Closed Bug 1212063 Opened 9 years ago Closed 9 years ago

crash in js::GCMarker::mark<T>(JSObject*)

Categories

(Core :: JavaScript: GC, defect)

43 Branch
Unspecified
Windows NT
defect
Not set
critical

Tracking

RESOLVED DUPLICATE of bug 1207620
Tracking Status
firefox43 --- affected

People

(Reporter: lizzard, Unassigned)

Details

(Keywords: crash)

Crash Data

+++ This bug was initially created as a clone of Bug #1207620 +++

This bug was filed from the Socorro interface and is report bp-768c2eb6-2937-4bbc-aef4-402c82150922.

=============================================================

This signature is showing up as a topcrash for 43. It first appeared on 2015-06-16.

I just noticed on looking over crashes for 43 that are marked "high", that this is often marked as such, though the report I filed in bug 1207620 is "low exploitability". Though maybe this isn't actionable, I thought it worth filing a new bug to see if there's anything useful here.

Here's a link to a list of the high exploitability crash reports with this signature:
https://crash-stats.mozilla.com/signature/?product=Firefox&version=43.0a2&exploitability=high&signature=js%3A%3AGCMarker%3A%3Amark%3CT%3E%28JSObject*%29&_columns=date&_columns=product&_columns=version&_columns=build_id&_columns=platform&_columns=reason&_columns=address&page=1#reports
Crash Signature: [@ js::GCMarker::mark<T>(JSObject*)] → [@ js::GCMarker::mark<T>(JSObject*)] [@ js::GCMarker::mark<T>]
This is a pretty generic signature for memory corruption that happened at some point and doesn't cause problems until GC tries to clean up. There might be one new bug, or it could be just that signatures in the GC code changed making it _look_ like a new crash when it's really just a catch-all for the same many different memory corruptions that just trips us up in a slightly different place.
Keywords: sec-high
I don't think it is too useful to have this here and hidden, given that we know that it is known that this is a possible sign of memory corruptions. I'm just going to dupe this to the public bug.
Group: javascript-core-security
Status: NEW → RESOLVED
Closed: 9 years ago
Keywords: sec-high
Resolution: --- → DUPLICATE
No longer depends on: 1207620