Closed Bug 1014554 Opened 10 years ago Closed 6 years ago

Random crashes with [@ js::NukeCrossCompartmentWrappers(JSContext*, js::CompartmentFilter const&, js::CompartmentFilter const&, js::NukeReferencesToWindow)]

Categories

(Core :: JavaScript Engine, defect)

31 Branch
defect
Not set
critical

Tracking

RESOLVED WORKSFORME
Tracking Status
firefox31 --- affected
firefox32 --- affected
firefox33 --- affected
firefox40 --- affected
firefox41 --- affected
firefox42 --- affected
firefox43 --- affected
firefox44 --- affected
firefox45 --- affected
firefox46 --- affected
firefox47 --- affected
firefox48 --- ?
firefox49 --- ?
firefox-esr38 --- affected
firefox-esr45 --- affected
thunderbird_esr38 --- affected
thunderbird_esr45 --- affected

People

(Reporter: whimboo, Unassigned)

Details

(Keywords: crash, reproducible, Whiteboard: [tbird crash], ShutDownKill)

Attachments

(1 file)

Mozilla/5.0 (X11; Linux x86_64; rv:32.0) Gecko/20100101 Firefox/32.0 ID:20140521030200 CSet: 9d8d16695f6a

I hit this crash twice in a row after updating Nightly to today's version, and when trying to click the former crash report in about:crashes.

Reports:
bp-b85e81b7-b5cb-47b3-9aec-874102140522
bp-68922d6d-072f-483d-9648-480842140522


Crash Reason 	SIGSEGV
Crash Address 	0x0

0 	libxul.so 	js::UncheckedUnwrap(JSObject*, bool, unsigned int*) 	js/src/jsfriendapi.h
1 	libxul.so 	js::NukeCrossCompartmentWrappers(JSContext*, js::CompartmentFilter const&, js::CompartmentFilter const&, js::NukeReferencesToWindow) 	js/src/jswrapper.cpp
2 	libxul.so 	WindowDestroyedEvent::Run() 	dom/base/nsGlobalWindow.cpp
3 	libxul.so 	nsThread::ProcessNextEvent(bool, bool*) 	xpcom/threads/nsThread.cpp
4 	libxul.so 	NS_ProcessNextEvent(nsIThread*, bool) 	xpcom/glue/nsThreadUtils.cpp
5 	libxul.so 	mozilla::ipc::MessagePump::Run(base::MessagePump::Delegate*) 	ipc/glue/MessagePump.cpp
6 	libxul.so 	MessageLoop::Run() 	ipc/chromium/src/base/message_loop.cc
7 	libxul.so 	nsBaseAppShell::Run() 	widget/xpwidgets/nsBaseAppShell.cpp
8 	libxul.so 	nsAppStartup::Run() 	toolkit/components/startup/nsAppStartup.cpp
9 	libxul.so 	XREMain::XRE_mainRun() 	toolkit/xre/nsAppRunner.cpp
10 	libxul.so 	XREMain::XRE_main(int, char**, nsXREAppData const*) 	toolkit/xre/nsAppRunner.cpp
11 	libxul.so 	XRE_main 	toolkit/xre/nsAppRunner.cpp
12 	firefox 	do_main 	browser/app/nsBrowserApp.cpp
13 	firefox 	main 	browser/app/nsBrowserApp.cpp
14 	libc-2.19.so 	libc-2.19.so@0x21ec5 	
15 	firefox 	firefox@0x37c0 	
16 	firefox 	firefox@0x6644

By operating system:

Windows 7 	67.87 %	676
Windows XP 	15.56 %	155
Windows Vista 	8.23 %	82
Windows 8.1 	2.91 %	29
Linux   	2.51 %	25
Windows 8 	2.51 %	25
OS X 10.6 	0.20 %	2
OS X 10.9 	0.10 %	1
OS X 10.7 	0.10 %	1
Crash Signature: [@ js::NukeCrossCompartmentWrappers(JSContext*, js::CompartmentFilter const&, js::CompartmentFilter const&, js::NukeReferencesToWindow)] [@ js::UncheckedUnwrap(JSObject*, bool, unsigned int*) ]
Looks like the patch on bug 921171 didn't really fix the topcrash. Brian, can you have a look at it?
(In reply to Henrik Skupin (:whimboo) from comment #1)
> Looks like the patch on bug 921171 didn't really fix the topcrash. Brian,
> can you have a look at it?

There are lots of things which could cause this crash, bug 921171 just fixed one case where we were crashing (and definitely did fix that case, since there were STR).  Without STR here there's not much I can do.
Another user in post https://support.mozilla.org/en-US/questions/1004524
But no clues as to STR. One of the crashes (44% memory): Report bp-53f967d6-d1b1-45b1-b2e1-8a77c2140609
It happened to me just now in FF 31b4: bp-fbb64793-4b7f-47ff-9376-a59882140625
Not listed under top-crashers anymore. So removing keyword.

Fernando, any chance you can reproduce it?
(In reply to Henrik Skupin (:whimboo) from comment #5)
> Fernando, any chance you can reproduce it?

Unfortunately no :-(
I was just opening a lot of tabs (not more than I usually open) from an RSS feed in Thunderbird and suddenly the FF crash message appeared
bp-e84a645b-f89a-487d-877f-7c3f92140718 me. never had this sig before
crash reporter URL gives about:blank

same stack as comment 0

http://hg.mozilla.org/mozilla-central/annotate/095d2a9c2be5/js/src/jswrapper.cpp#l920
wmccloskey@154394  907  for (CompartmentsIter c(rt, SkipAtoms); !c.done(); c.next()) {
gkrizsanits@99549  908      if (!sourceFilter.match(c))
khuey@92442        909          continue;
khuey@92442        910
khuey@92442        911      // Iterate the wrappers looking for anything interesting.
jcoppeard@114799   912      for (JSCompartment::WrapperEnum e(c); !e.empty(); e.popFront()) {
khuey@92442        913          // Some cross-compartment wrappers are for strings. We're not
khuey@92442        914          // interested in those.
jwalden@158689     915          const CrossCompartmentKey &k = e.front().key();
wmccloskey@96352   916          if (k.kind != CrossCompartmentKey::ObjectWrapper)
khuey@92442        917              continue;
khuey@92442        918
wmccloskey@112847  919          AutoWrapperRooter wobj(cx, WrapperValue(e));
maligree@128491    920          JSObject *wrapped = UncheckedUnwrap(wobj);
See Also: → 921171
Summary: [topcrash] Random crashes with [@ js::NukeCrossCompartmentWrappers(JSContext*, js::CompartmentFilter const&, js::CompartmentFilter const&, js::NukeReferencesToWindow)] → Random crashes with [@ js::NukeCrossCompartmentWrappers(JSContext*, js::CompartmentFilter const&, js::CompartmentFilter const&, js::NukeReferencesToWindow)]
I have STR. 100% reproducible, using Firefox 43.01a on MacOS 10.10.4

1. Open telemetry.mozilla.org
2. Click "value being measured" and enter "foo_"
3. Immediate crash.
Flags: needinfo?(bhackett1024)
(In reply to David Rajchenbach-Teller [:Yoric] (use "needinfo") from comment #9)
> I have STR. 100% reproducible, using Firefox 43.01a on MacOS 10.10.4
> 
> 1. Open telemetry.mozilla.org
> 2. Click "value being measured" and enter "foo_"
> 3. Immediate crash.

Do you have a blame changeset?
Flags: needinfo?(bhackett1024)
I realize that this depends on the add-ons installed.
Attached file tb-gdb.txt
Happens also with TB 38.2 on openSUSE Tumbleweed x86_64
STR(step by step)
1. Open https://telemetry.mozilla.org/
2. Click "Histogram Dashboard" big blue button and wait for repainting of the page
3. Click 1st link in "xxx distribution for ..." paragraph and type "foo" into "Search" input field
Actual Results
Immediate crash.
Flags: needinfo?(m_kato)
I cannot reproduce this using comment #9 and #14 on the latest nightly (2015-09-22) on OSX 10.10 x86_64 and Linux x86_64 with e10s and non-e10s.

Yoric, do you reproduce this on 44 too?
Flags: needinfo?(m_kato) → needinfo?(dteller)
I cannot reproduce anymore on 44, with e10s.
Flags: needinfo?(dteller)
Crashed on the bad build Nightly 20150915030232.
However, it no longer crashes on the latest Nightly.
https://hg.mozilla.org/mozilla-central/rev/2235e56c94cf61614902fd3a4ac7b837f7154b97
Mozilla/5.0 (Windows NT 6.1; WOW64; rv:44.0) Gecko/20100101 Firefox/44.0 ID:20150922030204


Progression window:
https://hg.mozilla.org/integration/mozilla-inbound/pushloghtml?fromchange=dab5c069d6d3428445d448b597aac238600cfc6d&tochange=34606afcc726

Fixed by Bug 1203381, at least with STR Comment 14
From comment #17, firefox 43 is fixed.
Crash Signature: [@ js::NukeCrossCompartmentWrappers(JSContext*, js::CompartmentFilter const&, js::CompartmentFilter const&, js::NukeReferencesToWindow)] [@ js::UncheckedUnwrap(JSObject*, bool, unsigned int*) ] → [@ js::NukeCrossCompartmentWrappers(JSContext*, js::CompartmentFilter const&, js::CompartmentFilter const&, js::NukeReferencesToWindow)] [@ js::UncheckedUnwrap(JSObject*, bool, unsigned int*) ] [@ _chkstk | @0x0 | mozilla::StickyScrollContainer::Compute…
Version: 32 Branch → 31 Branch
#38 crash for Thunderbird 38.2.0. But perhaps won't be able to tell whether this patch happens until it hits beta because other channel crash rates are zero per crash-stats.
Whiteboard: [tbird crash]
(let's try again)

Won't be able to tell whether Bug 1203381 patch HELPS until Thunderbird hits beta 44 ~late December, because other channels' crash rates are zero.
Crash Signature: , unsigned int*) ] [@ _chkstk | @0x0 | mozilla::StickyScrollContainer::ComputeStickyLimits(nsIFrame*, nsRect*, nsRect*) ] → , unsigned int*) ] [@ _chkstk | @0x0 | mozilla::StickyScrollContainer::ComputeStickyLimits(nsIFrame*, nsRect*, nsRect*) ] [@ js::NukeCrossCompartmentWrappers] [@ js::UncheckedUnwrap ] [@ _chkstk | @0x0 | mozilla::StickyScrollContainer::ComputeStickyLi…
Yesterday's build (which the crash report is from) had a memory corruption issue, so it is probably just that. If you update again hopefully it will be better.
https://crash-stats.mozilla.com/report/list?signature=js%3A%3ANukeCrossCompartmentWrappers%28JSContext*%2C+js%3A%3ACompartmentFilter+const%26%2C+js%3A%3ACompartmentFilter+const%26%2C+js%3A%3ANukeReferencesToWindow%29&range_value=7&range_unit=days&date=2015-10-17

Last 7 days ...

Operating System: Provides a breakdown of the crashes by OS for version(s) and product(s).
Operating System	Percentage 	Number Of Crashes
Windows 7 		72.44% 		791
Windows 10 		 7.78% 		85
Windows XP 		 7.42% 		81
Windows 8.1 		 4.85% 		53
OS X 10.10 		 2.29% 		25
Windows Vista 		 1.65% 		18
Windows 8 		 1.19% 		13
OS X 10.11 		 0.82% 		9
OS X 10.9 		 0.64% 		7
OS X 10.6 		 0.55% 		6
Linux 			 0.18% 		2
OS X 10.7 		 0.09% 		1
OS X 10.8 		 0.09% 		1


Product: Breakdown of total crashes per product and version.
Product 	Version 	Percentage 	Number Of Crashes
Firefox 	41.0.1 		37.00% 		404
Thunderbird 	38.3.0 		22.89% 		250
Firefox 	42.0b5 		10.07% 		110
Thunderbird 	38.2.0 		 4.30% 		47
Firefox 	42.0b6 		 2.56% 		28
Thunderbird 	38.1.0 		 2.56% 		28
Firefox 	43.0a2 		 1.83% 		20
Firefox 	40.0.3 		 1.74% 		19
Firefox 	44.0a1 		 1.47% 		16
Firefox 	42.0b4 		 1.47% 		16
Firefox 	41.0b99 	 1.19% 		13
Firefox 	39.0 		 0.73% 		8
Firefox 	39.0.3 		 0.46% 		5
Firefox 	38.0.5b3 	 0.46% 		5
Firefox 	40.0.2 		 0.46% 		5
Firefox 	42.0b1 		 0.46% 		5
Firefox 	38.0.5 		 0.37% 		4
Firefox 	40.0 		 0.37% 		4
Firefox 	41.0 		 0.37% 		4
Firefox 	42.0b3 		 0.37% 		4
Firefox 	36.0b4 		 0.28% 		3
Firefox 	41.0.2 		 0.28% 		3
Firefox 	41.0b5 		 0.28% 		3
Firefox 	41.0b9 		 0.28% 		3
Firefox 	41.0b6 		 0.28% 		3
Firefox 	38.0b9 		 0.28% 		3
Firefox 	37.0b4 		 0.18% 		2
Firefox 	20.0b7 		 0.18% 		2
Firefox 	40.0b99 	 0.18% 		2
SeaMonkey 	2.38 		 0.18% 		2
Firefox 	36.0b10 	 0.18% 		2
Firefox 	38.0.1 		 0.18% 		2
Firefox 	38.0b1 		 0.18% 		2
Thunderbird 	41.0b2 		 0.18% 		2
Firefox 	36.0b3 		 0.18% 		2
Firefox 	40.0b1 		 0.18% 		2
Firefox 	40.0b9 		 0.18% 		2
Firefox 	29.0b4 		 0.18% 		2
Firefox 	32.0.3 		 0.18% 		2
Firefox 	42.0b2 		 0.18% 		2
Firefox 	29.0b8 		 0.18% 		2
Firefox 	30.0b9 		 0.18% 		2
Firefox 	41.0b3 		 0.18% 		2
Firefox 	32.0b1 		 0.09% 		1
Firefox 	37.0b99 	 0.09% 		1
Firefox 	26.0b5 		 0.09% 		1
Thunderbird 	31.7.0 		 0.09% 		1
Firefox 	39.0b1 		 0.09% 		1
Firefox 	31.0b4 		 0.09% 		1
Firefox 	31.0b6 		 0.09% 		1
Firefox 	34.0b9 		 0.09% 		1
Firefox 	40.0b4 		 0.09% 		1
Firefox 	25.0b4 		 0.09% 		1
Firefox 	25.0.1 		 0.09% 		1
Thunderbird 	38.0.1 		 0.09% 		1
Firefox 	36.0b6 		 0.09% 		1
Firefox 	40.0b7 		 0.09% 		1
Firefox 	22.0b1 		 0.09% 		1
Firefox 	31.0 		 0.09% 		1
Firefox 	40.0a2 		 0.09% 		1
Firefox 	30.0b3 		 0.09% 		1
Firefox 	39.0b2 		 0.09% 		1
Firefox 	33.0b9 		 0.09% 		1
Firefox 	29.0 		 0.09% 		1
Firefox 	38.0b8 		 0.09% 		1
Firefox 	24.1.1esr 	 0.09% 		1
FennecAndroid 	29.0b8 		 0.09% 		1
Firefox 	32.0b8 		 0.09% 		1
Firefox 	32.0b99 	 0.09% 		1
Firefox 	28.0 		 0.09% 		1
FennecAndroid 	24.0 		 0.09% 		1
Firefox 	28.0b9 		 0.09% 		1
Firefox 	41.0a2 		 0.09% 		1
Firefox 	39.0b99 	 0.09% 		1
Firefox 	38.0b5 		 0.09% 		1
Firefox 	31.0b8 		 0.09% 		1
Firefox 	36.0b2 		 0.09% 		1
Firefox 	36.0.1 		 0.09% 		1
Firefox 	36.0b5 		 0.09% 		1
Firefox 	23.0b9 		 0.09% 		1
Firefox 	39.0b4 		 0.09% 		1
Firefox 	39.0b7 		 0.09% 		1
Firefox 	30.0 		 0.09% 		1
Thunderbird 	31.2.0 		 0.09% 		1
Firefox 	41.0b7 		 0.09% 		1
Firefox 	37.0.1 		 0.09% 		1
Firefox 	32.0b4 		 0.09% 		1
Firefox 	35.0b6 		 0.09% 		1
Blocks: shutdownkill
Whiteboard: [tbird crash] → [tbird crash], ShutDownKill
Win7, FF45.0a1, 64bit

https://crash-stats.mozilla.com/report/index/bdd00f33-7787-4915-bf79-c8e092151109

Crashing Thread
Frame 	Module 	Signature 	Source
0 	xul.dll 	js::NukeCrossCompartmentWrappers(JSContext*, js::CompartmentFilter const&, js::CompartmentFilter const&, js::NukeReferencesToWindow) 	js/src/proxy/CrossCompartmentWrapper.cpp
1 	xul.dll 	WindowDestroyedEvent::Run() 	dom/base/nsGlobalWindow.cpp
2 	xul.dll 	nsThread::ProcessNextEvent(bool, bool*) 	xpcom/threads/nsThread.cpp
3 	xul.dll 	NS_ProcessNextEvent(nsIThread*, bool) 	xpcom/glue/nsThreadUtils.cpp
4 	xul.dll 	nsXMLHttpRequest::Send(nsIVariant*, mozilla::dom::Nullable<nsXMLHttpRequest::RequestBody> const&) 	dom/base/nsXMLHttpRequest.cpp
5 	xul.dll 	nsXMLHttpRequest::Send(nsXMLHttpRequest::RequestBody const&) 	dom/base/nsXMLHttpRequest.h
6 	xul.dll 	nsXMLHttpRequest::Send(JSContext*, nsAString_internal const&, mozilla::ErrorResult&) 	dom/base/nsXMLHttpRequest.h
7 	xul.dll 	mozilla::dom::XMLHttpRequestBinding::send 	obj-firefox/dom/bindings/XMLHttpRequestBinding.cpp
8 	xul.dll 	mozilla::dom::GenericBindingMethod(JSContext*, unsigned int, JS::Value*) 	dom/bindings/BindingUtils.cpp
9 	xul.dll 	js::Invoke(JSContext*, JS::CallArgs const&, js::MaybeConstruct) 	js/src/vm/Interpreter.cpp
10 	xul.dll 	js::fun_apply(JSContext*, unsigned int, JS::Value*) 	js/src/jsfun.cpp
11 	xul.dll 	js::Invoke(JSContext*, JS::CallArgs const&, js::MaybeConstruct) 	js/src/vm/Interpreter.cpp
12 	xul.dll 	Interpret 	js/src/vm/Interpreter.cpp
13 	xul.dll 	js::RunScript(JSContext*, js::RunState&) 	js/src/vm/Interpreter.cpp
14 	xul.dll 	js::Invoke(JSContext*, JS::CallArgs const&, js::MaybeConstruct) 	js/src/vm/Interpreter.cpp
15 	xul.dll 	js::fun_apply(JSContext*, unsigned int, JS::Value*) 	js/src/jsfun.cpp
16 	xul.dll 	js::Invoke(JSContext*, JS::CallArgs const&, js::MaybeConstruct) 	js/src/vm/Interpreter.cpp
17 	xul.dll 	js::Invoke(JSContext*, JS::Value const&, JS::Value const&, unsigned int, JS::Value const*, JS::MutableHandle<JS::Value>) 	js/src/vm/Interpreter.cpp
18 	xul.dll 	js::jit::DoCallFallback 	js/src/jit/BaselineIC.cpp
19 		@0x1e0a7ac1a5c 	
20 	xul.dll 	js::jit::DoTypeMonitorFallback 	js/src/jit/BaselineIC.cpp
21 		@0x38de97
From the crash signature js::NukeCrossCompartmentWrappers, the current affected versions are:
- Nightly: 47
- Aurora: 46
- Beta: 44.0b1, 44.0b2, 44.0b6, 44.0b8, 44.0b9, 44.0b99, 45.0b1, 45.0b2 
- Release: 44.0

From the crash signature UpdateCellPointersTyped<T>, the current affected versions are:
- Beta: 44.0b1, 44.0b8, 45.0b1, 45.0b2 
- Release: 44.0

From the crash signature js::NukeCrossCompartmentWrappers(JSContext*, js::CompartmentFilter const&, js::CompartmentFilter const&, js::NukeReferencesToWindow), the current affected versions are:
- Nightly: 44

From the crash signature js::UncheckedUnwrap, the current affected versions are:
- Nightly: 46, 47
- Aurora: 46
- Beta: 44.0b1, 44.0b99, 45.0b1 
- Release: 44.0


Tested on Windows 7 x64 with Nightly 45.0a1 and 47.0a1 and Aurora 46.0a2, Linux and Mac OS 10.10 with Nightly 47.0a1 and Aurora 46.0a2. I can't reproduce this issue with the steps provided in Comment 9 and Comment 14.
I get this crash a lot lately.
Only from today, two of these crashes:
https://crash-stats.mozilla.com/report/index/c0e97e5e-4b07-416e-8441-b25d22160215
https://crash-stats.mozilla.com/report/index/4a682706-6174-432e-921d-e677d2160215
Firefox was idle while it crashed if that helps somehow.
Whiteboard: [tbird crash], ShutDownKill → [tbird topcrash], ShutDownKill
(In reply to Wayne Mery (:wsmwk, NI for questions) from comment #20)
> (let's try again)
> 
> Won't be able to tell whether Bug 1203381 patch HELPS until Thunderbird hits
> beta 44 ~late December, because other channels' crash rates are zero.

TB45.1.1 js::UncheckedUnwrap is #21 crash
(In reply to Petr Vones from comment #28)
> TB 52.2.1 js::UncheckedUnwrap
> https://crash-stats.mozilla.com/report/index/900a0cc2-25c1-4ec2-b6ef-830d20170705

Petr no longer crashes
Whiteboard: [tbird topcrash], ShutDownKill → [tbird crash], ShutDownKill
Thunderbird 60 crashes for js::UncheckedUnwrap are near zero, and firefox 60 likewise
Status: NEW → RESOLVED
Closed: 6 years ago
Resolution: --- → WORKSFORME