Closed Bug 1033854 Opened 10 years ago Closed 10 years ago

Intermittent test_garbage_at_end_of_declarations.html | application crashed [@ JSCompartment::findOutgoingEdges(js::gc::ComponentFinder<JS::Zone>&)] after Assertion failure: kind == CrossCompartmentKey::DebuggerScript ...

Categories

(Core :: JavaScript: GC, defect)

22 Branch
defect
Not set
critical

RESOLVED DUPLICATE of bug 1010666
Tracking Status
firefox31 --- affected
firefox32 --- affected
firefox33 --- affected
firefox-esr24 --- affected

People

(Reporter: KWierso, Unassigned)

Details

(Keywords: crash)

https://tbpl.mozilla.org/php/getParsedLog.php?id=42978953&tree=Mozilla-Inbound
Rev4 MacOSX Snow Leopard 10.6 mozilla-inbound debug test mochitest-5 on 2014-07-02 16:12:54 PDT for push 73a651b7e30a

slave: t-snow-r4-0058



16:19:45     INFO -  2173 INFO TEST-START | /tests/layout/style/test/test_font_feature_values_parsing.html
16:19:45     INFO -  ++DOMWINDOW == 102 (0x125138800) [pid = 947] [serial = 1869] [outer = 0x12f928800]
16:19:45     INFO -  2174 INFO TEST-PASS | /tests/layout/style/test/test_font_feature_values_parsing.html | @font-feature-values rule parsing tests: Elided 100 passes or known failures.
16:19:45     INFO -  2175 INFO TEST-PASS | /tests/layout/style/test/test_font_feature_values_parsing.html | serialization check - @font-feature-values bongo { @swash { blah: 1; } }
16:19:45     INFO -  2176 INFO TEST-PASS | /tests/layout/style/test/test_font_feature_values_parsing.html | @font-feature-values rule parsing tests: Elided 100 passes or known failures.
16:19:45     INFO -  2177 INFO TEST-PASS | /tests/layout/style/test/test_font_feature_values_parsing.html | invalid declarations don't affect valid ones - @font-feature-values bongo { @annotation { blah: 1 2 } }
16:19:45     INFO -  2178 INFO TEST-PASS | /tests/layout/style/test/test_font_feature_values_parsing.html | @font-feature-values rule parsing tests: Elided 100 passes or known failures.
16:19:45     INFO -  2179 INFO TEST-PASS | /tests/layout/style/test/test_font_feature_values_parsing.html | invalid declarations don't affect valid ones - @font-feature-values bongo { @styleset { complex blah: 1; } }
16:19:45     INFO -  2180 INFO TEST-PASS | /tests/layout/style/test/test_font_feature_values_parsing.html | @font-feature-values rule parsing tests: Elided 4 passes or known failures.
16:19:45     INFO -  2181 INFO TEST-INFO | MEMORY STAT vsize after test: 4020412416
16:19:45     INFO -  2182 INFO TEST-INFO | MEMORY STAT residentFast after test: 532631552
16:19:45     INFO -  2183 INFO TEST-INFO | MEMORY STAT heapAllocated after test: 201566672
16:19:45     INFO -  2184 INFO TEST-END | /tests/layout/style/test/test_font_feature_values_parsing.html | finished in 555ms
16:19:45     INFO -  ++DOMWINDOW == 103 (0x125133c00) [pid = 947] [serial = 1870] [outer = 0x12f928800]
16:19:45     INFO -  2185 INFO TEST-START | /tests/layout/style/test/test_garbage_at_end_of_declarations.html
16:19:45     INFO -  ++DOMWINDOW == 104 (0x12516e000) [pid = 947] [serial = 1871] [outer = 0x12f928800]
16:19:46     INFO -  Assertion failure: kind == CrossCompartmentKey::DebuggerScript || kind == CrossCompartmentKey::DebuggerSource || kind == CrossCompartmentKey::DebuggerObject || kind == CrossCompartmentKey::DebuggerEnvironment, at /builds/slave/m-in-osx64-d-00000000000000000/build/js/src/jsgc.cpp:3703
16:19:49     INFO -  TEST-INFO | Main app process: killed by SIGHUP
16:19:49  WARNING -  TEST-UNEXPECTED-FAIL | /tests/layout/style/test/test_garbage_at_end_of_declarations.html | application terminated with exit code 1
16:19:49     INFO -  INFO | runtests.py | Application ran for: 0:05:14.071611
16:19:49     INFO -  INFO | zombiecheck | Reading PID log: /var/folders/gp/gp6E0Yo7GAOF8RNmVxgKMU+++-k/-Tmp-/tmpnX82n8pidlog
16:20:09  WARNING -  PROCESS-CRASH | /tests/layout/style/test/test_garbage_at_end_of_declarations.html | application crashed [@ JSCompartment::findOutgoingEdges(js::gc::ComponentFinder<JS::Zone>&)]
16:20:09     INFO -  Crash dump filename: /var/folders/gp/gp6E0Yo7GAOF8RNmVxgKMU+++-k/-Tmp-/tmpSxY4mm.mozrunner/minidumps/7B457E9B-2240-4F96-A84C-C58F39D1FC78.dmp
16:20:09     INFO -  Operating system: Mac OS X
16:20:09     INFO -                    10.6.8 10K549
16:20:09     INFO -  CPU: amd64
16:20:09     INFO -       family 6 model 23 stepping 10
16:20:09     INFO -       2 CPUs
16:20:09     INFO -  Crash reason:  EXC_BAD_ACCESS / KERN_INVALID_ADDRESS
16:20:09     INFO -  Crash address: 0x0
16:20:09     INFO -  Thread 0 (crashed)
16:20:09     INFO -   0  XUL!JSCompartment::findOutgoingEdges(js::gc::ComponentFinder<JS::Zone>&) [HashTable.h:73a651b7e30a : 1470 + 0x0]
16:20:09     INFO -      rbx = 0x00007fff710922f8   r12 = 0x00007fff5fbfca80
16:20:09     INFO -      r13 = 0x00000001537b9f00   r14 = 0x000000012f0f1000
16:20:09     INFO -      r15 = 0x00007fff5fbfc718   rip = 0x000000010434de86
16:20:09     INFO -      rsp = 0x00007fff5fbfc710   rbp = 0x00007fff5fbfc780
16:20:09     INFO -      Found by: given as instruction pointer in context
16:20:09     INFO -   1  XUL!JS::Zone::findOutgoingEdges(js::gc::ComponentFinder<JS::Zone>&) [jsgc.cpp:73a651b7e30a : 3730 + 0x7]
16:20:09     INFO -      rbx = 0x00007fff5fbfc7b8   r12 = 0x0000000118ddf000
16:20:09     INFO -      r13 = 0x000000012cfc7760   r14 = 0x0000000127873000
16:20:09     INFO -      r15 = 0x00007fff5fbfca80   rip = 0x000000010434dff4
16:20:09     INFO -      rsp = 0x00007fff5fbfc790   rbp = 0x00007fff5fbfc7f0
16:20:09     INFO -      Found by: call frame info
16:20:09     INFO -   2  XUL!js::gc::ComponentFinder<JS::Zone>::processNode(JS::Zone*) [FindSCCs.h:73a651b7e30a : 159 + 0xa]
16:20:09     INFO -      rbx = 0x00007fff5fbfca80   r12 = 0x00007fff5fbfca80
16:20:09     INFO -      r13 = 0x000000012cfc7760   r14 = 0x0000000127873000
16:20:09     INFO -      r15 = 0x000000011eb28000   rip = 0x000000010439148d
16:20:09     INFO -      rsp = 0x00007fff5fbfc800   rbp = 0x00007fff5fbfc820
16:20:09     INFO -      Found by: call frame info
16:20:09     INFO -   3  XUL!JSCompartment::findOutgoingEdges(js::gc::ComponentFinder<JS::Zone>&) [FindSCCs.h:73a651b7e30a : 129 + 0xa]
16:20:09     INFO -      rbx = 0x0000000127873000   r12 = 0x00007fff5fbfca80
16:20:09     INFO -      r13 = 0x000000012cfc7760   r14 = 0x000000011eb28800
16:20:09     INFO -      r15 = 0x00007fff5fbfc838   rip = 0x000000010434dd7d
16:20:09     INFO -      rsp = 0x00007fff5fbfc830   rbp = 0x00007fff5fbfc8a0
16:20:09     INFO -      Found by: call frame info
16:20:09     INFO -   4  XUL!JS::Zone::findOutgoingEdges(js::gc::ComponentFinder<JS::Zone>&) [jsgc.cpp:73a651b7e30a : 3730 + 0x7]
16:20:09     INFO -      rbx = 0x00007fff5fbfc8d8   r12 = 0x0000000118ddf000
16:20:09     INFO -      r13 = 0x000000012b272b80   r14 = 0x000000011eb28000
16:20:09     INFO -      r15 = 0x00007fff5fbfca80   rip = 0x000000010434dff4
16:20:09     INFO -      rsp = 0x00007fff5fbfc8b0   rbp = 0x00007fff5fbfc910
16:20:09     INFO -      Found by: call frame info

I had the same crash today with an Aurora build: bp-623b6aa6-9cf7-46b2-b344-7a3272140704. It happened when I left the box alone for a while.

Crash Reason 	SIGSEGV
Crash Address 	0x0

According to crash stats all platforms are affected here, but majorly it's happening on Windows:

Windows 7        65.52 %   95
Windows XP       20.69 %   30
Windows 8         4.14 %    6
Windows 8.1       3.45 %    5
Windows Vista     2.07 %    3
OS X 10.9         1.38 %    2
Linux             1.38 %    2
OS X 10.6         1.38 %    2

While on Linux we seem to have a null pointer, on Windows we are accessing some random memory:

bp-60a624fe-1423-4533-bb13-ecf8d2140628:
Crash Reason 	EXCEPTION_ACCESS_VIOLATION_READ
Crash Address 	0xffffffffaaaffa9c

The earliest branch I can see where this is happening is 22.0. So this is a crash which has existed for a long time.
Group: core-security
Severity: normal → critical
OS: Mac OS X → All
Hardware: x86_64 → All
Version: unspecified → 22 Branch
The Linux null crashes don't bother me too much (but still, during GC) but reading crazy stuff on Windows might lead us to free the wrong things.
sec-moderate only because of the intermittency... if we can make this happen at will it's more likely sec-high.
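
Added example (not part of the bug report and not Mozilla tooling): a small triage helper that parses the crash reason/address fields quoted in this bug and separates near-null faults from faults at arbitrary addresses, which is the distinction the comments above use when rating it. The 64 KiB near-null threshold and all function names are assumptions.

```python
import re

# Constructed sample: the three crash records quoted in this bug, in the two
# layouts that appear on the page (test-harness log and crash-stats fields).
SAMPLE = """\
16:20:09     INFO -  Crash reason:  EXC_BAD_ACCESS / KERN_INVALID_ADDRESS
16:20:09     INFO -  Crash address: 0x0
Crash Reason \tSIGSEGV
Crash Address \t0x0
Crash Reason \tEXCEPTION_ACCESS_VIOLATION_READ
Crash Address \t0xffffffffaaaffa9c
"""

NEAR_NULL_LIMIT = 0x10000  # assumption: first 64 KiB counts as "null + offset"

FIELD = re.compile(r"crash (reason|address)\s*:?\s*(.+?)\s*$", re.IGNORECASE)

def parse_crashes(text):
    """Pair each 'Crash reason' line with the 'Crash address' line after it."""
    crashes, reason = [], None
    for line in text.splitlines():
        m = FIELD.search(line)
        if not m:
            continue
        key, value = m.group(1).lower(), m.group(2)
        if key == "reason":
            reason = value
        elif reason is not None:
            crashes.append((reason, int(value, 16)))
            reason = None
    return crashes

def classify(reason, address):
    """Bucket a crash by faulting address; the bucket is a triage hint only."""
    upper = reason.upper()
    access = "write" if "WRITE" in upper else "read" if "READ" in upper else "unknown"
    bucket = "near-null" if address < NEAR_NULL_LIMIT else "non-null"
    return bucket, access

def triage(text):
    """Return (address, bucket, access) for every crash record in the text."""
    return [(hex(a), *classify(r, a)) for r, a in parse_crashes(text)]

if __name__ == "__main__":
    for row in triage(SAMPLE):
        print(row)
```
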
Status: NEW → RESOLVED
Closed: 10 years ago
Resolution: --- → DUPLICATE
Group: core-security
Keywords: sec-moderate