Closed Bug 669617 Opened 13 years ago Closed 13 years ago

crash (SIGSEGV) in JS_ON_TRACE during test_precisegc.xul

Categories

(Core :: JavaScript Engine, defect)

x86_64
Linux
defect
Not set
normal

Tracking

()

RESOLVED FIXED
mozilla8

People

(Reporter: jfkthame, Unassigned)

Details

(Keywords: intermittent-failure, Whiteboard: [inbound])

Attachments

(1 file)

http://tinderbox.mozilla.org/showlog.cgi?log=Firefox/1309942636.1309945416.24035.gz

Looks to be intermittent, as it didn't happen on the following pushes. Possibly triggered by cset 58101c64c83c (bug 658738 - Schedule final GC before finishing the browser-chrome test suite), which landed immediately before the push where this occurred? But the test ran green on that push itself.

PROCESS-CRASH | chrome://mochitests/content/chrome/js/src/xpconnect/tests/chrome/test_precisegc.xul | application crashed (minidump found)
Crash dump filename: /tmp/tmpvQgUce/minidumps/49557b5c-3a57-fa66-36b7aba1-349c9f81.dmp
Operating system: Linux
                  0.0.0 Linux 2.6.31.5-127.fc12.x86_64 #1 SMP Sat Nov 7 21:11:14 EST 2009 x86_64
CPU: amd64
     family 6 model 23 stepping 10
     2 CPUs

Crash reason:  SIGSEGV
Crash address: 0x28

Thread 0 (crashed)
 0  libxul.so!JS_ON_TRACE [jscompartment.h:7daa4cc9fb07 : 553 + 0xc]
    rbx = 0xc9bc27d0   r12 = 0x00000000   r13 = 0xa6e036c9   r14 = 0x010960b0
    r15 = 0x010997a0   rip = 0xa74c3187   rsp = 0xc9bc26e0   rbp = 0xc9bc26f0
    Found by: given as instruction pointer in context
 1  libxul.so!JS_IsRunning [jsapi.cpp:7daa4cc9fb07 : 5156 + 0xb]
    rbx = 0xc9bc27d0   r12 = 0x00000000   r13 = 0xa6e036c9   r14 = 0x010960b0
    r15 = 0x010997a0   rip = 0xa74e1142   rsp = 0xc9bc2700   rbp = 0xc9bc2720
    Found by: call frame info
 2  libxul.so!PreciseGCRunnable::Run [xpccomponents.cpp:7daa4cc9fb07 : 3797 + 0xb]
    rbx = 0xc9bc27d0   r12 = 0x00000000   r13 = 0xa6e036c9   r14 = 0x010960b0
    r15 = 0x010997a0   rip = 0xa692b1ba   rsp = 0xc9bc2730   rbp = 0xc9bc2770
    Found by: call frame info
 3  libxul.so!nsThread::ProcessNextEvent [nsThread.cpp:7daa4cc9fb07 : 617 + 0x1a]
    rbx = 0xc9bc27d0   r12 = 0x00000000   r13 = 0xa6e036c9   r14 = 0x010960b0
    r15 = 0x010997a0   rip = 0xa70ef2b8   rsp = 0xc9bc2780   rbp = 0xc9bc2850
    Found by: call frame info
 4  libxul.so!NS_ProcessNextEvent_P [nsThreadUtils.cpp:7daa4cc9fb07 : 245 + 0x1f]
    rbx = 0xa70eeebe   r12 = 0x01a4d260   r13 = 0xa6ec583a   r14 = 0x010960b0
    r15 = 0x010997a0   rip = 0xa7082ca2   rsp = 0xc9bc2860   rbp = 0xc9bc2890
    Found by: call frame info
 5  libxul.so!mozilla::ipc::MessagePump::Run [MessagePump.cpp:7daa4cc9fb07 : 110 + 0x14]
    rbx = 0x00000001   r12 = 0x01a4d260   r13 = 0xa6ec583a   r14 = 0x010960b0
    r15 = 0x010997a0   rip = 0xa6f669da   rsp = 0xc9bc28a0   rbp = 0xc9bc2900
    Found by: call frame info
 6  libxul.so!MessageLoop::RunInternal [message_loop.cc:7daa4cc9fb07 : 218 + 0x27]
    rbx = 0xa59e3a54   r12 = 0x01a4d260   r13 = 0xa6ec583a   r14 = 0x010960b0
    r15 = 0x010997a0   rip = 0xa713cc17   rsp = 0xc9bc2910   rbp = 0xc9bc2940
    Found by: call frame info
 7  libxul.so!MessageLoop::RunHandler [message_loop.cc:7daa4cc9fb07 : 202 + 0xb]
    rbx = 0xa59e3a54   r12 = 0x01a4d260   r13 = 0xa6ec583a   r14 = 0x010960b0
    r15 = 0x010997a0   rip = 0xa713cba8   rsp = 0xc9bc2950   rbp = 0xc9bc2960
    Found by: call frame info
 8  libxul.so!MessageLoop::Run [message_loop.cc:7daa4cc9fb07 : 176 + 0xb]
    rbx = 0xa59e3a54   r12 = 0x01a4d260   r13 = 0xa6ec583a   r14 = 0x010960b0
    r15 = 0x010997a0   rip = 0xa713cb81   rsp = 0xc9bc2970   rbp = 0xc9bc29a0
    Found by: call frame info
 9  libxul.so!nsBaseAppShell::Run [nsBaseAppShell.cpp:7daa4cc9fb07 : 189 + 0xc]
    rbx = 0xa59e3a54   r12 = 0x01a4d260   r13 = 0xa6ec583a   r14 = 0x010960b0
    r15 = 0x010997a0   rip = 0xa6e031f1   rsp = 0xc9bc29b0   rbp = 0xc9bc29d0
    Found by: call frame info
10  libxul.so!nsAppStartup::Run [nsAppStartup.cpp:7daa4cc9fb07 : 222 + 0x1e]
    rbx = 0xa59e3a54   r12 = 0x01a4d260   r13 = 0xa6ec583a   r14 = 0x010960b0
    r15 = 0x010997a0   rip = 0xa6b435cd   rsp = 0xc9bc29e0   rbp = 0xc9bc2a00
    Found by: call frame info
11  libxul.so!XRE_main [nsAppRunner.cpp:7daa4cc9fb07 : 3570 + 0x1d]
    rbx = 0xa59e3a54   r12 = 0x01a4d260   r13 = 0xa6ec583a   r14 = 0x010960b0
    r15 = 0x010997a0   rip = 0xa59e6a8c   rsp = 0xc9bc2a10   rbp = 0xc9bc3340
    Found by: call frame info
12  firefox-bin!do_main [nsBrowserApp.cpp:7daa4cc9fb07 : 198 + 0x21]
    rbx = 0xa59e3a54   r12 = 0xa70d7ce6   r13 = 0xc9bc5650   r14 = 0x00000000
    r15 = 0x00000000   rip = 0x004019db   rsp = 0xc9bc3350   rbp = 0xc9bc4400
    Found by: call frame info
13  firefox-bin!main [nsBrowserApp.cpp:7daa4cc9fb07 : 281 + 0x1d]
    rbx = 0x00000000   r12 = 0x00401110   r13 = 0xc9bc5650   r14 = 0x00000000
    r15 = 0x00000000   rip = 0x00401bf1   rsp = 0xc9bc4410   rbp = 0xc9bc5570
    Found by: call frame info
14  libc-2.11.so + 0x1eb1c
    rbx = 0x00000000   r12 = 0x00401110   r13 = 0xc9bc5650   r14 = 0x00000000
    r15 = 0x00000000   rip = 0xd2e1eb1d   rsp = 0xc9bc5580   rbp = 0x00000000
    Found by: call frame info
15  firefox-bin!do_main [nsBrowserApp.cpp:7daa4cc9fb07 : 201 + 0xb]
    rip = 0x00401a0e   rsp = 0xc9bc55a0
    Found by: stack scanning
Blocks: 661927
Darn, that means that the context being used has already been destroyed by the time the scheduled event is run. I'm going to need to figure out some way to check if a JSContext is still valid before using it.
JS_SetContextCallback?
My patch apparently makes this random bug more likely. The fix is pretty simple: JS_IsRunning needs to test whether cx->thread() is null before accessing its thread-data (in JS_ON_TRACE).
Attachment #549269 - Flags: review?(igor)
Comment on attachment 549269: need to test whether cx->thread() is null
Attachment #549269 - Flags: review?(igor) → review+
Oops, that only works for JS_THREADSAFE builds. This is better: http://hg.mozilla.org/integration/mozilla-inbound/rev/3e1a24105739
Thanks Luke!
Status: NEW → RESOLVED
Closed: 13 years ago
Resolution: --- → FIXED
Target Milestone: --- → mozilla8
Whiteboard: [orange][inbound] → [inbound]
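
The crash address 0x28, combined with the diagnosis that cx->thread() can be null, is the usual signature of reading a struct member through a null pointer. The C model below is an added example, not SpiderMonkey code and not the attached patch; the struct layout, the placement of the flag at offset 0x28, the 4096-byte page size and all names are constructed for illustration.

```c
#include <stdbool.h>
#include <stddef.h>
#include <stdint.h>
#include <stdio.h>

/* Constructed stand-ins, not SpiderMonkey's real layout. The padding is
 * chosen so that on_trace sits at offset 0x28, the reported crash address. */
struct thread_data { char pad[0x28]; bool on_trace; };
struct context { struct thread_data *thread; /* NULL: no thread attached */ };

/* Constructed sample contexts. */
static struct thread_data sample_td = { .on_trace = true };
static const struct context attached = { &sample_td };
static const struct context detached = { NULL };

/* Address that an unguarded read of cx->thread->on_trace would touch. */
uintptr_t unguarded_fault_address(const struct context *cx)
{
    return (uintptr_t)cx->thread + offsetof(struct thread_data, on_trace);
}

/* Triage rule: a fault inside the first page (assumed 4096 bytes) is a
 * null base pointer plus a field offset, not a wild pointer. */
bool looks_like_null_member_deref(uintptr_t fault_addr)
{
    return fault_addr < 4096;
}

/* Guarded check: test the thread pointer before reading its data.
 * This covers a NULL thread only; it cannot detect a freed context. */
bool on_trace_guarded(const struct context *cx)
{
    if (cx == NULL || cx->thread == NULL)
        return false;
    return cx->thread->on_trace;
}

int main(void)
{
    printf("unguarded read would fault at 0x%lx\n",
           (unsigned long)unguarded_fault_address(&detached));
    printf("guarded: detached=%d attached=%d\n",
           on_trace_guarded(&detached), on_trace_guarded(&attached));
    return 0;
}
```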