Open Bug 1216776 Opened 7 years ago Updated 11 months ago

Crash in cycle collector while tracing GC thing (generic JS heap corruption)

Categories

(Core :: XPCOM, defect, P3)

40 Branch
defect

Tracking

Tracking Status
firefox47 --- wontfix
firefox48 --- wontfix
firefox49 --- wontfix
firefox-esr45 --- wontfix
thunderbird_esr52 --- affected
firefox50 --- wontfix
firefox51 --- wontfix
firefox52 --- wontfix
firefox-esr52 --- affected
firefox53 --- wontfix
firefox55 --- wontfix
firefox56 --- wontfix
firefox57 --- wontfix
firefox58 --- wontfix

People

(Reporter: philipp, Unassigned)

References

Details

(Keywords: crash, Whiteboard: [tbird crash])

Crash Data

This bug was filed from the Socorro interface and is report bp-9ee2ab4e-1d12-43ba-84e7-80a512151020.
=============================================================
Crashing Thread
Frame 	Module 	Signature 	Source
0 	xul.dll 	JSObject::traceChildren(JSTracer*) 	js/src/jsobj.cpp
1 	xul.dll 	js::gc::CallTyped<TraceChildrenFunctor, JSTracer*&, void*&>(TraceChildrenFunctor, JS::TraceKind, JSTracer*&, void*&) 	js/src/jsgc.h
2 	xul.dll 	mozilla::JSGCThingParticipant::Traverse(void*, nsCycleCollectionTraversalCallback&) 	xpcom/base/CycleCollectedJSRuntime.cpp
3 	xul.dll 	CCGraphBuilder::BuildGraph(js::SliceBudget&) 	xpcom/base/nsCycleCollector.cpp
4 	xul.dll 	nsCycleCollector::MarkRoots(js::SliceBudget&) 	xpcom/base/nsCycleCollector.cpp
5 	xul.dll 	nsCycleCollector::Collect(ccType, js::SliceBudget&, nsICycleCollectorListener*, bool) 	xpcom/base/nsCycleCollector.cpp
6 	xul.dll 	nsCycleCollector_collectSlice(js::SliceBudget&, bool) 	xpcom/base/nsCycleCollector.cpp
7 	xul.dll 	mozilla::Vector<js::gcstats::Phase, 0, mozilla::MallocAllocPolicy>::`default constructor closure'() 	
8 		@0x12f70f 	
9 	xul.dll 	nsTimerImpl::Fire() 	xpcom/threads/nsTimerImpl.cpp
10 	user32.dll 	GetShellWindow 	
11 	xul.dll 	nsThread::ProcessNextEvent(bool, bool*) 	xpcom/threads/nsThread.cpp
12 	xul.dll 	NS_ProcessNextEvent(nsIThread*, bool) 	xpcom/glue/nsThreadUtils.cpp
13 	xul.dll 	mozilla::ipc::MessagePump::Run(base::MessagePump::Delegate*) 	ipc/glue/MessagePump.cpp
14 	xul.dll 	MessageLoop::RunHandler() 	ipc/chromium/src/base/message_loop.cc
15 	xul.dll 	nsThreadManager::QueryInterface(nsID const&, void**) 	xpcom/threads/nsThreadManager.cpp
16 	xul.dll 	nsAppShell::Run() 	widget/windows/nsAppShell.cpp
17 	xul.dll 	XREMain::XRE_mainRun() 	toolkit/xre/nsAppRunner.cpp
18 	xul.dll 	XREMain::XRE_main(int, char** const, nsXREAppData const*) 	toolkit/xre/nsAppRunner.cpp
19 	xul.dll 	XRE_main 	toolkit/xre/nsAppRunner.cpp
20 	kernel32.dll 	GetProcessPriorityBoost 	
21 	kernel32.dll 	GetLocaleInfoA 	
22 	xul.dll 	base::LinearHistogram::FactoryGet(std::basic_string<char, std::char_traits<char>, std::allocator<char> > const&, int, int, unsigned int, base::Histogram::Flags) 	ipc/chromium/src/base/histogram.cc
23 	xul.dll 	`anonymous namespace'::HistogramGet(char const*, char const*, unsigned int, unsigned int, unsigned int, unsigned int, bool, base::Histogram**) 	toolkit/components/telemetry/Telemetry.cpp
24 	xul.dll 	base::Histogram::SampleSet::Accumulate(int, int, unsigned int) 	ipc/chromium/src/base/histogram.cc
25 	xul.dll 	base::Histogram::Add(int) 	ipc/chromium/src/base/histogram.cc
26 	xul.dll 	mozilla::Telemetry::Accumulate(mozilla::Telemetry::ID, unsigned int) 	toolkit/components/telemetry/Telemetry.cpp
27 	firefox.exe 	NS_internal_main(int, char**) 	browser/app/nsBrowserApp.cpp
28 	firefox.exe 	wmain 	toolkit/xre/nsWindowsWMain.cpp
29 	firefox.exe 	__tmainCRTStartup 	f:/dd/vctools/crt/crtw32/startup/crt0.c:255
30 	kernel32.dll 	BaseProcessStart

This is a cross-platform signature that seems to have been introduced in Firefox 40 builds for the first time. It isn't taking up much volume in crash-stats data, though:
https://crash-stats.mozilla.com/search/?signature=~JSObject%3A%3AtraceChildren&date=%3E2015-01-01&_facets=signature&_facets=version&_columns=date&_columns=signature&_columns=product&_columns=version&_columns=build_id&_columns=platform#facet-version
Crash volume for signature 'JSObject::traceChildren':
 - nightly (version 50): 6 crashes from 2016-06-06.
 - aurora  (version 49): 20 crashes from 2016-06-07.
 - beta    (version 48): 326 crashes from 2016-06-06.
 - release (version 47): 96 crashes from 2016-05-31.
 - esr     (version 45): 15 crashes from 2016-04-07.

Crash volume on the last weeks:
            W. N-1  W. N-2  W. N-3  W. N-4  W. N-5  W. N-6  W. N-7
 - nightly       0       0       1       2       2       0       0
 - aurora        3       4       3       2       4       2       2
 - beta         48      55      56      34      51      40      28
 - release      13       9      20       6      25      12       8
 - esr           0       1       1       2       3       3       2

Affected platforms: Windows, Mac OS X, Linux
Crash volume for signature 'JSObject::traceChildren':
 - nightly (version 51): 5 crashes from 2016-08-01.
 - aurora  (version 50): 6 crashes from 2016-08-01.
 - beta    (version 49): 133 crashes from 2016-08-02.
 - release (version 48): 189 crashes from 2016-07-25.
 - esr     (version 45): 15 crashes from 2016-05-02.

Crash volume on the last weeks (Week N is from 08-22 to 08-28):
            W. N-1  W. N-2  W. N-3
 - nightly       0       3       1
 - aurora        3       3       0
 - beta         45      45      22
 - release      52      63      36
 - esr           1       0       2

Affected platforms: Windows, Mac OS X, Linux

Crash rank on the last 7 days:
           Browser   Content     Plugin
 - nightly           #358
 - aurora  #960      #485
 - beta    #463      #466
 - release #461      #451
 - esr
Crash volume for signature 'JSObject::traceChildren':
 - nightly (version 52): 1 crash from 2016-09-19.
 - aurora  (version 51): 2 crashes from 2016-09-19.
 - beta    (version 50): 85 crashes from 2016-09-20.
 - release (version 49): 442 crashes from 2016-09-05.
 - esr     (version 45): 7 crashes from 2016-07-25.

Crash volume on the last weeks (Week N is from 10-17 to 10-23):
            W. N-1  W. N-2  W. N-3  W. N-4
 - nightly       0       0       0       1
 - aurora        0       1       0       0
 - beta         17      24      29       7
 - release     136     132     114      27
 - esr           1       0       0       1

Affected platforms: Windows, Mac OS X, Linux

Crash rank on the last 7 days:
           Browser   Content     Plugin
 - nightly
 - aurora  #1120     #586
 - beta    #1107     #418
 - release #679      #280
 - esr     #3849
Andrew/Olli, seems CC-related but a quick look doesn't indicate OOMs. Any thoughts?
Flags: needinfo?(continuation)
Flags: needinfo?(bugs)
Component: General → XPCOM
We're probably touching bad memory in the CC. The crash volume looks really low. #679 for browser crashes? I wouldn't worry about this unless it gets worse. It is not very actionable.
Flags: needinfo?(continuation)
Flags: needinfo?(bugs)
Priority: -- → P3
A present for you when you return, Nathan :)
Flags: needinfo?(nfroyd)
This is a cycle collector issue, so nothing Nathan can really help with. This just looks like a generic JS heap corruption issue.
Flags: needinfo?(nfroyd)
Duplicate of this bug: 1346417
Duplicate of this bug: 1348625
Crash Signature: [@ JSObject::traceChildren] [@ JSObject::traceChildren(JSTracer*)] → [@ JSObject::traceChildren] [@ JSObject::traceChildren(JSTracer*)] [@ js::gc::detail::CellIsMarkedGrayIfKnown ] [@ JS::GCCellPtr::is<T> ]
See Also: → 1342556
Summary: crash in JSObject::traceChildren → Crash in cycle collector while tracing GC thing
Thunderbird crashed @ js::gc::detail::CellIsMarkedGrayIfKnown while resuming the laptop from sleep: bp-00261654-74d0-4ccc-9d63-a6a9b0170707
I do this 1-3 times per day, but never crashed before today.
Thunderbird 52.2.1 is crashing at same rate as Firefox 54.0.1
Whiteboard: [tbird crash]
Looks like around 300 crashes per week on release. 58 is affected but in low volume on nightly.
Summary: Crash in cycle collector while tracing GC thing → Crash in cycle collector while tracing GC thing (generic JS heap corruption)
Let's stop tracking as a regression since this bug is so old.
I forgot to say that mccr8 and I spoke about this and he said "this is a crash where the CC runs and it touches corrupted memory. There's no way to know what corrupted it."
See Also: → 815141
Crash Signature: [@ JSObject::traceChildren] [@ JSObject::traceChildren(JSTracer*)] [@ js::gc::detail::CellIsMarkedGrayIfKnown ] [@ JS::GCCellPtr::is<T> ] → [@ JSObject::traceChildren] [@ JSObject::traceChildren(JSTracer*)] [@ js::gc::detail::CellIsMarkedGrayIfKnown ] [@ JS::GCCellPtr::is<T> ] [@ DoCallback<T> ]
QA Whiteboard: qa-not-actionable