Closed Bug 1142787 Opened 10 years ago Closed 9 years ago

Intermittent browser_ruleview_style-editor-link.js | application crashed [@ 0x5a5a5a5a][@ mozilla::dom::NodeBinding::appendChild]

Categories

(Core :: DOM: Core & HTML, defect)

x86
Linux
defect
Not set
normal

Tracking

()

RESOLVED WORKSFORME

People

(Reporter: RyanVM, Unassigned)

Details

(Keywords: crash, intermittent-failure, sec-other)

13:39:56 INFO - 5582 ERROR TEST-UNEXPECTED-FAIL | browser/devtools/styleinspector/test/browser_ruleview_style-editor-link.js | application terminated with exit code 11 13:39:56 INFO - runtests.py | Application ran for: 0:03:31.631212 13:39:56 INFO - zombiecheck | Reading PID log: /tmp/tmpx7gdx2pidlog 13:39:56 INFO - mozcrash Downloading symbols from: https://ftp-ssl.mozilla.org/pub/mozilla.org/firefox/tinderbox-builds/fx-team-linux/1426185837/firefox-39.0a1.en-US.linux-i686.crashreporter-symbols.zip 13:40:18 INFO - mozcrash Saved minidump as /builds/slave/test/build/blobber_upload_dir/2bbc411c-92ee-b670-5d949a88-29d503d9.dmp 13:40:18 INFO - mozcrash Saved app info as /builds/slave/test/build/blobber_upload_dir/2bbc411c-92ee-b670-5d949a88-29d503d9.extra 13:40:18 WARNING - PROCESS-CRASH | browser/devtools/styleinspector/test/browser_ruleview_style-editor-link.js | application crashed [@ 0x5a5a5a5a] 13:40:18 INFO - Crash dump filename: /tmp/tmpEBEOqq.mozrunner/minidumps/2bbc411c-92ee-b670-5d949a88-29d503d9.dmp 13:40:18 INFO - Operating system: Linux 13:40:18 INFO - 0.0.0 Linux 3.2.0-23-generic-pae #36-Ubuntu SMP Tue Apr 10 22:19:09 UTC 2012 i686 13:40:18 INFO - CPU: x86 13:40:18 INFO - GenuineIntel family 6 model 45 stepping 7 13:40:18 INFO - 1 CPU 13:40:18 INFO - Crash reason: SIGSEGV 13:40:18 INFO - Crash address: 0x5a5a5a5a 13:40:18 INFO - Thread 0 (crashed) 13:40:18 INFO - 0 0x5a5a5a5a 13:40:18 INFO - eip = 0x5a5a5a5a esp = 0xbf9a24fc ebp = 0xbf9a2698 ebx = 0xb6efec68 13:40:18 INFO - esi = 0xb7225500 edi = 0x8719dea0 eax = 0x8719dea4 ecx = 0x00000000 13:40:18 INFO - edx = 0xbf9a26e0 efl = 0x00210282 13:40:18 INFO - Found by: given as instruction pointer in context 13:40:18 INFO - 1 libxul.so!mozilla::dom::NodeBinding::appendChild [nsINode.h:749740c78886 : 1680 + 0x9] 13:40:18 INFO - eip = 0xb3deb1a7 esp = 0xbf9a26a0 ebp = 0xbf9a2708 13:40:18 INFO - Found by: previous frame's frame pointer 13:40:18 INFO - 2 libxul.so!mozilla::dom::GenericBindingMethod(JSContext*, unsigned int, JS::Value*) [BindingUtils.cpp:749740c78886 : 2492 + 0x5] 13:40:18 INFO - eip = 0xb413ae11 esp = 0xbf9a2710 ebp = 0xbf9a2768 ebx = 0xb6efec68 13:40:18 INFO - esi = 0x873c34c0 edi = 0x00000162 13:40:18 INFO - Found by: call frame info 13:40:18 INFO - 3 libxul.so!js::Invoke(JSContext*, JS::CallArgs, js::MaybeConstruct) [jscntxtinlines.h:749740c78886 : 235 + 0x15] 13:40:18 INFO - eip = 0xb5043ecd esp = 0xbf9a2770 ebp = 0xbf9a2ad8 ebx = 0xb6efec68 13:40:18 INFO - esi = 0xb7225500 edi = 0xb413acf4 13:40:18 INFO - Found by: call frame info 13:40:18 INFO - 4 libxul.so!Interpret [Interpreter.cpp:749740c78886 : 2596 + 0x21] 13:40:18 INFO - eip = 0xb503e3b8 esp = 0xbf9a2ae0 ebp = 0xbf9a2f38 ebx = 0xb6efec68 13:40:18 INFO - esi = 0x873160a0 edi = 0xb7225500 13:40:18 INFO - Found by: call frame info 13:40:18 INFO - 5 libxul.so!js::RunScript(JSContext*, js::RunState&) [Interpreter.cpp:749740c78886 : 448 + 0x9] 13:40:18 INFO - eip = 0xb50422a7 esp = 0xbf9a2f40 ebp = 0xbf9a2f88 ebx = 0xb6efec68 13:40:18 INFO - esi = 0xbf9a2fe8 edi = 0xbf9a2f68 13:40:18 INFO - Found by: call frame info 13:40:18 INFO - 6 libxul.so!js::Invoke(JSContext*, JS::CallArgs, js::MaybeConstruct) [Interpreter.cpp:749740c78886 : 517 + 0x11] 13:40:18 INFO - eip = 0xb5043e0c esp = 0xbf9a2f90 ebp = 0xbf9a32f8 ebx = 0xb6efec68 13:40:18 INFO - esi = 0xb7225500 edi = 0xbf9a3370 13:40:18 INFO - Found by: call frame info 13:40:18 INFO - 7 libxul.so!js::Invoke(JSContext*, JS::Value const&, JS::Value const&, unsigned int, JS::Value const*, JS::MutableHandle<JS::Value>) [Interpreter.cpp:749740c78886 : 554 + 0x1e] 13:40:18 INFO - eip = 0xb5044b43 esp = 0xbf9a3300 ebp = 0xbf9a33b8 ebx = 0xb6efec68 13:40:18 INFO - esi = 0xbf9a3460 edi = 0xb722550c 13:40:18 INFO - Found by: call frame info 13:40:18 INFO - 8 libxul.so!js::DirectProxyHandler::call(JSContext*, JS::Handle<JSObject*>, JS::CallArgs const&) const [DirectProxyHandler.cpp:749740c78886 : 77 + 0x4] 13:40:18 INFO - eip = 0xb53a859c esp = 0xbf9a33c0 ebp = 0xbf9a33f8 ebx = 0xb6efec68 13:40:18 INFO - esi = 0xbf9a353c edi = 0xb7225500 13:40:18 INFO - Found by: call frame info 13:40:18 INFO - 9 libxul.so!js::CrossCompartmentWrapper::call(JSContext*, JS::Handle<JSObject*>, JS::CallArgs const&) const [CrossCompartmentWrapper.cpp:749740c78886 : 288 + 0x19] 13:40:18 INFO - eip = 0xb53bfaff esp = 0xbf9a3400 ebp = 0xbf9a34b8 ebx = 0xb6efec68 13:40:18 INFO - esi = 0xb7225500 edi = 0xb7225500 13:40:18 INFO - Found by: call frame info 13:40:18 INFO - 10 libxul.so!js::Proxy::call(JSContext*, JS::Handle<JSObject*>, JS::CallArgs const&) [Proxy.cpp:749740c78886 : 391 + 0x16] 13:40:18 INFO - eip = 0xb53c4668 esp = 0xbf9a34c0 ebp = 0xbf9a3518 ebx = 0xb6efec68 13:40:18 INFO - esi = 0xb7225500 edi = 0xbf9a354c 13:40:18 INFO - Found by: call frame info 13:40:18 INFO - 11 libxul.so!js::proxy_Call(JSContext*, unsigned int, JS::Value*) [Proxy.cpp:749740c78886 : 703 + 0xf] 13:40:18 INFO - eip = 0xb53c4765 esp = 0xbf9a3520 ebp = 0xbf9a3558 ebx = 0xb6efec68 13:40:18 INFO - esi = 0xb7225500 edi = 0xb53c4720 13:40:18 INFO - Found by: call frame info 13:40:18 INFO - 12 libxul.so!js::Invoke(JSContext*, JS::CallArgs, js::MaybeConstruct) [jscntxtinlines.h:749740c78886 : 235 + 0x15] 13:40:18 INFO - eip = 0xb5043ecd esp = 0xbf9a3560 ebp = 0xbf9a38c8 ebx = 0xb6efec68 13:40:18 INFO - esi = 0xb7225500 edi = 0xb53c4720 13:40:18 INFO - Found by: call frame info
Boris, has something in this code changed recently that you can think of? (We've also had some weird crashes that seem to be jemalloc3 fallout, so this could be more of that.)
Flags: needinfo?(bzbarsky)
Nothing obvious recently changed here. What slightly confuses me is that eip=0x5a5a5a5a business. The crash is claimed to be on this line: return ReplaceOrInsertBefore(false, &aNode, aChild, aError); in nsINode::InsertBefore. That's fine as far as it goes, but that's a non-virtual function call, so it's odd that it ended up with a bogus eip. Note that Firebot claiims that 0x5a5a5a5a is "jemalloc freed junk memory"...
Flags: needinfo?(bzbarsky)
I'm going to leave this open for now, but a crash that happened once could just be some random memory corruption or jemalloc3 fallout.
Keywords: sec-other
Inactive; closing (see bug 1180138).
Status: NEW → RESOLVED
Closed: 9 years ago
Resolution: --- → WORKSFORME
Group: core-security → core-security-release
Group: core-security-release
Component: DOM → DOM: Core & HTML
You need to log in before you can comment on or make changes to this bug.