Open Bug 1204909 Opened 10 years ago Updated 2 years ago

crash in TraceCallbackFunc::Trace(JS::Heap<T>*, char const*, void*) in nsJSArgArray

Categories

(Core :: DOM: Core & HTML, defect)

41 Branch
x86
Windows NT
defect

Tracking


Tracking Status
firefox41 + wontfix
firefox48 --- affected
firefox49 --- affected
firefox51 --- affected

People

(Reporter: away, Unassigned)

Details

(Keywords: crash)

Crash Data

This bug was filed from the Socorro interface and is report bp-722856f6-194f-402a-8854-1122c2150912.
=============================================================
0034f4b0 639b14af xul!TraceCallbackFunc::Trace+0xb
0034f4cc 639b1634 xul!nsJSArgArray::cycleCollection::Trace+0x2e
0034f4f4 62dc0e0b xul!nsJSArgArray::cycleCollection::Traverse+0x3b
0034f514 63057d7f xul!CCGraphBuilder::BuildGraph+0x53
0034f524 6305737e xul!nsCycleCollector::MarkRoots+0x1a
0034f588 6326e2d0 xul!nsCycleCollector::Collect+0x104
0034f5b0 6326e086 xul!nsCycleCollector_collectSlice+0x3d
0034f6c8 62e1e7f6 xul!nsJSContext::RunCycleCollectorSlice+0x1a3
0034f798 63250334 xul!nsTimerImpl::Fire+0xf8
0034f7cc 62fb559b xul!nsTimerEvent::Run+0x37
0034f8dc 62fb40fc xul!nsThread::ProcessNextEvent+0x6e8
0034f90c 62fb3616 xul!mozilla::ipc::MessagePump::Run+0x5f
0034f944 62fb301f xul!MessageLoop::RunHandler+0x20
0034f964 62fb473c xul!MessageLoop::Run+0x19
0034f970 62fb4ad1 xul!nsBaseAppShell::Run+0x32
0034f97c 62d7ad10 xul!nsAppShell::Run+0x1b
0034f98c 6314014a xul!nsAppStartup::Run+0x20
0034fb70 6314036f xul!XREMain::XRE_mainRun+0x4a7
This exploded in 41b9. Any idea why? |aPtr| typically has values like 0x2000000, 0x6000000, etc.
Flags: needinfo?(continuation)
[Tracking Requested - why for this release]: At first glance this looks like a regression in 41b9. It may turn out to be random CC noise, but at this late stage I want to flag it just in case.
(In reply to David Major [:dmajor] from comment #1)
> This exploded in 41b9. Any idea why?
It's only 0.4% of overall 41.0b9 crashes, so "exploded" might be too strong a word. :) It's true that this signature practically didn't exist in previous betas, though.
It was bold/red in the explosiveness report. :)
Yes, the explosiveness report detects things at this level as well. An interesting detail about this crash is that it's listed in the Top Crash Scores report with 3.7 crashes per installation, so it's really annoying to those users that encounter it.
Component: XPCOM → DOM
Summary: crash in TraceCallbackFunc::Trace(JS::Heap<T>*, char const*, void*) → crash in TraceCallbackFunc::Trace(JS::Heap<T>*, char const*, void*) in nsJSArgArray
That's peculiar. nsJSArgArray looks to be only used by nsGlobalWindow::OpenDialogOuter().
Do you have a link to the patches that were landed between b8 and b9? Are there any interesting URLs or addons for these crashes? I don't think this code class has changed much recently. I don't have any concrete ideas beyond that, unfortunately.
Flags: needinfo?(continuation)
Thanks. There's nothing obviously related in there that I can see, though there are a couple of DOM patches.
41 will most likely go live tomorrow, too late to fix in 41.
Crash Signature: [@ TraceCallbackFunc::Trace(JS::Heap<T>*, char const*, void*)] → [@ TraceCallbackFunc::Trace(JS::Heap<T>*, char const*, void*)] [@ TraceCallbackFunc::Trace]
Crash volume for signature 'TraceCallbackFunc::Trace':
 - nightly (version 50): 0 crashes from 2016-06-06.
 - aurora (version 49): 2 crashes from 2016-06-07.
 - beta (version 48): 63 crashes from 2016-06-06.
 - release (version 47): 108 crashes from 2016-05-31.
 - esr (version 45): 0 crashes from 2016-04-07.
Crash volume on the last weeks:
             W. N-1  W. N-2  W. N-3  W. N-4  W. N-5  W. N-6  W. N-7
 - nightly   0       0       0       0       0       0       0
 - aurora    1       0       0       0       1       0       0
 - beta      12      10      11      6       2       9       7
 - release   19      12      14      9       20      12      13
 - esr       0       0       0       0       0       0       0
Affected platform: Windows
Crash volume for signature 'TraceCallbackFunc::Trace':
 - nightly (version 51): 1 crash from 2016-08-01.
 - aurora (version 50): 0 crashes from 2016-08-01.
 - beta (version 49): 19 crashes from 2016-08-02.
 - release (version 48): 19 crashes from 2016-07-25.
 - esr (version 45): 0 crashes from 2016-05-02.
Crash volume on the last weeks (Week N is from 08-22 to 08-28):
             W. N-1  W. N-2  W. N-3
 - nightly   1       0       0
 - aurora    0       0       0
 - beta      6       6       0
 - release   5       4       8
 - esr       0       0       0
Affected platforms: Windows, Linux
Crash rank on the last 7 days:
 Browser Content Plugin
 - nightly
 - aurora
 - beta #1564
 - release #3709
 - esr
Component: DOM → DOM: Core & HTML
QA Whiteboard: qa-not-actionable
Severity: critical → S2

At this point, this is relatively low volume, and the crashes seem to be from several unrelated callers. It may be worth breaking into separate bugs, since some callers come up repeatedly, but it's also possible that they're all the result of heap corruption.

Severity: S2 → S3
Crash Signature: [@ TraceCallbackFunc::Trace(JS::Heap<T>*, char const*, void*)] [@ TraceCallbackFunc::Trace] → [@ TraceCallbackFunc::Trace] [@ TraceCallbackFunc::Trace]