Closed Bug 999158 Opened 6 years ago Closed 5 years ago

crash in js::CrashAtUnhandlableOOM(char const*) | js::Nursery::MinorGCCallback(JSTracer*, void**, JSGCTraceKind)

Categories

(Core :: JavaScript: GC, defect, critical)

31 Branch
x86
Windows NT
defect
Not set
critical

Tracking

()

VERIFIED FIXED
mozilla33
Tracking Status
firefox31 + verified disabled
firefox32 + fixed
firefox33 + verified
firefox34 --- unaffected

People

(Reporter: lizzard, Assigned: jonco)

References

Details

(Keywords: crash, topcrash-win, Whiteboard: [GGC] )

Crash Data

Attachments

(2 files)

This bug was filed from the Socorro interface and is 
report bp-13a18be7-b5f0-4b27-8ac0-4fbca2140421.
=============================================================

This bug first started appearing in the 2014032903 build for Firefox 31.0a1. 

More reports: 
https://crash-stats.mozilla.com/report/list?range_unit=days&range_value=28&signature=js%3A%3ACrashAtUnhandlableOOM%28char+const*%29+|+js%3A%3ANursery%3A%3AMinorGCCallback%28JSTracer*%2C+void**%2C+JSGCTraceKind%29#tab-sigsummary

URLs:
http://worldofwarplanes.eu/
http://airmozilla-ops2.corpdmz.scl3.mozilla.com/
https://www.facebook.com/

stack:

0 	mozjs.dll 	js::CrashAtUnhandlableOOM(char const *) 	js/src/jscntxt.cpp
1 	mozjs.dll 	js::Nursery::MinorGCCallback(JSTracer *,void * *,JSGCTraceKind) 	js/src/gc/Nursery.cpp
2 	mozjs.dll 	js::gc::StoreBuffer::MonoTypeBuffer<js::gc::StoreBuffer::CellPtrEdge>::mark(js::gc::StoreBuffer *,JSTracer *) 	js/src/gc/StoreBuffer.cpp
3 	mozjs.dll 	js::Nursery::collect(JSRuntime *,JS::gcreason::Reason,js::Vector<js::types::TypeObject *,0,js::SystemAllocPolicy> *) 	js/src/gc/Nursery.cpp
4 	mozjs.dll 	Collect 	js/src/jsgc.cpp
5 	mozjs.dll 	js::GC(JSRuntime *,js::JSGCInvocationKind,JS::gcreason::Reason) 	js/src/jsgc.cpp
6 	mozjs.dll 	RunLastDitchGC 	js/src/jsgc.cpp
7 	mozjs.dll 	js::gc::ArenaLists::refillFreeList<1>(js::ThreadSafeContext *,js::gc::AllocKind) 	js/src/jsgc.cpp
8 	mozjs.dll 	NewObject 	js/src/jsobj.cpp
9 	mozjs.dll 	js::NewObjectWithClassProtoCommon(js::ExclusiveContext *,js::Class const *,JSObject *,JSObject *,js::gc::AllocKind,js::NewObjectKind) 	js/src/jsobj.cpp
10 	mozjs.dll 	js::NewFunctionByIdWithReserved(JSContext *,bool (*)(JSContext *,unsigned int,JS::Value *),unsigned int,unsigned int,JSObject *,jsid) 	js/src/jsfriendapi.cpp
11 	xul.dll 	XPCNativeMember::Resolve(XPCCallContext &,XPCNativeInterface *,JS::Handle<JSObject *>,JS::Value *) 	js/xpconnect/src/XPCWrappedNativeInfo.cpp
12 	xul.dll 	DefinePropertyIfFound 	js/xpconnect/src/XPCWrappedNativeJSOps.cpp
13 	xul.dll 	XPC_WN_ModsAllowed_Proto_Resolve 	js/xpconnect/src/XPCWrappedNativeJSOps.cpp
14 	mozjs.dll 	js::DefineNativeProperty(js::ExclusiveContext *,JS::Handle<JSObject *>,JS::Handle<jsid>,JS::Handle<JS::Value>,bool (*)(JSContext *,JS::Handle<JSObject *>,JS::Handle<jsid>,JS::MutableHandle<JS::Value>),bool (*)(JSContext *,JS::Handle<JSObject *>,JS::Handle<jsid>,bool,JS::MutableHandle<JS::Value>),unsigned int,unsigned int,unsigned int) 	js/src/jsobj.cpp
15 	mozjs.dll 	JSObject::defineGeneric(js::ExclusiveContext *,JS::Handle<JSObject *>,JS::Handle<jsid>,JS::Handle<JS::Value>,bool (*)(JSContext *,JS::Handle<JSObject *>,JS::Handle<jsid>,JS::MutableHandle<JS::Value>),bool (*)(JSContext *,JS::Handle<JSObject *>,JS::Handle<jsid>,bool,JS::MutableHandle<JS::Value>),unsigned int) 	js/src/jsobj.cpp
16 	mozjs.dll 	DefinePropertyById 	js/src/jsapi.cpp
17 	mozjs.dll 	JS_DefineProperties(JSContext *,JS::Handle<JSObject *>,JSPropertySpec const *) 	js/src/jsapi.cpp
18 	xul.dll 	mozilla::dom::DefinePrefable<JSPropertySpec const >(JSContext *,JS::Handle<JSObject *>,mozilla::dom::Prefable<JSPropertySpec const > const *) 	dom/bindings/BindingUtils.cpp
19 	xul.dll 	mozilla::dom::DefineWebIDLBindingPropertiesOnXPCObject(JSContext *,JS::Handle<JSObject *>,mozilla::dom::NativeProperties const *,bool) 	dom/bindings/BindingUtils.cpp
20 	xul.dll 	xpc_qsDefineQuickStubs(JSContext *,JSObject *,unsigned int,unsigned int,nsID const * *,unsigned int,xpc_qsHashEntry const *,xpc_qsPropertySpec const *,xpc_qsFunctionSpec const *,char const *) 	js/xpconnect/src/XPCQuickStubs.cpp
21 	xul.dll 	nsDOMClassInfo::PostCreatePrototype(JSContext *,JSObject *) 	dom/base/nsDOMClassInfo.cpp
22 	xul.dll 	nsWindowSH::PostCreatePrototype(JSContext *,JSObject *) 	dom/base/nsDOMClassInfo.cpp
23 	xul.dll 	XPCWrappedNativeProto::CallPostCreatePrototype() 	js/xpconnect/src/XPCWrappedNativeProto.cpp
24 	xul.dll 	XPCWrappedNativeProto::Init(XPCNativeScriptableCreateInfo const *,bool) 	js/xpconnect/src/XPCWrappedNativeProto.cpp
25 	xul.dll 	XPCWrappedNativeProto::GetNewOrUsed(XPCWrappedNativeScope *,nsIClassInfo *,XPCNativeScriptableCreateInfo const *,bool) 	js/xpconnect/src/XPCWrappedNativeProto.cpp
26 	xul.dll 	nsXPConnect::GetWrappedNativePrototype(JSContext *,JSObject *,nsIClassInfo *,nsIXPConnectJSObjectHolder * *) 	js/xpconnect/src/nsXPConnect.cpp
27 	xul.dll 	GetXPCProto 	dom/base/nsDOMClassInfo.cpp
28 	xul.dll 	nsWindowSH::GlobalResolve(nsGlobalWindow *,JSContext *,JS::Handle<JSObject *>,JS::Handle<jsid>,JS::MutableHandle<JSPropertyDescriptor>) 	dom/base/nsDOMClassInfo.cpp
29 	xul.dll 	nsWindowSH::NewResolve(nsIXPConnectWrappedNative *,JSContext *,JSObject *,jsid,unsigned int,JSObject * *,bool *) 	dom/base/nsDOMClassInfo.cpp
30 	xul.dll 	XPC_WN_Helper_NewResolve 	js/xpconnect/src/XPCWrappedNativeJSOps.cpp
31 	mozjs.dll 	JSObject::lookupGeneric(JSContext *,JS::Handle<JSObject *>,JS::Handle<jsid>,JS::MutableHandle<JSObject *>,JS::MutableHandle<js::Shape *>) 	js/src/jsobj.cpp
32 	mozjs.dll 	LookupPropertyById 	js/src/jsapi.cpp
33 	mozjs.dll 	JS_LookupPropertyById(JSContext *,JS::Handle<JSObject *>,JS::Handle<jsid>,JS::MutableHandle<JS::Value>) 	js/src/jsapi.cpp
34 	mozjs.dll 	JS_LookupProperty(JSContext *,JS::Handle<JSObject *>,char const *,JS::MutableHandle<JS::Value>) 	js/src/jsapi.cpp
35 	xul.dll 	ResolvePrototype 	dom/base/nsDOMClassInfo.cpp
36 	xul.dll 	nsDOMClassInfo::PostCreatePrototype(JSContext *,JSObject *) 	dom/base/nsDOMClassInfo.cpp
37 	xul.dll 	nsWindowSH::PostCreatePrototype(JSContext *,JSObject *) 	dom/base/nsDOMClassInfo.cpp
38 	xul.dll 	XPCWrappedNativeProto::CallPostCreatePrototype() 	js/xpconnect/src/XPCWrappedNativeProto.cpp
39 	xul.dll 	XPCWrappedNative::FinishInitForWrappedGlobal() 	js/xpconnect/src/XPCWrappedNative.cpp
40 	xul.dll 	nsGlobalWindow::SetNewDocument(nsIDocument *,nsISupports *,bool) 	dom/base/nsGlobalWindow.cpp
41 	xul.dll 	nsDocumentViewer::InitInternal(nsIWidget *,nsISupports *,nsIntRect const &,bool,bool,bool) 	layout/base/nsDocumentViewer.cpp
42 	xul.dll 	nsDocumentViewer::Init(nsIWidget *,nsIntRect const &) 	layout/base/nsDocumentViewer.cpp
43 	xul.dll 	nsDocShell::SetupNewViewer(nsIContentViewer *) 	docshell/base/nsDocShell.cpp
44 	xul.dll 	nsDocShell::Embed(nsIContentViewer *,char const *,nsISupports *) 	docshell/base/nsDocShell.cpp
45 	xul.dll 	nsDocShell::CreateAboutBlankContentViewer(nsIPrincipal *,nsIURI *,bool) 	docshell/base/nsDocShell.cpp
46 	xul.dll 	nsDocShell::CreateAboutBlankContentViewer(nsIPrincipal *) 	docshell/base/nsDocShell.cpp
47 	xul.dll 	nsWebShellWindow::Initialize(nsIXULWindow *,nsIXULWindow *,nsIURI *,int,int,bool,nsWidgetInitData &) 	xpfe/appshell/src/nsWebShellWindow.cpp
48 	xul.dll 	nsAppShellService::JustCreateTopWindow(nsIXULWindow *,nsIURI *,unsigned int,int,int,bool,nsWebShellWindow * *) 	xpfe/appshell/src/nsAppShellService.cpp
49 	xul.dll 	nsAppShellService::CreateTopLevelWindow(nsIXULWindow *,nsIURI *,unsigned int,int,int,nsIXULWindow * *) 	xpfe/appshell/src/nsAppShellService.cpp
50 	xul.dll 	nsXULWindow::CreateNewContentWindow(int,nsIXULWindow * *) 	xpfe/appshell/src/nsXULWindow.cpp
51 	xul.dll 	nsXULWindow::CreateNewWindow(int,nsIXULWindow * *) 	xpfe/appshell/src/nsXULWindow.cpp
52 	xul.dll 	nsAppStartup::CreateChromeWindow2(nsIWebBrowserChrome *,unsigned int,unsigned int,nsIURI *,bool *,nsIWebBrowserChrome * *) 	toolkit/components/startup/nsAppStartup.cpp
53 	xul.dll 	nsWindowWatcher::OpenWindowInternal(nsIDOMWindow *,char const *,char const *,char const *,bool,bool,bool,nsIArray *,nsIDOMWindow * *) 	embedding/components/windowwatcher/src/nsWindowWatcher.cpp
54 	xul.dll 	nsWindowWatcher::OpenWindow2(nsIDOMWindow *,char const *,char const *,char const *,bool,bool,bool,nsISupports *,nsIDOMWindow * *) 	embedding/components/windowwatcher/src/nsWindowWatcher.cpp
55 	xul.dll 	nsGlobalWindow::OpenInternal(nsAString_internal const &,nsAString_internal const &,nsAString_internal const &,bool,bool,bool,bool,bool,nsIArray *,nsISupports *,nsIPrincipal *,JSContext *,nsIDOMWindow * *) 	dom/base/nsGlobalWindow.cpp
56 	xul.dll 	nsGlobalWindow::OpenInternal(nsAString_internal const &,nsAString_internal const &,nsAString_internal const &,bool,bool,bool,bool,bool,nsIArray *,nsISupports *,nsIPrincipal *,JSContext *,nsIDOMWindow * *) 	dom/base/nsGlobalWindow.cpp
57 	xul.dll 	nsGlobalWindow::OpenJS(nsAString_internal const &,nsAString_internal const &,nsAString_internal const &,nsIDOMWindow * *) 	dom/base/nsGlobalWindow.cpp
58 	xul.dll 	nsGlobalWindow::Open(nsAString_internal const &,nsAString_internal const &,nsAString_internal const &,mozilla::ErrorResult &) 	dom/base/nsGlobalWindow.cpp
59 	xul.dll 	mozilla::dom::WindowBinding::open 	obj-firefox/dom/bindings/WindowBinding.cpp
60 	xul.dll 	mozilla::dom::WindowBinding::genericMethod 	obj-firefox/dom/bindings/WindowBinding.cpp
61 	mozjs.dll 	js::Invoke(JSContext *,JS::CallArgs,js::MaybeConstruct) 	js/src/vm/Interpreter.cpp
62 	mozjs.dll 	Interpret 	js/src/vm/Interpreter.cpp
63 	mozjs.dll 	js::RunScript(JSContext *,js::RunState &) 	js/src/vm/Interpreter.cpp
64 	mozjs.dll 	js::ExecuteKernel(JSContext *,JS::Handle<JSScript *>,JSObject &,JS::Value const &,js::ExecuteType,js::AbstractFramePtr,JS::Value *) 	js/src/vm/Interpreter.cpp
65 	mozjs.dll 	js::Execute(JSContext *,JS::Handle<JSScript *>,JSObject &,JS::Value *) 	js/src/vm/Interpreter.cpp
66 	mozjs.dll 	Evaluate 	js/src/jsapi.cpp
67 	mozjs.dll 	JS::Evaluate(JSContext *,JS::Handle<JSObject *>,JS::ReadOnlyCompileOptions const &,wchar_t const *,unsigned int) 	js/src/jsapi.cpp
68 	xul.dll 	nsJSUtils::EvaluateString(JSContext *,nsAString_internal const &,JS::Handle<JSObject *>,JS::CompileOptions &,nsJSUtils::EvaluateOptions const &,JS::MutableHandle<JS::Value>,void * *) 	dom/base/nsJSUtils.cpp
69 	xul.dll 	nsJSUtils::EvaluateString(JSContext *,nsAString_internal const &,JS::Handle<JSObject *>,JS::CompileOptions &,void * *) 	dom/base/nsJSUtils.cpp
70 	xul.dll 	nsScriptLoader::EvaluateScript(nsScriptLoadRequest *,nsString const &,void * *) 	content/base/src/nsScriptLoader.cpp
71 	xul.dll 	nsScriptLoader::ProcessRequest(nsScriptLoadRequest *,void * *) 	content/base/src/nsScriptLoader.cpp
72 	xul.dll 	nsScriptLoader::ProcessScriptElement(nsIScriptElement *) 	content/base/src/nsScriptLoader.cpp
73 	xul.dll 	nsScriptElement::MaybeProcessScript() 	content/base/src/nsScriptElement.cpp
74 	xul.dll 	nsIScriptElement::AttemptToExecute() 	obj-firefox/dist/include/nsIScriptElement.h
75 	xul.dll 	nsHtml5TreeOpExecutor::RunScript(nsIContent *) 	parser/html/nsHtml5TreeOpExecutor.cpp
76 	xul.dll 	nsHtml5TreeOpExecutor::RunFlushLoop() 	parser/html/nsHtml5TreeOpExecutor.cpp
77 	xul.dll 	nsHtml5ExecutorReflusher::Run() 	parser/html/nsHtml5TreeOpExecutor.cpp
78 	xul.dll 	nsThread::ProcessNextEvent(bool,bool *) 	xpcom/threads/nsThread.cpp
79 	xul.dll 	NS_ProcessNextEvent(nsIThread *,bool) 	xpcom/glue/nsThreadUtils.cpp
80 	xul.dll 	nsXULWindow::CreateNewContentWindow(int,nsIXULWindow * *) 	xpfe/appshell/src/nsXULWindow.cpp
81 	xul.dll 	nsXULWindow::CreateNewWindow(int,nsIXULWindow * *) 	xpfe/appshell/src/nsXULWindow.cpp
82 	xul.dll 	nsAppStartup::CreateChromeWindow2(nsIWebBrowserChrome *,unsigned int,unsigned int,nsIURI *,bool *,nsIWebBrowserChrome * *) 	toolkit/components/startup/nsAppStartup.cpp
83 	xul.dll 	nsWindowWatcher::OpenWindowInternal(nsIDOMWindow *,char const *,char const *,char const *,bool,bool,bool,nsIArray *,nsIDOMWindow * *) 	embedding/components/windowwatcher/src/nsWindowWatcher.cpp
84 	xul.dll 	nsWindowWatcher::OpenWindow2(nsIDOMWindow *,char const *,char const *,char const *,bool,bool,bool,nsISupports *,nsIDOMWindow * *) 	embedding/components/windowwatcher/src/nsWindowWatcher.cpp
85 	xul.dll 	nsGlobalWindow::OpenInternal(nsAString_internal const &,nsAString_internal const &,nsAString_internal const &,bool,bool,bool,bool,bool,nsIArray *,nsISupports *,nsIPrincipal *,JSContext *,nsIDOMWindow * *) 	dom/base/nsGlobalWindow.cpp
86 	xul.dll 	nsGlobalWindow::OpenInternal(nsAString_internal const &,nsAString_internal const &,nsAString_internal const &,bool,bool,bool,bool,bool,nsIArray *,nsISupports *,nsIPrincipal *,JSContext *,nsIDOMWindow * *) 	dom/base/nsGlobalWindow.cpp
87 	xul.dll 	nsGlobalWindow::OpenJS(nsAString_internal const &,nsAString_internal const &,nsAString_internal const &,nsIDOMWindow * *) 	dom/base/nsGlobalWindow.cpp
88 	xul.dll 	nsGlobalWindow::Open(nsAString_internal const &,nsAString_internal const &,nsAString_internal const &,mozilla::ErrorResult &) 	dom/base/nsGlobalWindow.cpp
89 	xul.dll 	mozilla::dom::WindowBinding::open 	obj-firefox/dom/bindings/WindowBinding.cpp
1015 	xul.dll 	nsGlobalWindow::OpenInternal(nsAString_internal const &,nsAString_internal const &,nsAString_internal const &,bool,bool,bool,bool,bool,nsIArray *,nsISupports *,nsIPrincipal *,JSContext *,nsIDOMWindow * *) 	dom/base/nsGlobalWindow.cpp
1016 	xul.dll 	nsGlobalWindow::OpenInternal(nsAString_internal const &,nsAString_internal const &,nsAString_internal const &,bool,bool,bool,bool,bool,nsIArray *,nsISupports *,nsIPrincipal *,JSContext *,nsIDOMWindow * *) 	dom/base/nsGlobalWindow.cpp
1017 	xul.dll 	nsGlobalWindow::OpenJS(nsAString_internal const &,nsAString_internal const &,nsAString_internal const &,nsIDOMWindow * *) 	dom/base/nsGlobalWindow.cpp
1018 	xul.dll 	nsGlobalWindow::Open(nsAString_internal const &,nsAString_internal const &,nsAString_internal const &,mozilla::ErrorResult &) 	dom/base/nsGlobalWindow.cpp
1019 	xul.dll 	mozilla::dom::WindowBinding::open 	obj-firefox/dom/bindings/WindowBinding.cpp
1020 	xul.dll 	mozilla::dom::WindowBinding::genericMethod 	obj-firefox/dom/bindings/WindowBinding.cpp
1021 	mozjs.dll 	js::Invoke(JSContext *,JS::CallArgs,js::MaybeConstruct) 	js/src/vm/Interpreter.cpp
1022 	mozjs.dll 	Interpret 	js/src/vm/Interpreter.cpp
1023 	mozjs.dll 	js::RunScript(JSContext *,js::RunState &) 	js/src/vm/Interpreter.cpp
1024 	mozjs.dll 	js::ExecuteKernel(JSContext *,JS::Handle<JSScript *>,JSObject &,JS::Value const &,js::ExecuteType,js::AbstractFramePtr,JS::Value *) 	js/src/vm/Interpreter.cpp
Note that this starting to appear on 2014-04-18 in crash data probably does not point out that it regressed there, as the signature changed from just "js::CrashAtUnhandlableOOM(char const*)" to the current one due to bug 994913 being shipped to production late on the 17th (possibly early 18th UTC).
Blocks: 994589
There are 132 crash reports for this signature in the last 7 days, and it's #10 topcrasher for Firefox 31.0a1.
Keywords: topcrash-win
Duplicate of this bug: 1011281
This is now a top crasher on nightly 32a1.
Ignore comment #4. I was looking at the wrong set of data in crash stats, thinking this was on 32a1. Removing tracking flags.
Terrence, do we have anything we can do there? This is showing up as a topcrash in Aurora 31.
Flags: needinfo?(terrence)
Sadly, we don't really have anything to do here in the short term. In general, these crashes would likely have OOMed elsewhere a bit before this point previously: the nursery acts like ballast in that respect. I'll be continuing to think about ways we can improve the situation, however.
Flags: needinfo?(terrence)
Topcrash, tracking.
Hrm, this is the #3 crash on Aurora 31 now. Not that OOM being a major issue is news to us...
This is the #2 topcrash on 31, with 332/3819 crashes. 

It has a few crashes showing up on 32 as well, so I'm marking it as affected.
(In reply to Robert Kaiser (:kairo@mozilla.com) from comment #9)
> Hrm, this is the #3 crash on Aurora 31 now. Not that OOM being a major issue
> is news to us...

This may need to be considered as a blocker to allowing this to ride to Beta. I know OOM isn't anything new to us but we shouldn't knowingly introduce anything which makes that situation any more worse.
Is there a change in the overall number of OOM crashes?  If all other OOM crashes are just turning into this, it may not be any worse.  Of course, it may be an overall increase.
If there isn't a spike in the overall number of OOMs, bug 1005849 may help by making the allocator much more resistant to unaligned chunks (if these are OOMs from address space fragmentation rather than simply running out). It may also 'help' by making eventual OOMs more likely to happen in another allocator (namely jemalloc, which doesn't have the same logic yet). Bug 1005849 is in Nightlies from 2014-05-28 and on, so not a lot of time for statistics yet (looks like 8 crashes so far on 32.0a1 from builds containing the fix).
I can't speak to whether there's been an overall spike in OOM crashes, perhaps KaiRo can help with that?

We did discuss this in the Crashkill meeting today and decided that this would not block GGC from riding to Beta. However, if we see a notable change in stability within the first couple of Betas we may need to back out or pref off GGC.
(In reply to Andrew McCreight [:mccr8] from comment #12)
> Is there a change in the overall number of OOM crashes?

We do not have a good metric for that at this time, but we're working on that for the future. With the current state, I think it's overall best to let ride ride into beta and see if the overall crash rate there gets worse, only reacting when that is the case. As Anthony mentions, we discussed that at the CrashKill meeting and bsmedberg agrees with what I said here as well.

(I'm looking forward to seeing how bug 1005849 and its jemalloc "sister" might help us overall around OOM, though!)
This is the #2 topcrash for Firefox 31 with 391/4251 crashes in the last 7 days.
This is the #3 topcrash for Firefox 31.0b1, with 2342/29222 crashes in the last week.

It's also showing up on the explosiveness report with an index of 3.6: https://crash-analysis.mozilla.com/rkaiser/2014-06-15/2014-06-15.firefox.31.explosiveness.html.
Crash Signature: [@ js::CrashAtUnhandlableOOM(char const*) | js::Nursery::MinorGCCallback(JSTracer*, void**, JSGCTraceKind)] → [@ js::CrashAtUnhandlableOOM(char const*) | js::Nursery::MinorGCCallback(JSTracer*, void**, JSGCTraceKind)] [@ OOM | unknown | js::CrashAtUnhandlableOOM(char const*) | js::Nursery::MinorGCCallback(JSTracer*, void**, JSGCTraceKind)]
Given that ends up with an "OOM | unknown | ..." signature, we should at least see to those crashes ending up with an OOMAllocationSize annotation.
Terrence, can this be done?
Flags: needinfo?(terrence)
Depends on: 1026545
> can this be done?
It will require a bit of plumbing work, but it should be pretty easy.  I filed bug 1026545 for the requisite work.  Then it will be easy to hook up this particular call site to the OOM reporting mechanism.
Well, I'm not sure how useful bug 1026545 will end up being.

It seems like the size you'd want to pass in here would be something like Arena::thingSize(thingKind), but in reality, the GC thing can't be allocated because we couldn't allocate an arena or a chunk or something.  The thing that knows the size of the failed allocation is going to be deeper up the stack, which complicates things because it will need to deal with both fallible and infallible allocation.  Maybe something could set a value on the runtime when an allocation fails, and when later we decide that we're infallible, the flag could be checked.  (This is also a problem in bug 1016388.)

Though I'm not entirely sure how useful it would be just to have these reports saying that we failed to allocate a 1MB chunk, as that's probably what this ends up being, way up the stack.
I second what Andrew said, with one caveat. There is one hash-tables we're using where failure to resize results in this crash. In that one case, such an annotation would be helpful, but from what I can tell looking at crash reports this case is incredibly rare.
Flags: needinfo?(terrence)
It sounds like we need to trigger GCs sooner so that we don't hit this situation where we are trying to collect to free memory, but we can't because we don't have enough free memory to tenure the live nursery things.

There's a small possibility that bug 1032750 will help here.

Apart from that it sounds like we need some kind of memory pressure event to try and free up memory before we get to this point.
Per the relevant email thread, we have decided to disable on beta to stabilize things given that we don't know what the other source of new crashes is yet.

(In reply to Jon Coppeard (:jonco) from comment #22)
> It sounds like we need to trigger GCs sooner so that we don't hit this
> situation where we are trying to collect to free memory, but we can't
> because we don't have enough free memory to tenure the live nursery things.
> 
> There's a small possibility that bug 1032750 will help here.
> 
> Apart from that it sounds like we need some kind of memory pressure event to
> try and free up memory before we get to this point.

We could also mitigate it somewhat without fixing our triggers by adjusting the chunk pool too keep at least one decommitted chunk around in all cases.
Duplicate of this bug: 991694
This patch adds a minimum size for the free chunk pool and sets it to one if generational GC is enabled.
Attachment #8454465 - Flags: review?(terrence)
Comment on attachment 8454465 [details] [diff] [review]
keep-spare-chunk-for-ggc

Review of attachment 8454465 [details] [diff] [review]:
-----------------------------------------------------------------

r=me Thanks for getting to this sooner than I could!
Attachment #8454465 - Flags: review?(terrence) → review+
sorry had to backout this change for test failures like https://tbpl.mozilla.org/php/getParsedLog.php?id=43733909&tree=Mozilla-Inbound
https://hg.mozilla.org/mozilla-central/rev/6d8732b0aeba
Assignee: nobody → jcoppeard
Status: NEW → RESOLVED
Closed: 5 years ago
Resolution: --- → FIXED
Target Milestone: --- → mozilla33
Status: RESOLVED → REOPENED
Keywords: leave-open
Resolution: FIXED → ---
GGC has been disabled in 31. Untracking this bug for this release but tracking it for 32 & 33.
My SO's Firefox 31 has crashed like this:

bp-b9fe39a8-6a78-49f3-9d49-5b5a32140707	07/07/2014	01:06 p.m.

Commenting so we know when this bug is fixed.

Let us know if there's anything we can provide forma a crashing profile.
This is gone from Firefox 31.0b9 and above:
https://crash-stats.mozilla.com/topcrasher_ranks_bybug/?bug_number=999158

@alex_mayorga, if your SO still sees this, please make sure Firefox is updated. This should be gone in builds where we backed out GGC (Firefox 31.0b9 and above).
Actually, the fix here landed in 33. Crash-stats does not show this as a top-crasher in 33 or 34. I'll nominate the patch here for uplift to 32.
Comment on attachment 8454465 [details] [diff] [review]
keep-spare-chunk-for-ggc

Approval Request Comment
[Feature/regressing bug #]: GGC.
[User impact if declined]: Increased OOM probability on Windows.
[Describe test coverage new/current, TBPL]: On m-i for 1 release.
[Risks and why]: Extremely low. This patch simply increases the reserve chunk count from 0 to 1.
[String/UUID change made/needed]: None.
Attachment #8454465 - Flags: approval-mozilla-beta?
Comment on attachment 8454465 [details] [diff] [review]
keep-spare-chunk-for-ggc

beta+ - Let's get this into beta7.
Attachment #8454465 - Flags: approval-mozilla-beta? → approval-mozilla-beta+
This needed a bit of rebasing for beta.
Attachment #8473078 - Flags: review+
Attachment #8454465 - Flags: checkin+
https://hg.mozilla.org/releases/mozilla-beta/rev/97fd0156fdc2
Status: REOPENED → RESOLVED
Closed: 5 years ago5 years ago
Resolution: --- → FIXED
Flags: qe-verify+
Looking in Socorro [1] for crashes over the last week (since this landed in 32.0b8), I can still see many crashes for signature [@ OOM | unknown | js::CrashAtUnhandlableOOM(char const*) | js::Nursery::MinorGCCallback(JSTracer*, void**, JSGCTraceKind)]:
- 32.0b8 - 198 crashes
- 32.0b9 - 63 crashes

This does not look fixed as it still ranks ~50-60th ([2]), same as for beta 6 and 7. Can anyone review these results?

[1] - https://crash-stats.mozilla.com/report/list?product=Firefox&signature=OOM+%7C+unknown+%7C+js%3A%3ACrashAtUnhandlableOOM%28char+const%2A%29+%7C+js%3A%3ANursery%3A%3AMinorGCCallback%28JSTracer%2A%2C+void%2A%2A%2C+JSGCTraceKind%29
[2] - https://crash-stats.mozilla.com/topcrasher_ranks_bybug/?bug_number=999158
Well, the name of the crash site is CrashAt*Unhandlable*OOM. The mitigation here took us from #1-2 down to #50-60. That's success.
(In reply to Terrence Cole [:terrence] from comment #39)
> Well, the name of the crash site is CrashAt*Unhandlable*OOM. The mitigation
> here took us from #1-2 down to #50-60. That's success.

Yes, true. Florin, if this is roughly the same much-decresed volume across branches, let's consider it verified.
My problem here is that I do not see any improvement in Beta8 and Beta9 compared to previous versions. Since the fix landed in Beta8 I would expect to see some clear improvement in Beta 8 & 9 compared to previous versions.

Looking at [1] which represents the crashes over the past 4 weeks I see that the numbers for Beta8 are really close to those for Beta2 and Beta4, and rather close to Beta6, Beta5, and even Beta1:
- 32.0b8 - 4.40 % - 212 crashes
- 32.0b4 - 4.81 % - 232 crashes
- 32.0b2 - 4.92 % - 237 crashes
- 32.0b6 - 4.98 % - 240 crashes
- 32.0b5 - 5.18 % - 250 crashes
- 32.0b1 - 5.56 % - 268 crashes

Looking at [2] I see that the ranking in Beta8 and Beta9 is worse than in Beta1, 4, 5, and 6:
Rank Version
56 - 32.0b9
58 - 32.0b8
57 - 32.0b1
48 - 32.0b2
86 - 32.0b5
64 - 32.0b4
47 - 32.0b7
61 - 32.0b6

Given the proximity of numbers above I'm really not sure that we can call this verified when there is no visible improvement in versions prior to the fix in Beta... yes we may have went from #1-2 to #50-60 but this seems to have happened prior to the fix, and the fix itself seems to have not brought much of an improvement.

[1] - https://crash-stats.mozilla.com/report/list?product=Firefox&range_unit=days&range_value=28&signature=OOM+%7C+unknown+%7C+js%3A%3ACrashAtUnhandlableOOM%28char+const%2A%29+%7C+js%3A%3ANursery%3A%3AMinorGCCallback%28JSTracer%2A%2C+void%2A%2A%2C+JSGCTraceKind%29
[2] - https://crash-stats.mozilla.com/topcrasher_ranks_bybug/?bug_number=999158
Hmm, yes, it seems like this improved a lot between 31 (before deactivation of GGC) and 32, and it's unclear if this fix helped anything in 32.
Interesting! It's quite possible that one of the fixes we pushed before disabling actually did fix the issue -- that release was total chaos so I wouldn't be terribly surprised if nobody noticed at the time.
No crashes for Firefox 33 on Soccoro with this signature therefore marking this issue verified.

We still have 87 crashes over the last week for Firefox 32.0.3.
Status: RESOLVED → VERIFIED
You need to log in before you can comment on or make changes to this bug.