Closed Bug 1014554 Opened 11 years ago Closed 7 years ago

Random crashes with [@ js::NukeCrossCompartmentWrappers(JSContext*, js::CompartmentFilter const&, js::CompartmentFilter const&, js::NukeReferencesToWindow)]

Categories

(Core :: JavaScript Engine, defect)

Product:
Core
Component:
JavaScript Engine
Version:
31 Branch
Type:
defect
Priority:
Not set
Severity:
critical

Tracking

()

Status:
RESOLVED WORKSFORME
Tracking Flags:
Tracking Status
firefox31 --- affected
firefox32 --- affected
firefox33 --- affected
firefox40 --- affected
firefox41 --- affected
firefox42 --- affected
firefox43 --- affected
firefox44 --- affected
firefox45 --- affected
firefox46 --- affected
firefox47 --- affected
firefox48 --- ?
firefox49 --- ?
firefox-esr38 --- affected
firefox-esr45 --- affected
thunderbird_esr38 --- affected
thunderbird_esr45 --- affected

People

(Reporter: whimboo, Unassigned)

References

(
URL
)

Details

(Keywords: crash, reproducible, Whiteboard: [tbird crash], ShutDownKill)

Crash Data

Attachments

(1 file)

tb-gdb.txt
97.58 KB, text/plain
Details
Mozilla/5.0 (X11; Linux x86_64; rv:32.0) Gecko/20100101 Firefox/32.0 ID:20140521030200 CSet: 9d8d16695f6a I hit this crash twice in a row after updating Nightly to todays version, and when trying to click the former crash report in about:crashes. Reports: bp-b85e81b7-b5cb-47b3-9aec-874102140522 bp-68922d6d-072f-483d-9648-480842140522 Crash Reason SIGSEGV Crash Address 0x0 0 libxul.so js::UncheckedUnwrap(JSObject*, bool, unsigned int*) js/src/jsfriendapi.h 1 libxul.so js::NukeCrossCompartmentWrappers(JSContext*, js::CompartmentFilter const&, js::CompartmentFilter const&, js::NukeReferencesToWindow) js/src/jswrapper.cpp 2 libxul.so WindowDestroyedEvent::Run() dom/base/nsGlobalWindow.cpp 3 libxul.so nsThread::ProcessNextEvent(bool, bool*) xpcom/threads/nsThread.cpp 4 libxul.so NS_ProcessNextEvent(nsIThread*, bool) xpcom/glue/nsThreadUtils.cpp 5 libxul.so mozilla::ipc::MessagePump::Run(base::MessagePump::Delegate*) ipc/glue/MessagePump.cpp 6 libxul.so MessageLoop::Run() ipc/chromium/src/base/message_loop.cc 7 libxul.so nsBaseAppShell::Run() widget/xpwidgets/nsBaseAppShell.cpp 8 libxul.so nsAppStartup::Run() toolkit/components/startup/nsAppStartup.cpp 9 libxul.so XREMain::XRE_mainRun() toolkit/xre/nsAppRunner.cpp 10 libxul.so XREMain::XRE_main(int, char**, nsXREAppData const*) toolkit/xre/nsAppRunner.cpp 11 libxul.so XRE_main toolkit/xre/nsAppRunner.cpp 12 firefox do_main browser/app/nsBrowserApp.cpp 13 firefox main browser/app/nsBrowserApp.cpp 14 libc-2.19.so libc-2.19.so@0x21ec5 15 firefox firefox@0x37c0 16 firefox firefox@0x6644 By operating system: Windows 7 67.87 % 676 Windows XP 15.56 % 155 Windows Vista 8.23 % 82 Windows 8.1 2.91 % 29 Linux 2.51 % 25 Windows 8 2.51 % 25 OS X 10.6 0.20 % 2 OS X 10.9 0.10 % 1 OS X 10.7 0.10 % 1
Crash Signature: [@ js::NukeCrossCompartmentWrappers(JSContext*, js::CompartmentFilter const&, js::CompartmentFilter const&, js::NukeReferencesToWindow)] [@ js::UncheckedUnwrap(JSObject*, bool, unsigned int*) ]
Looks like the patch on bug 921171 didn't really fix the topcrash. Brian, can you have a look at?
(In reply to Henrik Skupin (:whimboo) from comment #1) > Looks like the patch on bug 921171 didn't really fix the topcrash. Brian, > can you have a look at? There are lots of things which could cause this crash, bug 921171 just fixed one case where we were crashing (and definitely did fix that case, since there were STR). Without STR here there's not much I can do.
Another user in post https://support.mozilla.org/en-US/questions/1004524 But no clues as to STR one of the crashes (44% memory) Report bp-53f967d6-d1b1-45b1-b2e1-8a77c2140609
It happens to me just now in FF 31b4 bp-fbb64793-4b7f-47ff-9376-a59882140625
Not listed under top-crashers anymore. So removing keyword. Fernando, any chance you can reproduce it?
URL: https://crash-stats.mozilla.com/repor...
status-firefox31: --- → affected
status-firefox32: --- → affected
status-firefox33: --- → affected
Keywords: topcrash
(In reply to Henrik Skupin (:whimboo) from comment #5) > Fernando, any chance you can reproduce it? Unfortunately no :-( I was just opening allot of tabs (not more then usually I open) from RSS feed in Thunderbird and suddenly FF crash massage appeared
bp-e84a645b-f89a-487d-877f-7c3f92140718 me. never had this sig before crash reporter URL gives about:blank same stack as comment 0 http://hg.mozilla.org/mozilla-central/annotate/095d2a9c2be5/js/src/jswrapper.cpp#l920 wmccloskey@154394 907 for (CompartmentsIter c(rt, SkipAtoms); !c.done(); c.next()) { gkrizsanits@99549 908 if (!sourceFilter.match(c)) khuey@92442 909 continue; khuey@92442 910 khuey@92442 911 // Iterate the wrappers looking for anything interesting. jcoppeard@114799 912 for (JSCompartment::WrapperEnum e(c); !e.empty(); e.popFront()) { khuey@92442 913 // Some cross-compartment wrappers are for strings. We're not khuey@92442 914 // interested in those. jwalden@158689 915 const CrossCompartmentKey &k = e.front().key(); wmccloskey@96352 916 if (k.kind != CrossCompartmentKey::ObjectWrapper) khuey@92442 917 continue; khuey@92442 918 wmccloskey@112847 919 AutoWrapperRooter wobj(cx, WrapperValue(e)); maligree@128491 920 JSObject *wrapped = UncheckedUnwrap(wobj);
See Also: → 921171
Summary: [topcrash] Random crashes with [@ js::NukeCrossCompartmentWrappers(JSContext*, js::CompartmentFilter const&, js::CompartmentFilter const&, js::NukeReferencesToWindow)] → Random crashes with [@ js::NukeCrossCompartmentWrappers(JSContext*, js::CompartmentFilter const&, js::CompartmentFilter const&, js::NukeReferencesToWindow)]
I have STR. 100% reproducible, using Firefox 43.01a on MacOS 10.10.4 1. Open telemetry.mozilla.org 2. Click "value being measured" and enter "foo_" 3. Immediate crash.
Flags: needinfo?(bhackett1024)
(In reply to David Rajchenbach-Teller [:Yoric] (use "needinfo") from comment #9) > I have STR. 100% reproducible, using Firefox 43.01a on MacOS 10.10.4 > > 1. Open telemetry.mozilla.org > 2. Click "value being measured" and enter "foo_" > 3. Immediate crash. Do you have a blame changeset?
Flags: needinfo?(bhackett1024)
I realize that this depends on the add-ons installed.
Attached file tb-gdb.txt
Happens also with TB 38.2 on openSUSE Tumbleweed x86_64
STR(step by step) 1. Open https://telemetry.mozilla.org/ 2. Click "Histogram Dashboard" big blue button and wait for repainting of the page 3. Click 1st link in "xxx distribution for ..." paragraph and type "foo" into "Search" input field Actual Results Immediate crash.
Flags: needinfo?(m_kato)
I cannot reproduce this using comment #9 and #14 on the latest nightly (2015-09-22) on OSX 10.10 x86_64 and Linux x86_64 with e10s and non-e10s. Yoric, do you reproduce this on 44 too?
Flags: needinfo?(m_kato) → needinfo?(dteller)
I cannot reproduce anymore on 44, with e10s.
Flags: needinfo?(dteller)
crashed on the bad build Nightly 20150915030232. However, no longer crash on latest Nightly. https://hg.mozilla.org/mozilla-central/rev/2235e56c94cf61614902fd3a4ac7b837f7154b97 Mozilla/5.0 (Windows NT 6.1; WOW64; rv:44.0) Gecko/20100101 Firefox/44.0 ID:20150922030204 Progression window: https://hg.mozilla.org/integration/mozilla-inbound/pushloghtml?fromchange=dab5c069d6d3428445d448b597aac238600cfc6d&tochange=34606afcc726 Fixed by Bug 1203381, at least with STR Comment 14
From comment #17, firefox 43 is fixed.
status-firefox43: affectedfixed
Crash Signature: [@ js::NukeCrossCompartmentWrappers(JSContext*, js::CompartmentFilter const&, js::CompartmentFilter const&, js::NukeReferencesToWindow)] [@ js::UncheckedUnwrap(JSObject*, bool, unsigned int*) ] → [@ js::NukeCrossCompartmentWrappers(JSContext*, js::CompartmentFilter const&, js::CompartmentFilter const&, js::NukeReferencesToWindow)] [@ js::UncheckedUnwrap(JSObject*, bool, unsigned int*) ] [@ _chkstk | @0x0 | mozilla::StickyScrollContainer::Compute…
Version: 32 Branch → 31 Branch
#38 crash for Thunderbird 38.2.0. But perhaps won't be able to tell whether this patch happens until it hits beta because other channel crash rates are zero per crash-stats.
Whiteboard: [tbird crash]
(let's try again) Won't be able to tell whether Bug 1203381 patch HELPS until Thunderbird hits beta 44 ~late December, because other channels' crash rates are zero.
Crash Signature: , unsigned int*) ] [@ _chkstk | @0x0 | mozilla::StickyScrollContainer::ComputeStickyLimits(nsIFrame*, nsRect*, nsRect*) ] → , unsigned int*) ] [@ _chkstk | @0x0 | mozilla::StickyScrollContainer::ComputeStickyLimits(nsIFrame*, nsRect*, nsRect*) ] [@ js::NukeCrossCompartmentWrappers] [@ js::UncheckedUnwrap ] [@ _chkstk | @0x0 | mozilla::StickyScrollContainer::ComputeStickyLi…
Yesterday's build (which the crash report is from) had a memory corruption issue, so it is probably just that. If you update again hopefully it will be better.
https://crash-stats.mozilla.com/report/list?signature=js%3A%3ANukeCrossCompartmentWrappers%28JSContext*%2C+js%3A%3ACompartmentFilter+const%26%2C+js%3A%3ACompartmentFilter+const%26%2C+js%3A%3ANukeReferencesToWindow%29&range_value=7&range_unit=days&date=2015-10-17 Last 7 days ... Operating System: Provides a breakdown of the crashes by OS for version(s) and product(s). Operating System Percentage Number Of Crashes Windows 7 72.44% 791 Windows 10 7.78% 85 Windows XP 7.42% 81 Windows 8.1 4.85% 53 OS X 10.10 2.29% 25 Windows Vista 1.65% 18 Windows 8 1.19% 13 OS X 10.11 0.82% 9 OS X 10.9 0.64% 7 OS X 10.6 0.55% 6 Linux 0.18% 2 OS X 10.7 0.09% 1 OS X 10.8 0.09% 1 Product: Breakdown of total crashes per product and version. Product Version Percentage Number Of Crashes Firefox 41.0.1 37.00% 404 Thunderbird 38.3.0 22.89% 250 Firefox 42.0b5 10.07% 110 Thunderbird 38.2.0 4.30% 47 Firefox 42.0b6 2.56% 28 Thunderbird 38.1.0 2.56% 28 Firefox 43.0a2 1.83% 20 Firefox 40.0.3 1.74% 19 Firefox 44.0a1 1.47% 16 Firefox 42.0b4 1.47% 16 Firefox 41.0b99 1.19% 13 Firefox 39.0 0.73% 8 Firefox 39.0.3 0.46% 5 Firefox 38.0.5b3 0.46% 5 Firefox 40.0.2 0.46% 5 Firefox 42.0b1 0.46% 5 Firefox 38.0.5 0.37% 4 Firefox 40.0 0.37% 4 Firefox 41.0 0.37% 4 Firefox 42.0b3 0.37% 4 Firefox 36.0b4 0.28% 3 Firefox 41.0.2 0.28% 3 Firefox 41.0b5 0.28% 3 Firefox 41.0b9 0.28% 3 Firefox 41.0b6 0.28% 3 Firefox 38.0b9 0.28% 3 Firefox 37.0b4 0.18% 2 Firefox 20.0b7 0.18% 2 Firefox 40.0b99 0.18% 2 SeaMonkey 2.38 0.18% 2 Firefox 36.0b10 0.18% 2 Firefox 38.0.1 0.18% 2 Firefox 38.0b1 0.18% 2 Thunderbird 41.0b2 0.18% 2 Firefox 36.0b3 0.18% 2 Firefox 40.0b1 0.18% 2 Firefox 40.0b9 0.18% 2 Firefox 29.0b4 0.18% 2 Firefox 32.0.3 0.18% 2 Firefox 42.0b2 0.18% 2 Firefox 29.0b8 0.18% 2 Firefox 30.0b9 0.18% 2 Firefox 41.0b3 0.18% 2 Firefox 32.0b1 0.09% 1 Firefox 37.0b99 0.09% 1 Firefox 26.0b5 0.09% 1 Thunderbird 31.7.0 0.09% 1 Firefox 39.0b1 0.09% 1 Firefox 31.0b4 0.09% 1 Firefox 31.0b6 0.09% 1 Firefox 34.0b9 0.09% 1 Firefox 40.0b4 0.09% 1 Firefox 25.0b4 0.09% 1 Firefox 25.0.1 0.09% 1 Thunderbird 38.0.1 0.09% 1 Firefox 36.0b6 0.09% 1 Firefox 40.0b7 0.09% 1 Firefox 22.0b1 0.09% 1 Firefox 31.0 0.09% 1 Firefox 40.0a2 0.09% 1 Firefox 30.0b3 0.09% 1 Firefox 39.0b2 0.09% 1 Firefox 33.0b9 0.09% 1 Firefox 29.0 0.09% 1 Firefox 38.0b8 0.09% 1 Firefox 24.1.1esr 0.09% 1 FennecAndroid 29.0b8 0.09% 1 Firefox 32.0b8 0.09% 1 Firefox 32.0b99 0.09% 1 Firefox 28.0 0.09% 1 FennecAndroid 24.0 0.09% 1 Firefox 28.0b9 0.09% 1 Firefox 41.0a2 0.09% 1 Firefox 39.0b99 0.09% 1 Firefox 38.0b5 0.09% 1 Firefox 31.0b8 0.09% 1 Firefox 36.0b2 0.09% 1 Firefox 36.0.1 0.09% 1 Firefox 36.0b5 0.09% 1 Firefox 23.0b9 0.09% 1 Firefox 39.0b4 0.09% 1 Firefox 39.0b7 0.09% 1 Firefox 30.0 0.09% 1 Thunderbird 31.2.0 0.09% 1 Firefox 41.0b7 0.09% 1 Firefox 37.0.1 0.09% 1 Firefox 32.0b4 0.09% 1 Firefox 35.0b6 0.09% 1
status-firefox41: --- → affected
status-firefox43: fixedaffected
status-firefox44: unaffectedaffected
status-firefox-esr38: --- → affected
Blocks: shutdownkill
Whiteboard: [tbird crash] → [tbird crash], ShutDownKill
Win7, FF45.0a1, 64bit https://crash-stats.mozilla.com/report/index/bdd00f33-7787-4915-bf79-c8e092151109 Crashing Thread Frame Module Signature Source 0 xul.dll js::NukeCrossCompartmentWrappers(JSContext*, js::CompartmentFilter const&, js::CompartmentFilter const&, js::NukeReferencesToWindow) js/src/proxy/CrossCompartmentWrapper.cpp 1 xul.dll WindowDestroyedEvent::Run() dom/base/nsGlobalWindow.cpp 2 xul.dll nsThread::ProcessNextEvent(bool, bool*) xpcom/threads/nsThread.cpp 3 xul.dll NS_ProcessNextEvent(nsIThread*, bool) xpcom/glue/nsThreadUtils.cpp 4 xul.dll nsXMLHttpRequest::Send(nsIVariant*, mozilla::dom::Nullable<nsXMLHttpRequest::RequestBody> const&) dom/base/nsXMLHttpRequest.cpp 5 xul.dll nsXMLHttpRequest::Send(nsXMLHttpRequest::RequestBody const&) dom/base/nsXMLHttpRequest.h 6 xul.dll nsXMLHttpRequest::Send(JSContext*, nsAString_internal const&, mozilla::ErrorResult&) dom/base/nsXMLHttpRequest.h 7 xul.dll mozilla::dom::XMLHttpRequestBinding::send obj-firefox/dom/bindings/XMLHttpRequestBinding.cpp 8 xul.dll mozilla::dom::GenericBindingMethod(JSContext*, unsigned int, JS::Value*) dom/bindings/BindingUtils.cpp 9 xul.dll js::Invoke(JSContext*, JS::CallArgs const&, js::MaybeConstruct) js/src/vm/Interpreter.cpp 10 xul.dll js::fun_apply(JSContext*, unsigned int, JS::Value*) js/src/jsfun.cpp 11 xul.dll js::Invoke(JSContext*, JS::CallArgs const&, js::MaybeConstruct) js/src/vm/Interpreter.cpp 12 xul.dll Interpret js/src/vm/Interpreter.cpp 13 xul.dll js::RunScript(JSContext*, js::RunState&) js/src/vm/Interpreter.cpp 14 xul.dll js::Invoke(JSContext*, JS::CallArgs const&, js::MaybeConstruct) js/src/vm/Interpreter.cpp 15 xul.dll js::fun_apply(JSContext*, unsigned int, JS::Value*) js/src/jsfun.cpp 16 xul.dll js::Invoke(JSContext*, JS::CallArgs const&, js::MaybeConstruct) js/src/vm/Interpreter.cpp 17 xul.dll js::Invoke(JSContext*, JS::Value const&, JS::Value const&, unsigned int, JS::Value const*, JS::MutableHandle<JS::Value>) js/src/vm/Interpreter.cpp 18 xul.dll js::jit::DoCallFallback js/src/jit/BaselineIC.cpp 19 @0x1e0a7ac1a5c 20 xul.dll js::jit::DoTypeMonitorFallback js/src/jit/BaselineIC.cpp 21 @0x38de97
From the crash signature js::NukeCrossCompartmentWrappers, the current affected versions are: - Nightly: 47 - Aurora: 46 - Beta: 44.0b1, 44.0b2, 44.0b6, 44.0b8, 44.0b9, 44.0b99, 45.0b1, 45.0b2 - Release: 44.0 From the crash signature UpdateCellPointersTyped<T> , the current affected versions are: - Beta: 44.0b1, 44.0b8, 45.0b1, 45.0b2 - Release: 44.0 From the crash signature js::NukeCrossCompartmentWrappers(JSContext*, js::CompartmentFilter const&, js::CompartmentFilter const&, js::NukeReferencesToWindow), the current affected versions are: - Nightly: 44 From the crash signature js::UncheckedUnwrap, the current affected versions are: - Nightly: 46, 47 - Aurora: 46 - Beta: 44.0b1, 44.0b99, 45.0b1 - Release: 44.0 Tested on Windows 7 x64 with Nightly 45.0a1 and 47.0a1 and Aurora 46.0a2, Linux and Mac OS 10.10 with Nightly 47.0a1 and Aurora 46.0a2. I can't reproduce this issue with the steps provided in Comment 9 and Comment 14.
I get this crash a lot lately. Only from today, two of these crashes: https://crash-stats.mozilla.com/report/index/c0e97e5e-4b07-416e-8441-b25d22160215 https://crash-stats.mozilla.com/report/index/4a682706-6174-432e-921d-e677d2160215 Firefox was idle while it crashed if that helps somehow.
Whiteboard: [tbird crash], ShutDownKill → [tbird topcrash], ShutDownKill
(In reply to Wayne Mery (:wsmwk, NI for questions) from comment #20) > (let's try again) > > Won't be able to tell whether Bug 1203381 patch HELPS until Thunderbird hits > beta 44 ~late December, because other channels' crash rates are zero. TB45.1.1 js::UncheckedUnwrap is #21 crash
(In reply to Petr Vones from comment #28) > TB 52.2.1 js::UncheckedUnwrap > https://crash-stats.mozilla.com/report/index/900a0cc2-25c1-4ec2-b6ef- > 830d20170705 Petr no longer crashes
Keywords: topcrash-thunderbird
Whiteboard: [tbird topcrash], ShutDownKill → [tbird crash], ShutDownKill
Thunderbird 60 crashes for js::UncheckedUnwrap are near zero, and firefox 60 likewise
Status: NEW → RESOLVED
Closed: 7 years ago
Resolution: --- → WORKSFORME
You need to log in before you can comment on or make changes to this bug.

Attachment

General

Creator:
Created:
Updated:
Size: