Open Bug 1280186 Opened 8 years ago Updated 3 years ago

Crash in DoMarking<T> (heap / memory corruption)

Categories

(Core :: JavaScript: GC, defect, P3)

Product:
Core
Component:
JavaScript: GC
Version:
48 Branch
Platform:
x86
All
Type:
defect

Tracking

()

Tracking Flags:
Tracking Status
firefox47 --- affected
firefox48 --- affected
firefox49 --- affected
firefox-esr45 --- affected
firefox50 --- affected
firefox51 --- affected
firefox52 --- wontfix

People

(Reporter: marcia, Unassigned)

References

(Blocks 1 open bug)

Details

(Keywords: crash, triage-deferred, Whiteboard: [tbird crash])

Crash Data

This bug was filed from the Socorro interface and is 
report bp-d62d9b9f-eb78-43ab-aaef-459692160609.
=============================================================

Seen while looking at crash stats. This showed up on the explosive report and didn't have a bug associated with it. Link to crashes: https://crash-stats.mozilla.com/report/list?signature=DoMarking%3CT%3E. Top URL appears to be facebook.com. Currently is #28 top crasher in Beta.

Frame 	Module 	Signature 	Source
0 	xul.dll 	DoMarking<JSObject>(js::GCMarker*, JSObject*) 	js/src/gc/Marking.cpp:772
1 	xul.dll 	DispatchToTracer<JSObject*>(JSTracer*, JSObject**, char const*) 	js/src/gc/Marking.cpp:640
2 	xul.dll 	mozilla::dom::ProtoAndIfaceCache::PageTableCache::Trace(JSTracer*) 	obj-firefox/dist/include/mozilla/dom/BindingUtils.h:383
3 	xul.dll 	xpc::TraceXPCGlobal(JSTracer*, JSObject*) 	js/xpconnect/src/nsXPConnect.cpp:371
4 	xul.dll 	JS_GlobalObjectTraceHook(JSTracer*, JSObject*) 	js/src/jsapi.cpp:1915
5 	xul.dll 	CallTraceHook<TraverseObjectFunctor, js::GCMarker* const, JSObject*&> 	js/src/gc/Marking.cpp:1304
6 	xul.dll 	js::GCMarker::processMarkStackTop(js::SliceBudget&) 	js/src/gc/Marking.cpp:1517
7 	xul.dll 	js::GCMarker::drainMarkStack(js::SliceBudget&) 	js/src/gc/Marking.cpp:1350
8 	xul.dll 	js::gc::GCRuntime::drainMarkStack(js::SliceBudget&, js::gcstats::Phase) 	js/src/jsgc.cpp:5482
9 	ntdll.dll 	ZwQueryPerformanceCounter 	
10 	ntdll.dll 	RtlEnterCriticalSection
Crash volume for signature 'DoMarking<T>':
 - nightly(version 50):20 crashes from 2016-06-06.
 - aurora (version 49):35 crashes from 2016-06-07.
 - beta   (version 48):1998 crashes from 2016-06-06.
 - release(version 47):367 crashes from 2016-05-31.
 - esr    (version 45):28 crashes from 2016-04-07.

Crash volume on the last weeks:
            W. N-1  W. N-2  W. N-3  W. N-4  W. N-5  W. N-6  W. N-7
 - nightly       2       2       7       4       0       2       3
 - aurora        8       7       6       0       5       7       2
 - beta         90      71     316     118      92     519     585
 - release      53      54      50      38      53      53      43
 - esr           4       3       6       1       1       4       2

Affected platforms: Windows, Linux
status-firefox47: --- → affected
status-firefox49: --- → affected
status-firefox50: --- → affected
status-firefox-esr45: --- → affected
Crash volume for signature 'DoMarking<T>':
 - nightly (version 51): 11 crashes from 2016-08-01.
 - aurora  (version 50): 11 crashes from 2016-08-01.
 - beta    (version 49): 162 crashes from 2016-08-02.
 - release (version 48): 78 crashes from 2016-07-25.
 - esr     (version 45): 44 crashes from 2016-05-02.

Crash volume on the last weeks (Week N is from 08-22 to 08-28):
            W. N-1  W. N-2  W. N-3
 - nightly       2       6       2
 - aurora        3       7       1
 - beta         73      40      13
 - release      26      30       4
 - esr           6       7       3

Affected platforms: Windows, Linux

Crash rank on the last 7 days:
           Browser   Content     Plugin
 - nightly #459
 - aurora  #887
 - beta    #292      #555
 - release #697
 - esr     #966
status-firefox51: --- → affected
Crash volume for signature 'DoMarking<T>':
 - nightly (version 52): 4 crashes from 2016-09-19.
 - aurora  (version 51): 6 crashes from 2016-09-19.
 - beta    (version 50): 116 crashes from 2016-09-20.
 - release (version 49): 215 crashes from 2016-09-05.
 - esr     (version 45): 76 crashes from 2016-06-01.

Crash volume on the last weeks (Week N is from 10-03 to 10-09):
            W. N-1  W. N-2
 - nightly       4       0
 - aurora        5       1
 - beta         94      22
 - release     169      46
 - esr           6       9

Affected platforms: Windows, Linux

Crash rank on the last 7 days:
           Browser   Content     Plugin
 - nightly           #165
 - aurora  #372      #353
 - beta    #199      #132
 - release #326      #507
 - esr     #1119
status-firefox52: --- → affected
#45 crash for Thunderbird 45.4.0.  #36 for 50 beta
Whiteboard: [tbird crash]
Too late for firefox 52, mass-wontfix.
status-firefox52: affectedwontfix
Today's 20170623115718 on Debian Testing x64
bp-66fd43a6-1803-4605-9257-854140170623

I am using
* gpu-process (need it for stability, see bug 1375058 comment 3 if you wanted to say it would be windows-only for the moment)
* webrender + webrendest (continuous testing)
and have enabled and disabled layout.css.servo.enabled multiple times for bug 1375906.

This is the first Nightly with stylo built-in (but disabled). I can't tell you if it was the cause or not.
Keywords: triage-deferred
Priority: -- → P3
Are there still plans to fix this bug?

It does continue to crash the browser:

https://crash-stats.mozilla.com/report/index/52c54b7a-0376-41bc-b5c9-2ac0c0171114
(In reply to User Dderss from comment #7)
This is another unactionable heap / memory corruption crash.
Blocks: GCCrashes
The crash rate of DoMarking<T> doubled since August one which correlates roughly to the release of version 61.0.2
(In reply to User Dderss from comment #7)
> Are there still plans to fix this bug?

The last crash ID you posted has been purged from the system. Please post your crash IDs from the past month.
Flags: needinfo?(zxspectrum3579)
I am not seeing this specific signature among my crash reports in the latest months.
Flags: needinfo?(zxspectrum3579)
(In reply to User Dderss from comment #11)
> I am not seeing this specific signature among my crash reports in the latest months.

OK, but that wasn't my question.  Please post all your your crash IDs.

There are still crashes, but the majority of crashes were ESR, specifically version 68 which is now almost zero. (which happened in late September)
https://crash-stats.mozilla.org/signature/?product=Firefox&release_channel=esr&signature=DoMarking%3CT%3E&date=%3E%3D2020-09-15T05%3A15%3A00.000Z&date=%3C2020-10-26T05%3A15%3A00.000Z#graphs

Overall, very low crash rate

Severity: critical → S3
OS: Windows XP → All
Summary: Crash in DoMarking<T> → Crash in DoMarking<T> (heap / memory corruption)
You need to log in before you can comment on or make changes to this bug.