segfault in GCGraphBuilder::AddNode

Bug #286366 reported by Brian J. Murrell on 2008-10-20
This bug affects 1 person
Affects               Status   Importance  Assigned to  Milestone
Mozilla Firefox       Invalid  Critical
firefox-3.0 (Ubuntu)           Medium      Unassigned

Bug Description

Binary package hint: firefox-3.0

Firefox 3 segfaulted on me yet again.

Program received signal SIGSEGV, Segmentation fault.
[Switching to Thread 0xb7dd66c0 (LWP 31377)]
GCGraphBuilder::AddNode (this=0xbfaab9fc, s=0xda1d520, aParticipant=0x9253c84)
    at nsCycleCollector.cpp:1287
1287 nsCycleCollector.cpp: No such file or directory.
 in nsCycleCollector.cpp
Current language: auto; currently c++
(gdb) where
#0 GCGraphBuilder::AddNode (this=0xbfaab9fc, s=0xda1d520, aParticipant=0x9253c84)
    at nsCycleCollector.cpp:1287
#1 0xb7a3d401 in GCGraphBuilder::NoteScriptChild (this=0xbfaab9fc, langID=2, child=0xda1d520)
    at nsCycleCollector.cpp:1237
#2 0xb728b6b0 in NoteJSChild (trc=0x1af03e10, thing=0xda1d520, kind=0) at nsXPConnect.cpp:744
#3 0xb7d73df9 in JS_CallTracer (trc=0xbfaab950, thing=0xda1d520, kind=0) at jsgc.c:2449
#4 0xb7d89ecc in js_TraceObject (trc=0xbfaab950, obj=0xda1dd60) at jsobj.c:5082
#5 0xb7d73bba in JS_TraceChildren (trc=0xbfaab950, thing=0xda1dd60, kind=0) at jsgc.c:2233
#6 0xb728b770 in nsXPConnect::Traverse (this=0x9253c70, p=0xda1dd60, cb=@0xbfaab9fc)
    at nsXPConnect.cpp:935
#7 0xb7a3cc84 in GCGraphBuilder::Traverse (this=0xbfaab9fc, aPtrInfo=0xa4d6123c)
    at nsCycleCollector.cpp:1319
#8 0xb7a3cce7 in nsCycleCollector::MarkRoots (this=0x91f16b0, builder=@0xbfaab9fc)
    at nsCycleCollector.cpp:1513
#9 0xb7a3d795 in nsCycleCollector::BeginCollection (this=0x91f16b0) at nsCycleCollector.cpp:2368
#10 0xb7a3d7d8 in nsCycleCollector_beginCollection () at nsCycleCollector.cpp:2910
#11 0xb728c6cc in XPCCycleCollectGCCallback (cx=0x94ba360, status=JSGC_MARK_END)
    at nsXPConnect.cpp:440
#12 0xb7d74d7a in js_GC (cx=0x94ba360, gckind=GC_NORMAL) at jsgc.c:3239
#13 0xb7d5163a in JS_GC (cx=0x94ba360) at jsapi.c:2469
#14 0xb728b950 in nsXPConnect::Collect (this=0x9253c70) at nsXPConnect.cpp:529
#15 0xb7a3d8fa in nsCycleCollector::Collect (this=0x91f16b0, aTryCollections=1)
    at nsCycleCollector.cpp:2250
#16 0xb7a3da39 in nsCycleCollector_collect () at nsCycleCollector.cpp:2898
#17 0xb7638f42 in nsJSContext::CC () at nsJSEnvironment.cpp:3346
#18 0xb7639012 in nsJSContext::MaybeCC (aHigherProbability=1) at nsJSEnvironment.cpp:3397
#19 0xb76393c5 in nsUserActivityObserver::Observe (this=0x94b9bd0, aSubject=0x0,
    aTopic=0xb7ba4bcc "user-interaction-inactive", aData=0x0) at nsJSEnvironment.cpp:291
#20 0xb7a0c9a0 in nsObserverList::NotifyObservers (this=0x964c608, aSubject=0x0,
    aTopic=0xb7ba4bcc "user-interaction-inactive", someData=0x0) at nsObserverList.cpp:128
#21 0xb7a0cc6e in nsObserverService::NotifyObservers (this=0x9243fa0, aSubject=0x0,
    aTopic=0xb7ba4bcc "user-interaction-inactive", someData=0x0) at nsObserverService.cpp:181
#22 0xb75627e6 in nsUITimerCallback::Notify (this=0x95dc450, aTimer=0x95c1730)
    at nsEventStateManager.cpp:210
#23 0xb7a34a42 in nsTimerImpl::Fire (this=0x95c1730) at nsTimerImpl.cpp:403
#24 0xb7a34ab7 in nsTimerEvent::Run (this=0xaf6f7938) at nsTimerImpl.cpp:490
#25 0xb7a3256c in nsThread::ProcessNextEvent (this=0x91cb6b0, mayWait=1, result=0xbfaafd34)
    at nsThread.cpp:510
#26 0xb7a02f88 in NS_ProcessNextEvent_P (thread=0x1af03e10, mayWait=1) at nsThreadUtils.cpp:227
#27 0xb79862c4 in nsBaseAppShell::Run (this=0x9274708) at nsBaseAppShell.cpp:170
#28 0xb781bab8 in nsAppStartup::Run (this=0x92b7620) at nsAppStartup.cpp:181
#29 0xb7280508 in XRE_main (argc=2, argv=0xbfab3494, aAppData=0x9156830) at nsAppRunner.cpp:3194
#30 0x080491ab in ?? ()
#31 0xb7dee685 in __libc_start_main () from /lib/tls/i686/cmov/libc.so.6
#32 0x08048d11 in ?? ()

All threads:

(gdb) thread apply all bt

Thread 259 (Thread 0xae412b90 (LWP 27653)):
#0 0xb80b2430 in __kernel_vsyscall ()
#1 0xb80693a2 in pthread_cond_timedwait@@GLIBC_2.3.2 () from /lib/tls/i686/cmov/libpthread.so.0
#2 0xb7d0bf9e in pt_TimedWait (cv=0xa995204, ml=0xa9951a0, timeout=60000) at ptsynch.c:280
#3 0xb7d0cdc0 in PR_WaitCondVar (cvar=0xa995200, timeout=60000) at ptsynch.c:407
#4 0xb72e6d4a in nsHostResolver::GetHostToLookup (this=0xaadae90, result=0xae412378)
    at nsHostResolver.cpp:595
#5 0xb72e7412 in nsHostResolver::ThreadFunc (arg=0xaadae90) at nsHostResolver.cpp:690
#6 0xb7d131e1 in _pt_root (arg=0x18035188) at ptthread.c:221
#7 0xb806550f in start_thread () from /lib/tls/i686/cmov/libpthread.so.0
#8 0xb7eb97ee in clone () from /lib/tls/i686/cmov/libc.so.6

Thread 9 (Thread 0xb5b12b90 (LWP 31505)):
#0 0xb80b2430 in __kernel_vsyscall ()
#1 0xb7eaef77 in poll () from /lib/tls/i686/cmov/libc.so.6
#2 0xb7d0ed8c in _pr_poll_with_poll (pds=0x9243240, npds=1, timeout=4294967295) at ptio.c:3895
#3 0xb72dda7b in nsSocketTransportService::Poll (this=0x9242d60, wait=1, interval=0xb5b121e8)
    at nsSocketTransportService2.cpp:349
#4 0xb72ddf70 in nsSocketTransportService::DoPollIteration (this=0x9242d60, wait=1)
    at nsSocketTransportService2.cpp:644
#5 0xb72de21a in nsSocketTransportService::OnProcessNextEvent (this=0x9242d60, thread=0xa9952c8,
    mayWait=1, depth=1) at nsSocketTransportService2.cpp:523
#6 0xb7a3250e in nsThread::ProcessNextEvent (this=0xa9952c8, mayWait=1, result=0xb5b12294)
    at nsThread.cpp:497
#7 0xb7a02f88 in NS_ProcessNextEvent_P (thread=0x1, mayWait=1) at nsThreadUtils.cpp:227
#8 0xb72ddc93 in nsSocketTransportService::Run (this=0x9242d60)
    at nsSocketTransportService2.cpp:565
#9 0xb7a3256c in nsThread::ProcessNextEvent (this=0xa9952c8, mayWait=1, result=0xb5b12344)
    at nsThread.cpp:510
#10 0xb7a02f88 in NS_ProcessNextEvent_P (thread=0x1, mayWait=1) at nsThreadUtils.cpp:227
#11 0xb7a32cd3 in nsThread::ThreadFunc (arg=0xa9952c8) at nsThread.cpp:253
#12 0xb7d131e1 in _pt_root (arg=0x9b1f060) at ptthread.c:221
#13 0xb806550f in start_thread () from /lib/tls/i686/cmov/libpthread.so.0
#14 0xb7eb97ee in clone () from /lib/tls/i686/cmov/libc.so.6

Thread 7 (Thread 0xb3002b90 (LWP 31480)):
#0 0xb80b2430 in __kernel_vsyscall ()
#1 0xb8069075 in pthread_cond_wait@@GLIBC_2.3.2 () from /lib/tls/i686/cmov/libpthread.so.0
#2 0xb7d0ce39 in PR_WaitCondVar (cvar=0x9c7ee90, timeout=4294967295) at ptsynch.c:405
#3 0xb7d0ceb7 in PR_Wait (mon=0x9594b78, timeout=4294967295) at ptsynch.c:584
#4 0xb7a31791 in nsEventQueue::GetEvent (this=0x95ba0c8, mayWait=1, result=0xb3002304)
    at ../../dist/include/xpcom/nsAutoLock.h:340
#5 0xb7a32540 in nsThread::ProcessNextEvent (this=0x95ba0a8, mayWait=1, result=0xb3002344)
    at nsThread.h:112
#6 0xb7a02f88 in NS_ProcessNextEvent_P (thread=0x80, mayWait=1) at nsThreadUtils.cpp:227
#7 0xb7a32cd3 in nsThread::ThreadFunc (arg=0x95ba0a8) at nsThread.cpp:253
#8 0xb7d131e1 in _pt_root (arg=0x95961c0) at ptthread.c:221
#9 0xb806550f in start_thread () from /lib/tls/i686/cmov/libpthread.so.0
#10 0xb7eb97ee in clone () from /lib/tls/i686/cmov/libc.so.6

Thread 5 (Thread 0xb52f0b90 (LWP 31382)):
#0 0xb80b2430 in __kernel_vsyscall ()
#1 0xb80693a2 in pthread_cond_timedwait@@GLIBC_2.3.2 () from /lib/tls/i686/cmov/libpthread.so.0
#2 0xb7d0bf9e in pt_TimedWait (cv=0x91cb3e4, ml=0x91dbc38, timeout=2328) at ptsynch.c:280
#3 0xb7d0cdc0 in PR_WaitCondVar (cvar=0x91cb3e0, timeout=2328) at ptsynch.c:407
#4 0xb7a354bc in TimerThread::Run (this=0x91dbdd8) at TimerThread.cpp:345
#5 0xb7a3256c in nsThread::ProcessNextEvent (this=0x92fc858, mayWait=1, result=0xb52f0344)
    at nsThread.cpp:510
#6 0xb7a02f88 in NS_ProcessNextEvent_P (thread=0x80, mayWait=1) at nsThreadUtils.cpp:227
#7 0xb7a32cd3 in nsThread::ThreadFunc (arg=0x92fc858) at nsThread.cpp:253
#8 0xb7d131e1 in _pt_root (arg=0x92fca60) at ptthread.c:221
#9 0xb806550f in start_thread () from /lib/tls/i686/cmov/libpthread.so.0
#10 0xb7eb97ee in clone () from /lib/tls/i686/cmov/libc.so.6

Thread 4 (Thread 0xb4987b90 (LWP 31386)):
#0 0xb80b2430 in __kernel_vsyscall ()
#1 0xb8069075 in pthread_cond_wait@@GLIBC_2.3.2 () from /lib/tls/i686/cmov/libpthread.so.0
#2 0xb7d0ce39 in PR_WaitCondVar (cvar=0x9605578, timeout=4294967295) at ptsynch.c:405
#3 0xb783b266 in nsSSLThread::Run (this=0x96054f0) at nsSSLThread.cpp:964
#4 0xb783ab9a in nsPSMBackgroundThread::nsThreadRunner (arg=0x96054f0)
    at nsPSMBackgroundThread.cpp:44
#5 0xb7d131e1 in _pt_root (arg=0x96055b8) at ptthread.c:221
#6 0xb806550f in start_thread () from /lib/tls/i686/cmov/libpthread.so.0
#7 0xb7eb97ee in clone () from /lib/tls/i686/cmov/libc.so.6

Thread 3 (Thread 0xb391ab90 (LWP 31387)):
#0 0xb80b2430 in __kernel_vsyscall ()
#1 0xb8069075 in pthread_cond_wait@@GLIBC_2.3.2 () from /lib/tls/i686/cmov/libpthread.so.0
#2 0xb7d0ce39 in PR_WaitCondVar (cvar=0x9605748, timeout=4294967295) at ptsynch.c:405
#3 0xb783c2fe in nsCertVerificationThread::Run (this=0x9605698)
    at nsCertVerificationThread.cpp:138
#4 0xb783ab9a in nsPSMBackgroundThread::nsThreadRunner (arg=0x9605698)
    at nsPSMBackgroundThread.cpp:44
#5 0xb7d131e1 in _pt_root (arg=0x9605788) at ptthread.c:221
#6 0xb806550f in start_thread () from /lib/tls/i686/cmov/libpthread.so.0
#7 0xb7eb97ee in clone () from /lib/tls/i686/cmov/libc.so.6

Thread 1 (Thread 0xb7dd66c0 (LWP 31377)):
#0 GCGraphBuilder::AddNode (this=0xbfaab9fc, s=0xda1d520, aParticipant=0x9253c84)
    at nsCycleCollector.cpp:1287
#1 0xb7a3d401 in GCGraphBuilder::NoteScriptChild (this=0xbfaab9fc, langID=2, child=0xda1d520)
    at nsCycleCollector.cpp:1237
#2 0xb728b6b0 in NoteJSChild (trc=0x1af03e10, thing=0xda1d520, kind=0) at nsXPConnect.cpp:744
#3 0xb7d73df9 in JS_CallTracer (trc=0xbfaab950, thing=0xda1d520, kind=0) at jsgc.c:2449
#4 0xb7d89ecc in js_TraceObject (trc=0xbfaab950, obj=0xda1dd60) at jsobj.c:5082
#5 0xb7d73bba in JS_TraceChildren (trc=0xbfaab950, thing=0xda1dd60, kind=0) at jsgc.c:2233
#6 0xb728b770 in nsXPConnect::Traverse (this=0x9253c70, p=0xda1dd60, cb=@0xbfaab9fc)
    at nsXPConnect.cpp:935
#7 0xb7a3cc84 in GCGraphBuilder::Traverse (this=0xbfaab9fc, aPtrInfo=0xa4d6123c)
    at nsCycleCollector.cpp:1319
#8 0xb7a3cce7 in nsCycleCollector::MarkRoots (this=0x91f16b0, builder=@0xbfaab9fc)
    at nsCycleCollector.cpp:1513
#9 0xb7a3d795 in nsCycleCollector::BeginCollection (this=0x91f16b0) at nsCycleCollector.cpp:2368
#10 0xb7a3d7d8 in nsCycleCollector_beginCollection () at nsCycleCollector.cpp:2910
#11 0xb728c6cc in XPCCycleCollectGCCallback (cx=0x94ba360, status=JSGC_MARK_END)
    at nsXPConnect.cpp:440
#12 0xb7d74d7a in js_GC (cx=0x94ba360, gckind=GC_NORMAL) at jsgc.c:3239
#13 0xb7d5163a in JS_GC (cx=0x94ba360) at jsapi.c:2469
#14 0xb728b950 in nsXPConnect::Collect (this=0x9253c70) at nsXPConnect.cpp:529
#15 0xb7a3d8fa in nsCycleCollector::Collect (this=0x91f16b0, aTryCollections=1)
    at nsCycleCollector.cpp:2250
#16 0xb7a3da39 in nsCycleCollector_collect () at nsCycleCollector.cpp:2898
#17 0xb7638f42 in nsJSContext::CC () at nsJSEnvironment.cpp:3346
#18 0xb7639012 in nsJSContext::MaybeCC (aHigherProbability=1) at nsJSEnvironment.cpp:3397
#19 0xb76393c5 in nsUserActivityObserver::Observe (this=0x94b9bd0, aSubject=0x0,
    aTopic=0xb7ba4bcc "user-interaction-inactive", aData=0x0) at nsJSEnvironment.cpp:291
#20 0xb7a0c9a0 in nsObserverList::NotifyObservers (this=0x964c608, aSubject=0x0,
    aTopic=0xb7ba4bcc "user-interaction-inactive", someData=0x0) at nsObserverList.cpp:128
#21 0xb7a0cc6e in nsObserverService::NotifyObservers (this=0x9243fa0, aSubject=0x0,
    aTopic=0xb7ba4bcc "user-interaction-inactive", someData=0x0) at nsObserverService.cpp:181
#22 0xb75627e6 in nsUITimerCallback::Notify (this=0x95dc450, aTimer=0x95c1730)
    at nsEventStateManager.cpp:210
#23 0xb7a34a42 in nsTimerImpl::Fire (this=0x95c1730) at nsTimerImpl.cpp:403
#24 0xb7a34ab7 in nsTimerEvent::Run (this=0xaf6f7938) at nsTimerImpl.cpp:490
#25 0xb7a3256c in nsThread::ProcessNextEvent (this=0x91cb6b0, mayWait=1, result=0xbfaafd34)
    at nsThread.cpp:510
#26 0xb7a02f88 in NS_ProcessNextEvent_P (thread=0x1af03e10, mayWait=1) at nsThreadUtils.cpp:227
#27 0xb79862c4 in nsBaseAppShell::Run (this=0x9274708) at nsBaseAppShell.cpp:170
#28 0xb781bab8 in nsAppStartup::Run (this=0x92b7620) at nsAppStartup.cpp:181
#29 0xb7280508 in XRE_main (argc=2, argv=0xbfab3494, aAppData=0x9156830) at nsAppRunner.cpp:3194
#30 0x080491ab in ?? ()
#31 0xb7dee685 in __libc_start_main () from /lib/tls/i686/cmov/libc.so.6
#32 0x08048d11 in ?? ()

Alexander Sack (asac) wrote :

Do you have a way to reproduce this?

Changed in firefox-3.0:
status: New → Incomplete

Not at will. It happens fairly frequently though. Several times a day. Here's another one:

Program received signal SIGSEGV, Segmentation fault.
[Switching to Thread 0xb7de66c0 (LWP 14458)]
GCGraphBuilder::AddNode (this=0xbfcb98ac, s=0xb04b8268, aParticipant=0x98a5c84)
    at nsCycleCollector.cpp:1287
1287 nsCycleCollector.cpp: No such file or directory.
 in nsCycleCollector.cpp
Current language: auto; currently c++
(gdb) where
#0 GCGraphBuilder::AddNode (this=0xbfcb98ac, s=0xb04b8268, aParticipant=0x98a5c84)
    at nsCycleCollector.cpp:1287
#1 0xb7a4d401 in GCGraphBuilder::NoteScriptChild (this=0xbfcb98ac, langID=2, child=0xb04b8268)
    at nsCycleCollector.cpp:1237
#2 0xb729b6b0 in NoteJSChild (trc=0x1e116820, thing=0xb04b8268, kind=0) at nsXPConnect.cpp:744
#3 0xb7d83df9 in JS_CallTracer (trc=0xbfcb9800, thing=0xb04b8268, kind=0) at jsgc.c:2449
#4 0xb7d99ecc in js_TraceObject (trc=0xbfcb9800, obj=0x12686780) at jsobj.c:5082
#5 0xb7d83bba in JS_TraceChildren (trc=0xbfcb9800, thing=0x12686780, kind=0) at jsgc.c:2233
#6 0xb729b770 in nsXPConnect::Traverse (this=0x98a5c70, p=0x12686780, cb=@0xbfcb98ac)
    at nsXPConnect.cpp:935
#7 0xb7a4cc84 in GCGraphBuilder::Traverse (this=0xbfcb98ac, aPtrInfo=0xadd5c134)
    at nsCycleCollector.cpp:1319
#8 0xb7a4cce7 in nsCycleCollector::MarkRoots (this=0x98436b0, builder=@0xbfcb98ac)
    at nsCycleCollector.cpp:1513
#9 0xb7a4d795 in nsCycleCollector::BeginCollection (this=0x98436b0) at nsCycleCollector.cpp:2368
#10 0xb7a4d7d8 in nsCycleCollector_beginCollection () at nsCycleCollector.cpp:2910
#11 0xb729c6cc in XPCCycleCollectGCCallback (cx=0x9b0b368, status=JSGC_MARK_END)
    at nsXPConnect.cpp:440
#12 0xb7d84d7a in js_GC (cx=0x9b0b368, gckind=GC_NORMAL) at jsgc.c:3239
#13 0xb7d6163a in JS_GC (cx=0x9b0b368) at jsapi.c:2469
#14 0xb729b950 in nsXPConnect::Collect (this=0x98a5c70) at nsXPConnect.cpp:529
#15 0xb7a4d8fa in nsCycleCollector::Collect (this=0x98436b0, aTryCollections=1)
    at nsCycleCollector.cpp:2250
#16 0xb7a4da39 in nsCycleCollector_collect () at nsCycleCollector.cpp:2898
#17 0xb7648f42 in nsJSContext::CC () at nsJSEnvironment.cpp:3346
#18 0xb7649012 in nsJSContext::MaybeCC (aHigherProbability=1) at nsJSEnvironment.cpp:3397
#19 0xb76493c5 in nsUserActivityObserver::Observe (this=0x9b0abd8, aSubject=0x0,
    aTopic=0xb7bb4be6 "user-interaction-active", aData=0x0) at nsJSEnvironment.cpp:291
#20 0xb7a1c9a0 in nsObserverList::NotifyObservers (this=0x9c9d4ac, aSubject=0x0,
    aTopic=0xb7bb4be6 "user-interaction-active", someData=0x0) at nsObserverList.cpp:128
#21 0xb7a1cc6e in nsObserverService::NotifyObservers (this=0x9895fa0, aSubject=0x0,
    aTopic=0xb7bb4be6 "user-interaction-active", someData=0x0) at nsObserverService.cpp:181
#22 0xb75747ff in nsEventStateManager::PreHandleEvent (this=0x148e5938, aPresContext=0x136dcac0,
    aEvent=0xbfcbdf94, aTargetFrame=0x1473a868, aStatus=0xbfcbde4c, aView=0x12574c98)
    at nsEventStateManager.cpp:777
#23 0xb7401f5f in PresShell::HandleEventInternal (this=0x17bd30f8, aEvent=0xbfcbdf94,
    aView=0x12574c98, aStatus=0xbfcbde4c) at nsPresShell.cpp:5911
#24 0xb7402674 in PresShell::HandlePositionedEvent (this=0x17bd30f8, aView=0x12574c9...


For posterity, another:

Program received signal SIGSEGV, Segmentation fault.
[Switching to Thread 0xb7d406c0 (LWP 22826)]
GCGraphBuilder::AddNode (this=0xbf813e5c, s=0xa2a5540, aParticipant=0x8dc53f4)
    at nsCycleCollector.cpp:1287
1287 nsCycleCollector.cpp: No such file or directory.
 in nsCycleCollector.cpp
Current language: auto; currently c++
(gdb) where
#0 GCGraphBuilder::AddNode (this=0xbf813e5c, s=0xa2a5540, aParticipant=0x8dc53f4)
    at nsCycleCollector.cpp:1287
#1 0xb79a7401 in GCGraphBuilder::NoteScriptChild (this=0xbf813e5c, langID=2, child=0xa2a5540)
    at nsCycleCollector.cpp:1237
#2 0xb71f56b0 in NoteJSChild (trc=0x1354db20, thing=0xa2a5540, kind=0) at nsXPConnect.cpp:744
#3 0xb7cdddf9 in JS_CallTracer (trc=0xbf813db0, thing=0xa2a5540, kind=0) at jsgc.c:2449
#4 0xb7cf3ecc in js_TraceObject (trc=0xbf813db0, obj=0xac52a9a0) at jsobj.c:5082
#5 0xb7cddbba in JS_TraceChildren (trc=0xbf813db0, thing=0xac52a9a0, kind=0) at jsgc.c:2233
#6 0xb71f5770 in nsXPConnect::Traverse (this=0x8dc53e0, p=0xac52a9a0, cb=@0xbf813e5c)
    at nsXPConnect.cpp:935
#7 0xb79a6c84 in GCGraphBuilder::Traverse (this=0xbf813e5c, aPtrInfo=0x9d3288c4)
    at nsCycleCollector.cpp:1319
#8 0xb79a6ce7 in nsCycleCollector::MarkRoots (this=0x8dcd698, builder=@0xbf813e5c)
    at nsCycleCollector.cpp:1513
#9 0xb79a7795 in nsCycleCollector::BeginCollection (this=0x8dcd698) at nsCycleCollector.cpp:2368
#10 0xb79a77d8 in nsCycleCollector_beginCollection () at nsCycleCollector.cpp:2910
#11 0xb71f66cc in XPCCycleCollectGCCallback (cx=0x92a1838, status=JSGC_MARK_END)
    at nsXPConnect.cpp:440
#12 0xb7cded7a in js_GC (cx=0x92a1838, gckind=GC_NORMAL) at jsgc.c:3239
#13 0xb7cbb63a in JS_GC (cx=0x92a1838) at jsapi.c:2469
#14 0xb71f5950 in nsXPConnect::Collect (this=0x8dc53e0) at nsXPConnect.cpp:529
#15 0xb79a78fa in nsCycleCollector::Collect (this=0x8dcd698, aTryCollections=1)
    at nsCycleCollector.cpp:2250
#16 0xb79a7a39 in nsCycleCollector_collect () at nsCycleCollector.cpp:2898
#17 0xb75a2f42 in nsJSContext::CC () at nsJSEnvironment.cpp:3346
#18 0xb75a31fa in nsJSContext::Notify (this=0xacf47d68, timer=0x9e79d190)
    at nsJSEnvironment.cpp:3438
#19 0xb799ea42 in nsTimerImpl::Fire (this=0x9e79d190) at nsTimerImpl.cpp:403
#20 0xb799eab7 in nsTimerEvent::Run (this=0xa9883950) at nsTimerImpl.cpp:490
#21 0xb799c56c in nsThread::ProcessNextEvent (this=0x8db78d0, mayWait=1, result=0xbf8180b4)
    at nsThread.cpp:510
#22 0xb796cf88 in NS_ProcessNextEvent_P (thread=0x1354db20, mayWait=1) at nsThreadUtils.cpp:227
#23 0xb78f02c4 in nsBaseAppShell::Run (this=0x9185638) at nsBaseAppShell.cpp:170
#24 0xb7785ab8 in nsAppStartup::Run (this=0x91c7ed0) at nsAppStartup.cpp:181
#25 0xb71ea508 in XRE_main (argc=2, argv=0xbf81b814, aAppData=0x8d32830) at nsAppRunner.cpp:3194
#26 0x080491ab in ?? ()
#27 0xb7d58685 in __libc_start_main () from /lib/tls/i686/cmov/libc.so.6
#28 0x08048d11 in ?? ()

(gdb) thread apply all bt

Thread 8 (Thread 0xb1532b90 (LWP 22935)):
#0 0xb801c430 in __kernel_vsyscall ()
#1 0xb7fd3075 in pthread_cond_wait@@GLIBC_2.3.2 () from /lib/tls/i686/cmov/libpthread.so.0
#2 0xb7c76e39 in PR_WaitCondVar (cvar=0x8fc9380, timeout=4294967295) at ptsynch.c:405
#3...


User-Agent: Mozilla/5.0 (X11; U; Linux i686; en-US; rv:1.9.0.3) Gecko/2008101315 Ubuntu/8.10 (intrepid) Firefox/3.0.3
Build Identifier: Mozilla/5.0 (X11; U; Linux i686; en-US; rv:1.9.0.3) Gecko/2008101315 Ubuntu/8.10 (intrepid) Firefox/3.0.3

I've been getting a segfault several times a day now for a while and I've finally tracked it down. The details of several crashes can be found in the launchpad bug I've put in the URL field of this bug.

Reproducible: Always

Steps to Reproduce:
1. Run firefox3
2. Browse

Actual Results:
Crashes eventually

Expected Results:
Uhm. No crashing? :-)

Here's the latest stack traces:

Program received signal SIGSEGV, Segmentation fault.
[Switching to Thread 0xb7d406c0 (LWP 22826)]
GCGraphBuilder::AddNode (this=0xbf813e5c, s=0xa2a5540, aParticipant=0x8dc53f4)
    at nsCycleCollector.cpp:1287
1287 nsCycleCollector.cpp: No such file or directory.
 in nsCycleCollector.cpp
Current language: auto; currently c++
(gdb) where
#0 GCGraphBuilder::AddNode (this=0xbf813e5c, s=0xa2a5540, aParticipant=0x8dc53f4)
    at nsCycleCollector.cpp:1287
#1 0xb79a7401 in GCGraphBuilder::NoteScriptChild (this=0xbf813e5c, langID=2, child=0xa2a5540)
    at nsCycleCollector.cpp:1237
#2 0xb71f56b0 in NoteJSChild (trc=0x1354db20, thing=0xa2a5540, kind=0) at nsXPConnect.cpp:744
#3 0xb7cdddf9 in JS_CallTracer (trc=0xbf813db0, thing=0xa2a5540, kind=0) at jsgc.c:2449
#4 0xb7cf3ecc in js_TraceObject (trc=0xbf813db0, obj=0xac52a9a0) at jsobj.c:5082
#5 0xb7cddbba in JS_TraceChildren (trc=0xbf813db0, thing=0xac52a9a0, kind=0) at jsgc.c:2233
#6 0xb71f5770 in nsXPConnect::Traverse (this=0x8dc53e0, p=0xac52a9a0, cb=@0xbf813e5c)
    at nsXPConnect.cpp:935
#7 0xb79a6c84 in GCGraphBuilder::Traverse (this=0xbf813e5c, aPtrInfo=0x9d3288c4)
    at nsCycleCollector.cpp:1319
#8 0xb79a6ce7 in nsCycleCollector::MarkRoots (this=0x8dcd698, builder=@0xbf813e5c)
    at nsCycleCollector.cpp:1513
#9 0xb79a7795 in nsCycleCollector::BeginCollection (this=0x8dcd698) at nsCycleCollector.cpp:2368
#10 0xb79a77d8 in nsCycleCollector_beginCollection () at nsCycleCollector.cpp:2910
#11 0xb71f66cc in XPCCycleCollectGCCallback (cx=0x92a1838, status=JSGC_MARK_END)
    at nsXPConnect.cpp:440
#12 0xb7cded7a in js_GC (cx=0x92a1838, gckind=GC_NORMAL) at jsgc.c:3239
#13 0xb7cbb63a in JS_GC (cx=0x92a1838) at jsapi.c:2469
#14 0xb71f5950 in nsXPConnect::Collect (this=0x8dc53e0) at nsXPConnect.cpp:529
#15 0xb79a78fa in nsCycleCollector::Collect (this=0x8dcd698, aTryCollections=1)
    at nsCycleCollector.cpp:2250
#16 0xb79a7a39 in nsCycleCollector_collect () at nsCycleCollector.cpp:2898
#17 0xb75a2f42 in nsJSContext::CC () at nsJSEnvironment.cpp:3346
#18 0xb75a31fa in nsJSContext::Notify (this=0xacf47d68, timer=0x9e79d190)
    at nsJSEnvironment.cpp:3438
#19 0xb799ea42 in nsTimerImpl::Fire (this=0x9e79d190) at nsTimerImpl.cpp:403
#20 0xb799eab7 in nsTimerEvent::Run (this=0xa9883950) at nsTimerImpl.cpp:490
#21 0xb799c56c in nsThread::ProcessNextEvent (this=0x8db78d0, mayWait=1, result=0xbf8180b4)
    at nsThread.cpp:510
#22 0xb796cf88 in NS_ProcessNextEvent_P (thread=0x1354db20, mayWait=1) at nsThreadUtils.cpp:227
#23 0xb78f02c4 in nsBaseAppShell::Run (this=0x9185638) at nsBas...

I get segfaults also. It's not only affecting FF 3.03 but also SeaMonkey; will post a bug report there.


Another:

Program received signal SIGSEGV, Segmentation fault.
[Switching to Thread 0xb7c7b6c0 (LWP 30529)]
GCGraphBuilder::AddNode (this=0xbf85070c, s=0xb113b80, aParticipant=0x8aecd14)
    at nsCycleCollector.cpp:1287
1287 nsCycleCollector.cpp: No such file or directory.
 in nsCycleCollector.cpp
Current language: auto; currently c++
(gdb) where
#0 GCGraphBuilder::AddNode (this=0xbf85070c, s=0xb113b80, aParticipant=0x8aecd14)
    at nsCycleCollector.cpp:1287
#1 0xb78e2401 in GCGraphBuilder::NoteScriptChild (this=0xbf85070c, langID=2, child=0xb113b80)
    at nsCycleCollector.cpp:1237
#2 0xb71306b0 in NoteJSChild (trc=0x1b47cca8, thing=0xb113b80, kind=0) at nsXPConnect.cpp:744
#3 0xb7c18df9 in JS_CallTracer (trc=0xbf850660, thing=0xb113b80, kind=0) at jsgc.c:2449
#4 0xb7c2eecc in js_TraceObject (trc=0xbf850660, obj=0xb113ba0) at jsobj.c:5082
#5 0xb7c18bba in JS_TraceChildren (trc=0xbf850660, thing=0xb113ba0, kind=0) at jsgc.c:2233
#6 0xb7130770 in nsXPConnect::Traverse (this=0x8aecd00, p=0xb113ba0, cb=@0xbf85070c)
    at nsXPConnect.cpp:935
#7 0xb78e1c84 in GCGraphBuilder::Traverse (this=0xbf85070c, aPtrInfo=0xb3e79c64)
    at nsCycleCollector.cpp:1319
#8 0xb78e1ce7 in nsCycleCollector::MarkRoots (this=0x8a8a6b0, builder=@0xbf85070c)
    at nsCycleCollector.cpp:1513
#9 0xb78e2795 in nsCycleCollector::BeginCollection (this=0x8a8a6b0) at nsCycleCollector.cpp:2368
#10 0xb78e27d8 in nsCycleCollector_beginCollection () at nsCycleCollector.cpp:2910
#11 0xb71316cc in XPCCycleCollectGCCallback (cx=0x8d53b78, status=JSGC_MARK_END)
    at nsXPConnect.cpp:440
#12 0xb7c19d7a in js_GC (cx=0x8d53b78, gckind=GC_NORMAL) at jsgc.c:3239
#13 0xb7bf663a in JS_GC (cx=0x8d53b78) at jsapi.c:2469
#14 0xb7130950 in nsXPConnect::Collect (this=0x8aecd00) at nsXPConnect.cpp:529
#15 0xb78e28fa in nsCycleCollector::Collect (this=0x8a8a6b0, aTryCollections=1)
    at nsCycleCollector.cpp:2250
#16 0xb78e2a39 in nsCycleCollector_collect () at nsCycleCollector.cpp:2898
#17 0xb74ddf42 in nsJSContext::CC () at nsJSEnvironment.cpp:3346
#18 0xb74de1fa in nsJSContext::Notify (this=0xaa90b78, timer=0x1acce880)
    at nsJSEnvironment.cpp:3438
#19 0xb78d9a42 in nsTimerImpl::Fire (this=0x1acce880) at nsTimerImpl.cpp:403
#20 0xb78d9ab7 in nsTimerEvent::Run (this=0x1accadf8) at nsTimerImpl.cpp:490
#21 0xb78d756c in nsThread::ProcessNextEvent (this=0x8a646b0, mayWait=1, result=0xbf854964)
    at nsThread.cpp:510
#22 0xb78a7f88 in NS_ProcessNextEvent_P (thread=0x1b47cca8, mayWait=1) at nsThreadUtils.cpp:227
#23 0xb782b2c4 in nsBaseAppShell::Run (this=0x8b0d7a0) at nsBaseAppShell.cpp:170
#24 0xb76c0ab8 in nsAppStartup::Run (this=0x8b50948) at nsAppStartup.cpp:181
#25 0xb7125508 in XRE_main (argc=2, argv=0xbf8580c4, aAppData=0x89ef830) at nsAppRunner.cpp:3194
#26 0x080491ab in ?? ()
#27 0xb7c93685 in __libc_start_main () from /lib/tls/i686/cmov/libc.so.6
#28 0x08048d11 in ?? ()
(gdb) thread apply all bt

Thread 531 (Thread 0xa60eab90 (LWP 14413)):
#0 0xb7f57430 in __kernel_vsyscall ()
#1 0xb7f0e3a2 in pthread_cond_timedwait@@GLIBC_2.3.2 () from /lib/tls/i686/cmov/libpthread.so.0
#2 0xb7bb0f9e in pt_TimedWait (cv=0x9b8be34, ml=0x9b8bdd0, timeout=60000) at ptsynch.c:280
#3 0xb7bb...


Hit another:

Program received signal SIGSEGV, Segmentation fault.
[Switching to Thread 0xb7c7b6c0 (LWP 30529)]
GCGraphBuilder::AddNode (this=0xbf85070c, s=0xb113b80, aParticipant=0x8aecd14)
    at nsCycleCollector.cpp:1287
1287 nsCycleCollector.cpp: No such file or directory.
 in nsCycleCollector.cpp
Current language: auto; currently c++
(gdb) where
#0 GCGraphBuilder::AddNode (this=0xbf85070c, s=0xb113b80, aParticipant=0x8aecd14)
    at nsCycleCollector.cpp:1287
#1 0xb78e2401 in GCGraphBuilder::NoteScriptChild (this=0xbf85070c, langID=2, child=0xb113b80)
    at nsCycleCollector.cpp:1237
#2 0xb71306b0 in NoteJSChild (trc=0x1b47cca8, thing=0xb113b80, kind=0) at nsXPConnect.cpp:744
#3 0xb7c18df9 in JS_CallTracer (trc=0xbf850660, thing=0xb113b80, kind=0) at jsgc.c:2449
#4 0xb7c2eecc in js_TraceObject (trc=0xbf850660, obj=0xb113ba0) at jsobj.c:5082
#5 0xb7c18bba in JS_TraceChildren (trc=0xbf850660, thing=0xb113ba0, kind=0) at jsgc.c:2233
#6 0xb7130770 in nsXPConnect::Traverse (this=0x8aecd00, p=0xb113ba0, cb=@0xbf85070c)
    at nsXPConnect.cpp:935
#7 0xb78e1c84 in GCGraphBuilder::Traverse (this=0xbf85070c, aPtrInfo=0xb3e79c64)
    at nsCycleCollector.cpp:1319
#8 0xb78e1ce7 in nsCycleCollector::MarkRoots (this=0x8a8a6b0, builder=@0xbf85070c)
    at nsCycleCollector.cpp:1513
#9 0xb78e2795 in nsCycleCollector::BeginCollection (this=0x8a8a6b0) at nsCycleCollector.cpp:2368
#10 0xb78e27d8 in nsCycleCollector_beginCollection () at nsCycleCollector.cpp:2910
#11 0xb71316cc in XPCCycleCollectGCCallback (cx=0x8d53b78, status=JSGC_MARK_END)
    at nsXPConnect.cpp:440
#12 0xb7c19d7a in js_GC (cx=0x8d53b78, gckind=GC_NORMAL) at jsgc.c:3239
#13 0xb7bf663a in JS_GC (cx=0x8d53b78) at jsapi.c:2469
#14 0xb7130950 in nsXPConnect::Collect (this=0x8aecd00) at nsXPConnect.cpp:529
#15 0xb78e28fa in nsCycleCollector::Collect (this=0x8a8a6b0, aTryCollections=1)
    at nsCycleCollector.cpp:2250
#16 0xb78e2a39 in nsCycleCollector_collect () at nsCycleCollector.cpp:2898
#17 0xb74ddf42 in nsJSContext::CC () at nsJSEnvironment.cpp:3346
#18 0xb74de1fa in nsJSContext::Notify (this=0xaa90b78, timer=0x1acce880)
    at nsJSEnvironment.cpp:3438
#19 0xb78d9a42 in nsTimerImpl::Fire (this=0x1acce880) at nsTimerImpl.cpp:403
#20 0xb78d9ab7 in nsTimerEvent::Run (this=0x1accadf8) at nsTimerImpl.cpp:490
#21 0xb78d756c in nsThread::ProcessNextEvent (this=0x8a646b0, mayWait=1, result=0xbf854964)
    at nsThread.cpp:510
#22 0xb78a7f88 in NS_ProcessNextEvent_P (thread=0x1b47cca8, mayWait=1) at nsThreadUtils.cpp:227
#23 0xb782b2c4 in nsBaseAppShell::Run (this=0x8b0d7a0) at nsBaseAppShell.cpp:170
#24 0xb76c0ab8 in nsAppStartup::Run (this=0x8b50948) at nsAppStartup.cpp:181
#25 0xb7125508 in XRE_main (argc=2, argv=0xbf8580c4, aAppData=0x89ef830) at nsAppRunner.cpp:3194
#26 0x080491ab in ?? ()
#27 0xb7c93685 in __libc_start_main () from /lib/tls/i686/cmov/libc.so.6
#28 0x08048d11 in ?? ()
(gdb) thread apply all bt

Thread 531 (Thread 0xa60eab90 (LWP 14413)):
#0 0xb7f57430 in __kernel_vsyscall ()
#1 0xb7f0e3a2 in pthread_cond_timedwait@@GLIBC_2.3.2 () from /lib/tls/i686/cmov/libpthread.so.0
#2 0xb7bb0f9e in pt_TimedWait (cv=0x9b8be34, ml=0x9b8bdd0, timeout=60000) at ptsynch.c:280
#3 0xb7bb1dc0 in PR_...

Alexander Sack (asac) wrote :

Is this still a problem with the latest ffox 3? If so, can you provide reliable step-by-step instructions to reproduce?

In any case, this is best dealt with upstream as it's not an Ubuntu-specific issue. Please search in bugzilla.mozilla.org to ensure that your bug isn't filed; then open a bug in bugzilla.mozilla.org and post your bug id (or the one you found matching your issue) here. Thanks!

On Thu, 2008-10-23 at 08:40 +0000, Alexander Sack wrote:
> is this still a problem with the latest ffox 3?

Absolutely. It's been happening many times a day as recently as
yesterday.

> If so, can you provide
> reliable step-by-step instructions to reproduce?

Nope. I'm afraid I can't provoke it into happening. I just have to sit
waiting (and using FF3) with gdb to catch it.

> In any case, this is best dealt with upstream as it's not an Ubuntu-specific
> issue. Please search in bugzilla.mozilla.org to ensure that your bug
> isn't filed; then open a bug in bugzilla.mozilla.org and post your bug id
> (or the one you found matching your issue) here.

I had already posted it upstream a few days ago. The bug number is
460916 although it's seen no love upstream yet.

Changed in firefox:
status: Unknown → New

Here's another with a full backtrace:

Program received signal SIGSEGV, Segmentation fault.
[Switching to Thread 0xb7ccd6c0 (LWP 20164)]
GCGraphBuilder::AddNode (this=0xbfba390c, s=0xa152c28, aParticipant=0xb7bdcd00)
    at nsCycleCollector.cpp:1287
1287 nsCycleCollector.cpp: No such file or directory.
 in nsCycleCollector.cpp
Current language: auto; currently c++
(gdb) where
#0 GCGraphBuilder::AddNode (this=0xbfba390c, s=0xa152c28, aParticipant=0xb7bdcd00)
    at nsCycleCollector.cpp:1287
#1 0xb79344c5 in GCGraphBuilder::NoteXPCOMChild (this=0xbfba390c, child=0xa152c28)
    at nsCycleCollector.cpp:1237
#2 0xb7423092 in nsGenericElement::cycleCollection::Traverse (this=0xb7bdcd00, p=0xa126490,
    cb=@0xbfba390c) at nsGenericElement.cpp:3531
#3 0xb75b21ee in nsXULElement::cycleCollection::Traverse (this=0xb7bdcd00, p=0xa126490,
    cb=@0xbfba390c) at nsXULElement.cpp:376
#4 0xb7933c84 in GCGraphBuilder::Traverse (this=0xbfba390c, aPtrInfo=0xaabad014)
    at nsCycleCollector.cpp:1319
#5 0xb7933ce7 in nsCycleCollector::MarkRoots (this=0x96d8698, builder=@0xbfba390c)
    at nsCycleCollector.cpp:1513
#6 0xb7934795 in nsCycleCollector::BeginCollection (this=0x96d8698) at nsCycleCollector.cpp:2368
#7 0xb79347d8 in nsCycleCollector_beginCollection () at nsCycleCollector.cpp:2910
#8 0xb71836cc in XPCCycleCollectGCCallback (cx=0x9bc0460, status=JSGC_MARK_END)
    at nsXPConnect.cpp:440
#9 0xb7c6bd7a in js_GC (cx=0x9bc0460, gckind=GC_NORMAL) at jsgc.c:3239
#10 0xb7c4863a in JS_GC (cx=0x9bc0460) at jsapi.c:2469
#11 0xb7182950 in nsXPConnect::Collect (this=0x96d03e0) at nsXPConnect.cpp:529
#12 0xb79348fa in nsCycleCollector::Collect (this=0x96d8698, aTryCollections=1)
    at nsCycleCollector.cpp:2250
#13 0xb7934a39 in nsCycleCollector_collect () at nsCycleCollector.cpp:2898
#14 0xb752ff42 in nsJSContext::CC () at nsJSEnvironment.cpp:3346
#15 0xb7530012 in nsJSContext::MaybeCC (aHigherProbability=0) at nsJSEnvironment.cpp:3397
#16 0xb75303c5 in nsUserActivityObserver::Observe (this=0x9bbfca0, aSubject=0x0,
    aTopic=0xb7a9bbe6 "user-interaction-active", aData=0x0) at nsJSEnvironment.cpp:291
#17 0xb79039a0 in nsObserverList::NotifyObservers (this=0x9cef59c, aSubject=0x0,
    aTopic=0xb7a9bbe6 "user-interaction-active", someData=0x0) at nsObserverList.cpp:128
#18 0xb7903c6e in nsObserverService::NotifyObservers (this=0x96ed060, aSubject=0x0,
    aTopic=0xb7a9bbe6 "user-interaction-active", someData=0x0) at nsObserverService.cpp:181
#19 0xb74597e6 in nsUITimerCallback::Notify (this=0x9c817b0, aTimer=0x9c42148)
    at nsEventStateManager.cpp:210
#20 0xb792ba42 in nsTimerImpl::Fire (this=0x9c42148) at nsTimerImpl.cpp:403
#21 0xb792bab7 in nsTimerEvent::Run (this=0xb1c912b8) at nsTimerImpl.cpp:490
#22 0xb792956c in nsThread::ProcessNextEvent (this=0x96c28d0, mayWait=1, result=0xbfba7c44)
    at nsThread.cpp:510
#23 0xb78f9f88 in NS_ProcessNextEvent_P (thread=0x1c2f6f50, mayWait=1) at nsThreadUtils.cpp:227
#24 0xb787d2c4 in nsBaseAppShell::Run (this=0x9aa3fd8) at nsBaseAppShell.cpp:170
#25 0xb7712ab8 in nsAppStartup::Run (this=0x9ae6630) at nsAppStartup.cpp:181
#26 0xb7177508 in XRE_main (argc=2, argv=0xbfbab3a4, aAppData=0x963d830) at nsAppRunn...


here's a "full" bt.

Program received signal SIGSEGV, Segmentation fault.
[Switching to Thread 0xb7ccd6c0 (LWP 20164)]
GCGraphBuilder::AddNode (this=0xbfba390c, s=0xa152c28, aParticipant=0xb7bdcd00)
    at nsCycleCollector.cpp:1287
1287 nsCycleCollector.cpp: No such file or directory.
 in nsCycleCollector.cpp
Current language: auto; currently c++
(gdb) where
#0 GCGraphBuilder::AddNode (this=0xbfba390c, s=0xa152c28, aParticipant=0xb7bdcd00)
    at nsCycleCollector.cpp:1287
#1 0xb79344c5 in GCGraphBuilder::NoteXPCOMChild (this=0xbfba390c, child=0xa152c28)
    at nsCycleCollector.cpp:1237
#2 0xb7423092 in nsGenericElement::cycleCollection::Traverse (this=0xb7bdcd00, p=0xa126490,
    cb=@0xbfba390c) at nsGenericElement.cpp:3531
#3 0xb75b21ee in nsXULElement::cycleCollection::Traverse (this=0xb7bdcd00, p=0xa126490,
    cb=@0xbfba390c) at nsXULElement.cpp:376
#4 0xb7933c84 in GCGraphBuilder::Traverse (this=0xbfba390c, aPtrInfo=0xaabad014)
    at nsCycleCollector.cpp:1319
#5 0xb7933ce7 in nsCycleCollector::MarkRoots (this=0x96d8698, builder=@0xbfba390c)
    at nsCycleCollector.cpp:1513
#6 0xb7934795 in nsCycleCollector::BeginCollection (this=0x96d8698) at nsCycleCollector.cpp:2368
#7 0xb79347d8 in nsCycleCollector_beginCollection () at nsCycleCollector.cpp:2910
#8 0xb71836cc in XPCCycleCollectGCCallback (cx=0x9bc0460, status=JSGC_MARK_END)
    at nsXPConnect.cpp:440
#9 0xb7c6bd7a in js_GC (cx=0x9bc0460, gckind=GC_NORMAL) at jsgc.c:3239
#10 0xb7c4863a in JS_GC (cx=0x9bc0460) at jsapi.c:2469
#11 0xb7182950 in nsXPConnect::Collect (this=0x96d03e0) at nsXPConnect.cpp:529
#12 0xb79348fa in nsCycleCollector::Collect (this=0x96d8698, aTryCollections=1)
    at nsCycleCollector.cpp:2250
#13 0xb7934a39 in nsCycleCollector_collect () at nsCycleCollector.cpp:2898
#14 0xb752ff42 in nsJSContext::CC () at nsJSEnvironment.cpp:3346
#15 0xb7530012 in nsJSContext::MaybeCC (aHigherProbability=0) at nsJSEnvironment.cpp:3397
#16 0xb75303c5 in nsUserActivityObserver::Observe (this=0x9bbfca0, aSubject=0x0,
    aTopic=0xb7a9bbe6 "user-interaction-active", aData=0x0) at nsJSEnvironment.cpp:291
#17 0xb79039a0 in nsObserverList::NotifyObservers (this=0x9cef59c, aSubject=0x0,
    aTopic=0xb7a9bbe6 "user-interaction-active", someData=0x0) at nsObserverList.cpp:128
#18 0xb7903c6e in nsObserverService::NotifyObservers (this=0x96ed060, aSubject=0x0,
    aTopic=0xb7a9bbe6 "user-interaction-active", someData=0x0) at nsObserverService.cpp:181
#19 0xb74597e6 in nsUITimerCallback::Notify (this=0x9c817b0, aTimer=0x9c42148)
    at nsEventStateManager.cpp:210
#20 0xb792ba42 in nsTimerImpl::Fire (this=0x9c42148) at nsTimerImpl.cpp:403
#21 0xb792bab7 in nsTimerEvent::Run (this=0xb1c912b8) at nsTimerImpl.cpp:490
#22 0xb792956c in nsThread::ProcessNextEvent (this=0x96c28d0, mayWait=1, result=0xbfba7c44)
    at nsThread.cpp:510
#23 0xb78f9f88 in NS_ProcessNextEvent_P (thread=0x1c2f6f50, mayWait=1) at nsThreadUtils.cpp:227
#24 0xb787d2c4 in nsBaseAppShell::Run (this=0x9aa3fd8) at nsBaseAppShell.cpp:170
#25 0xb7712ab8 in nsAppStartup::Run (this=0x9ae6630) at nsAppStartup.cpp:181
#26 0xb7177508 in XRE_main (argc=2, argv=0xbfbab3a4, aAppData=0x963d830) at nsAppRunner.cpp:3194
#27 0x...


Here's another. Boy it's going to be fun times if Intrepid is released with this bug still in it given how often it hits me.

Program received signal SIGSEGV, Segmentation fault.
[Switching to Thread 0xb7cb36c0 (LWP 18297)]
GCGraphBuilder::AddNode (this=0xbfa86fec, s=0xf8a3140, aParticipant=0xb7bc10c4)
    at nsCycleCollector.cpp:1287
1287 nsCycleCollector.cpp: No such file or directory.
 in nsCycleCollector.cpp
Current language: auto; currently c++
(gdb) thread apply all bt

Thread 132 (Thread 0xae0feb90 (LWP 2026)):
#0 0xb7f8f430 in __kernel_vsyscall ()
#1 0xb7f463a2 in pthread_cond_timedwait@@GLIBC_2.3.2 () from /lib/tls/i686/cmov/libpthread.so.0
#2 0xb7be8f9e in pt_TimedWait (cv=0x95ffdcc, ml=0x95ffd68, timeout=60000) at ptsynch.c:280
#3 0xb7be9dc0 in PR_WaitCondVar (cvar=0x95ffdc8, timeout=60000) at ptsynch.c:407
#4 0xb71c3d4a in nsHostResolver::GetHostToLookup (this=0x95ffd08, result=0xae0fe378)
    at nsHostResolver.cpp:595
#5 0xb71c4412 in nsHostResolver::ThreadFunc (arg=0x95ffd08) at nsHostResolver.cpp:690
#6 0xb7bf01e1 in _pt_root (arg=0xa2fc9988) at ptthread.c:221
#7 0xb7f4250f in start_thread () from /lib/tls/i686/cmov/libpthread.so.0
#8 0xb7d967ee in clone () from /lib/tls/i686/cmov/libc.so.6

Thread 58 (Thread 0xb0cbdb90 (LWP 18540)):
#0 0xb7f8f430 in __kernel_vsyscall ()
#1 0xb7f46075 in pthread_cond_wait@@GLIBC_2.3.2 () from /lib/tls/i686/cmov/libpthread.so.0
#2 0xaced96cf in ?? () from /usr/lib/flashplugin-nonfree/libflashplayer.so
#3 0xad00b29f in ?? () from /usr/lib/flashplugin-nonfree/libflashplayer.so
#4 0xaced9b8d in ?? () from /usr/lib/flashplugin-nonfree/libflashplayer.so
#5 0xb7f4250f in start_thread () from /lib/tls/i686/cmov/libpthread.so.0
#6 0xb7d967ee in clone () from /lib/tls/i686/cmov/libc.so.6

Thread 57 (Thread 0xb04bcb90 (LWP 18539)):
#0 0xb7f8f430 in __kernel_vsyscall ()
#1 0xb7f46075 in pthread_cond_wait@@GLIBC_2.3.2 () from /lib/tls/i686/cmov/libpthread.so.0
#2 0xaced96cf in ?? () from /usr/lib/flashplugin-nonfree/libflashplayer.so
#3 0xad00b29f in ?? () from /usr/lib/flashplugin-nonfree/libflashplayer.so
#4 0xaced9b8d in ?? () from /usr/lib/flashplugin-nonfree/libflashplayer.so
#5 0xb7f4250f in start_thread () from /lib/tls/i686/cmov/libpthread.so.0
#6 0xb7d967ee in clone () from /lib/tls/i686/cmov/libc.so.6

Thread 10 (Thread 0xb14beb90 (LWP 18357)):
#0 0xb7f8f430 in __kernel_vsyscall ()
#1 0xb7f46075 in pthread_cond_wait@@GLIBC_2.3.2 () from /lib/tls/i686/cmov/libpthread.so.0
#2 0xb7be9e39 in PR_WaitCondVar (cvar=0xa728fd0, timeout=4294967295) at ptsynch.c:405
#3 0xb7be9eb7 in PR_Wait (mon=0xa72e910, timeout=4294967295) at ptsynch.c:584
#4 0xb790e791 in nsEventQueue::GetEvent (this=0xa728f48, mayWait=1, result=0xb14be304)
    at ../../dist/include/xpcom/nsAutoLock.h:340
#5 0xb790f540 in nsThread::ProcessNextEvent (this=0xa728f28, mayWait=1, result=0xb14be344)
    at nsThread.h:112
#6 0xb78dff88 in NS_ProcessNextEvent_P (thread=0x80, mayWait=1) at nsThreadUtils.cpp:227
#7 0xb790fcd3 in nsThread::ThreadFunc (arg=0xa728f28) at nsThread.cpp:253
#8 0xb7bf01e1 in _pt_root (arg=0xa7290d8) at ptthread.c:221
#9 0xb7f4250f in start_thread () from /lib/tls/i686/cmov/libpthread....


Here's another. Forgot "full" on my bt though. Sorry.

Is there no interest in resolving this one at all? It happens to me all of the time. I can provide more debug info on fairly short order I think.

Program received signal SIGSEGV, Segmentation fault.
[Switching to Thread 0xb7cb36c0 (LWP 18297)]
GCGraphBuilder::AddNode (this=0xbfa86fec, s=0xf8a3140, aParticipant=0xb7bc10c4)
    at nsCycleCollector.cpp:1287
1287 nsCycleCollector.cpp: No such file or directory.
 in nsCycleCollector.cpp
Current language: auto; currently c++
(gdb) thread apply all bt

Thread 132 (Thread 0xae0feb90 (LWP 2026)):
#0 0xb7f8f430 in __kernel_vsyscall ()
#1 0xb7f463a2 in pthread_cond_timedwait@@GLIBC_2.3.2 () from /lib/tls/i686/cmov/libpthread.so.0
#2 0xb7be8f9e in pt_TimedWait (cv=0x95ffdcc, ml=0x95ffd68, timeout=60000) at ptsynch.c:280
#3 0xb7be9dc0 in PR_WaitCondVar (cvar=0x95ffdc8, timeout=60000) at ptsynch.c:407
#4 0xb71c3d4a in nsHostResolver::GetHostToLookup (this=0x95ffd08, result=0xae0fe378)
    at nsHostResolver.cpp:595
#5 0xb71c4412 in nsHostResolver::ThreadFunc (arg=0x95ffd08) at nsHostResolver.cpp:690
#6 0xb7bf01e1 in _pt_root (arg=0xa2fc9988) at ptthread.c:221
#7 0xb7f4250f in start_thread () from /lib/tls/i686/cmov/libpthread.so.0
#8 0xb7d967ee in clone () from /lib/tls/i686/cmov/libc.so.6

Thread 58 (Thread 0xb0cbdb90 (LWP 18540)):
#0 0xb7f8f430 in __kernel_vsyscall ()
#1 0xb7f46075 in pthread_cond_wait@@GLIBC_2.3.2 () from /lib/tls/i686/cmov/libpthread.so.0
#2 0xaced96cf in ?? () from /usr/lib/flashplugin-nonfree/libflashplayer.so
#3 0xad00b29f in ?? () from /usr/lib/flashplugin-nonfree/libflashplayer.so
#4 0xaced9b8d in ?? () from /usr/lib/flashplugin-nonfree/libflashplayer.so
#5 0xb7f4250f in start_thread () from /lib/tls/i686/cmov/libpthread.so.0
#6 0xb7d967ee in clone () from /lib/tls/i686/cmov/libc.so.6

Thread 57 (Thread 0xb04bcb90 (LWP 18539)):
#0 0xb7f8f430 in __kernel_vsyscall ()
#1 0xb7f46075 in pthread_cond_wait@@GLIBC_2.3.2 () from /lib/tls/i686/cmov/libpthread.so.0
#2 0xaced96cf in ?? () from /usr/lib/flashplugin-nonfree/libflashplayer.so
#3 0xad00b29f in ?? () from /usr/lib/flashplugin-nonfree/libflashplayer.so
#4 0xaced9b8d in ?? () from /usr/lib/flashplugin-nonfree/libflashplayer.so
#5 0xb7f4250f in start_thread () from /lib/tls/i686/cmov/libpthread.so.0
#6 0xb7d967ee in clone () from /lib/tls/i686/cmov/libc.so.6

Thread 10 (Thread 0xb14beb90 (LWP 18357)):
#0 0xb7f8f430 in __kernel_vsyscall ()
#1 0xb7f46075 in pthread_cond_wait@@GLIBC_2.3.2 () from /lib/tls/i686/cmov/libpthread.so.0
#2 0xb7be9e39 in PR_WaitCondVar (cvar=0xa728fd0, timeout=4294967295) at ptsynch.c:405
#3 0xb7be9eb7 in PR_Wait (mon=0xa72e910, timeout=4294967295) at ptsynch.c:584
#4 0xb790e791 in nsEventQueue::GetEvent (this=0xa728f48, mayWait=1, result=0xb14be304)
    at ../../dist/include/xpcom/nsAutoLock.h:340
#5 0xb790f540 in nsThread::ProcessNextEvent (this=0xa728f28, mayWait=1, result=0xb14be344)
    at nsThread.h:112
#6 0xb78dff88 in NS_ProcessNextEvent_P (thread=0x80, mayWait=1) at nsThreadUtils.cpp:227
#7 0xb790fcd3 in nsThread::ThreadFunc (arg=0xa728f28) at nsThread.cpp:253
#8 0xb7bf01e1 in _pt_root (arg=0xa7290d8) at ptthread.c:221
#9 0xb7f4250f in start_t...


Alexander Sack (asac) on 2008-11-02
Changed in firefox-3.0:
importance: Undecided → Medium
status: Incomplete → Triaged
Alexander Sack (asac) wrote :

Do you have any website that regularly triggers this? Have you checked that this is not caused by an extension? Try to disable them. Also plugins.

On Sun, 2008-11-02 at 14:10 +0000, Alexander Sack wrote:
> do you have any website that regularly triggers this?

No, it's not a per-website thing. Looking at the stack traces, it
appears to be garbage collection to me. I tend to think garbage
collection happens more based on needs than particular websites.

> Have you checked
> that this is not caused by an extension? try to disable them.

I had done that already. Currently I only have Flashblock, Resizable
Textarea, Tab Mix Plus and Ubuntu Firefox Modifications enabled.

> Also
> plugins.

Hrm. I have not tried disabling any plugins. Currently I have:
Default Plugin
Demo Print Plugin for unix/linux
DivX Web Player
Java(TM) Plug-in 1.6.0_10-b33
QuickTime Plug-in 7.2.0
Shockwave Flash (10.0 r12)
Totem Web Browser Plugin 2.24.2
Windows Media Player Plug-in 10 (compatible; Totem)

Alexander Sack (asac) wrote :

tabmix and resizable textarea are probably good candidates.

On Sun, 2008-11-02 at 17:28 +0000, Alexander Sack wrote:
> tabmix and resizable textarea are probably good candidates.

Disabling tabmix renders FF3 useless for me as it is the only thing that
returns me to productivity quickly when FF3 crashes, which it is doing
many times a day. If I had to try to remember all of the tabs I had
open every time I restart FF3 from a crash I'd waste my whole day doing
that.

Resizable text area was disabled when I said I had disabled all of my
extensions and FF3 was still crashing.

Same here in current nightly:
Build identifier: Mozilla/5.0 (X11; U; Linux i686; en-US; rv:1.9.1b2pre) Gecko/20081102 Minefield/3.1b2pre

http://crash-stats.mozilla.com/report/index/76287226-a916-11dd-9ff9-001a4bd43ef6

Alexander Sack (asac) wrote :

hey, we try to track down a bug here and not start fundamental debates. just do what i say for testing. what you do before and after that is your thing ;).

Alexander Sack (asac) wrote :

ok, overlooked that you said that you had disabled all extensions. please check that this is not flash then and uninstall that temporarily.

On Sun, 2008-11-02 at 21:29 +0000, Alexander Sack wrote:
> hey, we try to track down a bug here and not start fundamental debates.

I'm not trying to start any debates, just tell you what problems I have
with the process of trying to find this bug. The bottom line is that it
takes a while for FF3 to trigger this problem and I cannot use FF3
without having all of the tabs that tabmix plus restores for me. If I
don't have the tabs restored (and saved before a crash) FF3 is useless
to me and I am completely unproductive.

To use the ever useful car analogy it's like asking me to drive my car
for a while without the steering wheel so that we can determine if the
steering wheel is causing the problem with the brakes.

> just do what i say for testing.

But what I'm saying is that I cannot use FF3 for the hours that it would
take to see this reproduce without the tabs that tabmix plus will
restore for me when I start using FF3.

BTW: did you notice the update to the upstream bug
(https://bugzilla.mozilla.org/show_bug.cgi?id=460916) by another seeing
the same problem with a crash-stats.mozilla.com link included?

On Sun, 2008-11-02 at 21:31 +0000, Alexander Sack wrote:
> ok, overlooked that you said that you had disabled all
> extensions. please check that this is not flash then and uninstall that
> temporarily.

Flash was my first suspect and I ran with that un-installed for a while
too and saw the same problem still.

(In reply to comment #5)
> Same here in current nightly:
> Build identifier: Mozilla/5.0 (X11; U; Linux i686; en-US; rv:1.9.1b2pre)
> Gecko/20081102 Minefield/3.1b2pre
>
> http://crash-stats.mozilla.com/report/index/76287226-a916-11dd-9ff9-001a4bd43ef6

Ahhh. Very nice. Glad somebody else is seeing this problem. Can we collaborate on what we might have in common that is causing this? How about extensions and plugins... what do you have installed and enabled?

Alexander Sack (asac) wrote :

ok thanks. we need to find someone else to reproduce this then i guess. but lets continue all discussion in bugzilla ... where this issue needs to be dealt with in the first place.

Does it really not matter to anyone that this is crashing my FF3 many times a day? It's been marked critical and has not even been triaged yet. Maybe this bug database goes into a black hole.

I'm really not trying to be a dick, but seriously, a bug that crashes a FF3 many times a day? That has got to have some amount of priority even if it's simply because there is ample opportunity to analyze and fix it.

Have I not supplied enough information? Just tell me what more I can supply.

Maybe that crash-stats thingie is how bugs are assessed. How do I start submitting my crashes via that? Hrm. It seems I cannot. I use Ubuntu and they disable the crashreporter. Damn you Ubuntu. If you are going to hijack my bug reports, at least work them.

Well, it's been 5 days and I have not seen you comment in the bugzilla bug yet so I will follow-up here.

Is there not some more scientific way to attack this problem than stabbing in the dark at enabling and disabling plugins and extensions (and making firefox unusable) until we find the one causing the problem, assuming we even find one? I tend to believe it's not a plugin given that I have most of them disabled right now.

Given enough time (i.e. a day or two is all it takes at most and usually it's only a few hours) I can most certainly reproduce this problem so why do we need to wait for somebody else who can reproduce this problem?

Tell me what I should do with a crashed FF3 at a gdb prompt and I will do it. Or tell me what other information you need to get to the root of the problem and I will endeavor to supply that.

FWIW, I have now disabled all of my extensions. I will try to use and be productive without them. I have a gdb camped on the firefox process just waiting for something interesting to happen.

Given that I have had to start a brand new session with none of my dozen or two tabs open, it might take a while before this kicks again.

Just a supposition.

I noticed that since the crash appeared firefox is using much more disk space (over half a gigabyte of disk with few tabs open), and I often find myself with the filesystem full.

Could this crash be caused by a full filesystem?

What can be the cause that makes firefox use so much more temporary space lately?

I notice no correlation to disk space use in my crashes.


OK. So here we are... all extensions disabled and another segfault:

Program received signal SIGSEGV, Segmentation fault.
[Switching to Thread 0xb7ddb6c0 (LWP 21047)]
GCGraphBuilder::AddNode (this=0xbfeb05dc, s=0x9bcbda0, aParticipant=0x8e0f39c)
    at nsCycleCollector.cpp:1287
1287 nsCycleCollector.cpp: No such file or directory.
 in nsCycleCollector.cpp
Current language: auto; currently c++
(gdb) thread apply all bt full

Thread 1191 (Thread 0xb16ffb90 (LWP 18833)):
#0 0xb80b8430 in __kernel_vsyscall ()
No symbol table info available.
#1 0xb806e3a2 in pthread_cond_timedwait@@GLIBC_2.3.2 ()
   from /lib/tls/i686/cmov/libpthread.so.0
No symbol table info available.
#2 0xb7d0ff9e in pt_TimedWait (cv=0x8e05ce4, ml=0x8e05c80, timeout=60000)
    at ptsynch.c:280
 rv = 1507
 now = {tv_sec = 1226325435, tv_usec = 384749}
 tmo = {tv_sec = 1226325495, tv_nsec = 384749000}
 ticks = 1000
#3 0xb7d10dc0 in PR_WaitCondVar (cvar=0x8e05ce0, timeout=60000)
    at ptsynch.c:407
 rv = <value optimized out>
 thred = <value optimized out>
#4 0xb72ead4a in nsHostResolver::GetHostToLookup (this=0x8e05c20,
    result=0xb16ff378) at nsHostResolver.cpp:595
 delta = <value optimized out>
 start = 2259756024
 timeout = 60000
#5 0xb72eb412 in nsHostResolver::ThreadFunc (arg=0x8e05c20)
    at nsHostResolver.cpp:690
 rec = (nsHostRecord *) 0xb17f2638
 ai = (PRAddrInfo *) 0x1966a3c0
#6 0xb7d171e1 in _pt_root (arg=0xaa9611e8) at ptthread.c:221
 detached = 1
#7 0xb806a50f in start_thread () from /lib/tls/i686/cmov/libpthread.so.0
No symbol table info available.
#8 0xb7ebe7ee in clone () from /lib/tls/i686/cmov/libc.so.6
No symbol table info available.

Thread 8 (Thread 0xb5b14b90 (LWP 21051)):
#0 0xb80b8430 in __kernel_vsyscall ()
No symbol table info available.
#1 0xb7eb3f77 in poll () from /lib/tls/i686/cmov/libc.so.6
No symbol table info available.
#2 0xb7d12d8c in _pr_poll_with_poll (pds=0x8e00e18, npds=3, timeout=65535000)
    at ptio.c:3895
 stack_syspoll = {{fd = 17, events = 1, revents = 0}, {fd = 38,
    events = 3, revents = 0}, {fd = 23, events = 3, revents = 0}, {
    fd = -1359628320, events = -26880, revents = 2264}, {fd = -1246675016,
    events = 4365, revents = -18526}, {fd = -1211346956, events = 0,
    revents = 0}, {fd = -1246675016, events = 9477, revents = -18528}, {
    fd = -1359628312, events = 92, revents = 2275}, {fd = 149094492,
    events = 20468, revents = -18484}, {fd = 425761320, events = 442,
    revents = 0}, {fd = -1246674984, events = 9022, revents = -18528}, {
    fd = -1246674908, events = 0, revents = 0}, {fd = -1246674908,
    events = 16420, revents = -19023}, {fd = -1246674908, events = 442,
    revents = 0}, {fd = -1246674952, events = 3490, revents = -18526}, {
    fd = 425761320, events = -18456, revents = -20747}, {fd = -1246674952,
    events = 3558, revents = -18526}, {fd = -1211346956, events = -18464,
    revents = -20747}, {fd = -1246674872, events = 6558, revents = -18526}, {
    fd = -1207518754, events = 442, revents = 0}, {fd = -1246674908,
    events = -15090, revents = -19845}, {fd = -2142830590, events = 5384,
    revents = -20748}, {fd = 3, events = 30754, revents = -18638}, {
    fd = -1207...


~sigh~ I continue to get these. Here's another in case it offers any new information:

Program received signal SIGSEGV, Segmentation fault.
GCGraphBuilder::AddNode (this=0xbf9d481c, s=0xd667e90, aParticipant=0xb7d0a0f4)
    at nsCycleCollector.cpp:1287
1287 nsCycleCollector.cpp: No such file or directory.
 in nsCycleCollector.cpp
Current language: auto; currently c++
(gdb) thread apply all bt full

Thread 1458 (Thread 0xae2ffb90 (LWP 32628)):
#0 0xb80da430 in __kernel_vsyscall ()
No symbol table info available.
#1 0xb80903a2 in pthread_cond_timedwait@@GLIBC_2.3.2 ()
   from /lib/tls/i686/cmov/libpthread.so.0
No symbol table info available.
#2 0xb7d31f9e in pt_TimedWait (cv=0x9584efc, ml=0x9584e98, timeout=60000)
    at ptsynch.c:280
 rv = 4657
 now = {tv_sec = 1226525850, tv_usec = 580317}
 tmo = {tv_sec = 1226525910, tv_nsec = 580317000}
 ticks = 1000
#3 0xb7d32dc0 in PR_WaitCondVar (cvar=0x9584ef8, timeout=60000)
    at ptsynch.c:407
 rv = <value optimized out>
 thred = <value optimized out>
#4 0xb730cd4a in nsHostResolver::GetHostToLookup (this=0x9584e38,
    result=0xae2ff378) at nsHostResolver.cpp:595
 delta = <value optimized out>
 start = 2460171220
 timeout = 60000
#5 0xb730d412 in nsHostResolver::ThreadFunc (arg=0x9584e38)
    at nsHostResolver.cpp:690
 rec = (nsHostRecord *) 0xad61a128
 ai = (PRAddrInfo *) 0x1b1c7170
#6 0xb7d391e1 in _pt_root (arg=0xac732870) at ptthread.c:221
 detached = 1
#7 0xb808c50f in start_thread () from /lib/tls/i686/cmov/libpthread.so.0
No symbol table info available.
#8 0xb7ee07ee in clone () from /lib/tls/i686/cmov/libc.so.6
No symbol table info available.

Thread 7 (Thread 0xb5b36b90 (LWP 4834)):
#0 0xb80da430 in __kernel_vsyscall ()
No symbol table info available.
#1 0xb7ed5f77 in poll () from /lib/tls/i686/cmov/libc.so.6
No symbol table info available.
#2 0xb7d34d8c in _pr_poll_with_poll (pds=0x957ff28, npds=1,
    timeout=4294967295) at ptio.c:3895
 stack_syspoll = {{fd = 17, events = 1, revents = 0}, {fd = 160383452,
    events = 0, revents = 0}, {fd = -1246535784, events = 12080,
    revents = -18477}, {fd = 160383452, events = 1, revents = -15885}, {
    fd = -1246535768, events = 17149, revents = -18526}, {fd = -1207379490,
    events = 16856, revents = 2447}, {fd = -1246535752, events = 12185,
    revents = -18477}, {fd = 160383452, events = 28660, revents = -18482}, {
    fd = 3, events = -28184, revents = -18526}, {fd = -1207373780,
    events = -4384, revents = 6757}, {fd = 4834, events = 0, revents = 0}, {
    fd = 1, events = 6, revents = -32693}, {fd = -1402476800, events = 12276,
    revents = -18476}, {fd = -1402475428, events = -5184, revents = -21401}, {
    fd = -1246535688, events = 12080, revents = -18477}, {fd = -1402475428,
    events = 16, revents = -23296}, {fd = 0, events = -5192,
    revents = -21401}, {fd = -1210830860, events = -5032, revents = -21401}, {
    fd = -1246535656, events = 12185, revents = -18477}, {fd = -1402475428,
    events = 16856, revents = 2447}, {fd = 1, events = 28660,
    revents = -18482}, {fd = -1211207692, events = 24692, revents = -19021}, {
    fd = -1246535624, events = 3877, revents = -18423}, {fd = -1210830860,
    ev...

Is there really no chance at all at getting a very common crasher like this at least even diagnosed/triaged?

FWIW I still see this crasher, every single day, several times a day usually.

Ok. So quite a while ago I went to some large efforts to reproduce my crash with no extensions enabled and provided the backtraces and nothing has been done with it yet. C'mon, I held up my end of the bargain and lived through the pain of firefox with no extensions and crashing all the time.

Can you at least acknowledge that effort and let me know how you plan to move this issue forward? This crashes for me every single day.

--> Core::General

XPCOM, actually. And confirming based on prevalence of similar crashes in crash-stats.

Brian, this particular crash looks like it can only happen when your machine runs out of memory... How much RAM do you have? Maybe try closing some of your other programs until we can figure out a way to keep OOM from crashing you.

(In reply to comment #14)
> XPCOM, actually. And confirming based on prevalence of similar crashes in
> crash-stats.

Cool.

> Brian, this particular crash looks like it can only happen when your machine
> runs out of memory...

Hrm. _Memory_ or VM? To Firefox (i.e. a userspace app) it should be the same thing, right?

> How much RAM do you have?

$ cat /proc/meminfo
MemTotal: 2851356 kB
MemFree: 83000 kB
Buffers: 111924 kB
Cached: 527796 kB
SwapCached: 162904 kB
Active: 2136748 kB
Inactive: 374328 kB
HighTotal: 1964992 kB
HighFree: 7664 kB
LowTotal: 886364 kB
LowFree: 75336 kB
SwapTotal: 3145720 kB
SwapFree: 2582716 kB
Dirty: 1020 kB
Writeback: 0 kB
AnonPages: 1867844 kB
Mapped: 130508 kB
Slab: 195464 kB
SReclaimable: 71900 kB
SUnreclaim: 123564 kB
PageTables: 8232 kB
NFS_Unstable: 0 kB
Bounce: 0 kB
WritebackTmp: 0 kB
CommitLimit: 4571396 kB
Committed_AS: 3758232 kB
VmallocTotal: 110584 kB
VmallocUsed: 61080 kB
VmallocChunk: 49136 kB
HugePages_Total: 0
HugePages_Free: 0
HugePages_Rsvd: 0
HugePages_Surp: 0
Hugepagesize: 4096 kB
DirectMap4k: 880640 kB
DirectMap4M: 36864 kB

So, 2.8G total, 80MB currently free, of physical memory, but 3G total and 2.5G free of swap.

Why would additional memory requirements not be satisfied by swapping? I recognize that unless you know of some specific limitations that Firefox is imposing on swapability, you can't really know why swap is not being used.

> Maybe try closing some of your
> other programs until we can figure out a way to keep OOM from crashing you.

Indeed. Or discover why swap is not being utilized to deal with this OO(physical)M.

OK. I should note that I have a 600MB ulimit here, I had set it at .6 of physical memory back when I had 1G just to prevent bad apps from ooming the box.

Clearly, 600M is only a small fraction of almost 3GB now. But still. 600M should be lots for any app. :-( I guess my 40 tabs doesn't help. :-/

I will relax the ulimit and see how things fare.

Changed in firefox:
status: New → Confirmed

brian: wait, if you get this several times a day, before you let your debugger go, can you check to see how much memory firefox is using? if it isn't near your ulimit, which seems likely....

fwiw, the garbage collector relies on a component which currently does the wrong thing near oom. but if you hit that, it'd flag w/ something else (which i'd definitely spot, since i'm working on it). because of that, there's code in the cc which wouldn't handle oom well (i have an unfinished queue for this stuff)

actually, if it's really the limit, instead of relaxing it, it'd be better if you tightened it (400 or 500).

as to your 40 tabs, assuming ff is using 600mb, that's 15mb per tab (this assumes tabs only have a single page), not including any bfcache, image cache. i don't remember the expected cost per page. but

Created attachment 355651
Fault on OOM in the cycle collector, rev. 1

We weren't null-checking the result of PL_DHASH_ADD, obviously. It's documented that in OOM conditions PL_DHashTableOperate can return a null entry. I don't think this bug is a blocker, but we should try to get it landed, along with bug 423473 so that this "fix" doesn't cause even more leaking.
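
The unchecked-add pattern described in the comment above, next to a null-checked version, as an added example that is neither the attached patch nor Mozilla code. `Table`, `table_add`, `GraphBuilder`, the `fault` flag and the `alloc_budget` knob are hypothetical stand-ins for the hash table, `PL_DHASH_ADD` and the collector's fault handling.

```c
#include <stdbool.h>
#include <stddef.h>
#include <stdint.h>
#include <stdio.h>
#include <stdlib.h>

/* Hypothetical stand-in (not Mozilla code): a pointer-keyed table whose add
 * returns NULL when it cannot allocate, as PL_DHASH_ADD is documented to. */
typedef struct { const void *key; unsigned node_id; } Entry;
typedef struct {
    Entry *slots;
    size_t cap, used;
    size_t alloc_budget; /* constructed OOM knob: allocations still allowed */
} Table;

static Entry *probe(Entry *slots, size_t cap, const void *key) {
    size_t i = ((uintptr_t)key >> 2) & (cap - 1); /* cap is a power of two */
    while (slots[i].key && slots[i].key != key)
        i = (i + 1) & (cap - 1);
    return &slots[i];
}

/* Returns the entry for key, inserting it if absent; NULL on failed growth. */
Entry *table_add(Table *t, const void *key) {
    if (t->cap) {
        Entry *hit = probe(t->slots, t->cap, key);
        if (hit->key)
            return hit;
    }
    if ((t->used + 1) * 4 > t->cap * 3) { /* keep load at or below 75% */
        size_t ncap = t->cap ? t->cap * 2 : 8;
        Entry *ns = t->alloc_budget ? calloc(ncap, sizeof *ns) : NULL;
        if (!ns)
            return NULL; /* old table stays valid, caller must cope */
        t->alloc_budget--;
        for (size_t i = 0; i < t->cap; i++)
            if (t->slots[i].key)
                *probe(ns, ncap, t->slots[i].key) = t->slots[i];
        free(t->slots);
        t->slots = ns;
        t->cap = ncap;
    }
    Entry *e = probe(t->slots, t->cap, key);
    e->key = key;
    e->node_id = 0; /* 0 means "no graph node assigned yet" */
    t->used++;
    return e;
}

typedef struct {
    Table ptr_to_node;
    unsigned next_id;
    bool fault; /* set when graph building has to be abandoned */
} GraphBuilder;

/* Before: the entry is used without a null check, so a failed add becomes a
 * NULL dereference (the SIGSEGV in the backtraces on this page). */
unsigned add_node_unchecked(GraphBuilder *b, const void *p) {
    Entry *e = table_add(&b->ptr_to_node, p);
    if (e->node_id == 0)
        e->node_id = ++b->next_id;
    return e->node_id;
}

/* After: a failed add records a fault and returns 0 instead of crashing. */
unsigned add_node_checked(GraphBuilder *b, const void *p) {
    Entry *e = table_add(&b->ptr_to_node, p);
    if (!e) {
        b->fault = true;
        return 0;
    }
    if (e->node_id == 0)
        e->node_id = ++b->next_id;
    return e->node_id;
}

/* Constructed driver: 20 distinct objects under a given allocation budget.
 * Returns the number of nodes recorded, or -1 if building was abandoned. */
int demo(size_t alloc_budget) {
    static int storage[20];
    GraphBuilder b = { .ptr_to_node = { .alloc_budget = alloc_budget } };
    for (size_t i = 0; i < 20 && !b.fault; i++)
        add_node_checked(&b, &storage[i]);
    int result = b.fault ? -1 : (int)b.next_id;
    free(b.ptr_to_node.slots);
    return result;
}

int main(void) {
    printf("budget 3 -> %d nodes\n", demo(3));
    printf("budget 2 -> %d (collection abandoned)\n", demo(2));
    return 0;
}
```
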

Created attachment 355654
Fault on OOM in the cycle collector, rev. 1.001

Would help if I check the right variable, of course.

FWIW, since increasing my ulimit, I have not seen this problem. Thankfully!

Of course, a nice fix so that the next guy OOMing doesn't bounce his head off the wall the way I was would be ideal.

Comment on attachment 355654
Fault on OOM in the cycle collector, rev. 1.001

>diff --git a/xpcom/base/nsCycleCollector.cpp b/xpcom/base/nsCycleCollector.cpp

>+ // catch faults that happen during graph building
>+ if (mParams.mDoNothing)
>+ return PR_FALSE;
>
> return PR_TRUE;
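
Review bot: the added mParams.mDoNothing check sits immediately before the final return PR_TRUE, so everything the function did earlier has already run by the time a fault from graph building is noticed. Worth confirming that the caller can tolerate or undo that earlier work when it gets PR_FALSE back, or moving the check up to directly after graph building. The code comment could also say where mDoNothing gets set, since nothing in the hunk ties that flag to a fault.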

Could do return !mParams.mDoNothing;

I was worried that we'd somehow not mark everything for the JS GC, but it looks fine. If BeginCollection returns false nsXPConnect will just mark all the XPConnect JS objects (with TraceXPConnectRoots), and it won't call FinishCollection.

Comment on attachment 355654
Fault on OOM in the cycle collector, rev. 1.001

Ugh, actually, this won't work. We'll call RootWhite, which might root and unlink objects. That must be avoided, because we won't be calling FinishCollection to unroot. I think the rest should be fine to call, though a bit pointless (no need to traverse if we won't collect)?

Though at least XPConnect would like FinishCollection to be called, so it can clean up. That looks broken already in case of a fault :-(.

Bug 502687 added a null check here (without the Fault call).

Changed in firefox:
importance: Unknown → Critical

OOM check was added to PL_DHashTableOperate at some point in the past.

*** Bug 466364 has been marked as a duplicate of this bug. ***

Changed in firefox:
status: Confirmed → Invalid