Closed Bug 1224185 Opened 5 years ago Closed 5 years ago
Crash at xul!JSCompartment::trace
Incoming Cross Compartment Edges For Zone GC+c9
found via bughunter on http://www.ref4bux.com/index.php?view=ads Steps to reproduce: -> http://www.ref4bux.com/index.php?view=ads reload this site a few times --> Crash Windbg shows EXCEPTION_RECORD: ffffffff -- (.exr 0xffffffffffffffff) so marking as s-s bug
I can reproduce GC crashes with a debug build on OS X after reloading that page a number of times. Maybe we can bisect it or something.
So far I've managed to get it down to: 83:05.93 LOG: MainThread Bisector INFO Last good revision: 6256ec9113c115141aab089c45ee69438884b680 (2015-09-28) 83:05.93 LOG: MainThread Bisector INFO First bad revision: ccee6614fd9d18a31f263fbcfe9676b224d851aa (2015-09-29) 83:05.93 LOG: MainThread Bisector INFO Pushlog: https://hg.mozilla.org/mozilla-central/pushloghtml?fromchange=6256ec9113c115141aab089c45ee69438884b680&tochange=ccee6614fd9d18a31f263fbcfe9676b224d851aa Will keep churning on m-i, but bustage ahoy.
Reduced it to: 129:59.72 LOG: MainThread Bisector INFO Narrowed inbound regression window from [3797b7f3, 649f934c] (4 revisions) to [bd4a6ddd, 649f934c] (2 revisions) (~1 steps left) 129:59.73 LOG: MainThread main INFO Oh noes, no (more) inbound revisions :( 129:59.73 LOG: MainThread Bisector INFO Last good revision: bd4a6ddd01a049ebf846a0e4b5a795596e65508e 129:59.73 LOG: MainThread Bisector INFO First bad revision: 649f934c48e639a9d52e8da665b06a733f2e590d 129:59.73 LOG: MainThread Bisector INFO Pushlog: https://hg.mozilla.org/integration/mozilla-inbound/pushloghtml?fromchange=bd4a6ddd01a049ebf846a0e4b5a795596e65508e&tochange=649f934c48e639a9d52e8da665b06a733f2e590d That is: 649f934c48e6 Seth Fowler — Bug 1207378 (Part 2) - Use Downscaler to remove first-frame padding when downscaling GIFs. r=tn 3d603de6ef4b Seth Fowler — Bug 1207378 (Part 1) - Add support for a frame rect to Downscaler. r=tn Passing the ni to firstname.lastname@example.org.
This may be the same issue as in Bug 1223465 - AddressSanitizer: heap-buffer-overflow in mozilla::image::nsGIFDecoder2::DoLzw and Bug 1224100 - AddressSanitizer: heap-buffer-overflow - Wheel of crashes [@ js::jit::EnterBaselineMethod ] | [@ nsDisplayList::SortByZOrder ] | [@ AddRule ] I've seen the mozilla::image::nsGIFDecoder2::DoLzw heap error in both bugs and terrence's bisection points to Gifs.
Presumably Firefox 42 is unaffected if bug 1207378 is the regressor
Seth is this something you can work on, or can you help us find an owner for this bug? Looks like we will release 43 with it, if not.
(In reply to Liz Henry (:lizzard) (needinfo? me) from comment #6) > Seth is this something you can work on, or can you help us find an owner for > this bug? > Looks like we will release 43 with it, if not. I'm fairly certain this bug is the same as bug 1223465, which is waiting on beta approval.
Marking fixed based on comment 7. Cornel, can someone on your team could verify the fix?
Assigning to Alexandra for verification.
Flags: needinfo?(cornel.ionce) → needinfo?(alexandra.lucinet)
QA Contact: alexandra.lucinet
Crashed 43.0b7, under Windows 7 64-bit, with STR from comment 0: > bp-fea36c2d-26a9-47ef-a997-4ea9b2151208 > bp-e136b3d2-fb25-4475-98ed-021752151208 Unable to reproduce the crash with 43.0b9 (Build ID: 20151203163240), across platforms .  Ubuntu 14.04 32-bit, Windows 7 64-bit and Mac OS X 10.11
Status: NEW → RESOLVED
Closed: 5 years ago
Resolution: --- → DUPLICATE
Duplicate of bug: 1223465
You need to log in before you can comment on or make changes to this bug.