Open Bug 1288952 Opened 8 years ago Updated 3 years ago

Crash in UnmarkGrayTracer::onChild

Categories

(Core :: JavaScript Engine, defect, P5)

x86
Windows 7
defect

Tracking Status
firefox48 --- affected
firefox49 --- affected
firefox-esr45 --- affected
firefox50 --- affected
firefox51 --- affected
firefox52 --- wontfix
firefox57 --- affected

People

(Reporter: baffclan, Unassigned)

References

(Blocks 1 open bug)

Details

(Keywords: crash, stalled, Whiteboard: [tbird crash])

Crash Data

When I was scrolling on Twitter, it crashed.

This bug was filed from the Socorro interface and is report bp-e4ae2b1f-6f18-440a-aa38-d8f5c2160724.
=============================================================

Crashing Thread (0)
Frame 	Module 	Signature 	Source
0 	xul.dll 	UnmarkGrayTracer::onChild(JS::GCCellPtr const&) 	js/src/gc/Marking.cpp:2745
1 	xul.dll 	JS::CallbackTracer::onShapeEdge(js::Shape**) 	obj-firefox/dist/include/js/TracingAPI.h:146
2 	xul.dll 	DispatchToTracer<js::Shape*>(JSTracer*, js::Shape**, char const*) 	js/src/gc/Marking.cpp:655
3 	xul.dll 	JS::DispatchTraceKindTyped<TraceChildrenFunctor, JSTracer*&, void*&>(TraceChildrenFunctor, JS::TraceKind, JSTracer*&, void*&) 	obj-firefox/dist/include/js/TraceKind.h:182
4 	xul.dll 	js::DispatchTyped<DoCallbackFunctor<JS::Value>, JS::CallbackTracer*&, char const*&>(DoCallbackFunctor<JS::Value>, JS::Value const&, JS::CallbackTracer*&, char const*&) 	obj-firefox/dist/include/js/Value.h:1914
5 	xul.dll 	DispatchToTracer<JS::Value>(JSTracer*, JS::Value*, char const*) 	js/src/gc/Marking.cpp:655
6 	xul.dll 	JS::DispatchTraceKindTyped<TraceChildrenFunctor, JSTracer*&, void*&>(TraceChildrenFunctor, JS::TraceKind, JSTracer*&, void*&) 	obj-firefox/dist/include/js/TraceKind.h:182
7 	xul.dll 	js::DispatchTyped<DoCallbackFunctor<JS::Value>, JS::CallbackTracer*&, char const*&>(DoCallbackFunctor<JS::Value>, JS::Value const&, JS::CallbackTracer*&, char const*&) 	obj-firefox/dist/include/js/Value.h:1914
8 	xul.dll 	DispatchToTracer<JS::Value>(JSTracer*, JS::Value*, char const*) 	js/src/gc/Marking.cpp:655
9 	xul.dll 	JS::DispatchTraceKindTyped<TraceChildrenFunctor, JSTracer*&, void*&>(TraceChildrenFunctor, JS::TraceKind, JSTracer*&, void*&) 	obj-firefox/dist/include/js/TraceKind.h:182
10 	xul.dll 	js::DispatchTyped<DoCallbackFunctor<JS::Value>, JS::CallbackTracer*&, char const*&>(DoCallbackFunctor<JS::Value>, JS::Value const&, JS::CallbackTracer*&, char const*&) 	obj-firefox/dist/include/js/Value.h:1914
11 	xul.dll 	DispatchToTracer<JS::Value>(JSTracer*, JS::Value*, char const*) 	js/src/gc/Marking.cpp:655
12 	xul.dll 	JS::DispatchTraceKindTyped<TraceChildrenFunctor, JSTracer*&, void*&>(TraceChildrenFunctor, JS::TraceKind, JSTracer*&, void*&) 	obj-firefox/dist/include/js/TraceKind.h:182
13 	xul.dll 	UnmarkGrayTracer::onChild(JS::GCCellPtr const&) 	js/src/gc/Marking.cpp:2748
14 	xul.dll 	JS::CallbackTracer::onObjectEdge(JSObject**) 	obj-firefox/dist/include/js/TracingAPI.h:141
15 	xul.dll 	DoCallback<JSObject*>(JS::CallbackTracer*, JSObject**, char const*) 	js/src/gc/Tracer.cpp:51
16 	xul.dll 	JSFunction::trace(JSTracer*) 	js/src/jsfun.cpp:779
17 	xul.dll 	JSObject::traceChildren(JSTracer*) 	js/src/jsobj.cpp:3883
18 	xul.dll 	TypedUnmarkGrayCellRecursively<JSObject> 	js/src/gc/Marking.cpp:2792
19 	xul.dll 	JS::UnmarkGrayGCThingRecursively(JS::GCCellPtr) 	js/src/gc/Marking.cpp:2816
20 	xul.dll 	mozilla::dom::CallbackObject::MarkForCC() 	obj-firefox/dist/include/mozilla/dom/CallbackObject.h:100
21 	xul.dll 	mozilla::EventListenerManager::MarkForCC() 	dom/events/EventListenerManager.cpp:1629
22 	xul.dll 	nsContentUtils::UnmarkGrayJSListenersInCCGenerationDocuments() 	dom/base/nsContentUtils.cpp:4234
23 	xul.dll 	nsCCUncollectableMarker::Observe(nsISupports*, char const*, char16_t const*) 	dom/base/nsCCUncollectableMarker.cpp:444
24 	xul.dll 	nsObserverList::NotifyObservers(nsISupports*, char const*, char16_t const*) 	xpcom/ds/nsObserverList.cpp:112
25 	xul.dll 	nsObserverService::NotifyObservers(nsISupports*, char const*, char16_t const*) 	xpcom/ds/nsObserverService.cpp:305
26 	xul.dll 	XPCJSRuntime::PrepareForForgetSkippable() 	js/xpconnect/src/XPCJSRuntime.cpp:665
27 	xul.dll 	nsCycleCollector::ForgetSkippable(bool, bool) 	xpcom/base/nsCycleCollector.cpp:2879
28 	xul.dll 	FireForgetSkippable 	dom/base/nsJSEnvironment.cpp:1245
29 	xul.dll 	CCTimerFired 	dom/base/nsJSEnvironment.cpp:1793
30 	xul.dll 	nsTimerImpl::Fire() 	xpcom/threads/nsTimerImpl.cpp:524
31 	xul.dll 	nsTimerEvent::Run() 	xpcom/threads/TimerThread.cpp:286
32 	xul.dll 	nsThread::ProcessNextEvent(bool, bool*) 	xpcom/threads/nsThread.cpp:1068
33 	xul.dll 	NS_ProcessNextEvent(nsIThread*, bool) 	xpcom/glue/nsThreadUtils.cpp:290
34 	xul.dll 	mozilla::ipc::MessagePump::Run(base::MessagePump::Delegate*) 	ipc/glue/MessagePump.cpp:132
35 	xul.dll 	MessageLoop::RunHandler() 	ipc/chromium/src/base/message_loop.cc:225
36 	xul.dll 	MessageLoop::Run() 	ipc/chromium/src/base/message_loop.cc:205
37 	xul.dll 	nsBaseAppShell::Run() 	widget/nsBaseAppShell.cpp:156
38 	xul.dll 	nsAppShell::Run() 	widget/windows/nsAppShell.cpp:262
39 	xul.dll 	nsAppStartup::Run() 	toolkit/components/startup/nsAppStartup.cpp:284
40 	xul.dll 	XREMain::XRE_mainRun() 	toolkit/xre/nsAppRunner.cpp:4214
41 	xul.dll 	XREMain::XRE_main(int, char** const, nsXREAppData const*) 	toolkit/xre/nsAppRunner.cpp:4341
42 	xul.dll 	XRE_main 	toolkit/xre/nsAppRunner.cpp:4432
43 	firefox.exe 	do_main 	browser/app/nsBrowserApp.cpp:247
44 	firefox.exe 	wmain 	toolkit/xre/nsWindowsWMain.cpp:115
45 	firefox.exe 	__scrt_common_main_seh 	f:/dd/vctools/crt/vcstartup/src/startup/exe_common.inl:255
46 	kernel32.dll 	BaseThreadInitThunk 	
47 	ntdll.dll 	RtlUserThreadStart 	


Application Basics
Name: Firefox
Version: 50.0a1
Build ID: 20160723030206
User Agent: Mozilla/5.0 (Windows NT 6.1; Win64; x64; rv:50.0) Gecko/20100101 Firefox/50.0
OS: Windows_NT 6.1

Crash volume for signature 'UnmarkGrayTracer::onChild':
 - nightly (version 50): 6 crashes from 2016-06-06.
 - aurora  (version 49): 19 crashes from 2016-06-07.
 - beta    (version 48): 533 crashes from 2016-06-06.
 - release (version 47): 981 crashes from 2016-05-31.
 - esr     (version 45): 32 crashes from 2016-04-07.

Crash volume on the last weeks:
            W. N-1  W. N-2  W. N-3  W. N-4  W. N-5  W. N-6  W. N-7
 - nightly       1       1       1       2       0       0       0
 - aurora        5       1       2       1       4       5       1
 - beta         64      80      88      68      69      60      71
 - release     121     131     140     132     129     119     123
 - esr           0       2       3       6       3       4       2

Affected platforms: Windows, Mac OS X, Linux

Crash volume for signature 'UnmarkGrayTracer::onChild':
 - nightly (version 51): 7 crashes from 2016-08-01.
 - aurora  (version 50): 6 crashes from 2016-08-01.
 - beta    (version 49): 165 crashes from 2016-08-02.
 - release (version 48): 197 crashes from 2016-07-25.
 - esr     (version 45): 34 crashes from 2016-05-02.

Crash volume on the last weeks (Week N is from 08-22 to 08-28):
            W. N-1  W. N-2  W. N-3
 - nightly       1       2       3
 - aurora        1       2       1
 - beta         55      50      22
 - release      65      58      34
 - esr           0       1       6

Affected platforms: Windows, Mac OS X, Linux

Crash rank on the last 7 days:
           Browser   Content     Plugin
 - nightly #582
 - aurora            #281
 - beta    #300      #246
 - release #392      #582
 - esr     #1657

Crash volume for signature 'UnmarkGrayTracer::onChild':
 - nightly (version 52): 4 crashes from 2016-09-19.
 - aurora  (version 51): 3 crashes from 2016-09-19.
 - beta    (version 50): 51 crashes from 2016-09-20.
 - release (version 49): 149 crashes from 2016-09-05.
 - esr     (version 45): 41 crashes from 2016-06-01.

Crash volume on the last weeks (Week N is from 10-03 to 10-09):
            W. N-1  W. N-2
 - nightly       3       1
 - aurora        3       0
 - beta         41      10
 - release     115      33
 - esr           2       1

Affected platforms: Windows, Mac OS X, Linux

Crash rank on the last 7 days:
           Browser   Content     Plugin
 - nightly #751      #305
 - aurora  #1180     #376
 - beta    #466      #258
 - release #535      #352
 - esr     #1915

Too late for firefox 52, mass-wontfix.

Thunderbird user bp-93cc6bdb-67f7-4348-988c-194530170608 ... also crashes with js::GCMarker::markAndPush<T> (bug 1374742) bp-39664a43-9e90-428e-b29d-584f70170610

The overall crash rate quadrupled early March, then dropped considerably mid-April https://crash-stats.mozilla.com/signature/?signature=UnmarkGrayTracer%3A%3AonChild&date=%3E%3D2017-01-07T16%3A05%3A47.000Z&date=%3C2017-07-07T16%3A05%3A47.000Z#graphs

See Also: → 1374742
Whiteboard: [tbird crash]

Jon please take a look

Flags: needinfo?(jcoppeard)
Priority: -- → P2

This isn't actionable as it is, but I'm going to investigate how we can track down crashes like this in bug 1399944.

Flags: needinfo?(jcoppeard)
Blocks: GCCrashes
See Also: → 815141

Jon, do you think you could help answer Wayne's question in comment 8?

Flags: needinfo?(sdetar) → needinfo?(jcoppeard)

This is most likely memory corruption.

Flags: needinfo?(jcoppeard)
Keywords: stalled
Priority: P2 → P5

Hey Jon,
Could this crash still be worth keeping or should we close it?

Flags: needinfo?(jcoppeard)

Generally we keep these bugs open and mark them as stalled.

Flags: needinfo?(jcoppeard)
QA Whiteboard: qa-not-actionable