../js/src/jsproxy.cpp
37 XUL proxy_Call /builds/slave/m-in-osx64-0000000000000000000/build/obj-firefox/x86_64/js/src/../../../../js/src/jsproxy.cpp
38 XUL js::Invoke(JSContext*, JS::CallArgs, js::MaybeConstruct) /builds/slave/m-in-osx64-0000000000000000000/build/obj-firefox/x86_64/js/src/../../../../js/src/jscntxtinlines.h
39 XUL Interpret /builds/slave/m-in-osx64-0000000000000000000/build/obj-firefox/x86_64/js/src/../../../../js/src/vm/Interpreter.cpp
40 XUL js::RunScript(JSContext*, js::RunState&) /builds/slave/m-in-osx64-0000000000000000000/build/obj-firefox/x86_64/js/src/../../../../js/src/vm/Interpreter.cpp
41 XUL js::Invoke(JSContext*, JS::CallArgs, js::MaybeConstruct) /builds/slave/m-in-osx64-0000000000000000000/build/obj-firefox/x86_64/js/src/../../../../js/src/vm/Interpreter.cpp
42 XUL js::Invoke(JSContext*, JS::Value const&, JS::Value const&, unsigned int, JS::Value*, JS::MutableHandle<JS::Value>) /builds/slave/m-in-osx64-0000000000000000000/build/obj-firefox/x86_64/js/src/../../../../js/src/vm/Interpreter.cpp
43 XUL js::DirectProxyHandler::call(JSContext*, JS::Handle<JSObject*>, JS::CallArgs const&) /builds/slave/m-in-osx64-0000000000000000000/build/obj-firefox/x86_64/js/src/../../../../js/src/jsproxy.cpp
44 XUL js::CrossCompartmentWrapper::call(JSContext*, JS::Handle<JSObject*>, JS::CallArgs const&) /builds/slave/m-in-osx64-0000000000000000000/build/obj-firefox/x86_64/js/src/../../../../js/src/jswrapper.cpp
45 XUL js::Proxy::call(JSContext*, JS::Handle<JSObject*>, JS::CallArgs const&) /builds/slave/m-in-osx64-0000000000000000000/build/obj-firefox/x86_64/js/src/../../../../js/src/jsproxy.cpp
46 XUL proxy_Call /builds/slave/m-in-osx64-0000000000000000000/build/obj-firefox/x86_64/js/src/../../../../js/src/jsproxy.cpp
47 XUL js::Invoke(JSContext*, JS::CallArgs, js::MaybeConstruct) /builds/slave/m-in-osx64-0000000000000000000/build/obj-firefox/x86_64/js/src/../../../../js/src/jscntxtinlines.h
48 XUL Interpret /builds/slave/m-in-osx64-0000000000000000000/build/obj-firefox/x86_64/js/src/../../../../js/src/vm/Interpreter.cpp
49 XUL js::RunScript(JSContext*, js::RunState&) /builds/slave/m-in-osx64-0000000000000000000/build/obj-firefox/x86_64/js/src/../../../../js/src/vm/Interpreter.cpp
50 XUL js::Invoke(JSContext*, JS::CallArgs, js::MaybeConstruct) /builds/slave/m-in-osx64-0000000000000000000/build/obj-firefox/x86_64/js/src/../../../../js/src/vm/Interpreter.cpp
51 XUL js::CallOrConstructBoundFunction(JSContext*, unsigned int, JS::Value*) /builds/slave/m-in-osx64-0000000000000000000/build/obj-firefox/x86_64/js/src/../../../../js/src/jsfun.cpp
52 XUL js::Invoke(JSContext*, JS::CallArgs, js::MaybeConstruct) /builds/slave/m-in-osx64-0000000000000000000/build/obj-firefox/x86_64/js/src/../../../../js/src/jscntxtinlines.h
53 XUL Interpret /builds/slave/m-in-osx64-0000000000000000000/build/obj-firefox/x86_64/js/src/../../../../js/src/vm/Interpreter.cpp
54 XUL js::RunScript(JSContext*, js::RunState&) /builds/slave/m-in-osx64-0000000000000000000/build/obj-firefox/x86_64/js/src/../../../../js/src/vm/Interpreter.cpp
55 XUL js::Invoke(JSContext*, JS::CallArgs, js::MaybeConstruct) /builds/slave/m-in-osx64-0000000000000000000/build/obj-firefox/x86_64/js/src/../../../../js/src/vm/Interpreter.cpp
56 XUL js::CallOrConstructBoundFunction(JSContext*, unsigned int, JS::Value*) /builds/slave/m-in-osx64-0000000000000000000/build/obj-firefox/x86_64/js/src/../../../../js/src/jsfun.cpp
57 XUL js::Invoke(JSContext*, JS::CallArgs, js::MaybeConstruct) /builds/slave/m-in-osx64-0000000000000000000/build/obj-firefox/x86_64/js/src/../../../../js/src/jscntxtinlines.h
58 XUL js::Invoke(JSContext*, JS::Value const&, JS::Value const&, unsigned int, JS::Value*, JS::MutableHandle<JS::Value>) /builds/slave/m-in-osx64-0000000000000000000/build/obj-firefox/x86_64/js/src/../../../../js/src/vm/Interpreter.cpp
59 XUL js::DirectProxyHandler::call(JSContext*, JS::Handle<JSObject*>, JS::CallArgs const&) /builds/slave/m-in-osx64-0000000000000000000/build/obj-firefox/x86_64/js/src/../../../../js/src/jsproxy.cpp
60 XUL js::CrossCompartmentWrapper::call(JSContext*, JS::Handle<JSObject*>, JS::CallArgs const&) /builds/slave/m-in-osx64-0000000000000000000/build/obj-firefox/x86_64/js/src/../../../../js/src/jswrapper.cpp
61 XUL js::Proxy::call(JSContext*, JS::Handle<JSObject*>, JS::CallArgs const&) /builds/slave/m-in-osx64-0000000000000000000/build/obj-firefox/x86_64/js/src/../../../../js/src/jsproxy.cpp
62 XUL proxy_Call /builds/slave/m-in-osx64-0000000000000000000/build/obj-firefox/x86_64/js/src/../../../../js/src/jsproxy.cpp
63 XUL js::Invoke(JSContext*, JS::CallArgs, js::MaybeConstruct) /builds/slave/m-in-osx64-0000000000000000000/build/obj-firefox/x86_64/js/src/../../../../js/src/jscntxtinlines.h
64 XUL Interpret /builds/slave/m-in-osx64-0000000000000000000/build/obj-firefox/x86_64/js/src/../../../../js/src/vm/Interpreter.cpp
65 XUL js::RunScript(JSContext*, js::RunState&) /builds/slave/m-in-osx64-0000000000000000000/build/obj-firefox/x86_64/js/src/../../../../js/src/vm/Interpreter.cpp
66 XUL js::Invoke(JSContext*, JS::CallArgs, js::MaybeConstruct) /builds/slave/m-in-osx64-0000000000000000000/build/obj-firefox/x86_64/js/src/../../../../js/src/vm/Interpreter.cpp
67 XUL js::Invoke(JSContext*, JS::Value const&, JS::Value const&, unsigned int, JS::Value*, JS::MutableHandle<JS::Value>) /builds/slave/m-in-osx64-0000000000000000000/build/obj-firefox/x86_64/js/src/../../../../js/src/vm/Interpreter.cpp
68 XUL js::DirectProxyHandler::call(JSContext*, JS::Handle<JSObject*>, JS::CallArgs const&) /builds/slave/m-in-osx64-0000000000000000000/build/obj-firefox/x86_64/js/src/../../../../js/src/jsproxy.cpp
69 XUL js::CrossCompartmentWrapper::call(JSContext*, JS::Handle<JSObject*>, JS::CallArgs const&) /builds/slave/m-in-osx64-0000000000000000000/build/obj-firefox/x86_64/js/src/../../../../js/src/jswrapper.cpp
70 XUL js::Proxy::call(JSContext*, JS::Handle<JSObject*>, JS::CallArgs const&) /builds/slave/m-in-osx64-0000000000000000000/build/obj-firefox/x86_64/js/src/../../../../js/src/jsproxy.cpp
71 XUL proxy_Call /builds/slave/m-in-osx64-0000000000000000000/build/obj-firefox/x86_64/js/src/../../../../js/src/jsproxy.cpp
72 XUL js::Invoke(JSContext*, JS::CallArgs, js::MaybeConstruct) /builds/slave/m-in-osx64-0000000000000000000/build/obj-firefox/x86_64/js/src/../../../../js/src/jscntxtinlines.h
73 XUL Interpret /builds/slave/m-in-osx64-0000000000000000000/build/obj-firefox/x86_64/js/src/../../../../js/src/vm/Interpreter.cpp
74 XUL js::RunScript(JSContext*, js::RunState&) /builds/slave/m-in-osx64-0000000000000000000/build/obj-firefox/x86_64/js/src/../../../../js/src/vm/Interpreter.cpp
75 XUL js::Invoke(JSContext*, JS::CallArgs, js::MaybeConstruct) /builds/slave/m-in-osx64-0000000000000000000/build/obj-firefox/x86_64/js/src/../../../../js/src/vm/Interpreter.cpp
76 XUL js::Invoke(JSContext*, JS::Value const&, JS::Value const&, unsigned int, JS::Value*, JS::MutableHandle<JS::Value>) /builds/slave/m-in-osx64-0000000000000000000/build/obj-firefox/x86_64/js/src/../../../../js/src/vm/Interpreter.cpp
77 XUL js::DirectProxyHandler::call(JSContext*, JS::Handle<JSObject*>, JS::CallArgs const&) /builds/slave/m-in-osx64-0000000000000000000/build/obj-firefox/x86_64/js/src/../../../../js/src/jsproxy.cpp
78 XUL js::CrossCompartmentWrapper::call(JSContext*, JS::Handle<JSObject*>, JS::CallArgs const&) /builds/slave/m-in-osx64-0000000000000000000/build/obj-firefox/x86_64/js/src/../../../../js/src/jswrapper.cpp
79 XUL js::Proxy::call(JSContext*, JS::Handle<JSObject*>, JS::CallArgs const&) /builds/slave/m-in-osx64-0000000000000000000/build/obj-firefox/x86_64/js/src/../../../../js/src/jsproxy.cpp
80 XUL proxy_Call /builds/slave/m-in-osx64-0000000000000000000/build/obj-firefox/x86_64/js/src/../../../../js/src/jsproxy.cpp
81 XUL js::Invoke(JSContext*, JS::CallArgs, js::MaybeConstruct) /builds/slave/m-in-osx64-0000000000000000000/build/obj-firefox/x86_64/js/src/../../../../js/src/jscntxtinlines.h
82 XUL Interpret /builds/slave/m-in-osx64-0000000000000000000/build/obj-firefox/x86_64/js/src/../../../../js/src/vm/Interpreter.cpp
83 XUL js::RunScript(JSContext*, js::RunState&) /builds/slave/m-in-osx64-0000000000000000000/build/obj-firefox/x86_64/js/src/../../../../js/src/vm/Interpreter.cpp
84 XUL js::Invoke(JSContext*, JS::CallArgs, js::MaybeConstruct) /builds/slave/m-in-osx64-0000000000000000000/build/obj-firefox/x86_64/js/src/../../../../js/src/vm/Interpreter.cpp
85 XUL js::CallOrConstructBoundFunction(JSContext*, unsigned int, JS::Value*) /builds/slave/m-in-osx64-0000000000000000000/build/obj-firefox/x86_64/js/src/../../../../js/src/jsfun.cpp
86 XUL js::Invoke(JSContext*, JS::CallArgs, js::MaybeConstruct) /builds/slave/m-in-osx64-0000000000000000000/build/obj-firefox/x86_64/js/src/../../../../js/src/jscntxtinlines.h
87 XUL js::Invoke(JSContext*, JS::Value const&, JS::Value const&, unsigned int, JS::Value*, JS::MutableHandle<JS::Value>) /builds/slave/m-in-osx64-0000000000000000000/build/obj-firefox/x86_64/js/src/../../../../js/src/vm/Interpreter.cpp
88 XUL js::DirectProxyHandler::call(JSContext*, JS::Handle<JSObject*>, JS::CallArgs const&) /builds/slave/m-in-osx64-0000000000000000000/build/obj-firefox/x86_64/js/src/../../../../js/src/jsproxy.cpp
89 XUL js::CrossCompartmentWrapper::call(JSContext*, JS::Handle<JSObject*>, JS::CallArgs const&) /builds/slave/m-in-osx64-0000000000000000000/build/obj-firefox/x86_64/js/src/../../../../js/src/jswrapper.cpp
90 XUL js::Proxy::call(JSContext*, JS::Handle<JSObject*>, JS::CallArgs const&) /builds/slave/m-in-osx64-0000000000000000000/build/obj-firefox/x86_64/js/src/../../../../js/src/jsproxy.cpp
91 XUL proxy_Call /builds/slave/m-in-osx64-0000000000000000000/build/obj-firefox/x86_64/js/src/../../../../js/src/jsproxy.cpp
92 XUL js::Invoke(JSContext*, JS::CallArgs, js::MaybeConstruct) /builds/slave/m-in-osx64-0000000000000000000/build/obj-firefox/x86_64/js/src/../../../../js/src/jscntxtinlines.h
93 XUL Interpret /builds/slave/m-in-osx64-0000000000000000000/build/obj-firefox/x86_64/js/src/../../../../js/src/vm/Interpreter.cpp
94 XUL js::RunScript(JSContext*, js::RunState&) /builds/slave/m-in-osx64-0000000000000000000/build/obj-firefox/x86_64/js/src/../../../../js/src/vm/Interpreter.cpp
95 XUL js::Invoke(JSContext*, JS::CallArgs, js::MaybeConstruct) /builds/slave/m-in-osx64-0000000000000000000/build/obj-firefox/x86_64/js/src/../../../../js/src/vm/Interpreter.cpp
96 XUL js::Invoke(JSContext*, JS::Value const&, JS::Value const&, unsigned int, JS::Value*, JS::MutableHandle<JS::Value>) /builds/slave/m-in-osx64-0000000000000000000/build/obj-firefox/x86_64/js/src/../../../../js/src/vm/Interpreter.cpp
97 XUL js::DirectProxyHandler::call(JSContext*, JS::Handle<JSObject*>, JS::CallArgs const&) /builds/slave/m-in-osx64-0000000000000000000/build/obj-firefox/x86_64/js/src/../../../../js/src/jsproxy.cpp
98 XUL js::CrossCompartmentWrapper::call(JSContext*, JS::Handle<JSObject*>, JS::CallArgs const&) /builds/slave/m-in-osx64-0000000000000000000/build/obj-firefox/x86_64/js/src/../../../../js/src/jswrapper.cpp
99 XUL js::Proxy::call(JSContext*, JS::Handle<JSObject*>, JS::CallArgs const&) /builds/slave/m-in-osx64-0000000000000000000/build/obj-firefox/x86_64/js/src/../../../../js/src/jsproxy.cpp
100 XUL proxy_Call /builds/slave/m-in-osx64-0000000000000000000/build/obj-firefox/x86_64/js/src/../../../../js/src/jsproxy.cpp
130 CoreFoundation CoreFoundation@0x12b31
131 CoreFoundation CoreFoundation@0x12455
132 CoreFoundation CoreFoundation@0x357f5
133 firefox mozilla::SetAllocatedString(char const*&, char const*) /builds/slave/m-in-osx64-0000000000000000000/build/obj-firefox/x86_64/xpcom/glue/standalone/../../../../../xpcom/glue/AppData.cpp
134 CoreFoundation CoreFoundation@0x350e2
135 HIToolbox HIToolbox@0x5feb4
136 HIToolbox HIToolbox@0x5fb94
137 HIToolbox HIToolbox@0x5fae3
138 AppKit AppKit@0x155533
139 CoreFoundation CoreFoundation@0x35279
|
|
Reporter | |
Updated•12 years ago
|
Summary: Crashes marking objects in WeakMaps while in GCCycle → Crashes in js::WeakMapBase::markCompartmentIteratively while in GCCycle
|
||
Updated•12 years ago
|
|
||
Comment 4•12 years ago
|
||
1 http://e-services.touchngo.com.my/e-Statement/statementdetails.cfm?mfgno=1160176045&CFID=4971581&CFTOKEN=66823937
1 https://www.facebook.com/
1 http://globoesporte.globo.com/futebol/times/corinthians/
1 http://www.thevisionworld.com/
1 http://kickass.to/search/sas%209.2/
1 http://en.wikipedia.org/wiki/Pipeline_(Unix)
1 http://www.stuart-suits.com.au/index.php?option=com_content&view=article&id=17
1 https://mhtest1.blackboard.com/webapps/portal/frameset.jsp?tab_tab_group_id=_2_1&url=%2Fwebapps%2Fblackboard%2Fexecute%2Flauncher%3Ftype%3DCourse%26id%3D_461_1%26url%3D
1 http://www.webhost.uk.net/about.html
Keywords: needURLs
|
||
Comment 5•12 years ago
|
||
Passing this onto Naveed to help find an assignee here. The regression range is given in the description which seems to have a few JS related changes, but nothing stand out to me.
Flags: needinfo?(nihsanullah)
|
||
Updated•12 years ago
|
Assignee: nobody → terrence
Flags: needinfo?(nihsanullah)
|
Assignee | |
Comment 6•12 years ago
|
||
Do we have any STR here?
|
|
Reporter | |
Comment 7•12 years ago
|
||
> Do we have any STR here?
Nope. But we do have some URLs from comment #4.
|
|
Reporter | |
Comment 8•12 years ago
|
||
(Following up comment #0)
One thing I forgot to mention:
These crashes also appear on the 26 branch almost as soon as the appear on the 27 branch. For example bp-7a497500-247e-43e1-9ac7-2e77d2130919.
This suggests the trigger is a patch that was uplifted to the 26 branch shortly after it landed on the 27 branch.
|
|
Assignee | |
Comment 9•12 years ago
|
||
The urls above do not trigger a crash for me. I guess that's not really surprising as it's a top-crasher, not a catastrophe.
(In reply to Steven Michaud from comment #8)
> (Following up comment #0)
>
> One thing I forgot to mention:
>
> These crashes also appear on the 26 branch almost as soon as the appear on
> the 27 branch. For example bp-7a497500-247e-43e1-9ac7-2e77d2130919.
>
> This suggests the trigger is a patch that was uplifted to the 26 branch
> shortly after it landed on the 27 branch.
Do we have an automated way to find that set?
|
|
Reporter | |
Comment 10•12 years ago
|
||
> Do we have an automated way to find that set?
No.
|
|
Reporter | |
Comment 11•12 years ago
|
||
> These crashes also appear on the 26 branch almost as soon as the appear on
> the 27 branch. For example bp-7a497500-247e-43e1-9ac7-2e77d2130919.
>
> This suggests the trigger is a patch that was uplifted to the 26 branch
> shortly after it landed on the 27 branch.
I now think I was wrong about this. It's more likely that the trigger landed on mozilla-central sometime before 2013-09-13 (when it was still the 26 branch), then started happening on both the 26 and 27 branches when the 26 branch became the aurora branch on or about 2013-09-17.
|
|
Reporter | |
Comment 12•12 years ago
|
||
Here are some examples of crashes in 20130913030201 builds (on Mac and Linux):
bp-e11dc862-ba96-4dc8-9942-c58cb2130924
bp-40029074-4917-4138-9ef5-e0cee2130916
bp-d896d139-8dab-4d2b-8969-8ce802130914
bp-88e76ca0-d2c6-4ccb-9178-3b1772130913
bp-7e5fcbd7-84b3-483f-ba3b-2127a2130913
|
|
Assignee | |
Comment 13•12 years ago
|
||
Okay, so what can we infer without reproducing this?
1) The weak map we are looking at has type WeakMap<JSObject*, JSObject*>. There is one map with this type exact type: DebugScopes::proxiedScopes. There are also two DebuggerWeakMap<JSObject*, JSObject*>: Debugger::sources and Debugger::objects; these will get treated non-virtually as WeakMap, so would show up with the same signature here. This would seem to either implicate Debugger or something more fundamental with objects.
2) The crash is an NPE in ObjectImpl::getClass, which has been inlined into WeakMap::markIncremental. It's hard to tell where or why getClass might be getting called here in a --disable-debug build: it's obviously quite a ways under the hood, probably deep in marking code. The actual crashing line is |[this->]type_->clasp|, so either the object itself is NULL, or the type_ is NULL.
3) The crash takes place from numerous different stacks many of which /do not have JS on stack/ before we enter the GC. This probably indicates that either (1) the brokenness is not related to an intermediate incorrect state, but rather a modification that left the map or one of its objects in a broken state at some point in the past or (2) incorrect handling of the maps/objects by the GC itself.
With all that in mind, taking a look at the regression range again, there is one patch that touches ObjectImpl::type_ and makes it NULL where it was not NULL before:
http://hg.mozilla.org/mozilla-central/rev/9527d405ceea
Bug 871862 - Handle OOM properly in JSObject::makeLazyType. r=bhackett
Christian, when you switched makeLazyType from infallible to fallible, did you audit the callers to ensure that they all set an exception or otherwise cope correctly with the OOM?
Flags: needinfo?(choller)
|
||
Comment 14•12 years ago
|
||
(In reply to Terrence Cole [:terrence] from comment #13)
>
> http://hg.mozilla.org/mozilla-central/rev/9527d405ceea
> Bug 871862 - Handle OOM properly in JSObject::makeLazyType. r=bhackett
>
> Christian, when you switched makeLazyType from infallible to fallible, did
> you audit the callers to ensure that they all set an exception or otherwise
> cope correctly with the OOM?
Nope. At that time, I've asked jandem how to fix this, and he suggested just returning NULL instead of 0x1. At least the callers that I have seen did check for NULL but I cannot tell of course if they also did the right thing in that case. If this is a still a problem now, then someone more familiar with that code should take a look.
Flags: needinfo?(choller)
|
|
Assignee | |
Comment 15•12 years ago
|
||
Thanks for the background. I'll take a closer look Monday and try to figure out if the new NULL can feasibly flow into this crash.
|
|
Assignee | |
Comment 16•12 years ago
|
||
Okay, so makeLazyType() is called by getType() when hasLazyType(), whereas type() asserts !hasLazyType(). I expect that somewhere is assuming a previous getType() will have populated type_ with a valid TypeObject. There is a huge amount of code that makes use of getType(). The several sites I inspected manually appear to be handled correctly now that NULL is returned; however, even the simple sites have enough going on that I'd be wary of trusting manual inspection, even if that were practical.
I think this is as far as we are going to be able to get with this unless we can get some STR.
|
|
Assignee | |
Comment 17•12 years ago
|
||
Brian, I was not able to see any spots where the failed lazy type creation could actually flow into type_, but I'm not really familiar with any of this code. Do you know of any particularly tricky paths where this error might not be handled perfectly at the moment?
Flags: needinfo?(bhackett1024)
|
||
Comment 18•12 years ago
|
||
I don't think bug 871862 is at fault here, for a couple reasons.
- Bug 871862 doesn't directly change any assignments to |type_| and returning NULL instead of an object's existing |type_| shouldn't cause that NULL value to flow to any other object's |type_| field. This is because makeLazyType() is returning the type object for a singleton object in this case, and giving the type of a singleton object to another object would break all sorts of TI invariants.
- The path modified by bug 871862 is only triggered on OOM, and it doesn't seem plausible that an OOM path in an obscure corner of the JS engine would lead to a topcrash.
I think it's more likely that the JSObject* being marked is not a valid object pointer, either because it never was or because it has already been collected by the GC.
Flags: needinfo?(bhackett1024)
|
|
Assignee | |
Comment 19•12 years ago
|
||
There is nothing more we can do here without STR.
Assignee: terrence → nobody
|
|
||
Comment 20•12 years ago
|
||
I just hit this in the JS Debugger (on closing it). I'm also receiving reports that the Debugger is causing some crashes that appear to be around GC.
https://crash-stats.mozilla.com/report/index/2d32f269-8815-44be-afb3-5aff72131029
|
|
Reporter | |
Comment 21•12 years ago
|
||
I looked again for correlations or any interesting comments, and couldn't find any.
But I did notice the following pattern among the Mac crashes (though not the Windows ones):
If the crash is in (say) js::gc::MarkObject(JSTracer*, js::EncapsulatedPtr<JSObject, unsigned long>*, char const*) (on the main thread), there will be another call to the same method, on another thread, from AsmJSMachExceptionHandlerThread(void*).
I don't know if this is meaningful, but I thought I should mention it.
|
|
||
Comment 22•12 years ago
|
||
And again from the debugger, this time trying to prettify a file in the JS debugger. This team, the crash ended in WeakMap via markWeakReferences.
https://crash-stats.mozilla.com/report/index/dcfe9cda-5461-45ae-864d-a8df02131031
I'm getting vague reports from the field that we're seeing some crashes in the JS Debugger. I wonder if this is the culprit?
|
|
Assignee | |
Comment 23•12 years ago
|
||
(In reply to Steven Michaud from comment #21)
> I looked again for correlations or any interesting comments, and couldn't
> find any.
>
> But I did notice the following pattern among the Mac crashes (though not the
> Windows ones):
>
> If the crash is in (say) js::gc::MarkObject(JSTracer*,
> js::EncapsulatedPtr<JSObject, unsigned long>*, char const*) (on the main
> thread), there will be another call to the same method, on another thread,
> from AsmJSMachExceptionHandlerThread(void*).
>
> I don't know if this is meaningful, but I thought I should mention it.
Luke, is this relevant?
Flags: needinfo?(luke)
|
|
||
Comment 24•12 years ago
|
||
(In reply to Terrence Cole [:terrence] from comment #23)
Well, if there is a fault, the AsmJSMachExceptionHandler (which is only on Mac) will get notified and, since it's not asm/Ion safe fault, it'll let the exception bubble up (ultimately reaching breakpad). So it should be unrelated.
Flags: needinfo?(luke)
|
|
Assignee | |
Comment 25•12 years ago
|
||
(In reply to Brian Hackett (:bhackett) from comment #18)
> I don't think bug 871862 is at fault here, for a couple reasons.
In light of bug 932530, I think this may actually be the issue.
> - Bug 871862 doesn't directly change any assignments to |type_| and
> returning NULL instead of an object's existing |type_| shouldn't cause that
> NULL value to flow to any other object's |type_| field. This is because
> makeLazyType() is returning the type object for a singleton object in this
> case, and giving the type of a singleton object to another object would
> break all sorts of TI invariants.
Unless we forgot to check the return of getType before baking the pointer into code.
> - The path modified by bug 871862 is only triggered on OOM, and it doesn't
> seem plausible that an OOM path in an obscure corner of the JS engine would
> lead to a topcrash.
It might, however, if there were four obscure corners.
I'll land the second patch in bug 932530 today and we can see how the crash volume changes.
|
|
||
Comment 26•12 years ago
|
||
Assigning to Terrence based on comment 25 - please report back on the results post-landing of bug 932530
Assignee: nobody → terrence
status-firefox26:
--- → affected
status-firefox27:
--- → affected
status-firefox28:
--- → affected
|
|
Reporter | |
Updated•12 years ago
|
Crash Signature: , unsigned __int64> > >::markIteratively(JSTracer*) ]
[@ js::gc::MarkObject(JSTracer*, js::EncapsulatedPtr<JSObject, unsigned long>*, char const*) ] → , unsigned __int64> > >::markIteratively(JSTracer*) ]
[@ js::gc::MarkObject(JSTracer*, js::EncapsulatedPtr<JSObject, unsigned long>*, char const*) ]
[@ js::gc::MarkObject(JSTracer*, js::BarrieredPtr<JSObject, unsigned long>*, char const*) ]
|
|
Assignee | |
Comment 27•12 years ago
|
||
I have no idea how to check on crash volumes. Steven, could you check if they changed post bug 932530 landing?
status-firefox26:
affected → ---
status-firefox27:
affected → ---
status-firefox28:
affected → ---
Flags: needinfo?(smichaud)
|
|
Reporter | |
Comment 28•12 years ago
|
||
A quick look at the numbers for the two most common crash signatures on the 28a1 branch shows they haven't diminished at all since the patch for bug 932530 landed on the trunk :-(
js::WeakMap<js::EncapsulatedPtr<JSObject, unsigned long>, js::RelocatablePtr<JSObject>, js::DefaultHasher<js::EncapsulatedPtr<JSObject, unsigned long> > >::markIteratively(JSTracer*)
js::WeakMap<js::EncapsulatedPtr<JSObject, unsigned __int64>, js::RelocatablePtr<JSObject>, js::DefaultHasher<js::EncapsulatedPtr<JSObject, unsigned __int64> > >::markIteratively(JSTracer*)
https://crash-stats.mozilla.com/query/?product=Firefox&version=Firefox%3A28.0a1&range_value=1&range_unit=weeks&date=11%2F09%2F2013+21%3A00%3A00&query_search=signature&query_type=contains&query=EncapsulatedPtr&reason=&release_channels=&build_id=&process_type=any&hang_type=any
Flags: needinfo?(smichaud)
|
|
Reporter | |
Updated•12 years ago
|
|
|
||
Comment 29•12 years ago
|
||
We're past the time for speculative fixes on beta, so this is going to be a wontfix there but still tracking for potential forward fix if low-risk enough to take to FF27
|
||
Comment 30•12 years ago
|
||
Another related crash report: https://crash-stats.mozilla.com/report/index/4737ceb5-1663-4ba3-b6ab-da6d22131215
|
|
||
Comment 31•12 years ago
|
||
Every since firefox 26 has come out, I've experienced crashes about every other day on OSX. I am a dev, and use the devtools regularly but I've not found a correlation with them. I've found more intense sites (like google docs) are more likely to trigger it than lightweight sites. But I assume that is just because more allocation and gc takes place on them.
I am happy to link to my crashes if that would help. They all match the signature in this ticket.
|
|
Reporter | |
Comment 32•12 years ago
|
||
(In reply to comment #31)
It'd be very helpful if you could provide repeatable steps-to-reproduce for these crashes. Without them we're probably stuck.
|
|
||
Updated•12 years ago
|
|
|
||
Comment 33•12 years ago
|
||
xwraithanx - if you can provide anything to help reproduce that would help greatly here, otherwise we're likely going to wontfix this again on FF28.
Flags: needinfo?(xwraithanx)
|
|
||
Comment 34•12 years ago
|
||
Since upgrading to FF27, I've stopped seeing the crashes. I never had a good reproducible case, just that it would crash sometimes when I opened google docs or other pretty heavy weight sites.
Flags: needinfo?(xwraithanx)
|
|
Reporter | |
Comment 35•12 years ago
|
||
I don't see any of these (over the last 4 weeks) on the 29 or 30 branches. Not quite sure what that means, though.
I see a few on the 26, 27 and 28 branches, but they are well out of the top 10 (over the last 4 weeks) on the Mac and Linux, and aren't even in the top 100 on Windows.
I suggest we just wonfix this on the 28 branch, and wait to see what happens on the 29 and 30 branches.
|
|
||
Comment 36•12 years ago
|
||
Wontfixing on 28 and we'll see what happens when 29/30 get more users if this comes back.
|
||
Comment 37•12 years ago
|
||
Though this is no longer a top crasher, there are still a few crashes for 29, 30, and 31, all on MacOS X
So I'm not sure if we should count it as fixed or whether there is something in particular missing for MacOS 10.9.
For the s::gc::MarkObject(JSTracer* signatures, 7 crash reports in the last 14 days,
https://crash-stats.mozilla.com/query/?product=Firefox&version=Firefox%3A31.0a1&version=Firefox%3A30.0a2&version=Firefox%3A29.0b&range_value=2&range_unit=weeks&date=04%2F12%2F2014+13%3A00%3A00&query_search=signature&query_type=contains&query=js%3A%3Agc%3A%3AMarkObject%28JSTracer*%2C&reason=&release_channels=&build_id=&process_type=any&hang_type=any
Here is the most recent crash, from 4/11/2014, using the 20140407135746 build,
https://crash-stats.mozilla.com/report/index/e454e554-be6a-4818-8888-6d8e12140411
stack:
0 XUL js::gc::MarkObject(JSTracer*, js::BarrieredPtr<JSFunction, unsigned long>*, char const*) js/src/gc/Heap.h
1 XUL js::LazyScript::markChildren(JSTracer*) js/src/jsscript.cpp
2 XUL void js::gc::MarkUnbarriered<js::LazyScript>(JSTracer*, js::LazyScript**, char const*) js/src/gc/Marking.cpp
3 XUL JSFunction::trace(JSTracer*) js/src/jsfun.cpp
4 XUL js::GCMarker::processMarkStackTop(js::SliceBudget&) js/src/gc/Marking.cpp
5 XUL js::GCMarker::drainMarkStack(js::SliceBudget&) js/src/gc/Marking.cpp
6 XUL IncrementalCollectSlice js/src/jsgc.cpp
7 XUL GCCycle js/src/jsgc.cpp
8 XUL Collect js/src/jsgc.cpp
9 XUL nsJSContext::GarbageCollectNow(JS::gcreason::Reason, nsJSContext::IsIncremental, nsJSContext::IsCompartment, nsJSContext::IsShrinking, long long) dom/base/nsJSEnvironment.cpp
10 XUL nsTimerImpl::Fire() xpcom/threads/nsTimerImpl.cpp
11 XUL nsTimerEvent::Run() xpcom/threads/nsTimerImpl.cpp
12 XUL nsThread::ProcessNextEvent(bool, bool*) xpcom/threads/nsThread.cpp
13 XUL NS_ProcessPendingEvents(nsIThread*, unsigned int) xpcom/glue/nsThreadUtils.cpp
14 XUL nsBaseAppShell::NativeEventCallback() widget/xpwidgets/nsBaseAppShell.cpp
15 XUL nsAppShell::ProcessGeckoEvents(void*) widget/cocoa/nsAppShell.mm
16 CoreFoundation CoreFoundation@0x7f731
17 CoreFoundation CoreFoundation@0x70ea2
18 CoreFoundation CoreFoundation@0x7062f
Flags: needinfo?(anthony.s.hughes)
|
||
Comment 38•12 years ago
|
||
There's nothing about weak maps in there, so I think that's some other problem, maybe just the generic GC crashes we've always had.
|
|
||
Comment 39•12 years ago
|
||
I'm inclined to agree with Andrew's expertise here. The volume I'm seeing here is largely insignificant, even for Mac and Linux.
Flags: needinfo?(anthony.s.hughes)
|
|
Assignee | |
Updated•11 years ago
|
Blocks: GC.stability
tracking-firefox28:
+ → ---
|
||
Updated•10 years ago
|
Crash Signature: , unsigned __int64> > >::markIteratively(JSTracer*) ]
[@ js::gc::MarkObject(JSTracer*, js::EncapsulatedPtr<JSObject, unsigned long>*, char const*) ]
[@ js::gc::MarkObject(JSTracer*, js::BarrieredPtr<JSObject, unsigned long>*, char const*) ] → , unsigned __int64> > >::markIteratively(JSTracer*) ]
[@ js::gc::MarkObject(JSTracer*, js::EncapsulatedPtr<JSObject, unsigned long>*, char const*) ]
[@ js::gc::MarkObject(JSTracer*, js::BarrieredPtr<JSObject, unsigned long>*, char const*) ]
[@ js::Weak…
|
||
Comment 40•10 years ago
|
||
js::gc::MarkObject - last crash is version 39 - appears to have been quite common there.
shutdownhang | js::WeakMap<T>::markIteratively has almost none - only a couple one per month.
bp-b46e399c-538a-4522-aa42-c59ba2160131 eg version 42
js::WeakMap<T>::keyNeedsMark is the most common of the last 4 signatures. But still, only 20 crashes in a one month period for "current" release and beta versions
bp-321df7e6-98bd-4b82-8c77-ecad32160120
bp-15578275-18bf-4052-9c5a-636882160125
bp-682666a4-2256-4bd5-8f46-a4f572160129
Severity: normal → critical
Keywords: crash
|
||
Comment 41•4 years ago
|
||
Closing because no crashes reported for 12 weeks.
Status: NEW → RESOLVED
Closed: 4 years ago
Resolution: --- → WORKSFORME
You need to log in
before you can comment on or make changes to this bug.
Description
•