Open
Bug 1472632
Opened 7 years ago
Updated 2 years ago
Crash in bool js::gc::IsAboutToBeFinalizedInternal<T>
Categories: Core :: JavaScript: GC, defect, P5
Tracking: (none)
People: Reporter: gsvelto, Unassigned
References: Blocks 1 open bug
Details: Keywords: crash, stalled; Whiteboard: qa-not-actionable
Crash Data
This bug was filed from the Socorro interface and is
report bp-e04eb924-4b49-4c32-ac12-ef5d00180701.
=============================================================
Top 10 frames of crashing thread:
0 libxul.so bool js::gc::IsAboutToBeFinalizedInternal<js::ObjectGroup> js/src/gc/Marking.cpp:3307
1 libxul.so js::ConstraintTypeSet::sweep js/src/gc/Marking.h:102
2 libxul.so js::ObjectGroup::sweep 
3 libxul.so js::gc::GCRuntime::sweepTypeInformation js/src/vm/TypeInference-inl.h:1231
4 libxul.so sweepaction::SweepActionSequence<js::gc::GCRuntime*, js::FreeOp*, js::SliceBudget&, JS::Zone*>::run js/src/gc/GC.cpp:6385
5 libxul.so sweepaction::SweepActionForEach<js::gc::SweepGroupZonesIter, JSRuntime*, js::gc::GCRuntime*, js::FreeOp*, js::SliceBudget&>::run js/src/gc/GC.cpp:6416
6 libxul.so sweepaction::SweepActionSequence<js::gc::GCRuntime*, js::FreeOp*, js::SliceBudget&>::run js/src/gc/GC.cpp:6385
7 libxul.so sweepaction::SweepActionRepeatFor<js::gc::SweepGroupsIter, JSRuntime*, js::gc::GCRuntime*, js::FreeOp*, js::SliceBudget&>::run js/src/gc/GC.cpp:6446
8 libxul.so js::gc::GCRuntime::performSweepActions 
9 libxul.so js::gc::GCRuntime::incrementalCollectSlice 
=============================================================
The stacks here look quite similar to bug 1289075 and the crash reports with this signature only affect versions starting from 62.0b1 while reports for bug 1289075 end with 61.0b5. My guess is that this is really bug 1289075 with a new signature but I'm not 100% as at least some reports have stacks that look somewhat different.
Comment 1 • 7 years ago (Reporter)
Just found another signature with a stack that is eerily similar save for a missing entry.
Crash Signature: [@ bool js::gc::IsAboutToBeFinalizedInternal<T>] → [@ bool js::gc::IsAboutToBeFinalizedInternal<T>]
[@ js::gc::IsAboutToBeFinalizedInternal<T> ]
Updated • 7 years ago
status-firefox62: --- → affected
status-firefox63: --- → affected
Comment 2 • 7 years ago
The js::gc::IsAboutToBeFinalizedInternal<T> signature spiked since we released 62, with close to 300 crashes a day (vs. 50 before we shipped 62). Jon, could that bug be prioritized and investigated? Thanks
status-firefox64: --- → affected
Flags: needinfo?(jcoppeard)
Comment 3 • 7 years ago
Crashes with this signature mainly fall into two buckets:
  js::gc::IsAboutToBeFinalizedInternal<T>
  js::PreliminaryObjectArray::sweep
  js::ObjectGroup::sweep
and
  js::gc::IsAboutToBeFinalizedInternal<T>
  IsObjectKeyAboutToBeFinalized
  js::ConstraintTypeSet::sweep
  JSScript::sweepTypes
For the first one we're hitting an invalid JSObject pointer that is small but not null. For the second we're hitting an ObjectKey with a null ObjectGroup pointer. Neither of those should be possible (and we assert this in debug builds), so this is probably more heap corruption / bad memory.
This is probably just bug 1112741 in a different guise.
Flags: needinfo?(jcoppeard)
See Also:  → 1112741
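The two corrupt-pointer shapes described in comment 3 (a null pointer, and a "small but not null" pointer that cannot be a heap cell) can be illustrated with a small model of a GC sweep over weak references. The code below is an added example written for this page; it is not SpiderMonkey code and does not reproduce the bug. The `Cell`, `WeakTable`, `classifyWeakPointer` and `kMinPlausibleAddress` names are constructed for the illustration. It shows the difference between a weak entry whose target simply died this cycle (dropped, the normal case) and an entry whose pointer is implausible (counted as corrupt and never dereferenced), which is the condition the engine only asserts on in debug builds.

```cpp
// Added illustration (not SpiderMonkey code): a minimal model of the sweep
// phase checking weak references, with a plausibility guard for the two
// corrupt-pointer shapes described in comment 3.
#include <cstddef>
#include <cstdint>
#include <vector>

// Hypothetical heap cell: the mark phase sets `marked` on reachable cells.
struct Cell {
    bool marked = false;
};

enum class SweepResult { Keep, Drop, Corrupt };

// Constructed threshold: addresses below the first page cannot be heap
// cells. A real engine would assert on such values rather than guess.
constexpr uintptr_t kMinPlausibleAddress = 4096;

// Models IsAboutToBeFinalized: a cell that was not marked this cycle is
// about to be reclaimed, so weak references to it must be dropped.
bool isAboutToBeFinalized(const Cell* cell) {
    return !cell->marked;
}

// Classify a weak pointer before touching it. Null and "small but not null"
// pointers are reported instead of dereferenced.
SweepResult classifyWeakPointer(const Cell* cell) {
    uintptr_t addr = reinterpret_cast<uintptr_t>(cell);
    if (addr == 0 || addr < kMinPlausibleAddress) {
        return SweepResult::Corrupt;
    }
    return isAboutToBeFinalized(cell) ? SweepResult::Drop : SweepResult::Keep;
}

struct WeakTable {
    std::vector<Cell*> entries;
    size_t corruptSeen = 0;

    // Sweep: keep entries whose targets survived, drop those whose targets
    // are dying, and count (but never touch) implausible pointers.
    size_t sweep() {
        size_t dropped = 0;
        std::vector<Cell*> live;
        for (Cell* c : entries) {
            switch (classifyWeakPointer(c)) {
            case SweepResult::Keep:    live.push_back(c); break;
            case SweepResult::Drop:    ++dropped;         break;
            case SweepResult::Corrupt: ++corruptSeen;     break;
            }
        }
        entries.swap(live);
        return dropped;
    }
};

struct Scenario {
    size_t dropped;
    size_t corrupt;
    size_t remaining;
};

// Constructed scenario: two marked (live) cells, one unmarked (dying) cell,
// one small non-null pointer and one null pointer, all in the same table.
Scenario runScenario() {
    Cell a, b, c;
    a.marked = true;
    b.marked = false;
    c.marked = true;
    WeakTable table;
    table.entries = {&a, &b, &c, reinterpret_cast<Cell*>(0x10), nullptr};
    Scenario s;
    s.dropped = table.sweep();
    s.corrupt = table.corruptSeen;
    s.remaining = table.entries.size();
    return s;
}
```

The point of the guard is detection rather than recovery: once a sweep finds a pointer that cannot be a cell, the heap is already damaged, which is why comment 3 treats these crashes as symptoms of corruption elsewhere rather than a GC logic bug.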
Comment 4 • 6 years ago
Closing because no crashes reported for 12 weeks.
Status: NEW → RESOLVED
Closed: 6 years ago
Resolution: --- → WONTFIX
Comment 5 • 6 years ago
There are still some crashes so reopen it.
Status: RESOLVED → REOPENED
status-firefox65: --- → affected
status-firefox66: --- → affected
Resolution: WONTFIX → ---
Updated • 6 years ago
status-firefox67: --- → affected
Updated • 4 years ago
Whiteboard: qa-not-actionable
Updated • 3 years ago
Severity: critical → S2
Updated • 2 years ago
Severity: S2 → S3