Closed Bug 1011105 Opened 10 years ago Closed 10 years ago

crash in mozalloc_abort(char const* const) | mozilla::pkix::der::OptionalVersion(mozilla::pkix::der::Input&, unsigned char&)

Categories

(Core :: JavaScript Engine: JIT, defect)

Product:
Core
Component:
JavaScript Engine: JIT
Version:
32 Branch
Platform:
x86
Windows NT
Type:
defect
Priority:
Not set
Severity:
critical

Tracking

()

Status:
RESOLVED DUPLICATE of bug 944873
Tracking Flags:
Tracking Status
firefox32 - affected

People

(Reporter: jbecerra, Unassigned)

Details

(Keywords: crash)

Crash Data

This bug was filed from the Socorro interface and is 
report bp-6f4b3fa6-3527-43c6-8db9-ee8832140508.
=============================================================

Top crasher, #5 or so, on nightly starting around 5/8, mostly on Windows 7 and Windows 8.1. There are a few comments in the reports and some of them say that the browser crashes when attempting to watch a video on Youtube or "anything that needs Adobe Flash."

0 	mozalloc.dll 	mozalloc_abort(char const * const) 	memory/mozalloc/mozalloc_abort.cpp
1 	xul.dll 	mozilla::pkix::der::OptionalVersion(mozilla::pkix::der::Input &,unsigned char &) 	
2 	xul.dll 	mozilla::pkix::der::OptionalVersion(mozilla::pkix::der::Input &,unsigned char &) 	
3 	xul.dll 	mozilla::pkix::der::OptionalVersion(mozilla::pkix::der::Input &,unsigned char &) 	
4 	xul.dll 	xptiInterfaceEntry::EnsureResolved() 	
5 	mozjs.dll 	js::jit::BaselineCompiler::emitBody() 	
6 	mozjs.dll 	JS::Rooted<JSFunction *>::Rooted<JSFunction *>(js::ContextFriendFields *,JSFunction *) 	
7 	mozjs.dll 	js::jit::BaselineCompiler::emitBody() 	
8 	mozjs.dll 	js::jit::BaselineCompiler::emitBody() 	
9 	mozjs.dll 	js::jit::LiveInterval::addRangeAtHead(js::jit::CodePosition,js::jit::CodePosition) 	
10 	mozjs.dll 	js::jit::BaselineCompiler::emitBody() 	
11 	mozjs.dll 	js::jit::BaselineCompiler::emitBody() 	
12 	mozjs.dll 	js::AbstractFramePtr::AbstractFramePtr(js::InterpreterFrame *) 	
13 	mozjs.dll 	js::jit::BaselineCompiler::emitBody() 	
14 	mozjs.dll 	js::jit::BaselineCompiler::emitBody() 	
15 	mozjs.dll 	js::jit::BaselineCompiler::emitBody() 	
16 		@0x15e4547d 	
17 		@0x970a780 	
18 		@0xc3c7f21 	
19 		@0x85df758 	
20 		@0x15e408f4 	
21 	mozjs.dll 	js::jit::BaselineCompiler::emitBody() 	
22 	mozjs.dll 	js::jit::BaselineCompiler::emitBody() 	
23 	mozjs.dll 	js::jit::BaselineCompiler::emitBody() 	
24 	mozjs.dll 	js::jit::BaselineCompiler::emitBody() 	
25 	mozjs.dll 	js::jit::LinearScanAllocator::assign(js::jit::LAllocation) 	
26 	mozjs.dll 	js::jit::BaselineCompiler::emitBody() 	
27 	mozjs.dll 	js::jit::BaselineCompiler::emitBody() 	
28 	mozjs.dll 	js::ThreadSafeContext::hasNursery() 	
29 	xul.dll 	nsGenericDOMDataNode::cycleCollection::CanSkipReal(void *,bool) 	
30 	xul.dll 	nsLoadGroup::AddRequest(nsIRequest *,nsISupports *) 	
31 	xul.dll 	mozilla::pkix::der::OptionalVersion(mozilla::pkix::der::Input &,unsigned char &) 	
32 	xul.dll 	mozilla::pkix::der::OptionalVersion(mozilla::pkix::der::Input &,unsigned char &) 	
33 	xul.dll 	mozilla::dom::Event::ConstructorInit(mozilla::dom::EventTarget *,nsPresContext *,mozilla::WidgetEvent *) 	
34 	xul.dll 	mozilla::pkix::der::OptionalVersion(mozilla::pkix::der::Input &,unsigned char &) 	
35 	xul.dll 	xptiInterfaceEntry::EnsureResolved() 	
36 		@0xa79004 	
37 		@0xb752110 	
38 		@0x15e408f4 	
39 	mozjs.dll 	js::jit::BaselineCompiler::emitBody() 	
40 	mozjs.dll 	js::jit::MTypeBarrier::accept(js::jit::MInstructionVisitor *) 	
41 	mozjs.dll 	JS::Rooted<JSFunction *>::Rooted<JSFunction *>(js::ContextFriendFields *,JSFunction *) 	
42 	mozjs.dll 	js::jit::BaselineCompiler::emitBody() 	
43 	mozjs.dll 	js::jit::BaselineCompiler::emitBody() 	
44 	mozjs.dll 	js::jit::BaselineCompiler::emitBody() 	
45 	mozjs.dll 	js::ThreadSafeContext::hasNursery() 	
46 	xul.dll 	nsGenericDOMDataNode::cycleCollection::CanSkipReal(void *,bool) 	
47 	xul.dll 	nsLoadGroup::AddRequest(nsIRequest *,nsISupports *) 	
48 	xul.dll 	mozilla::pkix::der::OptionalVersion(mozilla::pkix::der::Input &,unsigned char &) 	
49 	xul.dll 	mozilla::pkix::der::OptionalVersion(mozilla::pkix::der::Input &,unsigned char &) 	
50 	xul.dll 	mozilla::net::HttpBaseChannel::QueryInterface(nsID const &,void * *) 	
51 	xul.dll 	mozilla::widget::JumpListShortcut::SetFaviconPageUri(nsIURI *) 	
52 	xul.dll 	mozilla::RefreshDriverTimer::SetRate(double) 	
53 	xul.dll 	nsFileProtocolHandler::`vector deleting destructor'(unsigned int) 	
54 	xul.dll 	nsDNSRecord::ReportUnusable(unsigned short) 	
55 	firefox.exe 	do_main 	browser/app/nsBrowserApp.cpp
56 	firefox.exe 	NS_internal_main(int,char * *) 	browser/app/nsBrowserApp.cpp
57 	firefox.exe 	wmain 	toolkit/xre/nsWindowsWMain.cpp
58 	firefox.exe 	__tmainCRTStartup 	f:/dd/vctools/crt_bld/self_x86/crt/src/crtexe.c:552
59 	kernel32.dll 	kernel32.dll@0x1338a 	
60 	ntdll.dll 	__RtlUserThreadStart 	
61 	ntdll.dll 	_RtlUserThreadStart

https://crash-stats.mozilla.com/report/list?product=Firefox&signature=mozalloc_abort%28char+const%2A+const%29+%7C+mozilla%3A%3Apkix%3A%3Ader%3A%3AOptionalVersion%28mozilla%3A%3Apkix%3A%3Ader%3A%3AInput%26%2C+unsigned+char%26%29
status-firefox32: --- → affected
tracking-firefox32: --- → ?
(In reply to juan becerra [:juanb] from comment #0)
> 0 	mozalloc.dll 	mozalloc_abort(char const * const) 
> memory/mozalloc/mozalloc_abort.cpp
> 1 	xul.dll 	mozilla::pkix::der::OptionalVersion(mozilla::pkix::der::Input&,unsigned char &) 	
> 2 	xul.dll 	mozilla::pkix::der::OptionalVersion(mozilla::pkix::der::Input&,unsigned char &) 	
> 3 	xul.dll 	mozilla::pkix::der::OptionalVersion(mozilla::pkix::der::Input&,unsigned char &) 	
> 4 	xul.dll 	xptiInterfaceEntry::EnsureResolved() 	
> 5 	mozjs.dll 	js::jit::BaselineCompiler::emitBody()

This stack trace is impossible. mozilla::pkix::der::OptionalVersion does not call mozalloc_abort or MOZ_ABORT or MOZ_ASSERT or anything like that. Further, there is no way to get from JS code to mozilla::pkix::der::* like this. Changing components.
Component: Security: PSM → JavaScript Engine: JIT
Crash Signature: [@ mozalloc_abort(char const* const) | mozilla::pkix::der::OptionalVersion(mozilla::pkix::der::Input&, unsigned char&)] → [@ mozalloc_abort(char const* const) | mozilla::pkix::der::OptionalVersion(mozilla::pkix::der::Input&, unsigned char&)] [@ mozilla::pkix::der::OptionalVersion(mozilla::pkix::der::Input&, unsigned char&)]
Crash-stats had some bad symbols last week, here is what the minidump actually says:

00 00ecb680 67ca0c8f mozalloc!mozalloc_abort+0x2c
01 00ecbab8 67ca0e05 xul!NS_DebugBreak+0x215
02 00ecbad4 67ca0ecd xul!nsDebugImpl::Abort+0x14
03 00ecbaf0 67adfa0c xul!NS_InvokeByIndex+0x27
04 00ecbe04 0322f5dc xul!XPC_WN_CallMethod+0x8ac
WARNING: Frame IP not in any known module. Following frames may be wrong.
05 00ecbe14 00000000 0x322f5dc

msg = 0x00ecb6c8 "[6188] ###!!! ABORT: file resource://gre/modules/AsyncShutdown.jsm, line 431"
Status: NEW → RESOLVED
Closed: 10 years ago
Resolution: --- → DUPLICATE
You need to log in before you can comment on or make changes to this bug.