Open Bug 1216776 Opened 10 years ago Updated 6 months ago

Crash in cycle collector while tracing GC thing (generic JS heap corruption)

Categories

(Core :: Cycle Collector, defect, P3)

40 Branch
defect

Tracking


Tracking Status
firefox47 --- wontfix
firefox48 --- wontfix
firefox49 --- wontfix
firefox-esr45 --- wontfix
thunderbird_esr52 --- affected
firefox50 --- wontfix
firefox51 --- wontfix
firefox52 --- wontfix
firefox-esr52 --- affected
firefox53 --- wontfix
firefox55 --- wontfix
firefox56 --- wontfix
firefox57 --- wontfix
firefox58 --- wontfix

People

(Reporter: philipp, Unassigned)

References

Details

(Keywords: crash, stalled, Whiteboard: [tbird crash][domcore-bugbash-triaged])

Crash Data

This bug was filed from the Socorro interface and is report bp-9ee2ab4e-1d12-43ba-84e7-80a512151020.
=============================================================
Crashing Thread
Frame  Module        Signature                                                                                                          Source
0      xul.dll       JSObject::traceChildren(JSTracer*)                                                                                 js/src/jsobj.cpp
1      xul.dll       js::gc::CallTyped<TraceChildrenFunctor, JSTracer*&, void*&>(TraceChildrenFunctor, JS::TraceKind, JSTracer*&, void*&)  js/src/jsgc.h
2      xul.dll       mozilla::JSGCThingParticipant::Traverse(void*, nsCycleCollectionTraversalCallback&)                               xpcom/base/CycleCollectedJSRuntime.cpp
3      xul.dll       CCGraphBuilder::BuildGraph(js::SliceBudget&)                                                                       xpcom/base/nsCycleCollector.cpp
4      xul.dll       nsCycleCollector::MarkRoots(js::SliceBudget&)                                                                      xpcom/base/nsCycleCollector.cpp
5      xul.dll       nsCycleCollector::Collect(ccType, js::SliceBudget&, nsICycleCollectorListener*, bool)                              xpcom/base/nsCycleCollector.cpp
6      xul.dll       nsCycleCollector_collectSlice(js::SliceBudget&, bool)                                                              xpcom/base/nsCycleCollector.cpp
7      xul.dll       mozilla::Vector<js::gcstats::Phase, 0, mozilla::MallocAllocPolicy>::`default constructor closure'()
8                    @0x12f70f
9      xul.dll       nsTimerImpl::Fire()                                                                                                xpcom/threads/nsTimerImpl.cpp
10     user32.dll    GetShellWindow
11     xul.dll       nsThread::ProcessNextEvent(bool, bool*)                                                                            xpcom/threads/nsThread.cpp
12     xul.dll       NS_ProcessNextEvent(nsIThread*, bool)                                                                              xpcom/glue/nsThreadUtils.cpp
13     xul.dll       mozilla::ipc::MessagePump::Run(base::MessagePump::Delegate*)                                                       ipc/glue/MessagePump.cpp
14     xul.dll       MessageLoop::RunHandler()                                                                                          ipc/chromium/src/base/message_loop.cc
15     xul.dll       nsThreadManager::QueryInterface(nsID const&, void**)                                                               xpcom/threads/nsThreadManager.cpp
16     xul.dll       nsAppShell::Run()                                                                                                  widget/windows/nsAppShell.cpp
17     xul.dll       XREMain::XRE_mainRun()                                                                                             toolkit/xre/nsAppRunner.cpp
18     xul.dll       XREMain::XRE_main(int, char** const, nsXREAppData const*)                                                          toolkit/xre/nsAppRunner.cpp
19     xul.dll       XRE_main                                                                                                           toolkit/xre/nsAppRunner.cpp
20     kernel32.dll  GetProcessPriorityBoost
21     kernel32.dll  GetLocaleInfoA
22     xul.dll       base::LinearHistogram::FactoryGet(std::basic_string<char, std::char_traits<char>, std::allocator<char> > const&, int, int, unsigned int, base::Histogram::Flags)  ipc/chromium/src/base/histogram.cc
23     xul.dll       `anonymous namespace'::HistogramGet(char const*, char const*, unsigned int, unsigned int, unsigned int, unsigned int, bool, base::Histogram**)  toolkit/components/telemetry/Telemetry.cpp
24     xul.dll       base::Histogram::SampleSet::Accumulate(int, int, unsigned int)                                                     ipc/chromium/src/base/histogram.cc
25     xul.dll       base::Histogram::Add(int)                                                                                          ipc/chromium/src/base/histogram.cc
26     xul.dll       mozilla::Telemetry::Accumulate(mozilla::Telemetry::ID, unsigned int)                                               toolkit/components/telemetry/Telemetry.cpp
27     firefox.exe   NS_internal_main(int, char**)                                                                                      browser/app/nsBrowserApp.cpp
28     firefox.exe   wmain                                                                                                              toolkit/xre/nsWindowsWMain.cpp
29     firefox.exe   __tmainCRTStartup                                                                                                  f:/dd/vctools/crt/crtw32/startup/crt0.c:255
30     kernel32.dll  BaseProcessStart

This is a cross-platform signature that seems to have been introduced in Firefox 40 builds for the first time. It isn't taking up much volume in crash stat data though: https://crash-stats.mozilla.com/search/?signature=~JSObject%3A%3AtraceChildren&date=%3E2015-01-01&_facets=signature&_facets=version&_columns=date&_columns=signature&_columns=product&_columns=version&_columns=build_id&_columns=platform#facet-version
Crash volume for signature 'JSObject::traceChildren':
- nightly (version 50): 6 crashes from 2016-06-06.
- aurora (version 49): 20 crashes from 2016-06-07.
- beta (version 48): 326 crashes from 2016-06-06.
- release (version 47): 96 crashes from 2016-05-31.
- esr (version 45): 15 crashes from 2016-04-07.

Crash volume on the last weeks:
            W. N-1  W. N-2  W. N-3  W. N-4  W. N-5  W. N-6  W. N-7
- nightly        0       0       1       2       2       0       0
- aurora         3       4       3       2       4       2       2
- beta          48      55      56      34      51      40      28
- release       13       9      20       6      25      12       8
- esr            0       1       1       2       3       3       2

Affected platforms: Windows, Mac OS X, Linux
Crash volume for signature 'JSObject::traceChildren':
- nightly (version 51): 5 crashes from 2016-08-01.
- aurora (version 50): 6 crashes from 2016-08-01.
- beta (version 49): 133 crashes from 2016-08-02.
- release (version 48): 189 crashes from 2016-07-25.
- esr (version 45): 15 crashes from 2016-05-02.

Crash volume on the last weeks (Week N is from 08-22 to 08-28):
            W. N-1  W. N-2  W. N-3
- nightly        0       3       1
- aurora         3       3       0
- beta          45      45      22
- release       52      63      36
- esr            1       0       2

Affected platforms: Windows, Mac OS X, Linux

Crash rank on the last 7 days (Browser / Content / Plugin):
- nightly: #358
- aurora: #960 #485
- beta: #463 #466
- release: #461 #451
- esr: (none)
Crash volume for signature 'JSObject::traceChildren':
- nightly (version 52): 1 crash from 2016-09-19.
- aurora (version 51): 2 crashes from 2016-09-19.
- beta (version 50): 85 crashes from 2016-09-20.
- release (version 49): 442 crashes from 2016-09-05.
- esr (version 45): 7 crashes from 2016-07-25.

Crash volume on the last weeks (Week N is from 10-17 to 10-23):
            W. N-1  W. N-2  W. N-3  W. N-4
- nightly        0       0       0       1
- aurora         0       1       0       0
- beta          17      24      29       7
- release      136     132     114      27
- esr            1       0       0       1

Affected platforms: Windows, Mac OS X, Linux

Crash rank on the last 7 days (Browser / Content / Plugin):
- nightly: (none)
- aurora: #1120 #586
- beta: #1107 #418
- release: #679 #280
- esr: #3849
Andrew/Olli, seems CC-related but a quick look doesn't indicate OOMs. Any thoughts?
Flags: needinfo?(continuation)
Flags: needinfo?(bugs)
Component: General → XPCOM
We're probably touching bad memory in the CC. The crash volume looks really low. #679 for browser crashes? I wouldn't worry about this unless it gets worse. It is not very actionable.
Flags: needinfo?(continuation)
Flags: needinfo?(bugs)
Priority: -- → P3
A present for you when you return, Nathan :)
Flags: needinfo?(nfroyd)
This is a cycle collector issue, so nothing Nathan can really help with. This just looks like a generic JS heap corruption issue.
Flags: needinfo?(nfroyd)
Crash Signature: [@ JSObject::traceChildren] [@ JSObject::traceChildren(JSTracer*)] → [@ JSObject::traceChildren] [@ JSObject::traceChildren(JSTracer*)] [@ js::gc::detail::CellIsMarkedGrayIfKnown ] [@ JS::GCCellPtr::is<T> ]
See Also: → 1342556
Summary: crash in JSObject::traceChildren → Crash in cycle collector while tracing GC thing
Thunderbird crashed @ js::gc::detail::CellIsMarkedGrayIfKnown while resuming the laptop from sleep: bp-00261654-74d0-4ccc-9d63-a6a9b0170707. I do this 1-3 times per day, but it never crashed before today. Thunderbird 52.2.1 is crashing at the same rate as Firefox 54.0.1.
Whiteboard: [tbird crash]
Looks like around 300 crashes per week on release. 58 is affected but in low volume on nightly.
Summary: Crash in cycle collector while tracing GC thing → Crash in cycle collector while tracing GC thing (generic JS heap corruption)
Let's stop tracking as a regression since this bug is so old.
I forgot to say that mccr8 and I spoke about this and he said "this is a crash where the CC runs and it touches corrupted memory. There's no way to know what corrupted it."
See Also: → 815141
Crash Signature: [@ JSObject::traceChildren] [@ JSObject::traceChildren(JSTracer*)] [@ js::gc::detail::CellIsMarkedGrayIfKnown ] [@ JS::GCCellPtr::is<T> ] → [@ JSObject::traceChildren] [@ JSObject::traceChildren(JSTracer*)] [@ js::gc::detail::CellIsMarkedGrayIfKnown ] [@ JS::GCCellPtr::is<T> ] [@ DoCallback<T> ]
QA Whiteboard: qa-not-actionable
Severity: critical → S2

Since the crash volume is low (less than 15 per week), the severity is downgraded to S3. Feel free to change it back if you think the bug is still critical.

For more information, please visit auto_nag documentation.

Severity: S2 → S3
Component: XPCOM → Cycle Collector
Crash Signature: [@ JSObject::traceChildren] [@ JSObject::traceChildren(JSTracer*)] [@ js::gc::detail::CellIsMarkedGrayIfKnown ] [@ JS::GCCellPtr::is<T> ] [@ DoCallback<T> ] → [@ JSObject::traceChildren] [@ JSObject::traceChildren] [@ js::gc::detail::CellIsMarkedGrayIfKnown ] [@ JS::GCCellPtr::is<T> ] [@ DoCallback<T> ]
Keywords: stalled
Whiteboard: [tbird crash] → [tbird crash][domcore-bugbash-triaged]