Crash [@ DispatchToTracer<T>(JSTracer*, JSString**, char const*)]
Categories
(Core :: JavaScript: GC, defect)
Tracking
Version | Tracking | Status
---|---|---
firefox40 | --- | affected |
firefox41 | --- | affected |
firefox42 | --- | affected |
firefox43 | --- | affected |
firefox47 | --- | affected |
firefox48 | --- | affected |
firefox49 | --- | affected |
firefox-esr45 | --- | affected |
firefox50 | --- | affected |
firefox51 | --- | affected |
firefox52 | --- | wontfix |
firefox53 | --- | affected |
firefox61 | --- | affected |
People
(Reporter: ehoogeveen, Unassigned)
References
(Blocks 1 open bug)
Details
(Keywords: crash)
Comment 1•9 years ago
Comment 4•9 years ago
Comment 5•9 years ago
Comment 6•9 years ago
Updated•9 years ago
Comment 7•9 years ago
Comment 8•9 years ago
Comment 11•9 years ago
Comment 13•8 years ago
Comment 14•8 years ago
Comment 15•8 years ago
Comment 16•8 years ago
Comment 17•8 years ago
Comment 18•8 years ago
Comment 19•7 years ago
Comment 20•7 years ago
Updated•7 years ago
Updated•7 years ago
Comment 22•7 years ago
Comment 23•6 years ago
Since December the crash rate has been 20-30% lower for Firefox, perhaps because the crash rate appears to be much lower in v60 - https://crash-stats.mozilla.com/signature/?product=Firefox&signature=DispatchToTracer%3CT%3E&date=%3E%3D2018-10-29T14%3A20%3A00.000Z&date=%3C2019-04-29T14%3A20%3A00.000Z#graphs
None of the few crashes I sampled have (js::Shape) on the stack, including Mac crashes.
And it is currently not Mac-only, as noted in comment 22.
I suggest the current signatures are unrelated to the original report, and so perhaps this bug should be closed.
Comment 24•6 years ago
This function has been replaced so I'll dupe this to bug 1474623.
Comment 25•5 years ago
(In reply to Jon Coppeard (:jonco) from comment #24)
> This function has been replaced so I'll dupe this to bug 1474623.
*** This bug has been marked as a duplicate of bug 1474623 ***
We use SpiderMonkey 45 embedded in a server process. We can easily trigger a crash in DispatchToTracer<JSString*>; here is a stack:
#0 0x00007f18c6d979d8 in DispatchToTracer<JSObject*> (trc=0x7f188c4c9390, thingp=0x0, name=0x7f18c6fb5f30 "parser.object") at ../../dist/include/js/TracingAPI.h:281
#1 0x00007f18c6d98cc5 in js::TraceRoot<JSObject*> (trc=<optimized out>, thingp=<optimized out>, name=<optimized out>)
#2 0x00007f18c6d7220c in js::frontend::ObjectBox::trace (this=<optimized out>, trc=trc@entry=0x7f188c4c9390)
#3 0x00007f18c685a19c in js::frontend::Parser<js::frontend::FullParseHandler>::trace (this=this@entry=0x7f18a5ff92e8, trc=trc@entry=0x7f188c4c9390)
#4 0x00007f18c684d879 in js::frontend::MarkParser (trc=trc@entry=0x7f188c4c9390, parser=parser@entry=0x7f18a5ff92f0)
#5 0x00007f18c6d8bfbb in trace (trc=0x7f188c4c9390, this=0x7f18a5ff92f0)
#6 traceAllInContext<JSContext> (cx=0x7f188db2c930, trc=0x7f188c4c9390)
#7 JS::AutoGCRooter::traceAll (trc=trc@entry=0x7f188c4c9390)
#8 0x00007f18c6d8dd26 in js::gc::GCRuntime::markRuntime (this=this@entry=0x7f188c4c7548, trc=trc@entry=0x7f188c4c9390, traceOrMark=traceO
#9 0x00007f18c6b7d0d0 in js::gc::GCRuntime::beginMarkPhase (this=this@entry=0x7f188c4c7548, reason=reason@entry=JS::gcreason::LAST_DITCH)
#10 0x00007f18c6b83ab7 in js::gc::GCRuntime::incrementalCollectSlice (this=this@entry=0x7f188c4c7548, budget=..., reason=reason@entry=JS::
#11 0x00007f18c6b84a61 in js::gc::GCRuntime::gcCycle (this=this@entry=0x7f188c4c7548, nonincrementalByAPI=nonincrementalByAPI@entry=true,
#12 0x00007f18c6b84e57 in js::gc::GCRuntime::collect (this=this@entry=0x7f188c4c7548, nonincrementalByAPI=nonincrementalByAPI@entry=true,
#13 0x00007f18c6b85148 in js::gc::GCRuntime::gc (this=this@entry=0x7f188c4c7548, gckind=gckind@entry=GC_SHRINK, reason=reason@entry=JS::gc
#14 0x00007f18c6d7c89e in tryNewTenuredThing<js::LazyScript, (js::AllowGC)1> (kind=js::gc::LAZY_SCRIPT, thingSize=64, cx=0x7f188db2c930)
#15 js::Allocate<js::LazyScript, (js::AllowGC)1> (cx=cx@entry=0x7f188db2c930)
#16 0x00007f18c6bd4887 in js::LazyScript::CreateRaw (cx=0x7f188db2c930, fun=..., packedFields=<optimized out>, begin=21, end=51, lineno=li
#17 0x00007f18c6bd4ba3 in js::LazyScript::CreateRaw (cx=<optimized out>, fun=..., fun@entry=..., numFreeVariables=<optimized out>, numInne
#18 0x00007f18c68528be in js::frontend::Parser<js::frontend::SyntaxParseHandler>::finishFunctionDefinition (this=this@entry=0x7f18a5ff92e8
#19 0x00007f18c686ee4b in finishFunctionDefinition (body=<optimized out>, funbox=0x7f188c402840, pn=js::frontend::SyntaxParseHandler::Node
#20 js::frontend::Parser<js::frontend::SyntaxParseHandler>::functionArgsAndBodyGeneric (this=this@entry=0x7f18a5ff92e8, inHandling=inHandl
#21 0x00007f18c68542c4 in js::frontend::Parser<js::frontend::FullParseHandler>::functionArgsAndBody (this=this@entry=0x7f18a5ff97d8, inHan
Is that something described in bug 1474623? (I don't have permissions to open it.)
When we disabled compiler optimization, the problem went away. Our compiler is gcc version 8.3.1 20190311 (Red Hat 8.3.1-3).
Comment 26•5 years ago
That bug is a general signature so I don't think there's anything related to this there.
The thing that sticks out is thingp=0x0 in the first line. This shouldn't be a null pointer. Can you catch the crash in rr (https://rr-project.org/)? That might help see where this is coming from.
Also that code has changed quite a bit since the version you're using, and although I couldn't find any specific bugs we've fixed that might cause this it's possible that using a more recent version might help.
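The observation in comment 26 hinges on the calling convention of the tracing API: `TraceRoot`/`DispatchToTracer` receive the address of the slot that holds the GC pointer (`T** thingp`), so `thingp=0x0` means the rooter handed over a bad slot address, not merely an empty slot. The following is an added illustration, not SpiderMonkey code and not anything posted in this bug: a miniature root list modelled on the AutoGCRooter chain and the `TraceRoot(trc, &slot, name)` pattern visible in the backtrace above, with a validation step that records the offending root's diagnostic name instead of dereferencing a null slot address. All names (`MiniTracer`, `MiniRooter`, `traceRoot`, `traceAllRoots`, `demoTrace`) and the sample root list are hypothetical and constructed for this example.

```cpp
// Added illustration (not SpiderMonkey code): a miniature GC root list modelled
// on the AutoGCRooter / TraceRoot pattern in the backtrace above, with a check
// for the failure mode noted in comment 26 (a rooter whose slot address is null).
// All names here are hypothetical.
#include <cstddef>
#include <string>
#include <utility>
#include <vector>

struct Cell { bool marked = false; };   // stand-in for a GC thing

struct MiniTracer {
    std::vector<std::string> badRoots;  // names of roots whose slot address was null
    size_t markedCount = 0;             // number of distinct cells marked
};

// Analogue of TraceRoot<T>(trc, thingp, name): the tracer receives the address
// of the slot holding the pointer, not the pointer itself. A null thingp means
// the slot address is bad, which is distinct from a slot that holds nullptr.
inline bool traceRoot(MiniTracer* trc, Cell** thingp, const char* name) {
    if (thingp == nullptr) {
        trc->badRoots.push_back(name);  // record the root's label instead of crashing
        return false;
    }
    if (*thingp == nullptr) {
        return true;                    // an empty slot is legal: nothing to mark
    }
    if (!(*thingp)->marked) {
        (*thingp)->marked = true;
        ++trc->markedCount;
    }
    return true;
}

// Intrusive singly linked list of rooters, like AutoGCRooter's chain.
struct MiniRooter {
    Cell** slot;          // address of the rooted pointer
    const char* name;     // diagnostic label, e.g. "parser.object"
    MiniRooter* next;
};

// Walk the chain and trace each root; returns how many roots failed validation
// (0 means the whole list was sound).
inline size_t traceAllRoots(MiniTracer* trc, MiniRooter* head) {
    for (MiniRooter* r = head; r != nullptr; r = r->next) {
        traceRoot(trc, r->slot, r->name);
    }
    return trc->badRoots.size();
}

// Constructed sample: a three-entry root list in which the middle rooter carries
// a null slot address labelled like the crashing root. Returns the name of the
// first bad root ("" if none) and the number of cells that were still marked.
inline std::pair<std::string, size_t> demoTrace() {
    Cell a, b;
    Cell* pa = &a;
    Cell* pb = &b;
    MiniRooter third{&pb, "third", nullptr};
    MiniRooter second{nullptr, "parser.object", &third};  // the defective rooter
    MiniRooter first{&pa, "first", &second};
    MiniTracer trc;
    traceAllRoots(&trc, &first);
    std::string firstBad = trc.badRoots.empty() ? std::string() : trc.badRoots.front();
    return {firstBad, trc.markedCount};
}
```

Running `demoTrace()` reports `"parser.object"` as the bad root while the other two roots are still marked, which is the information a crash dump like the one in comment 25 gives you through the `name` argument: the label identifies which rooter supplied the null slot address, and the next step is finding why that rooter's slot pointer was null (e.g. with rr, as comment 26 suggests).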