1224185 - Crash at xul!JSCompartment::traceIncomingCrossCompartmentEdgesForZoneGC+c9

Status: RESOLVED DUPLICATE of bug 1223465

(Core :: Graphics: ImageLib, defect)

Description

[Carsten Book [:Tomcat]]

Attachment: windbg information

found via bughunter on http://www.ref4bux.com/index.php?view=ads 

Steps to reproduce:
-> http://www.ref4bux.com/index.php?view=ads

reload this site a few times 

--> Crash

Windbg shows EXCEPTION_RECORD:  ffffffff -- (.exr 0xffffffffffffffff) so marking as s-s bug

Comment 1

[Jan de Mooij [:jandem]]

I can reproduce GC crashes with a debug build on OS X after reloading that page a number of times.

Maybe we can bisect it or something.

Comment 2

[Terrence Cole [:terrence]]

So far I've managed to get it down to:

83:05.93 LOG: MainThread Bisector INFO Last good revision: 6256ec9113c115141aab089c45ee69438884b680 (2015-09-28)
83:05.93 LOG: MainThread Bisector INFO First bad revision: ccee6614fd9d18a31f263fbcfe9676b224d851aa (2015-09-29)
83:05.93 LOG: MainThread Bisector INFO Pushlog:
https://hg.mozilla.org/mozilla-central/pushloghtml?fromchange=6256ec9113c115141aab089c45ee69438884b680&tochange=ccee6614fd9d18a31f263fbcfe9676b224d851aa

Will keep churning on m-i, but bustage ahoy.

Comment 3

[Terrence Cole [:terrence]]

Reduced it to:

129:59.72 LOG: MainThread Bisector INFO Narrowed inbound regression window from [3797b7f3, 649f934c] (4 revisions) to [bd4a6ddd, 649f934c] (2 revisions) (~1 steps left)
129:59.73 LOG: MainThread main INFO Oh noes, no (more) inbound revisions :(
129:59.73 LOG: MainThread Bisector INFO Last good revision: bd4a6ddd01a049ebf846a0e4b5a795596e65508e
129:59.73 LOG: MainThread Bisector INFO First bad revision: 649f934c48e639a9d52e8da665b06a733f2e590d
129:59.73 LOG: MainThread Bisector INFO Pushlog:
https://hg.mozilla.org/integration/mozilla-inbound/pushloghtml?fromchange=bd4a6ddd01a049ebf846a0e4b5a795596e65508e&tochange=649f934c48e639a9d52e8da665b06a733f2e590d

That is:

649f934c48e6	Seth Fowler — Bug 1207378 (Part 2) - Use Downscaler to remove first-frame padding when downscaling GIFs. r=tn
3d603de6ef4b	Seth Fowler — Bug 1207378 (Part 1) - Add support for a frame rect to Downscaler. r=tn

Passing the ni to seth@mozilla.com.

Comment 4

[Bob Clary [:bc] (inactive)]

This may be the same issue as in Bug 1223465 - AddressSanitizer: heap-buffer-overflow in mozilla::image::nsGIFDecoder2::DoLzw and Bug 1224100 - AddressSanitizer: heap-buffer-overflow - Wheel of crashes [@ js::jit::EnterBaselineMethod ] | [@ nsDisplayList::SortByZOrder ] | [@ AddRule ]

I've seen the mozilla::image::nsGIFDecoder2::DoLzw heap error in both bugs and terrence's bisection points to Gifs.

Comment 5

[Daniel Veditz [:dveditz]]

Presumably Firefox 42 is unaffected if bug 1207378 is the regressor

Comment 6

[Liz Henry (:lizzard) (relman/hg->git project)]

Seth is this something you can work on, or can you help us find an owner for this bug?
Looks like we will release 43 with it, if not.

Comment 7

[Edwin Flores [inactive from 2016-12-01] [:eflores] [:edwin]]

(In reply to Liz Henry (:lizzard) (needinfo? me) from comment #6)
> Seth is this something you can work on, or can you help us find an owner for
> this bug?
> Looks like we will release 43 with it, if not.

I'm fairly certain this bug is the same as bug 1223465, which is waiting on beta approval.

Comment 8

[Liz Henry (:lizzard) (relman/hg->git project)]

Marking fixed based on comment 7. 
Cornel, can someone on your team could verify the fix?

Comment 9

[Cornel Ionce [:noni] [Hubs QA]]

Assigning to Alexandra for verification.

Comment 10

[Ada [:adalucinet]]

Crashed 43.0b7, under Windows 7 64-bit, with STR from comment 0:
> bp-fea36c2d-26a9-47ef-a997-4ea9b2151208
> bp-e136b3d2-fb25-4475-98ed-021752151208

Unable to reproduce the crash with 43.0b9 (Build ID: 20151203163240), across platforms [1].

[1] Ubuntu 14.04 32-bit, Windows 7 64-bit and Mac OS X 10.11