Bug#695625: iceweasel: hang in js::WeakMapBase::markAllIteratively

Peter Denison bug-reports at marshadder.org
Sun Jun 16 21:17:32 UTC 2013 

Package: libmozjs10d
Version: 10.0.12esr-1+nmu1
Followup-For: Bug #695625

Dear Maintainer,
   * What led up to the situation?
	Running iceweasel with many windows (16 windows, 96 tabs)
   * What exactly did you do (or not do) that was effective (or
     ineffective)?
	Seems to happen at random times, both during activity and when idle
   * What was the outcome of this action?
        as per previous report, a hang with 100% CPU on one core

Further to the information above, the hang is at line 66 of js/src/jsweakmap.cpp
in the parent thread of the process

js/src/jsweakmap.cpp:
62 WeakMapBase::markAllIteratively(JSTracer *tracer)
63 {
64     bool markedAny = false;
65     JSRuntime *rt = tracer->context->runtime;
66     for (WeakMapBase *m = rt->gcWeakMapList; m; m = m->next) {
67        if (m->markIteratively(tracer))
68            markedAny = true;
69    }
70    return markedAny;
71 }

(gdb) p m
$10 = (js::WeakMapBase *) 0xa7cc8850
(gdb) p m->next
$11 = (js::WeakMapBase *) 0xa7cc8850

So somehow the tracer->context->runtime->gcWeakMapList has become corrupted,
and it's in an endless loop.

The recent call trace is js_GC, GCCycle, MarkAndSweep, EndMarkPhase,
then markAllIteratively

js/src/jsgc.cpp:
2511 static void
2512 EndMarkPhase(JSContext *cx, GCMarker *gcmarker, JSGCInvocationKind gckind)
2513 {
...
2525     while (WatchpointMap::markAllIteratively(gcmarker) ||
2526           WeakMapBase::markAllIteratively(gcmarker) ||

js/src/jsgc.cpp:
2662 static void
2663 MarkAndSweep(JSContext *cx, JSGCInvocationKind gckind)
2664 {
...
2677     GCMarker gcmarker(cx);
2678     JS_ASSERT(IS_GC_MARKING_TRACER(&gcmarker));
2679     JS_ASSERT(gcmarker.getMarkColor() == BLACK);
2680     rt->gcMarkingTracer = &gcmarker;
2681 
2682     BeginMarkPhase(cx, &gcmarker, gckind);
2683     gcmarker.drainMarkStack();
2684     EndMarkPhase(cx, &gcmarker, gckind);

So the gcWeakMapList in question comes out of the JSContext that is passed to
js_GC. I can't begin to speculate as to what has corrupted the gcWeakMapList
in the JSContext, I'm afraid.



Full backtrace:
(gdb) bt
#0  js::WeakMapBase::markAllIteratively (tracer=tracer at entry=0xbfb7a430) at /build/buildd-iceweasel_10.0.12esr-1+nmu1-i386-shkHac/iceweasel-10.0.12esr/js/src/jsweakmap.cpp:66
#1  0xb6f114c9 in EndMarkPhase (gcmarker=0xbfb7a430, cx=0xa3f92a60, gckind=<optimized out>) at /build/buildd-iceweasel_10.0.12esr-1+nmu1-i386-shkHac/iceweasel-10.0.12esr/js/src/jsgc.cpp:2526
#2  MarkAndSweep (gckind=GC_SHRINK, cx=0xa3f92a60) at /build/buildd-iceweasel_10.0.12esr-1+nmu1-i386-shkHac/iceweasel-10.0.12esr/js/src/jsgc.cpp:2684
#3  GCCycle (cx=cx at entry=0xa3f92a60, comp=comp at entry=0x0, gckind=gckind at entry=GC_SHRINK) at /build/buildd-iceweasel_10.0.12esr-1+nmu1-i386-shkHac/iceweasel-10.0.12esr/js/src/jsgc.cpp:2929
#4  0xb6f12507 in js_GC (cx=cx at entry=0xa3f92a60, comp=comp at entry=0x0, gckind=gckind at entry=GC_SHRINK, reason=reason at entry=js::gcstats::MAYBEGC)
    at /build/buildd-iceweasel_10.0.12esr-1+nmu1-i386-shkHac/iceweasel-10.0.12esr/js/src/jsgc.cpp:2991
#5  0xb6f12722 in js::MaybeGC (cx=0xa3f92a60) at /build/buildd-iceweasel_10.0.12esr-1+nmu1-i386-shkHac/iceweasel-10.0.12esr/js/src/jsgc.cpp:2152
#6  0xb5fee726 in nsJSContext::ScriptEvaluated (this=0xaf2c5cc0, aTerminated=true) at /build/buildd-iceweasel_10.0.12esr-1+nmu1-i386-shkHac/iceweasel-10.0.12esr/dom/base/nsJSEnvironment.cpp:3127
#7  0xb5e345c6 in nsCxPusher::Pop (this=this at entry=0xbfb7a604) at /build/buildd-iceweasel_10.0.12esr-1+nmu1-i386-shkHac/iceweasel-10.0.12esr/content/base/src/nsContentUtils.cpp:2708
#8  0xb5ff2f0e in nsJSContext::CallEventHandler (this=0xaf2c5cc0, aTarget=<optimized out>, aScope=0x938f94d8, aHandler=0x8c027938, aargv=0x8bf540e4, arv=0xbfb7a7d0)
    at /build/buildd-iceweasel_10.0.12esr-1+nmu1-i386-shkHac/iceweasel-10.0.12esr/dom/base/nsJSEnvironment.cpp:1964
#9  0xb6006366 in nsGlobalWindow::RunTimeout (this=0x911f4250, aTimeout=aTimeout at entry=0x8bf53150)
    at /build/buildd-iceweasel_10.0.12esr-1+nmu1-i386-shkHac/iceweasel-10.0.12esr/dom/base/nsGlobalWindow.cpp:9322
#10 0xb600f17b in nsGlobalWindow::TimerCallback (aTimer=0x8c1fed30, aClosure=0x8bf53150)
    at /build/buildd-iceweasel_10.0.12esr-1+nmu1-i386-shkHac/iceweasel-10.0.12esr/dom/base/nsGlobalWindow.cpp:9762
#11 0xb65e5b7d in nsTimerImpl::Fire (this=this at entry=0x8c1fed30) at /build/buildd-iceweasel_10.0.12esr-1+nmu1-i386-shkHac/iceweasel-10.0.12esr/xpcom/threads/nsTimerImpl.cpp:425
#12 0xb65e5c56 in nsTimerEvent::Run (this=0x51f0d8c0) at /build/buildd-iceweasel_10.0.12esr-1+nmu1-i386-shkHac/iceweasel-10.0.12esr/xpcom/threads/nsTimerImpl.cpp:521
#13 0xb65e2aa0 in nsThread::ProcessNextEvent (this=0xb72ec640, mayWait=true, result=0xbfb7a97f)
    at /build/buildd-iceweasel_10.0.12esr-1+nmu1-i386-shkHac/iceweasel-10.0.12esr/xpcom/threads/nsThread.cpp:631
#14 0xb65b2219 in NS_ProcessNextEvent_P (thread=<optimized out>, mayWait=mayWait at entry=true)
    at /build/buildd-iceweasel_10.0.12esr-1+nmu1-i386-shkHac/iceweasel-10.0.12esr/build-xulrunner/xpcom/build/nsThreadUtils.cpp:245
#15 0xb653fb74 in mozilla::ipc::MessagePump::Run (this=0xb72fea60, aDelegate=0xb7255690) at /build/buildd-iceweasel_10.0.12esr-1+nmu1-i386-shkHac/iceweasel-10.0.12esr/ipc/glue/MessagePump.cpp:134
#16 0xb6602654 in MessageLoop::RunInternal (this=this at entry=0xb7255690) at /build/buildd-iceweasel_10.0.12esr-1+nmu1-i386-shkHac/iceweasel-10.0.12esr/ipc/chromium/src/base/message_loop.cc:208
#17 0xb660277c in RunHandler (this=0xb7255690) at /build/buildd-iceweasel_10.0.12esr-1+nmu1-i386-shkHac/iceweasel-10.0.12esr/ipc/chromium/src/base/message_loop.cc:201
#18 MessageLoop::Run (this=0xb7255690) at /build/buildd-iceweasel_10.0.12esr-1+nmu1-i386-shkHac/iceweasel-10.0.12esr/ipc/chromium/src/base/message_loop.cc:175
#19 0xb64ad3d3 in nsBaseAppShell::Run (this=0xb72dc420) at /build/buildd-iceweasel_10.0.12esr-1+nmu1-i386-shkHac/iceweasel-10.0.12esr/widget/src/xpwidgets/nsBaseAppShell.cpp:189
#20 0xb63658c6 in nsAppStartup::Run (this=0xb1dcda30) at /build/buildd-iceweasel_10.0.12esr-1+nmu1-i386-shkHac/iceweasel-10.0.12esr/toolkit/components/startup/nsAppStartup.cpp:228
#21 0xb5b53253 in XRE_main (argc=7, argv=0xbfb7ef54, aAppData=0xb726c4c0) at /build/buildd-iceweasel_10.0.12esr-1+nmu1-i386-shkHac/iceweasel-10.0.12esr/toolkit/xre/nsAppRunner.cpp:3551
#22 0x08049ff6 in main (argc=7, argv=0xbfb7ef54) at /build/buildd-iceweasel_10.0.12esr-1+nmu1-i386-shkHac/iceweasel-10.0.12esr/xulrunner/stub/nsXULStub.cpp:516


-- System Information:
Debian Release: jessie/sid
  APT prefers testing
  APT policy: (500, 'testing')
Architecture: i386 (i686)

Kernel: Linux 3.9.5 (SMP w/4 CPU cores; PREEMPT)
Locale: LANG=en_GB.utf8, LC_CTYPE=en_GB.utf8 (charmap=UTF-8)
Shell: /bin/sh linked to /bin/dash

Versions of packages libmozjs10d depends on:
ii  libc6        2.17-3
ii  libffi5      3.0.10-3
ii  libgcc1      1:4.8.1-2
ii  libnspr4     2:4.9.6-1
ii  libnspr4-0d  2:4.9.6-1
ii  libstdc++6   4.8.1-2

libmozjs10d recommends no packages.

libmozjs10d suggests no packages.

-- no debconf information

More information about the pkg-mozilla-maintainers mailing list