Open Bug 1277280 Opened 9 years ago Updated 2 years ago

Crash in CCGraphBuilder::DescribeRefCountedNode in MOZ_RELEASE_ASSERT(aRefCount != 0, "CCed refcounted object has zero refcount");

Categories

(Core :: Cycle Collector, defect, P3)

Product:
Core
Component:
Cycle Collector
Platform:
Unspecified
Windows 10
Type:
defect

Tracking

()

Tracking Flags:
Tracking Status
firefox47 --- affected
firefox48 --- affected
firefox49 --- affected
firefox-esr45 --- affected
firefox50 --- affected

People

(Reporter: mccr8, Unassigned)

References

Details

(Keywords: crash, stalled)

Crash Data

This bug was filed from the Socorro interface and is report bp-4550322f-2bf0-46e2-96ee-255b32160530. ============================================================= We're hitting this assertion somewhat frequently. Mostly the stacks are not useful, but I found some that had class names. https://crash-stats.mozilla.com/report/index/b8757191-d174-4bdd-a6f4-dd1da2160531 https://crash-stats.mozilla.com/report/index/4a06154f-1c4c-4579-99b9-f00bd2160525 https://crash-stats.mozilla.com/report/index/041e182a-d0a9-446e-83c9-2a1c62160531 https://crash-stats.mozilla.com/report/index/42fc2c73-68aa-466f-beb7-f2aea2160601 https://crash-stats.mozilla.com/report/index/6c523533-4dd3-4222-a9f7-022ea2160527 https://crash-stats.mozilla.com/report/index/0b4ef824-dad3-451d-bba8-ce3ef2160527 https://crash-stats.mozilla.com/report/index/5cd16fc7-a719-4c5c-b349-d620e2160529 https://crash-stats.mozilla.com/report/index/b464457b-96aa-4ae2-8d9d-3df3a2160531 https://crash-stats.mozilla.com/report/index/9dedb186-819b-4aa2-a557-1a3ab2160531 https://crash-stats.mozilla.com/report/index/8ea5a15d-b558-46e6-abb3-bd7ef2160530 https://crash-stats.mozilla.com/report/index/b62b897a-4279-4d9b-b215-668f42160528 https://crash-stats.mozilla.com/report/index/6745a734-1b0d-4c44-ba49-be1492160531 https://crash-stats.mozilla.com/report/index/a8eeded8-dcd4-4e17-affa-e3ecb2160526 https://crash-stats.mozilla.com/report/index/0757cef7-6dbb-4268-802c-af1a62160527 Mostly but not entirely FragmentOrElement.
Crash volume for signature 'CCGraphBuilder::DescribeRefCountedNode': - nightly (version 50): 0 crash from 2016-06-06. - aurora (version 49): 11 crashes from 2016-06-07. - beta (version 48): 190 crashes from 2016-06-06. - release (version 47): 560 crashes from 2016-05-31. - esr (version 45): 39 crashes from 2016-04-07. Crash volume on the last weeks: Week N-1 Week N-2 Week N-3 Week N-4 Week N-5 Week N-6 Week N-7 - nightly 0 0 0 0 0 0 0 - aurora 1 0 3 4 1 1 0 - beta 33 20 18 40 29 27 12 - release 86 75 88 86 93 75 25 - esr 3 4 4 4 1 5 2 Affected platforms: Windows, Mac OS X, Linux
status-firefox47: --- → affected
status-firefox48: --- → affected
status-firefox-esr45: --- → affected
Crash volume for signature 'CCGraphBuilder::DescribeRefCountedNode': - nightly (version 51): 0 crashes from 2016-08-01. - aurora (version 50): 3 crashes from 2016-08-01. - beta (version 49): 63 crashes from 2016-08-02. - release (version 48): 106 crashes from 2016-07-25. - esr (version 45): 57 crashes from 2016-05-02. Crash volume on the last weeks (Week N is from 08-22 to 08-28): W. N-1 W. N-2 W. N-3 - nightly 0 0 0 - aurora 1 2 0 - beta 15 27 4 - release 37 24 17 - esr 4 10 6 Affected platforms: Windows, Mac OS X, Linux Crash rank on the last 7 days: Browser Content Plugin - nightly - aurora #843 - beta #954 #688 - release #618 - esr #1109
status-firefox50: --- → affected
I got this crash now 2 times in last week with Firefox 56 Beta: https://crash-stats.mozilla.com/report/index/256464d3-4834-47bb-bd9e-333c50170830
I can fairly regularly reproduce this issue when I have large GitHub issue pages open.
(In reply to Josh Triplett from comment #4) > I can fairly regularly reproduce this issue when I have large GitHub issue > pages open. Can you provide example pages, and what you're doing to trigger the crash? Or is loading the page sufficient?
Flags: needinfo?(josh)
Priority: -- → P3
Loading a github issue page and waiting, that's it. Often, I'll use the session restore mechanism after the crash, and a minute or so later it'll crash again, without interacting with it at all. In case it matters, I'm logged into Github. (Which changes some of the UI elements present on the page.)
Flags: needinfo?(josh)
Thanks for the information. I'll try leaving the Github issues pages for Angular and Bootstrap open and see if it crashes.
I'm still encountering this, dozens of times every day, on two different systems. I've submitted numerous crash reports; look for those that have github.com URLs.
(In reply to Josh Triplett from comment #8) > I'm still encountering this, dozens of times every day, on two different > systems. I've submitted numerous crash reports; look for those that have > github.com URLs. I only see 3 crash reports with this signature that have Github URLs in them. A NodeJS pull request, one that 404s (presumably from a private repo) and some .md file. I'll leave those two open, along with the other ones. Could you post the crash id from about:crashes? Also, does this reproduce in safe mode (maybe an addon is causing this somehow)? Thanks. Hmm, I thought I'd added an annotation for the object that is crashing, but I guess that's for another place. I'll file a bug for that.
I'm not sure, but I think I might have a hypothesis here. I disabled the It's All Text extension, and I have yet to reproduce this issue again. Github issue pages have a huge number of "hidden" textareas, all of which trigger some handling from It's All Text. I'm wondering if something It's All Text is doing makes the problem much more likely to occur. And that would be consistent with longer issues (more comments) seeming to trigger this more often. Perhaps installing It's All Text and then waiting around on a large GitHub issue page (hundreds of comments) might reproduce the issue more quickly?
I left It's All Text disabled, and I still haven't reproduced this problem. Considering that it previously happened many times per day, that seems rather definitive.
(In reply to Josh Triplett from comment #12) > I left It's All Text disabled, and I still haven't reproduced this problem. > Considering that it previously happened many times per day, that seems > rather definitive. Thanks for checking. Olli, could you take a look at this? I'm going on PTO for a few weeks and I won't have a chance to look at this before that. It would be good to understand what is going wrong here.
Flags: needinfo?(bugs)
Hmm, "It's All Text" is not compatible with current beta/nightly releases. I guess I'll need to build FF56. Unfortunately the crash reports in comment 10 don't seem to have symbols
(In reply to Olli Pettay [:smaug] from comment #14) > Hmm, "It's All Text" is not compatible with current beta/nightly releases. > I guess I'll need to build FF56. Note that I'm seeing this on FF55.
oh, the addon is up to FF49 only. But ok, I'll force enable it.
In case it helps, I'm using the version packaged in Debian's "xul-ext-itsalltext" package, version 1.9.3-1, which seems compatible with Firefox 55.
Josh, any example links where this has happened most often? So far I haven't managed to reproduce with It's All Text
Wait, are you not using Firefox from Mozilla, but Debian version of it?
Flags: needinfo?(bugs) → needinfo?(josh)
(In reply to Olli Pettay [:smaug] from comment #18) > Josh, any example links where this has happened most often? > So far I haven't managed to reproduce with It's All Text https://github.com/rust-lang/rfcs/pull/2052 https://github.com/rust-lang/rfcs/pull/2137 https://github.com/rust-lang/rfcs/pull/2102 While logged in, in particular. (In reply to Olli Pettay [:smaug] from comment #19) > Wait, are you not using Firefox from Mozilla, but Debian version of it? Correct.
Flags: needinfo?(josh)
Ok, can you test mozilla provided build. I don't know what all changes Debian has made to their release.
Crash Signature: [@ CCGraphBuilder::DescribeRefCountedNode] → [@ CCGraphBuilder::DescribeRefCountedNode] [@ PtrInfo::AnnotatedReleaseAssert ]
QA Whiteboard: qa-not-actionable
Severity: critical → S2
Component: XPCOM → Cycle Collector

The crash volume isn't very high here, and it will be difficult to fix without steps to reproduce.

Severity: S2 → S3
Keywords: stalled
You need to log in before you can comment on or make changes to this bug.