Closed
Bug 991755
Opened 11 years ago
Closed 11 years ago
crash in js::Nursery::moveToTenured(js::gc::MinorCollectionTracer*, JSObject*)
Categories
(Core :: JavaScript: GC, defect)
Tracking
()
VERIFIED
FIXED
mozilla31
| Tracking | Status | |
|---|---|---|
| firefox31 | --- | verified |
People
(Reporter: lizzard, Assigned: jandem)
References
Details
(Keywords: crash, Whiteboard: [GGC])
Crash Data
This bug was filed from the Socorro interface and is
report bp-2e74b652-4fb8-4fe2-8a5b-b26672140402.
=============================================================
#11 topcrasher for Firefox 31.0a1 with 165 out of 5697 crashes.
Probably related to several other crash signatures that first appeared on 2014-03-29; this one on the 2014032903 build.
|
Reporter | |
Updated•11 years ago
|
Flags: needinfo?(terrence)
This is currently at #11 @ 1.43% in Firefox Nightly 31.0a1.
Stack:
0 mozjs.dll js::Nursery::moveToTenured(js::gc::MinorCollectionTracer *,JSObject *) js/src/gc/Nursery.cpp
1 mozjs.dll js::Nursery::MinorGCCallback(JSTracer *,void * *,JSGCTraceKind) js/src/gc/Nursery.cpp
2 mozjs.dll MarkInternal<js::ArrayBufferViewObject> js/src/gc/Marking.cpp
3 mozjs.dll js::gc::MarkObjectSlots(JSTracer *,JSObject *,unsigned int,unsigned int) js/src/gc/Marking.cpp
4 mozjs.dll js::gc::MarkValueRootRange(JSTracer *,unsigned __int64,JS::Value *,char const *) js/src/gc/Marking.cpp
5 mozjs.dll js::gc::StoreBuffer::SlotsEdge::mark(JSTracer *) js/src/gc/StoreBuffer.cpp
6 mozjs.dll js::gc::StoreBuffer::MonoTypeBuffer<js::gc::StoreBuffer::SlotsEdge>::mark(js::gc::StoreBuffer *,JSTracer *) js/src/gc/StoreBuffer.cpp
7 mozjs.dll js::Nursery::collect(JSRuntime *,JS::gcreason::Reason,js::Vector<js::types::TypeObject *,0,js::SystemAllocPolicy> *) js/src/gc/Nursery.cpp
8 mozjs.dll mozjs.dll@0xcbbc0
9 xul.dll mozilla::EventStateManager::GetEventTarget() dom/events/EventStateManager.cpp
10 xul.dll NS_CycleCollectorSuspect3 xpcom/base/nsCycleCollector.cpp
11 mozglue.dll arena_dalloc_small memory/mozjemalloc/jemalloc.c
12 mozglue.dll arena_dalloc memory/mozjemalloc/jemalloc.c
13 nss3.dll MD_CURRENT_THREAD nsprpub/pr/src/md/windows/w95thred.c
14 xul.dll nsTArray_base<nsTArrayInfallibleAllocator,nsTArray_CopyWithMemutils>::ShrinkCapacity(unsigned int,unsigned __int64) xpcom/glue/nsTArray-inl.h
15 mozjs.dll js::CurrentThreadCanAccessRuntime(JSRuntime *) js/src/vm/Runtime.cpp
16 mozjs.dll Collect js/src/jsgc.cpp
17 xul.dll nsContentUtils::RemoveScriptBlocker() content/base/src/nsContentUtils.cpp
18 mozjs.dll JS::NotifyDidPaint(JSRuntime *) js/src/jsfriendapi.cpp
19 xul.dll nsXPConnect::NotifyDidPaint() js/xpconnect/src/nsXPConnect.cpp
20 xul.dll nsViewManager::PaintWindow(nsIWidget *,nsIntRegion) view/src/nsViewManager.cpp
21 xul.dll PresShell::DidPaintWindow() layout/base/nsPresShell.cpp
22 xul.dll nsViewManager::DidPaintWindow() view/src/nsViewManager.cpp
23 xul.dll mozilla::TimeStamp::Now(bool) xpcom/ds/TimeStamp_windows.cpp
24 xul.dll nsView::DidPaintWindow() view/src/nsView.cpp
25 xul.dll nsWindow::OnPaint(HDC__ *,unsigned int) widget/windows/nsWindowGfx.cpp
26 KERNELBASE.dll GetVersionExA
27 xul.dll nsPresContext::IsDOMPaintEventPending() layout/base/nsPresContext.cpp
28 xul.dll nsTArray_Impl<nsInvalidateRequestList::Request,nsTArrayInfallibleAllocator>::MoveElementsFrom<nsInvalidateRequestList::Request,nsTArrayInfallibleAllocator>(nsTArray_Impl<nsInvalidateRequestList::Request,nsTArrayInfallibleAllocator> &) obj-firefox/dist/include/nsTArray.h
29 xul.dll NotifyDidPaintSubdocumentCallback layout/base/nsPresContext.cpp
30 ntdll.dll NtCallbackReturn
31 xul.dll nsWindow::ExternalHandlerProcessMessage(unsigned int,unsigned __int64 &,__int64 &,mozilla::widget::MSGResult &) widget/windows/nsWindow.cpp
32 ntdll.dll NtCallbackReturn
33 gkmedias.dll cairo_win32_get_system_text_quality gfx/cairo/cairo/src/cairo-win32-font.c
34 xul.dll nsWindow::ProcessMessage(unsigned int,unsigned __int64 &,__int64 &,__int64 *) widget/windows/nsWindow.cpp
35 user32.dll ValidateHwnd
36 user32.dll ClientToScreen
37 user32.dll ValidateHwnd
38 xul.dll nsWindow::WidgetToScreenOffset() widget/windows/nsWindow.cpp
39 user32.dll GetPropW
40 xul.dll nsRect::ScaleToOutsidePixels(float,float,int) gfx/src/nsRect.h
41 user32.dll GetParent
42 xul.dll nsWindow::GetParentWindowBase(bool) widget/windows/nsWindow.cpp
43 xul.dll nsBaseWidget::GetWindowClipRegion(nsTArray<nsIntRect> *) widget/xpwidgets/nsBaseWidget.cpp
44 xul.dll nsViewManager::InvalidateWidgetArea(nsView *,nsRegion const &) view/src/nsViewManager.cpp
45 xul.dll xul.dll@0xc2f574
46 kernel32.dll InternalFindAtom
47 user32.dll IsWindowVisible
48 xul.dll nsBaseWidget::GetActiveRollupListener() widget/xpwidgets/nsBaseWidget.cpp
49 xul.dll nsWindow::DealWithPopups(HWND__ *,unsigned int,unsigned __int64,__int64,__int64 *) widget/windows/nsWindow.cpp
50 xul.dll nsWindow::IPCWindowProcHandler(unsigned int &,unsigned __int64 &,__int64 &) widget/windows/nsWindow.cpp
51 xul.dll nsCOMPtr_base::assign_from_qi(nsQueryInterface,nsID const &) xpcom/glue/nsCOMPtr.cpp
52 xul.dll nsWindow::WindowProcInternal(HWND__ *,unsigned int,unsigned __int64,__int64) widget/windows/nsWindow.cpp
53 xul.dll mozilla::HangMonitor::NotifyActivity(mozilla::HangMonitor::ActivityType) xpcom/threads/HangMonitor.cpp
54 xul.dll CallWindowProcCrashProtected xpcom/base/nsCrashOnException.cpp
55 xul.dll nsWindow::DealWithPopups(HWND__ *,unsigned int,unsigned __int64,__int64,__int64 *) widget/windows/nsWindow.cpp
56 xul.dll nsWindow::WindowProc(HWND__ *,unsigned int,unsigned __int64,__int64) widget/windows/nsWindow.cpp
57 user32.dll GetRealWindowOwner
58 user32.dll UserCallWinProcCheckWow
59 user32.dll CallHookWithSEH
60 user32.dll DispatchClientMessage
61 xul.dll xul.dll@0x9a86b0
62 user32.dll _fnDWORD
63 xul.dll xul.dll@0x9a86b0
64 user32.dll UserCallWinProcCheckWow
65 ntdll.dll KiUserCallbackDispatcher
66 nss3.dll PR_IntervalToMilliseconds nsprpub/pr/src/misc/prinrval.c
67 user32.dll ZwUserDispatchMessage
68 xul.dll mozilla::Telemetry::TimeHistogram::Add(unsigned int) toolkit/components/telemetry/Telemetry.cpp
69 xul.dll xul.dll@0x9a86b0
70 ntdll.dll RtlSetHeapInformation
71 user32.dll ZwUserDispatchMessage
72 xul.dll mozilla::HangMonitor::NotifyActivity(mozilla::HangMonitor::ActivityType) xpcom/threads/HangMonitor.cpp
73 user32.dll TranslateMessage
74 xul.dll nsAppShell::ProcessNextNativeEvent(bool) widget/windows/nsAppShell.cpp
75 xul.dll xul.dll@0x9a86b0
76 xul.dll nsTArray_Impl<XPCJSContextInfo,nsTArrayInfallibleAllocator>::AppendElements<JSContext *>(JSContext * const *,unsigned int) obj-firefox/dist/include/nsTArray.h
77 xul.dll nsBaseAppShell::DoProcessNextNativeEvent(bool,unsigned int) widget/xpwidgets/nsBaseAppShell.cpp
78 xul.dll nsBaseAppShell::OnProcessNextEvent(nsIThreadInternal *,bool,unsigned int) widget/xpwidgets/nsBaseAppShell.cpp
79 xul.dll nsXPConnect::OnProcessNextEvent(nsIThreadInternal *,bool,unsigned int) js/xpconnect/src/nsXPConnect.cpp
80 xul.dll nsThread::ProcessNextEvent(bool,bool *) xpcom/threads/nsThread.cpp
81 nss3.dll MD_CURRENT_THREAD nsprpub/pr/src/md/windows/w95thred.c
82 nss3.dll PR_Unlock nsprpub/pr/src/threads/combined/prulock.c
83 xul.dll NS_ProcessNextEvent(nsIThread *,bool) xpcom/glue/nsThreadUtils.cpp
84 xul.dll mozilla::ipc::MessagePump::Run(base::MessagePump::Delegate *) ipc/glue/MessagePump.cpp
85 xul.dll MessageLoop::RunHandler() ipc/chromium/src/base/message_loop.cc
86 xul.dll MessageLoop::Run() ipc/chromium/src/base/message_loop.cc
87 xul.dll nsTArray_Impl<nsRefPtr<nsGeolocationRequest>,nsTArrayInfallibleAllocator>::AppendElements<nsRefPtr<nsGeolocationRequest> >(nsRefPtr<nsGeolocationRequest> const *,unsigned int) obj-firefox/dist/include/nsTArray.h
88 xul.dll nsThreadManager::GetCurrentThread() xpcom/threads/nsThreadManager.cpp
89 xul.dll nsBaseAppShell::Run() widget/xpwidgets/nsBaseAppShell.cpp
91 xul.dll nsAppStartup::Run() toolkit/components/startup/nsAppStartup.cpp
92 xul.dll XREMain::XRE_mainRun() toolkit/xre/nsAppRunner.cpp
93 xul.dll NS_TableDrivenQI(void *,nsID const &,void * *,QITableEntry const *) xpcom/glue/nsISupportsImpl.cpp
94 xul.dll XREMain::XRE_main(int,char * * const,nsXREAppData const *) toolkit/xre/nsAppRunner.cpp
95 xul.dll XRE_main toolkit/xre/nsAppRunner.cpp
96 mozglue.dll arena_malloc memory/mozjemalloc/jemalloc.c
97 xul.dll nsAString_internal::Assign(nsAString_internal const &) xpcom/string/src/nsTSubstring.cpp
98 xul.dll nsLocalFile::Append(nsAString_internal const &) xpcom/io/nsLocalFileWin.cpp
99 firefox.exe mozilla::SetStrongPtr<nsIFile>(nsIFile * &,nsIFile *) obj-firefox/dist/include/mozilla/AppData.h
100 firefox.exe do_main browser/app/nsBrowserApp.cpp
More Reports:
https://crash-stats.mozilla.com/report/list?product=Firefox&signature=js%3A%3ANursery%3A%3AmoveToTenured%28js%3A%3Agc%3A%3AMinorCollectionTracer%2A%2C+JSObject%2A%29
I started getting this crash as well as https://crash-stats.mozilla.com/report/index/ece40851-974e-412f-8c82-e8dcb2140403 after a recent upgrade of Nightly. The crashes were happens shortly after restarting (eg. after a previous crash), but went away once I disabled the Flash plugin. I haven't yet been able to narrow this down to a reliable reproduction case, though (I have a ton of tabs open in my browser, will attempt to narrow it down to a specific one, presumably one with a Flash applet). It does seem odd that I don't see anything in the stack trace relating to Flash or NPAPI, so perhaps that's a red herring, but perhaps it's just my complete ignorance of Firefox internals showing.
If there's any other debugging steps I can take that would help, let me know.
(In reply to mithrandi from comment #2)
> If there's any other debugging steps I can take that would help, let me know.
The crash reporters isn't always accurate in reporting loaded URLs. Could you report which websites you had loaded at the time of these crashes? (even those loaded in background tabs)
Here's a list of tabs from my most recent crash (UUID 280329b3-4eb5-4016-b7d2-ace242140403):
Pinned tabs:
https://mail.google.com/mail/u/0/?ui=2&shva=1#inbox
https://mail.google.com/mail/u/1/?ui=2&shva=1#inbox
https://trello.com/[SNIP, private board]
https://www.facebook.com/?ref=logo
https://alpha.app.net/
http://www.beyondthefarhorizon.net/phpBB2/show_recent.php
https://www.newsblur.com/
http://www.twitch.tv/directory/following
https://soundcloud.com/stream
http://qa.debian.org/developer.php?login=mithrandi%40debian.org&set=yes&comaint=yes&description=0&bugs=3&version=1&ubuntu=1&excuses=1&bin=0&buildd=1&problems=1&lintian=1&popc=1&watch=1§ion=0&ordering=0&uploads=1&packages=bitcoin+electrum+python-ecdsa+testrepository&uploader=&mirror=http%3A%2F%2Fcdn.debian.net%2Fdebian
http://udd.debian.org/dmd/?email1=mithrandi%40mithrandi.net&email2=mithrandi%40debian.org&email3=&packages=bitcoin+electrum+testrepository&ignpackages=zsi
https://www.irccloud.com/#!/ircs://irc.freenode.net:6697/%23twisted
https://bitcointalk.org/index.php?action=watchlist
https://www.scryptguild.com/index.php
Other tabs:
https://fbcdn-sphotos-c-a.akamaihd.net/hphotos-ak-ash3/t1.0-9/942402_10151622833670380_1265654868_n.jpg
https://pay.reddit.com/r/Diablo3Wizards/comments/21hxbn/wand_of_woh_or_should_i_say_whoa/
http://arcenmusic.bandcamp.com/album/the-last-federation
http://jessevalentinemusic.bandcamp.com/album/chinese-dance-machine
https://bitx.co.za/api
https://github.com/begriffs/heroku-buildpack-ghc/issues/16#issuecomment-34031478
https://github.com/python-parsley/parsley/issues
http://ihearthu.com/
https://lastpass.com/misc_download2.php
about:newtab
I do have "Don't load tabs until selected" enabled, so the non-pinned tabs shouldn't be loading on startup... however, while the crash is not always reproducible with this set of tabs, when I remove the non-app tabs from the session, I have not been able to reproduce it at all. Unfortunately my attempts to minimize the reproduction case have not been very successful so far, and a lot of my pinned tabs point at private / user-specific content (eg. Facebook) so I'm not sure how helpful this list will be for anyone else trying to reproduce the crash.
(Given that I haven't found any 100%-reliable way to reproduce the crash, my comments about what reproduces it and what doesn't should probably all be taken with a grain of salt, if that wasn't already clear)
|
||
Comment 6•11 years ago
|
||
I also get this on Mac during startup with about ~60 tabs open, a dozen of which are app tabs. The stacks are slightly different, but pretty similar:
bp-7eba331d-2cb8-43bd-bd50-78a1b2140404
bp-919556ba-7b18-4b32-b6d3-241dc2140404
bp-9a5cec79-d25e-4382-a3f7-242172140404
bp-9065dd29-ed97-453e-85d9-fea0f2140403
bp-45b94f66-634e-4ef5-96f1-9475f2140403
bp-5763f8bc-aa7e-4d76-ac6e-da5ea2140403
The common ones with comment 4 are GMail (selected tab), SoundCloud, IRCCloud & Facebook.
|
|
||
Comment 7•11 years ago
|
||
You might notice that my crashes come in pairs. Here are 2 more:
bp-9b47f3aa-3093-4d64-b637-bd0792140404
bp-d4085bbf-c639-4885-a61c-536342140404
What I do in order to avoid reverting back to an older version, is to do the crash/restart dance a couple of times until the restore session window kicks in. At that point I'll wait a couple of minutes, say writing a bug comment like this one, and then restore all my tabs again. No more crashing until browser restart.
|
||
Comment 8•11 years ago
|
||
(In reply to Panos Astithas [:past] from comment #6)
> The common ones with comment 4 are GMail (selected tab), SoundCloud,
> IRCCloud & Facebook.
Couldn't crash with any of the above or the links in comment 4, 31.0a1 (2014-04-03), win 7 x64
|
||
Comment 9•11 years ago
|
||
(In reply to Panos Astithas [:past] from comment #7)
> You might notice that my crashes come in pairs. Here are 2 more:
>
> bp-9b47f3aa-3093-4d64-b637-bd0792140404
> bp-d4085bbf-c639-4885-a61c-536342140404
Whoa, those crashes look like they may have different (maybe related) causes.
> What I do in order to avoid reverting back to an older version, is to do the
> crash/restart dance a couple of times until the restore session window kicks
> in. At that point I'll wait a couple of minutes, say writing a bug comment
> like this one, and then restore all my tabs again. No more crashing until
> browser restart.
Bug 992535 addressed an issue present in SoundCloud; the fix should be present in the 08-April-2014 nightly. I believe this will likely fix at least the second crash and hopefully the first as well.
Flags: needinfo?(terrence)
|
||
Comment 10•11 years ago
|
||
(In reply to Terrence Cole [:terrence] from comment #9)
> Bug 992535 addressed an issue present in SoundCloud; the fix should be
> present in the 08-April-2014 nightly.
(Make that the 09-April-2014 nightly; it was merged to m-c a few hours the cutoff for the nightly that went out today.)
|
|
||
Comment 11•11 years ago
|
||
(In reply to Daniel Holbert [:dholbert] from comment #10)
> (In reply to Terrence Cole [:terrence] from comment #9)
> > Bug 992535 addressed an issue present in SoundCloud; the fix should be
> > present in the 08-April-2014 nightly.
>
> (Make that the 09-April-2014 nightly; it was merged to m-c a few hours the
> cutoff for the nightly that went out today.)
I haven't got any more crashes with the 4/9 and 4/10 nightlies, so it looks like that was it.
|
|
||
Comment 12•11 years ago
|
||
Agreed. There are a couple more recent crashes with this signature, but it's down to a trickle from where it was last week. So there's still a bug out there somewhere, but a very hard one to trigger, apparently.
|
|
||
Comment 13•11 years ago
|
||
:johns happened to catch a crash here today and let me investigate. The object being marked is an interpreted arrow JSFunction. It is crashing when marking the extended slots. They are both ObjectValue. The first looks sane (the arrow's |this|), but the second is totally busted: it has a nullptr in shape_.
|
|
||
Comment 14•11 years ago
|
||
Jan, you cleaned up the jit implementation of arrow recently; can you think of any place we could be going off the rails with the symptoms in comment 13?
Flags: needinfo?(jdemooij)
|
Assignee | |
Comment 15•11 years ago
|
||
(In reply to Terrence Cole [:terrence] from comment #14)
> Jan, you cleaned up the jit implementation of arrow recently; can you think
> of any place we could be going off the rails with the symptoms in comment 13?
Yes, filed bug 999358. Good catch!
|
|
Assignee | |
Updated•11 years ago
|
Flags: needinfo?(jdemooij)
|
|
Reporter | |
Comment 16•11 years ago
|
||
There aren't any crashes for this reported for any build after the 20140408030205 one, so I'm removing the topcrasher keywords. It wasn't ever nominated for tracking and I don't think it needs to be.
Terrence, should it be marked fixed?
|
|
||
Updated•11 years ago
|
Status: NEW → RESOLVED
Closed: 11 years ago
Flags: needinfo?(terrence)
Resolution: --- → FIXED
|
||
Updated•11 years ago
|
|
|
Reporter | |
Updated•11 years ago
|
Status: RESOLVED → VERIFIED
|
||
Comment 20•9 years ago
|
||
(In reply to Computer Using Network Transmission from comment #19)
> NOT FIXED AT ALL!
Are you using Firefox 40.0.3? I've taken a fresh look at the stats and this is not showing up at all in Firefox 40 or beyond. If you are using Firefox 40.0.3 and still experience a crash with this signature, please file a new bug report. Thank you.
You need to log in
before you can comment on or make changes to this bug.
Description
•