Closed Bug 1192448 Opened 9 years ago Closed 9 years ago

Crash in JSCompartment destructor

Categories

(Core :: JavaScript: GC, defect)

x86_64
Linux
defect
Not set
blocker

Tracking


RESOLVED FIXED
Tracking Status
firefox42 --- affected

People

(Reporter: dhylands, Unassigned)

Details

Every time I launch B2G-desktop it immediately crashes with the following backtrace:

> (gdb) bt
> #0  0x00007f6600c89f3d in nanosleep () at ../sysdeps/unix/syscall-template.S:81
> #1  0x00007f6600c89dd4 in __sleep (seconds=0) at ../sysdeps/unix/sysv/linux/sleep.c:137
> #2  0x00007f65f54ed2ae in ah_crap_handler (signum=11) at /home/work/B2G-desktop/mozilla-central/toolkit/xre/nsSigHandlers.cpp:103
> #3  0x00007f65f54e02c0 in nsProfileLock::FatalSignalHandler (signo=11, info=0x7ffc51adcd30, context=0x7ffc51adcc00) at /home/work/B2G-desktop/mozilla-central/toolkit/profile/nsProfileLock.cpp:195
> #4  0x00007f65f5b14351 in AsmJSFaultHandler (signum=<optimized out>, info=0x7ffc51adcd30, context=0x7ffc51adcc00) at /home/work/B2G-desktop/mozilla-central/js/src/asmjs/AsmJSSignalHandlers.cpp:1135
> #5  <signal handler called>
> #6  0x00007f65f60b33c2 in ~LinkedList (this=0x7f65d75efba8, __in_chrg=<optimized out>) at ../../dist/include/mozilla/LinkedList.h:308
> #7  JSCompartment::~JSCompartment (this=0x7f65d75ef800, __in_chrg=<optimized out>) at /home/work/B2G-desktop/mozilla-central/js/src/jscompartment.cpp:90
> #8  0x00007f65f61320b7 in js_delete<JSCompartment> (p=0x7f65d75ef800) at ../../dist/include/js/Utility.h:254
> #9  sweepCompartments (keepAtleastOne=false, destroyingRuntime=false, fop=0x7ffc51add3f0, this=0x7f65d75ea000) at /home/work/B2G-desktop/mozilla-central/js/src/jsgc.cpp:3604
> #10 js::gc::GCRuntime::sweepZones (this=0x7f65ee3d43d8, fop=0x7ffc51add3f0, destroyingRuntime=false) at /home/work/B2G-desktop/mozilla-central/js/src/jsgc.cpp:3645
> #11 0x00007f65f614feee in js::gc::GCRuntime::endSweepPhase (this=this@entry=0x7f65ee3d43d8, destroyingRuntime=destroyingRuntime@entry=false) at /home/work/B2G-desktop/mozilla-central/js/src/jsgc.cpp:5369
> #12 0x00007f65f616d249 in js::gc::GCRuntime::incrementalCollectSlice (this=this@entry=0x7f65ee3d43d8, budget=..., reason=reason@entry=JS::gcreason::INTER_SLICE_GC) at /home/work/B2G-desktop/mozilla-central/js/src/jsgc.cpp:5883
> #13 0x00007f65f616e202 in js::gc::GCRuntime::gcCycle (this=this@entry=0x7f65ee3d43d8, incremental=incremental@entry=true, budget=..., reason=reason@entry=JS::gcreason::INTER_SLICE_GC) at /home/work/B2G-desktop/mozilla-central/js/src/jsgc.cpp:6063
> #14 0x00007f65f616e65a in js::gc::GCRuntime::collect (this=0x7f65ee3d43d8, incremental=incremental@entry=true, budget=..., reason=reason@entry=JS::gcreason::INTER_SLICE_GC) at /home/work/B2G-desktop/mozilla-central/js/src/jsgc.cpp:6177
> #15 0x00007f65f616eca4 in js::gc::GCRuntime::gcSlice (this=<optimized out>, reason=JS::gcreason::INTER_SLICE_GC, millis=<optimized out>) at /home/work/B2G-desktop/mozilla-central/js/src/jsgc.cpp:6253
> #16 0x00007f65f407af74 in nsJSContext::GarbageCollectNow (aReason=JS::gcreason::INTER_SLICE_GC, aIncremental=nsJSContext::IncrementalGC, aShrinking=nsJSContext::NonShrinkingGC, aSliceMillis=40) at /home/work/B2G-desktop/mozilla-central/dom/base/nsJSEnvironment.cpp:1325
> #17 0x00007f65f35e04c0 in nsTimerImpl::Fire (this=0x7f65cac23800) at /home/work/B2G-desktop/mozilla-central/xpcom/threads/nsTimerImpl.cpp:437
> #18 0x00007f65f35e065c in nsTimerEvent::Run (this=0x7f65dd1422c0) at /home/work/B2G-desktop/mozilla-central/xpcom/threads/TimerThread.cpp:268
> #19 0x00007f65f35dd5a7 in nsThread::ProcessNextEvent (this=0x7f660096ec70, aMayWait=<optimized out>, aResult=0x7ffc51add95f) at /home/work/B2G-desktop/mozilla-central/xpcom/threads/nsThread.cpp:867
> #20 0x00007f65f3606f4f in NS_ProcessNextEvent (aThread=<optimized out>, aMayWait=<optimized out>) at /home/work/B2G-desktop/mozilla-central/xpcom/glue/nsThreadUtils.cpp:277
> #21 0x00007f65f384bfc7 in mozilla::ipc::MessagePump::Run (this=0x7f65f0986f00, aDelegate=0x7f6600973200) at /home/work/B2G-desktop/mozilla-central/ipc/glue/MessagePump.cpp:127
> #22 0x00007f65f38239a9 in MessageLoop::RunInternal (this=this@entry=0x7f6600973200) at /home/work/B2G-desktop/mozilla-central/ipc/chromium/src/base/message_loop.cc:234
> #23 0x00007f65f38239da in RunHandler (this=0x7f6600973200) at /home/work/B2G-desktop/mozilla-central/ipc/chromium/src/base/message_loop.cc:227
> #24 MessageLoop::Run (this=0x7f6600973200) at /home/work/B2G-desktop/mozilla-central/ipc/chromium/src/base/message_loop.cc:201
> #25 0x00007f65f4e61f83 in nsBaseAppShell::Run (this=0x7f65ec4cfa80) at /home/work/B2G-desktop/mozilla-central/widget/nsBaseAppShell.cpp:165
> #26 0x00007f65f5495196 in nsAppStartup::Run (this=0x7f65eb832150) at /home/work/B2G-desktop/mozilla-central/toolkit/components/startup/nsAppStartup.cpp:280
> #27 0x00007f65f54ea8fe in XREMain::XRE_mainRun (this=this@entry=0x7ffc51addcb0) at /home/work/B2G-desktop/mozilla-central/toolkit/xre/nsAppRunner.cpp:4288
> #28 0x00007f65f54eae0a in XREMain::XRE_main (this=this@entry=0x7ffc51addcb0, argc=argc@entry=4, argv=argv@entry=0x7f66009b4fa0, aAppData=aAppData@entry=0x4369d0 <sAppData>) at /home/work/B2G-desktop/mozilla-central/toolkit/xre/nsAppRunner.cpp:4385
> #29 0x00007f65f54eb0be in XRE_main (argc=4, argv=0x7f66009b4fa0, aAppData=0x4369d0 <sAppData>, aFlags=<optimized out>) at /home/work/B2G-desktop/mozilla-central/toolkit/xre/nsAppRunner.cpp:4474
> #30 0x00000000004051a7 in do_main (argv=0x7f66009b4fa0, argc=4) at /home/work/B2G-desktop/mozilla-central/b2g/app/nsBrowserApp.cpp:167
> #31 main (argc=4, argv=<optimized out>) at /home/work/B2G-desktop/mozilla-central/b2g/app/nsBrowserApp.cpp:299
OS: Unspecified → Linux
Hardware: Unspecified → x86_64
It seems to be hitting: Assertion failure: isEmpty(), at ../../dist/include/mozilla/LinkedList.h:308
That assertion generally indicates misuse: someone's trying to destroy a LinkedList without emptying it first. The only LinkedList in JSCompartment appears to be for UnboxedLayouts: paging bhackett. Knowing when this arose might also be helpful -- any regression range, even a hazy one?
Flags: needinfo?(bhackett1024)
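The contract behind that assertion, as an added example that is not Mozilla's code and not the fix for this bug: a stripped-down intrusive list following mozilla::LinkedList's rules, exercised in both teardown orders. `Elem`, `List`, `teardownElementsFirst` and `teardownListFirst` are names made up for the example.

```cpp
// Simplified stand-in for mozilla::LinkedList's contract (not Mozilla's code): the
// list owns nothing, each element unlinks itself on destruction, and the list must
// be empty when destroyed or surviving elements dangle into the freed header.
struct Elem {
    Elem* prev; Elem* next;
    Elem() : prev(nullptr), next(nullptr) {}
    bool isInList() const { return prev != nullptr; }
    void remove() {                    // unlink self, keep neighbours consistent
        prev->next = next;
        next->prev = prev;
        prev = next = nullptr;
    }
    ~Elem() { if (isInList()) remove(); }
};
struct List {
    Elem head;                         // sentinel; links to itself when empty
    static int nonEmptyDestructions;   // violations of the contract seen so far
    List() { head.prev = head.next = &head; }
    bool isEmpty() const { return head.next == &head; }
    void insertBack(Elem* e) {
        e->prev = head.prev; e->next = &head;
        head.prev->next = e; head.prev = e;
    }
    ~List() {
        if (!isEmpty()) ++nonEmptyDestructions;  // LinkedList: MOZ_ASSERT(isEmpty())
        while (!isEmpty()) head.next->remove();  // defuse dangling links regardless
        head.prev = head.next = nullptr;         // sentinel must not unlink itself
    }
};
int List::nonEmptyDestructions = 0;
// Correct order (what sweepCompartments must guarantee): elements die, and so
// unlink themselves, before the owning list does.
bool teardownElementsFirst() {
    List list;
    Elem* a = new Elem(); Elem* b = new Elem();
    list.insertBack(a); list.insertBack(b);
    delete a; delete b;
    return list.isEmpty();             // ~List's precondition holds
}
// Wrong order: the list dies with a and b still linked; returns violations (1).
int teardownListFirst() {
    int before = List::nonEmptyDestructions;
    Elem a, b;
    {
        List list;
        list.insertBack(&a); list.insertBack(&b);
    }                                  // ~List runs while a and b are linked
    return List::nonEmptyDestructions - before;
}
```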
I started to do a bisection and got this far:
changeset 256479:888019c4ff5b fails
changeset 256165:a4baa2a12eef fails
changeset 256008:b28d496da7bf fails
changeset 255851:51672b103c61 works
Continuing the bisection I get:
changeset 256479:888019c4ff5b fails
changeset 256165:a4baa2a12eef fails
changeset 256008:b28d496da7bf fails
changeset 255988:579d50cc0ca7 fails
changeset 255968:4e05c3afe0e0 fails
changeset 255967:2f16fb18314a fails - This seems to be the culprit
changeset 255966:8ad982618f06 works
changeset 255963:502c196722eb works
changeset 255958:d1288e84b4a0 works
changeset 255948:0ebb7da63ced works
changeset 255929:c2b099fa12ee works
changeset 255851:51672b103c61 works

I'm not sure why this changeset would cause the problem:
changeset:   255967:2f16fb18314a
user:        Boris Zbarsky <bzbarsky@mit.edu>
date:        Mon Aug 03 11:51:57 2015 -0400
summary:     Bug 1181908. The CompileOptions constructor should properly copy the introducerFilename and isRunOnce state. r=luke

Perhaps it's exposing a race? ni'ing luke (since he reviewed it - bz is on PTO until 8/24)
Flags: needinfo?(luke)
That's pretty bizarre. I don't have time to dig into this, so probably just need to back out. But before that, Terrence, any idea what this could be?
Flags: needinfo?(luke) → needinfo?(terrence)
That's already been backed out for causing bug 1191465.
Blocks: 1181908
Flags: needinfo?(bhackett1024)
Flags: needinfo?(terrence)
Status: NEW → RESOLVED
Closed: 9 years ago
Resolution: --- → FIXED