Closed Bug 602803 Opened 14 years ago Closed 6 years ago

crash in js::gc::MarkChildren

Categories: Core :: JavaScript Engine, defect
Priority: Not set
Severity: critical
Status: RESOLVED INCOMPLETE
Reporter: scoobidiver
Assignee: Unassigned
Keywords: crash, regression

Build: Mozilla/5.0 (Windows NT 6.1; WOW64; rv:2.0b8pre) Gecko/20101007 Firefox/4.0b8pre

This is a new crash signature. Crashes first appeared in the b7pre/20100929 build.
It is the #130 top crasher in the b7pre build for the last week.

Signature	js::gc::MarkChildren
UUID	d3cc13dc-0617-45f3-8ef4-80c2f2101007
Time 	2010-10-07 09:15:33.3146
Uptime	56
Last Crash	77 seconds before submission
Install Age	87 seconds since version was first installed.
Product	Firefox
Version	4.0b8pre
Build ID	20101007042624
Branch	2.0
OS	Windows NT
OS Version	6.1.7600
CPU	x86
CPU Info	GenuineIntel family 6 model 15 stepping 6
Crash Reason	EXCEPTION_ACCESS_VIOLATION_WRITE
Crash Address	0x0
App Notes 	AdapterVendorID: 10de, AdapterDeviceID: 0422

Frame 	Module 	Signature 	Source
0 		@0x9c8b1fb 	
1 	mozjs.dll 	js::gc::MarkChildren 	js/src/jsgcinlines.h:199
2 	mozjs.dll 	js::gc::MarkObject 	js/src/jsgcinlines.h:179
3 	mozjs.dll 	fun_trace 	js/src/jsfun.cpp:2085
4 	mozjs.dll 	js_TraceObject 	js/src/jsobj.cpp:6175

The regression range is:
http://hg.mozilla.org/mozilla-central/pushloghtml?fromchange=c257bfb8cad0&tochange=a60414d076b5

More reports at:
http://crash-stats.mozilla.com/report/list?product=Firefox&query_search=signature&query_type=exact&query=&range_value=4&range_unit=weeks&hang_type=any&process_type=any&plugin_field=&plugin_query_type=&plugin_query=&do_query=1&admin=&signature=js%3A%3Agc%3A%3AMarkChildren
It is the #31 top crasher in 4.0b8 for the last week.

It is the #35 top crasher in 4.0b11.

I have had this crash today with Mozilla/5.0 (Macintosh; Intel Mac OS X 10.6; rv:5.0a2) Gecko/20110515 Firefox/5.0a2 ID:20110515042002

Crash report: bp-7559beb0-88eb-4b9f-b820-0e1332110520

Firefox crashed while it was in the background.

OS: Windows 7 → All
Hardware: x86 → All

It is the #37 top crasher in 4.0.1 and the #7 top crasher in 5.0b2.

The volume has increased quite a bit on 4.0.1 in the last few weeks. Not sure if this reflects a regression in 4.0.1 or just migration of users up from 3.6, or both.

Here are some snapshots of a few days in May showing that growth.

         js::gc::MarkChildren
date     total    breakdown by build
         crashes  count build, count build, ...

20110501 267  	159 4.0.12011041322, 
        		62 4.02011031805, 	15 4.0b112011020314, 
        		8 4.0b122011022221, 	4 4.0b82010121417, 
        		4 4.0b102011012116, 	3 5.0a22011050104, 
        		3 5.0a22011043004, 	3 4.0b72010110414, 
        		1 5.0a22011042904, 	1 4.2a1pre2011041203, 
        		1 4.0b92011011019, 	1 4.0b122011022200, 
        		1 4.0.1pre2011041103, 	1 4.02011030319, 


20110508 331  	255 4.0.12011041322, 
        		27 4.02011031805, 	14 4.0b112011020314, 
        		9 4.0b122011022221, 	6 4.0b92011011019, 
        		6 4.0b102011012116, 	3 5.02011042714, 
        		3 4.0b82010121417, 	2 6.0a12011042603, 
        		2 5.0a22011050804, 	2 4.0b72010110414, 
        		1 5.0a22011050204, 	1 4.02011030319, 
20110509 383  	307 4.0.12011041322, 
        		26 4.02011031805, 	10 4.0b112011020314, 
        		7 5.02011042714, 	6 5.0a22011050804, 
        		6 4.0b82010121417, 	6 4.0b122011022221, 
        		4 4.0b92011011019, 	3 5.0a22011050904, 
        		3 4.0b72010110414, 	3 4.0b102011012116, 
        		1 5.0a22011050404, 	1 5.0a22011042204, 

---

20110524 640  	436 4.0.12011041322, 
        		114 5.02011051719, 	28 5.02011042714, 
        		23 4.02011031805, 	8 4.0b112011020314, 
        		5 4.0b92011011019, 	4 5.0a22011052304, 
        		4 4.0b122011022221, 	3 5.0a22011052404, 
        		3 5.0a22011052204, 	3 4.0b82010121417, 
        		2 4.2a1pre2011041203, 	2 4.0b72010110414, 
        		1 5.0a22011051904, 	1 5.0a22011051004, 
        		1 4.0b102011012116, 	1 4.0.12011041400, 
        		1 4.02011030319,

This probably should be on the list in bug 613650.

We are going to + this because there is a clear regression to deal with and I think we need to look at making 5 more stable.

I tried to look into when this had a volume regression on trunk or 5.0, but that's really hard to find out as it had one-digit numbers on trunk most of the time and fluctuations there are hard to analyze. From 4.0b13pre builds to the end of April on trunk, the rate stayed about the same, in the 1-digit range on crashes and topcrash ranks in double digits. On aurora, with even fewer people testing, the crash rate is about the same, the rank going into the top 10 at times, though. In the first 5.0 beta build though, which actually is a 04-27 aurora build, this was a top 10 crasher all along.

What's remarkable on trunk though is that on 2011-04-30 it seemed to change the signature to js::gc::MarkChildren(JSTracer*, js::Shape const*) and even since a few days before then, this signature barely shows up any more on Nightly builds - in fact we only have one single crash report in js::gc::MarkChildren with a 6.0a1 build on a higher build ID than 20110509030631 - that one being bp-e1485f28-c875-4ae5-93fc-d2dfc2110515 with a nightly from the 15th but since then, we don't have any at all in 6.0a1 or 7.0a1 - will be interesting what Aurora 6 looks like (and I really hope we'll get Aurora to eclipse Nightly in ADUs one day, as right now it's the other way round, which makes crash analysis hard).

I spoke to dmandelin about this... his comments - "This is one of the GC bug signatures. It can't be solved in the short term, because the cause of the crash is arbitrarily far in time and code from the point of the crash. I generally try to persuade people not to bother with these. Bill and I have some ideas for trying to attack it, but they are all heavyweight diagnostics that send back tiny bits of info".

Removing the tracking flag since we can't do much for FF5.
Crash Signature: [@ js::gc::MarkChildren ]
FWIW, js::gc::MarkChildren is the #6 crash for Thunderbird 5. Of those users who we've had contact with
a) most had many crash signatures, most notably UnmarkGrayChildren (our #1 crash)
b) TB6 resolved their crashes

So for Thunderbird, it would seem js::gc::MarkChildren is gone due to Bug 660778 - Stack Overflow Crash - whose patch is in TB6 beta 1.

(js::gc::MarkChildren does seem arbitrary. But for completeness js::gc::MarkChildren with recent activity are: bug 643839 landed in T5 5/FF 5, bug 649152 hasn't landed)
It happens at a very low volume:
* 84 crashes in 22.0
* 4 in 23.0b9
Crash Signature: [@ js::gc::MarkChildren ] → [@ js::gc::MarkChildren ] [@ js::gc::MarkChildren(JSTracer*, js::types::TypeObject*) ] [@ js::gc::MarkChildren(JSTracer*, JSObject*) ] [@ js::gc::MarkChildren(JSTracer*, JSScript*) ] [@ js::gc::MarkChildren(JSTracer*, js::Shape const*) ]
Summary: crash [@ js::gc::MarkChildren ] → crash in js::gc::MarkChildren
Whiteboard: [mobile-crash]
Assignee: general → nobody
In the last six months only 32 crashes, none newer than Firefox version 35.
Status: NEW → RESOLVED
Closed: 6 years ago
Resolution: --- → INCOMPLETE