Open Bug 1207620 Opened 9 years ago Updated 2 years ago

crash in js::GCMarker::mark<T>(JSObject*) due to corruption

Categories

(Core :: JavaScript: GC, defect)

43 Branch
Unspecified
Linux
defect

Tracking

()

Tracking Status
firefox40 --- wontfix
firefox41 --- wontfix
firefox42 --- wontfix
firefox43 + wontfix
firefox44 + wontfix
firefox47 --- wontfix
firefox48 --- wontfix
firefox49 --- wontfix
firefox-esr45 --- wontfix
firefox50 --- wontfix
firefox51 --- wontfix
firefox52 --- wontfix
firefox-esr102 --- affected

People

(Reporter: lizzard, Unassigned)

References

(Blocks 2 open bugs)

Details

(Keywords: crash, stalled)

Crash Data

This bug was filed from the Socorro interface and is report bp-768c2eb6-2937-4bbc-aef4-402c82150922.
=============================================================

This signature is showing up as a topcrash for 43. It first appeared on 2015-06-16.

Crashing thread:
0 xul.dll js::GCMarker::mark<JSObject>(JSObject*) js/src/gc/Marking.cpp
1 xul.dll js::GCMarker::processMarkStackTop(js::SliceBudget&) js/src/gc/Marking.cpp
2 xul.dll js::GCMarker::drainMarkStack(js::SliceBudget&) js/src/gc/Marking.cpp
3 xul.dll js::gc::GCRuntime::drainMarkStack(js::SliceBudget&, js::gcstats::Phase) js/src/jsgc.cpp
4 xul.dll js::gc::GCRuntime::incrementalCollectSlice(js::SliceBudget&, JS::gcreason::Reason) js/src/jsgc.cpp
5 xul.dll js::gc::GCRuntime::gcCycle(bool, js::SliceBudget&, JS::gcreason::Reason) js/src/jsgc.cpp
6 xul.dll js::gc::GCRuntime::collect(bool, js::SliceBudget, JS::gcreason::Reason) js/src/jsgc.cpp
7 xul.dll js::gc::GCRuntime::gcSlice(JS::gcreason::Reason, __int64) js/src/jsgc.cpp
8 xul.dll nsJSContext::GarbageCollectNow(JS::gcreason::Reason, nsJSContext::IsIncremental, nsJSContext::IsShrinking, __int64) dom/base/nsJSEnvironment.cpp
9 xul.dll nsTimerImpl::Fire() xpcom/threads/nsTimerImpl.cpp

It happened to me a few minutes ago[1] almost right after the browser start. While a page was still loading I clicked the 'Restart Nightly to apply the update' button, then it crashed.

Sebastian

https://crash-stats.mozilla.com/report/index/a13fbd26-b87f-479a-996e-e70a22150924

Crash Signature: [@ js::GCMarker::mark<T>(JSObject*)] → [@ js::GCMarker::mark<T>(JSObject*)] [@ js::GCMarker::mark<T>]
Still a top crash for 43.0b3. Naveed, can you help find someone to work on this bug? Or, if it doesn't seem actionable, let's wontfix it for 43 at the least.
Flags: needinfo?(nihsanullah)
No longer blocks: 1212063
Assignee: nobody → terrence
Flags: needinfo?(nihsanullah)
Too late for a fix for 43; this is still showing up in 43 and 44 but at lower volume than a couple of weeks ago.
On Beta44, this has occurred only 7 times in the past 4 weeks. Marking this as wontfix for Fx44 given the super low crash volume.
Crash volume for signature 'js::GCMarker::mark<T>':
- nightly (version 50): 73 crashes from 2016-06-06.
- aurora (version 49): 69 crashes from 2016-06-07.
- beta (version 48): 1246 crashes from 2016-06-06.
- release (version 47): 2683 crashes from 2016-05-31.
- esr (version 45): 95 crashes from 2016-04-07.

Crash volume on the last weeks:
            Week N-1  Week N-2  Week N-3  Week N-4  Week N-5  Week N-6  Week N-7
- nightly         12        10         8        11        13         7         6
- aurora           8         9        13        13        15         8         0
- beta           110       169       162       366       194       145        41
- release        424       434       406       377       403       377       121
- esr              7         7         8        13         8        13         7

Affected platforms: Windows, Linux
This is not a directly actionable signature.
Assignee: terrence → nobody
Blocks: GC.stability
Crash volume for signature 'js::GCMarker::mark<T>':
- nightly (version 52): 7 crashes from 2016-09-19.
- aurora (version 51): 6 crashes from 2016-09-19.
- beta (version 50): 371 crashes from 2016-09-20.
- release (version 49): 749 crashes from 2016-09-05.
- esr (version 45): 161 crashes from 2016-06-01.

Crash volume on the last weeks (Week N is from 10-03 to 10-09):
            W. N-1  W. N-2
- nightly        4       3
- aurora         6       0
- beta         257     114
- release      595     152
- esr           10      13

Affected platforms: Windows, Linux

Crash rank on the last 7 days:
            Browser  Content  Plugin
- nightly   #290     #364
- aurora    #639     #244
- beta      #73      #61
- release   #94      #103
- esr       #790
(In reply to Terrence Cole [:terrence] from comment #7)
> This is not a directly actionable signature.

Indeed, most users have many crash signatures, like this user:
bp-f59a159f-08c7-4be7-9545-6c3002161201 js::BaseShape::traceChildrenSkipShapeTable
bp-06e91d14-f7cb-4874-bdc2-1124a2161201 js::GCMarker::mark<T>
bp-37a1d555-543e-4473-b187-e58be2161201 IsAboutToBeFinalizedInternal<T>
bp-4c03ff19-515a-4a65-aaea-625e92161029 arena_bin_malloc_hard | moz_xmalloc | GrowStuff
bp-1e6fd824-5aad-4da4-9532-742ce2161017 FinalizeTypedArenas<T>

I just crashed a single tab, out of the blue, unattended.
20161114043454 nightly bp-8fc87fd3-22bd-4aec-af21-ce22c2161206
Summary: crash in js::GCMarker::mark<T>(JSObject*) → crash in js::GCMarker::mark<T>(JSObject*) due to corruption
Too late for firefox 52, mass-wontfix.
See Also: → 1439271
QA Whiteboard: qa-not-actionable
Severity: critical → S2
OS: Windows NT → Windows
OS: Windows → Linux
Crash Signature: [@ js::GCMarker::mark<T>(JSObject*)] [@ js::GCMarker::mark<T>] → [@ js::GCMarker::mark<T>] [@ js::GCMarker::mark<T>]

Infrequent GC crashes such as this are not a high impact issue.

Blocks: GCCrashes
Severity: S2 → S3
Keywords: stalled