Closed Bug 279858 Opened 20 years ago Closed 20 years ago

Trunk FFTrunk crash [@ UnmarkedGCThingFlags]

Categories

(Core :: JavaScript Engine, defect, P1)

Product:
Core
Component:
JavaScript Engine
Type:
defect

Tracking

()

Status:
RESOLVED FIXED
Milestone:
mozilla1.8beta1

People

(Reporter: aha, Assigned: brendan)

Details

(4 keywords)

Crash Data

Attachments

(1 file)

fix off-by-one-slot bug
655 bytes, patch
shaver
: review+
dbaron
: approval1.8b+
Details | Diff | Splinter Review
With January Seamonkey trunk builds I met several times crashes with this signature (and also probably related MarkGCThing). I'm not able to reproduce it on demand, but it isn't one-time-crash. As I can remember, one situation repeated - Mozilla crashes while I was opening many pages to tabs in our CMS JS-enabled), but it crashed in 3 of about 130 times. Other user (http://forum.czilla.cz/viewtopic.php?p=26669#26669 - but in Czech language) is crashing very soon after startup (clean install). Crashes with UnmarkedGCThingFlags signature are for all platforms (Win, Lin, Mac) and both browsers, 106 ones: http://tinyurl.com/6lr3c Maybe bug 203278 should be related(?) TB3276082: UnmarkedGCThingFlags [c:/builds/tinderbox/MozillaTrunk/WINNT_5.0_Clobber/mozilla/js/src/jsgc.c, line 997] MarkGCThing [c:/builds/tinderbox/MozillaTrunk/WINNT_5.0_Clobber/mozilla/js/src/jsgc.c, line 1190] MarkGCThing [c:/builds/tinderbox/MozillaTrunk/WINNT_5.0_Clobber/mozilla/js/src/jsgc.c, line 1190] MarkGCThing [c:/builds/tinderbox/MozillaTrunk/WINNT_5.0_Clobber/mozilla/js/src/jsgc.c, line 1190] MarkGCThing [c:/builds/tinderbox/MozillaTrunk/WINNT_5.0_Clobber/mozilla/js/src/jsgc.c, line 1190] MarkGCThing [c:/builds/tinderbox/MozillaTrunk/WINNT_5.0_Clobber/mozilla/js/src/jsgc.c, line 1190] MarkGCThing [c:/builds/tinderbox/MozillaTrunk/WINNT_5.0_Clobber/mozilla/js/src/jsgc.c, line 1190] MarkGCThing [c:/builds/tinderbox/MozillaTrunk/WINNT_5.0_Clobber/mozilla/js/src/jsgc.c, line 1190] MarkGCThing [c:/builds/tinderbox/MozillaTrunk/WINNT_5.0_Clobber/mozilla/js/src/jsgc.c, line 1190] MarkGCThing [c:/builds/tinderbox/MozillaTrunk/WINNT_5.0_Clobber/mozilla/js/src/jsgc.c, line 1190] MarkGCThing [c:/builds/tinderbox/MozillaTrunk/WINNT_5.0_Clobber/mozilla/js/src/jsgc.c, line 1190] js_MarkGCThing [c:/builds/tinderbox/MozillaTrunk/WINNT_5.0_Clobber/mozilla/js/src/jsgc.c, line 1399] MarkGCThing [c:/builds/tinderbox/MozillaTrunk/WINNT_5.0_Clobber/mozilla/js/src/jsgc.c, line 1100] js_MarkGCThing [c:/builds/tinderbox/MozillaTrunk/WINNT_5.0_Clobber/mozilla/js/src/jsgc.c, line 1399] XPC_WN_Shared_Mark [c:/builds/tinderbox/MozillaTrunk/WINNT_5.0_Clobber/mozilla/js/src/xpconnect/src/xpcwrappednativejsops.cpp, line 706] MarkGCThing [c:/builds/tinderbox/MozillaTrunk/WINNT_5.0_Clobber/mozilla/js/src/jsgc.c, line 1100] MarkGCThing [c:/builds/tinderbox/MozillaTrunk/WINNT_5.0_Clobber/mozilla/js/src/jsgc.c, line 1190] MarkGCThing [c:/builds/tinderbox/MozillaTrunk/WINNT_5.0_Clobber/mozilla/js/src/jsgc.c, line 1190] js_MarkGCThing [c:/builds/tinderbox/MozillaTrunk/WINNT_5.0_Clobber/mozilla/js/src/jsgc.c, line 1399] js_GC [c:/builds/tinderbox/MozillaTrunk/WINNT_5.0_Clobber/mozilla/js/src/jsgc.c, line 1654] js_ForceGC [c:/builds/tinderbox/MozillaTrunk/WINNT_5.0_Clobber/mozilla/js/src/jsgc.c, line 1463] nsAppStartup::Run [c:/builds/tinderbox/MozillaTrunk/WINNT_5.0_Clobber/mozilla/xpfe/components/startup/src/nsAppStartup.cpp, line 208] main [c:/builds/tinderbox/MozillaTrunk/WINNT_5.0_Clobber/mozilla/xpfe/bootstrap/nsAppRunner.cpp, line 1811] WinMain [c:/builds/tinderbox/MozillaTrunk/WINNT_5.0_Clobber/mozilla/xpfe/bootstrap/nsAppRunner.cpp, line 1839] KERNEL32.DLL + 0x2893d (0x796f893d)
This is a topcrasher for recent MozillaTrunk and FirefoxTrunk builds. Here's a link to all "UnmarkedGCThingFlags": http://talkback-public.mozilla.org/talkback/fastfind.jsp?search=1&searchby=stacksig&match=contains&searchfor=UnmarkedGCThingFlags&vendor=All&product=All&platform=All&buildid=&sdate=&stime=&edate=&etime=&sortby=bbid The stacks vary, but this looks like a new crash that started showing up on the Trunk recently (there are no crashes with this stack signature for Firefox 1.0 or Mozilla 1.7x builds).
Status: UNCONFIRMED → NEW
Ever confirmed: true
Keywords: topcrash
Summary: crash [@ UnmarkedGCThingFlags() ] → Trunk FFTrunk crash [@ UnmarkedGCThingFlags]
btw: I found a clean way (but it's rather complicated) to reproduce this: 1. Install Enigmail 2. Send encrypted(&signed) e-mail to someone 3. Go to Sent folder and click on Edit As New... 4. Move mouse in that window or try to resize some widgets in this window. 5. Observe crash
Flags: blocking1.8b-
Flags: blocking1.8b- → blocking1.8b?
This regressed between 2004-12-28-05 and 2005-01-05-06. Between those two dates no builds are available from archive.mozilla.org Bonsai link for checkins in mozilla/js/ in that timeframe (i think this crash is caused by code in there?): http://bonsai.mozilla.org/cvsquery.cgi?treeid=default&module=SeaMonkeyAll&branch=HEAD&branchtype=match&dir=mozilla%2Fjs%2F&file=&filetype=match&who=&whotype=match&sortby=Date&hours=2&date=explicit&mindate=2004-12-28+04%3A00%3A00&maxdate=2005-01-05+07%3A00%3A00&cvsroot=%2Fcvsroot
Keywords: regression
Flags: blocking1.8b? → blocking1.8b+
Assignee: general → brendan
Keywords: js1.5
Priority: -- → P1
Target Milestone: --- → mozilla1.8beta
Anyone able to get instruction-level analysis and register contents out of talkback, and say what was the problem? I'm guessing flagp was a bogus pointer, but that doesn't say what thing might have been. Frank, can you give me instructions for beginners on how to set up mozilla with enigmail? I haven't built the suite in a while, so if I could use an existing debug build that would help. /be
Status: NEW → ASSIGNED
I found a few incidents with a little more detailed info (just assembly stuff to go along with the stack): FirefoxTrunk crash: Incident ID: 3400459 Stack Signature UnmarkedGCThingFlags 5260f895 Product ID FirefoxTrunk Build ID 2005012407 Trigger Time 2005-01-31 03:16:33.0 Platform Win32 Operating System Windows NT 5.0 build 2195 Module js3250.dll + (0001b7d3) URL visited User Comments Since Last Crash 21441 sec Total Uptime 28350 sec Trigger Reason Access violation Source File, Line No. c:/builds/tinderbox/Fx-Trunk/WINNT_5.0_Clobber/mozilla/js/src/jsgc.c, line 997 Stack Trace UnmarkedGCThingFlags [c:/builds/tinderbox/Fx-Trunk/WINNT_5.0_Clobber/mozilla/js/src/jsgc.c, line 997] MarkGCThing [c:/builds/tinderbox/Fx-Trunk/WINNT_5.0_Clobber/mozilla/js/src/jsgc.c, line 1189] MarkGCThing [c:/builds/tinderbox/Fx-Trunk/WINNT_5.0_Clobber/mozilla/js/src/jsgc.c, line 1189] js_MarkGCThing [c:/builds/tinderbox/Fx-Trunk/WINNT_5.0_Clobber/mozilla/js/src/jsgc.c, line 1398] XPC_WN_Shared_Proto_Mark [c:/builds/tinderbox/Fx-Trunk/WINNT_5.0_Clobber/mozilla/js/src/xpconnect/src/xpcwrappednativejsops.cpp, line 1386] MarkGCThing [c:/builds/tinderbox/Fx-Trunk/WINNT_5.0_Clobber/mozilla/js/src/jsgc.c, line 1099] js_MarkGCThing [c:/builds/tinderbox/Fx-Trunk/WINNT_5.0_Clobber/mozilla/js/src/jsgc.c, line 1398] XPC_WN_Shared_Mark [c:/builds/tinderbox/Fx-Trunk/WINNT_5.0_Clobber/mozilla/js/src/xpconnect/src/xpcwrappednativejsops.cpp, line 706] MarkGCThing [c:/builds/tinderbox/Fx-Trunk/WINNT_5.0_Clobber/mozilla/js/src/jsgc.c, line 1099] js_MarkGCThing [c:/builds/tinderbox/Fx-Trunk/WINNT_5.0_Clobber/mozilla/js/src/jsgc.c, line 1398] js_GC [c:/builds/tinderbox/Fx-Trunk/WINNT_5.0_Clobber/mozilla/js/src/jsgc.c, line 1653] js_ForceGC [c:/builds/tinderbox/Fx-Trunk/WINNT_5.0_Clobber/mozilla/js/src/jsgc.c, line 1462] nsJSEventListener::HandleEvent [c:/builds/tinderbox/Fx-Trunk/WINNT_5.0_Clobber/mozilla/dom/src/events/nsJSEventListener.cpp, line 184] nsEventListenerManager::HandleEventSubType [c:/builds/tinderbox/Fx-Trunk/WINNT_5.0_Clobber/mozilla/content/events/src/nsEventListenerManager.cpp, line 1519] nsEventListenerManager::HandleEvent [c:/builds/tinderbox/Fx-Trunk/WINNT_5.0_Clobber/mozilla/content/events/src/nsEventListenerManager.cpp, line 1596] nsDocument::HandleDOMEvent [c:/builds/tinderbox/Fx-Trunk/WINNT_5.0_Clobber/mozilla/content/base/src/nsDocument.cpp, line 3830] nsGenericElement::HandleDOMEvent [c:/builds/tinderbox/Fx-Trunk/WINNT_5.0_Clobber/mozilla/content/base/src/nsGenericElement.cpp, line 2028] nsGenericElement::HandleDOMEvent [c:/builds/tinderbox/Fx-Trunk/WINNT_5.0_Clobber/mozilla/content/base/src/nsGenericElement.cpp, line 2020] nsGenericElement::HandleDOMEvent [c:/builds/tinderbox/Fx-Trunk/WINNT_5.0_Clobber/mozilla/content/base/src/nsGenericElement.cpp, line 2020] nsGenericElement::HandleDOMEvent [c:/builds/tinderbox/Fx-Trunk/WINNT_5.0_Clobber/mozilla/content/base/src/nsGenericElement.cpp, line 2020] nsGenericElement::HandleDOMEvent [c:/builds/tinderbox/Fx-Trunk/WINNT_5.0_Clobber/mozilla/content/base/src/nsGenericElement.cpp, line 2020] nsGenericElement::HandleDOMEvent [c:/builds/tinderbox/Fx-Trunk/WINNT_5.0_Clobber/mozilla/content/base/src/nsGenericElement.cpp, line 2020] nsGenericElement::HandleDOMEvent [c:/builds/tinderbox/Fx-Trunk/WINNT_5.0_Clobber/mozilla/content/base/src/nsGenericElement.cpp, line 2020] nsGenericElement::HandleDOMEvent [c:/builds/tinderbox/Fx-Trunk/WINNT_5.0_Clobber/mozilla/content/base/src/nsGenericElement.cpp, line 2020] nsGenericElement::HandleDOMEvent [c:/builds/tinderbox/Fx-Trunk/WINNT_5.0_Clobber/mozilla/content/base/src/nsGenericElement.cpp, line 2020] nsGenericElement::HandleDOMEvent [c:/builds/tinderbox/Fx-Trunk/WINNT_5.0_Clobber/mozilla/content/base/src/nsGenericElement.cpp, line 2020] PresShell::HandleEventInternal [c:/builds/tinderbox/Fx-Trunk/WINNT_5.0_Clobber/mozilla/layout/base/nsPresShell.cpp, line 5905] PresShell::HandleEvent [c:/builds/tinderbox/Fx-Trunk/WINNT_5.0_Clobber/mozilla/layout/base/nsPresShell.cpp, line 5761] nsViewManager::HandleEvent [c:/builds/tinderbox/Fx-Trunk/WINNT_5.0_Clobber/mozilla/view/src/nsViewManager.cpp, line 2424] nsViewManager::DispatchEvent [c:/builds/tinderbox/Fx-Trunk/WINNT_5.0_Clobber/mozilla/view/src/nsViewManager.cpp, line 2151] HandleEvent [c:/builds/tinderbox/Fx-Trunk/WINNT_5.0_Clobber/mozilla/view/src/nsView.cpp, line 174] nsWindow::DispatchEvent [c:/builds/tinderbox/Fx-Trunk/WINNT_5.0_Clobber/mozilla/widget/src/windows/nsWindow.cpp, line 1103] nsWindow::DispatchMouseEvent [c:/builds/tinderbox/Fx-Trunk/WINNT_5.0_Clobber/mozilla/widget/src/windows/nsWindow.cpp, line 5402] ChildWindow::DispatchMouseEvent [c:/builds/tinderbox/Fx-Trunk/WINNT_5.0_Clobber/mozilla/widget/src/windows/nsWindow.cpp, line 5653] nsWindow::WindowProc [c:/builds/tinderbox/Fx-Trunk/WINNT_5.0_Clobber/mozilla/widget/src/windows/nsWindow.cpp, line 1389] USER32.dll + 0x2a420 (0x77e3a420) USER32.dll + 0x4605 (0x77e14605) USER32.dll + 0xa7ba (0x77e1a7ba) nsAppStartup::Run [c:/builds/tinderbox/Fx-Trunk/WINNT_5.0_Clobber/mozilla/toolkit/components/startup/src/nsAppStartup.cpp, line 146] main [c:/builds/tinderbox/Fx-Trunk/WINNT_5.0_Clobber/mozilla/browser/app/nsBrowserApp.cpp, line 60] KERNEL32.DLL + 0x2893d (0x793f893d) ------------------------------------------ x86 Registers: Not Available Code Around the PC: 6009b7b3 7424 jz 6009b7d9 6009b7b5 0ce8 or al,0xe8 6009b7b7 260000 add es:[eax],al 6009b7ba 0083c40cc383 add [ebx+0x83c30cc4],al 6009b7c0 7c24 jl 6009b7e6 6009b7c2 0400 add al,0x0 6009b7c4 7503 jnz 6009b7c9 6009b7c6 33c0 xor eax,eax 6009b7c8 c3 ret 6009b7c9 ff742404 push dword ptr [esp+0x4] 6009b7cd e8a2f9ffff call 6009b174 6009b7d2 59 pop ecx 6009b7d3 8a08 mov cl,[eax] 6009b7d5 80e110 and cl,0x10 6009b7d8 f6d9 neg cl 6009b7da 1bc9 sbb ecx,ecx 6009b7dc f7d1 not ecx 6009b7de 23c1 and eax,ecx 6009b7e0 c3 ret 6009b7e1 55 push ebp 6009b7e2 8bec mov ebp,esp 6009b7e4 83ec0c sub esp,0xc 6009b7e7 8b4510 mov eax,[ebp+0x10] 6009b7ea 53 push ebx 6009b7eb 56 push esi 6009b7ec 57 push edi 6009b7ed 8a08 mov cl,[eax] 6009b7ef f6c110 test cl,0x10 6009b7f2 0f8551010000 jne 6009b949 6009b7f8 33db xor ebx,ebx 6009b7fa 80c910 or cl,0x10 6009b7fd 8808 mov [eax],cl 6009b7ff 8b4d10 mov ecx,[ebp+0x10] 6009b802 8a01 mov al,[ecx] 6009b804 83e00f and eax,0xf 6009b807 2bc3 sub eax,ebx 6009b809 7433 jz 6009b83e 6009b80b 83e803 sub eax,0x3 6009b80e 0f85f4000019 jne 7909b908 ======================================================= MozillaTrunk crash: Incident ID: 3399206 Stack Signature UnmarkedGCThingFlags ddc7f193 Product ID MozillaTrunk Build ID 2005013005 Trigger Time 2005-01-31 01:26:52.0 Platform Win32 Operating System Windows NT 5.0 build 2195 Module js3250.dll + (0001b802) URL visited User Comments Since Last Crash 29 sec Total Uptime 29 sec Trigger Reason Access violation Source File, Line No. c:/builds/tinderbox/MozillaTrunk/WINNT_5.0_Clobber/mozilla/js/src/jsgc.c, line 997 Stack Trace UnmarkedGCThingFlags [c:/builds/tinderbox/MozillaTrunk/WINNT_5.0_Clobber/mozilla/js/src/jsgc.c, line 997] MarkGCThing [c:/builds/tinderbox/MozillaTrunk/WINNT_5.0_Clobber/mozilla/js/src/jsgc.c, line 1187] MarkGCThing [c:/builds/tinderbox/MozillaTrunk/WINNT_5.0_Clobber/mozilla/js/src/jsgc.c, line 1187] MarkGCThing [c:/builds/tinderbox/MozillaTrunk/WINNT_5.0_Clobber/mozilla/js/src/jsgc.c, line 1187] js_MarkGCThing [c:/builds/tinderbox/MozillaTrunk/WINNT_5.0_Clobber/mozilla/js/src/jsgc.c, line 1396] js_GC [c:/builds/tinderbox/MozillaTrunk/WINNT_5.0_Clobber/mozilla/js/src/jsgc.c, line 1651] js_ForceGC [c:/builds/tinderbox/MozillaTrunk/WINNT_5.0_Clobber/mozilla/js/src/jsgc.c, line 1460] nsAppStartup::Run [c:/builds/tinderbox/MozillaTrunk/WINNT_5.0_Clobber/mozilla/xpfe/components/startup/src/nsAppStartup.cpp, line 208] main [c:/builds/tinderbox/MozillaTrunk/WINNT_5.0_Clobber/mozilla/xpfe/bootstrap/nsAppRunner.cpp, line 1811] WinMain [c:/builds/tinderbox/MozillaTrunk/WINNT_5.0_Clobber/mozilla/xpfe/bootstrap/nsAppRunner.cpp, line 1839] KERNEL32.DLL + 0x2893d (0x77e9893d) ----------------------------------------- x86 Registers: Not Available Code Around the PC: 60d7b7e2 7424 jz 60d7b808 60d7b7e4 0ce8 or al,0xe8 60d7b7e6 260000 add es:[eax],al 60d7b7e9 0083c40cc383 add [ebx+0x83c30cc4],al 60d7b7ef 7c24 jl 60d7b815 60d7b7f1 0400 add al,0x0 60d7b7f3 7503 jnz 60d7b7f8 60d7b7f5 33c0 xor eax,eax 60d7b7f7 c3 ret 60d7b7f8 ff742404 push dword ptr [esp+0x4] 60d7b7fc e8a2f9ffff call 60d7b1a3 60d7b801 59 pop ecx 60d7b802 8a08 mov cl,[eax] 60d7b804 80e110 and cl,0x10 60d7b807 f6d9 neg cl 60d7b809 1bc9 sbb ecx,ecx 60d7b80b f7d1 not ecx 60d7b80d 23c1 and eax,ecx 60d7b80f c3 ret 60d7b810 55 push ebp 60d7b811 8bec mov ebp,esp 60d7b813 83ec0c sub esp,0xc 60d7b816 8b4510 mov eax,[ebp+0x10] 60d7b819 53 push ebx 60d7b81a 56 push esi 60d7b81b 57 push edi 60d7b81c 8a08 mov cl,[eax] 60d7b81e f6c110 test cl,0x10 60d7b821 0f8551010000 jne 60d7b978 60d7b827 33db xor ebx,ebx 60d7b829 80c910 or cl,0x10 60d7b82c 8808 mov [eax],cl 60d7b82e 8b4510 mov eax,[ebp+0x10] 60d7b831 8a00 mov al,[eax] 60d7b833 83e00f and eax,0xf 60d7b836 2bc3 sub eax,ebx 60d7b838 7433 jz 60d7b86d 60d7b83a 83e803 sub eax,0x3 60d7b83d 0f85f2000019 jne 79d7b935 Brendan: Not much more available, still unsure why the stack is missing in the detailed reports, but go ahead and look up the 2 incidents above on hal.mozilla.org to see if there is anything else useful. The data should be around until at least Wed.
(In reply to comment #4) > Anyone able to get instruction-level analysis and register contents out of > talkback, and say what was the problem? I'm guessing flagp was a bogus pointer, > but that doesn't say what thing might have been. If i understand you correctly, here is some var info for the stack: UnmarkedGCThingFlags: - flagp 0xddddfe28 "" CXX0030: Error: expression cannot be evaluated flags 0x03 '' thing 0x0641a658 js_MarkGCThing: arg 0x00000000 + cx 0x0651c3d0 - flagp 0x00000050 "" CXX0030: Error: expression cannot be evaluated thing 0x0641a658 MarkGCThing: no flagp MarkGCThing: + cx 0x0651c3d0 - flagp 0x05d30e2d "" 0x10 '' next_thing 0x05d2fdf0 thing 0x05d2fde8 > Frank, can you give me instructions for beginners on how to set up mozilla with > enigmail? I haven't built the suite in a while, so if I could use an existing > debug build that would help. Quite simple: Create .mozconfig with ac_add_options --enable-crypto ac_add_options --enable-debug ac_add_options --disable-optimize ac_add_options --enable-application=suite mk_add_options MOZ_CO_PROJECT=suite mk_add_options MOZ_OBJDIR=@TOPSRCDIR@/obj-@CONFIG_GUESS@-debug and afterwards install the Enigmail nightly from http://enigmail.mozdev.org/nightly.html. Of course you need to have GnuPG already working for that.
With a real debug build it also shows another line for the crash (probably more accurate), there it shows as crasher line: flags = *flagp; (line 990, jsgc.c) which is in disassembly this: 0125463F mov ecx,dword ptr [flagp] 01254642 mov dl,byte ptr [ecx] <-- crashes here 01254644 mov byte ptr [flags],dl ecx is different on every crash btw (but it's always something like 0xdddd(another four characters or digits, changing). Registers: EAX = DDDDDE01 EBX = 7FFDF000 ECX = DDDDDE01 EDX = 05D85000 ESI = 00750062 EDI = 00650064 EIP = 01254642 ESP = 0012FB1C EBP = 0012FB24 EFL = 00000202 MM0 = 00FFFFFF00FFFFFF MM1 = 00FFFFFF00FFFFFF MM2 = 00060E1200FFFFFF MM3 = 00FFFFFF00FFFFFF MM4 = 0000000000000000 MM5 = C44C888D26D00000 MM6 = 8800007700000000 MM7 = F8E2000000000000 XMM0 = FFE2FFE5FFE8FFEBFFEDFFF0FFF3FFF8 XMM1 = FFFFFFDAFFFFFFE0FFFFFFE6FFFFFFF0 XMM2 = FFFFFFC4FFFFFFCAFFFFFFD0FFFFFFD6 XMM3 = 00000000000000000000000000000000 XMM4 = 00000000000000000000000000000000 XMM5 = 00000000000000000000000000000000 XMM6 = 00000000000000000000000000000000 XMM7 = 7FFF7FFF7FFF7FFF7FFF7FFF7FFF7FFF CS = 001B DS = 0023 ES = 0023 SS = 0023 FS = 0038 GS = 0000 OV=0 UP=0 EI=1 PL=0 ZR=0 AC=0 PE=0 CY=0
I have a fresh trunk suite build, and enigmail-trunk-moz-linux-trunk.xpi, and I keep crashing with: Program received signal SIGSEGV, Segmentation fault. 0xf6f27325 in ~nsCOMPtr_base (this=0x0) at nsCOMPtr.cpp:79 79 NSCAP_LOG_RELEASE(this, mRawPtr); (gdb) fr #0 0xf6f27325 in ~nsCOMPtr_base (this=0x0) at nsCOMPtr.cpp:79 79 NSCAP_LOG_RELEASE(this, mRawPtr); (gdb) bt 10 #0 0xf6f27325 in ~nsCOMPtr_base (this=0x0) at nsCOMPtr.cpp:79 #1 0xf3076a3c in nsStdoutPoller::AsyncStart () from /home/brendan/src/mozsuite/mozilla/dist/bin/components/libenigmime.so #2 0xf30745db in nsPipeTransport::OpenInputStream () from /home/brendan/src/mozsuite/mozilla/dist/bin/components/libenigmime.so #3 0xf3080bbd in nsIPCService::ExecPipe () from /home/brendan/src/mozsuite/mozilla/dist/bin/components/libenigmime.so when trying to send signed, encrypted mail. I also seem to have a similar crash when trying to open About Enigmail in the Enigmail menu. Help? /be
(In reply to comment #8) > when trying to send signed, encrypted mail. I also seem to have a similar crash > when trying to open About Enigmail in the Enigmail menu. Help? > > /be I could send you a encrypted mail (upload your pgp key to a keyserver). You could try saving your encrypted mail and then right-click that mail and Edit As New... Too bad it doesn't work you :/, here everything works with the up-to-date source from CVS.
I think I have a similar/identical crash on Linux: #0 0x40116d72 in js_ChangeExternalStringFinalizer () from /usr/lib/mozilla/libmozjs.so #1 0x40173f78 in ?? () from /usr/lib/mozilla/libmozjs.so #2 0xbfffe2e8 in ?? () #3 0x4011724a in js_MarkGCThing () from /usr/lib/mozilla/libmozjs.so Previous frame inner to this frame (corrupt stack?) Sorry, but this is no debug build. It happens for me while replying to a partly signed mail. The composition window opens and then it crashes. I can reproduce this with this special mail all the time.
(In reply to comment #10) > Sorry, but this is no debug build. > It happens for me while replying to a partly signed mail. > The composition window opens and then it crashes. I can reproduce this with this > special mail all the time. PGP/GPG signed mail or S/MIME signed mail?
(In reply to comment #11) > PGP/GPG signed mail or S/MIME signed mail? PGP signed mail with latest enigmail (0.90.0)
There are current TB reports with that stack for MacOSX (5) and Linux (44).
OS: Windows 2000 → All
Hardware: PC → All
(In reply to comment #2) > btw: I found a clean way (but it's rather complicated) to reproduce this: > 1. Install Enigmail > 2. Send encrypted(&signed) e-mail to someone > 3. Go to Sent folder and click on Edit As New... > 4. Move mouse in that window or try to resize some widgets in this window. > 5. Observe crash please see also bug http://mozdev.org/bugs/show_bug.cgi?id=8911 maybe give assistance this Talkback IncidentID: TB3164598Z from the bug to fix this
Just for the reference, i created two Purify logs, you can look at it under http://www.mcsmurf.de/purify.txt and http://www.mcsmurf.de/purify2.txt
Target Milestone: mozilla1.8beta1 → mozilla1.8beta2
maybe enigmail bug. possibly for beta 2 if this is fully diagnosed in time.
Flags: blocking1.8b+ → blocking1.8b2?
Those purify logs are not helpful, because they don't show how an object connected to the live-thing graph marked by the GC became garbage while still (or again) being connected to a live thing -- the |obj| parameter to the MarkGCThing call one frame removed (i.e., the caller of the top MarkGCThing frame) on the stack. If you can stop in a debugger and go up one frame, then print *(JSClass*)(obj->slots[2]-1), that might tell us something. You might want to go up frame by frame doing that, recording the results, until you reach a frame not executing in MarkGCThing. /be
Flags: blocking1.8b2?
(In reply to comment #16) > maybe enigmail bug. possibly for beta 2 if this is fully diagnosed in time. Enigmail may trigger this in Tb/Seamonkey, but Firefox crashing surely has nothing to do with enigmail?
Got it, thanks to mcsmurf's help. Patch next. /be
Flags: blocking1.8b2?
Flags: blocking1.8b+
Target Milestone: mozilla1.8beta2 → mozilla1.8beta1
See jsobj.c:AllocSlots, where obj->slots[0] has one added to it before being scaled by sizeof(jsval) and compared to GC_NBYTES_MAX. /be
Attachment #174551 - Flags: review?(shaver)
Attachment #174551 - Flags: approval1.8b?
Attachment #174551 - Flags: review?(shaver) → review+
Yay, the patch seems to work :)!
Attachment #174551 - Flags: approval1.8b? → approval1.8b+
Fixed. Thanks again, mcsmurf! /be
Status: ASSIGNED → RESOLVED
Closed: 20 years ago
Resolution: --- → FIXED
btw: There are still a few UnmarkedGCThingFlags crashers with current builds (like 4 incidents out of 467 incidents, so only very few) in Talkback data, but i think those can be tracked in another bug if necessary.
Flags: testcase-
Crash Signature: [@ UnmarkedGCThingFlags]
You need to log in before you can comment on or make changes to this bug.

Attachment

General

Creator:
Created:
Updated:
Size: