Open Bug 1310926 Opened 8 years ago Updated 1 year ago

Crash in TraversalTracer::onChild

Categories

(Core :: JavaScript: GC, defect, P3)

Unspecified
Windows 10
defect

Tracking


REOPENED
Tracking Status
firefox49 --- affected
firefox-esr45 --- affected
firefox50 --- affected
firefox51 --- affected
firefox52 --- wontfix
firefox53 --- affected
firefox54 --- affected

People

(Reporter: ting, Unassigned)

References

(Blocks 1 open bug)

Details

(Keywords: crash, triage-deferred, Whiteboard: qa-not-actionable)

Crash Data

This bug was filed from the Socorro interface and is report bp-ebf44867-8c5f-4dc0-828e-2b90e2161017.
=============================================================
#43 of Nightly 20161016030205 on Windows, 3 crashes from 3 installations. There are 10098 crashes in the last 6 months.
Crash traversing the JS heap during cycle collection.  Feel free to send it back if you think it's a GC issue.
Component: JavaScript: GC → XPCOM
void
TraversalTracer::onChild(const JS::GCCellPtr& aThing)
{
00007FF8DD2CB5D0  push        rbp
00007FF8DD2CB5D2  push        rbx
00007FF8DD2CB5D3  push        rsi
00007FF8DD2CB5D4  push        rdi
00007FF8DD2CB5D5  push        r14
00007FF8DD2CB5D7  lea         rbp,[rsp-0D0h]
00007FF8DD2CB5DF  sub         rsp,1D0h
00007FF8DD2CB5E6  mov         rax,qword ptr [__security_cookie (07FF8E007D720h)]
00007FF8DD2CB5ED  xor         rax,rsp
00007FF8DD2CB5F0  mov         qword ptr [rbp+0C0h],rax
  // Don't traverse non-gray objects, unless we want all traces.
  if (!JS::GCThingIsMarkedGray(aThing) && !mCb.WantAllTraces()) {
00007FF8DD2CB5F7  mov         rbx,qword ptr [rdx]
00007FF8DD2CB5FA  mov         rsi,rdx
00007FF8DD2CB5FD  mov         r8,rbx
00007FF8DD2CB600  mov         rdi,rcx
00007FF8DD2CB603  and         r8,0FFFFFFFFFFFFFFF8h  // r8 = aThing.asCell()
00007FF8DD2CB607  je          TraversalTracer::onChild+4Fh (07FF8DD2CB61Fh)
00007FF8DD2CB609  mov         rax,r8                 // rax = r8
00007FF8DD2CB60C  and         rax,0FFFFFFFFFFFFFFE8h // rax &= ~js::gc::ChunkMask
00007FF8DD2CB610  or          rax,0FFFE8h            // rax |= js::gc::ChunkLocationOffset
00007FF8DD2CB616  cmp         dword ptr [rax],1      // crash, rax=4b4b0101000fffe8

The exception is an invalid pointer read in IsInsideNursery(), raised when dereferencing |addr|:

  https://dxr.mozilla.org/mozilla-central/rev/01ab78dd98805e150b0311cce2351d5b408f3001/js/public/HeapAPI.h#338

So I assume |aThing| is invalid, which means the JS heap may somehow be incorrect.

The stack is:

  xul.dll!TraversalTracer::onChild(const JS::GCCellPtr & aThing) Line 341	C++
  xul.dll!JS::CallbackTracer::onShapeEdge(js::Shape * * shapep) Line 148	C++
  xul.dll!js::TraceEdge<js::Shape * __ptr64>(JSTracer * trc, js::WriteBarrieredBase<js::Shape *> * thingp, const char * name) Line 411	C++
  xul.dll!js::Shape::traceChildren(JSTracer * trc) Line 1043	C++
  xul.dll!JS::DispatchTraceKindTyped<TraceChildrenFunctor,JSTracer * __ptr64 & __ptr64,void * __ptr64 & __ptr64>(TraceChildrenFunctor f, JS::TraceKind traceKind, JSTracer * & <args_0>, void * & <args_1>) Line 186	C++
  xul.dll!js::TraceChildren(JSTracer * trc, void * thing, JS::TraceKind kind) Line 127	C++
  xul.dll!mozilla::CycleCollectedJSContext::NoteGCThingJSChildren(JS::GCCellPtr aThing, nsCycleCollectionTraversalCallback & aCb) Line 638	C++
  xul.dll!CCGraphBuilder::BuildGraph(js::SliceBudget & aBudget) Line 2282	C++
  xul.dll!nsCycleCollector::MarkRoots(js::SliceBudget & aBudget) Line 2881	C++
  xul.dll!nsCycleCollector::Collect(ccType aCCType, js::SliceBudget & aBudget, nsICycleCollectorListener * aManualListener, bool aPreferShorterSlices) Line 3663	C++
  xul.dll!nsCycleCollector_collectSlice(js::SliceBudget & budget, bool aPreferShorterSlices) Line 4161	C++
  xul.dll!nsJSContext::RunCycleCollectorSlice() Line 1479	C++
  xul.dll!ICCTimerFired(nsITimer * aTimer, void * aClosure) Line 1535	C++
  xul.dll!nsJSContext::NotifyDidPaint() Line 2597	C++
  xul.dll!nsRefreshDriver::Tick(__int64 aNowEpoch, mozilla::TimeStamp aNowTime) Line 1956	C++
  ...
Component: XPCOM → JavaScript: GC
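The comment above reads the crash address out of the disassembly of IsInsideNursery(): the cell pointer is rounded down to its 1 MiB chunk, the chunk-trailer offset is ORed in, and a uint32 is read from the result. The C program below is an added illustration, not SpiderMonkey code and not part of this bug: it reproduces that arithmetic (both the source form and the `and ~0x17 / or 0xFFFE8` peephole MSVC emitted), models two constructed chunks in malloc'd memory with a trailer word, and adds a chunk-registry check (an assumption for illustration, not something IsInsideNursery() does) so that a pointer whose chunk the GC never allocated is rejected before the trailer read that faulted at 0x4b4b0101000fffe8.

```c
/* Added example: models the chunk-trailer lookup in IsInsideNursery().
 * Not SpiderMonkey code; constants mirror js/public/HeapAPI.h of that era. */
#include <stdint.h>
#include <stdio.h>
#include <stdlib.h>
#include <string.h>

#define CHUNK_SHIFT 20u
#define CHUNK_SIZE (((uintptr_t)1) << CHUNK_SHIFT)   /* 1 MiB chunks */
#define CHUNK_MASK (CHUNK_SIZE - 1)
/* ChunkSize - 2*sizeof(void*) - sizeof(uint64_t) on 64-bit = 0xFFFE8,
 * the immediate in the "or rax,0FFFE8h" instruction of the crash. */
#define CHUNK_LOCATION_OFFSET 0xFFFE8ull
#define CHUNK_LOCATION_BIT_NURSERY 1u

/* Source form: address of the chunk trailer holding the location word. */
static uint64_t location_addr(uint64_t cell) {
    return (cell & ~0xFFFFFull) | CHUNK_LOCATION_OFFSET;
}

/* Peephole form from the disassembly: and rax,~0x17 ; or rax,0xFFFE8.
 * Only bits 0,1,2,4 must be cleared, because the OR sets every other low bit. */
static uint64_t location_addr_asm(uint64_t cell) {
    return (cell & 0xFFFFFFFFFFFFFFE8ull) | 0xFFFE8ull;
}

static int peephole_matches(uint64_t cell) {
    return location_addr(cell) == location_addr_asm(cell);
}

/* Assumption for illustration: a registry of chunk bases the GC handed out. */
typedef struct {
    uintptr_t bases[4];
    int count;
} chunk_set_t;

static int chunk_known(const chunk_set_t *set, uintptr_t cell) {
    uintptr_t base = cell & ~CHUNK_MASK;
    for (int i = 0; i < set->count; i++)
        if (set->bases[i] == base) return 1;
    return 0;
}

/* Unchecked read of the trailer, as in IsInsideNursery(): only safe when the
 * cell really lives in a GC chunk, which is exactly what failed in the crash. */
static int is_inside_nursery(uintptr_t cell) {
    if (!cell) return 0;   /* the "je" after "and r8,...FFF8h" */
    uint32_t location = *(const uint32_t *)(uintptr_t)location_addr(cell);
    return (location & CHUNK_LOCATION_BIT_NURSERY) != 0;
}

/* Checked variant: 1 = nursery, 0 = tenured, -1 = pointer not in any known chunk. */
static int is_inside_nursery_checked(const chunk_set_t *set, uintptr_t cell) {
    if (!cell) return 0;
    if (!chunk_known(set, cell)) return -1;
    return is_inside_nursery(cell);
}

/* Carve a CHUNK_SIZE-aligned fake chunk out of an oversized malloc and write
 * a constructed location word into its trailer. */
static uintptr_t make_fake_chunk(void **raw, uint32_t location) {
    *raw = malloc(2 * CHUNK_SIZE);
    if (!*raw) return 0;
    uintptr_t base = ((uintptr_t)*raw + CHUNK_MASK) & ~CHUNK_MASK;
    memcpy((void *)(base + CHUNK_LOCATION_OFFSET), &location, sizeof location);
    return base;
}

/* Returns 1 when all three lookups behave as expected. */
int demo_nursery_lookup(void) {
    void *raw0 = NULL, *raw1 = NULL;
    chunk_set_t set = {{0}, 0};
    uintptr_t nursery = make_fake_chunk(&raw0, CHUNK_LOCATION_BIT_NURSERY);
    uintptr_t tenured = make_fake_chunk(&raw1, 2u);  /* constructed non-nursery bit */
    if (!nursery || !tenured) { free(raw0); free(raw1); return 0; }
    set.bases[set.count++] = nursery;
    set.bases[set.count++] = tenured;

    int ok = 1;
    ok &= is_inside_nursery_checked(&set, nursery + 0x1000) == 1;
    ok &= is_inside_nursery_checked(&set, tenured + 0x1000) == 0;
    /* A cell in the chunk implied by the crash's rax value: no such chunk was
     * ever registered, so the checked lookup refuses instead of reading the trailer. */
    ok &= is_inside_nursery_checked(&set, (uintptr_t)0x4b4b010100001234ull) == -1;
    free(raw0);
    free(raw1);
    return ok;
}

int main(void) {
    uint64_t cell = 0x4b4b010100001234ull;   /* constructed cell in the crash's chunk */
    printf("trailer address for %#llx: %#llx (asm form %#llx)\n",
           (unsigned long long)cell,
           (unsigned long long)location_addr(cell),
           (unsigned long long)location_addr_asm(cell));
    printf("checked lookups behave as expected: %d\n", demo_nursery_lookup());
    return 0;
}
```

The two address functions agree for every input, which is why the disassembly can use `and rax,0FFFFFFFFFFFFFFE8h` where the source says `&= ~ChunkMask`; the faulting read is the trailer of a chunk at 0x4b4b010100000000 that the GC never mapped, so only a stale or corrupted edge could have produced it.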
Crash volume for signature 'TraversalTracer::onChild':
 - nightly (version 52): 15 crashes from 2016-09-19.
 - aurora  (version 51): 12 crashes from 2016-09-19.
 - beta    (version 50): 192 crashes from 2016-09-20.
 - release (version 49): 326 crashes from 2016-09-05.
 - esr     (version 45): 94 crashes from 2016-07-25.

Crash volume on the last weeks (Week N is from 10-17 to 10-23):
            W. N-1  W. N-2  W. N-3  W. N-4
 - nightly       5       1       1       0
 - aurora        6       1       4       0
 - beta         74      60      32       7
 - release      80      96      89      33
 - esr          13       8      13       7

Affected platforms: Windows, Mac OS X, Linux

Crash rank on the last 7 days:
           Browser   Content     Plugin
 - nightly #258      #62
 - aurora            #140
 - beta    #283      #122
 - release #911      #351
 - esr     #615
Crash volume for signature 'TraversalTracer::onChild':
 - nightly (version 53): 52 crashes from 2016-11-14.
 - aurora  (version 52): 28 crashes from 2016-11-14.
 - beta    (version 51): 866 crashes from 2016-11-14.
 - release (version 50): 2607 crashes from 2016-11-01.
 - esr     (version 45): 340 crashes from 2016-07-22.

Crash volume on the last weeks (Week N is from 01-16 to 01-22):
            W. N-1  W. N-2  W. N-3  W. N-4  W. N-5  W. N-6  W. N-7
 - nightly       3       6       5       5       4       6       3
 - aurora        2       9       2       3       1       5       1
 - beta        100     107      69      92      99     112      75
 - release     350     320     260     294     298     270     269
 - esr          11      11       4      15       9      13      13

Affected platforms: Windows, Mac OS X, Linux

Crash rank on the last 7 days:
           Browser   Content   Plugin
 - nightly #621      #110
 - aurora  #1008     #253
 - beta    #200      #103
 - release #302      #165
 - esr     #661
Crash volume for signature 'TraversalTracer::onChild':
 - nightly (version 54): 11 crashes from 2017-01-23.
 - aurora  (version 53): 2 crashes from 2017-01-23.
 - beta    (version 52): 70 crashes from 2017-01-23.
 - release (version 51): 254 crashes from 2017-01-16.
 - esr     (version 45): 319 crashes from 2016-08-03.

Crash volume on the last weeks (Week N is from 01-30 to 02-05):
            W. N-1  W. N-2  W. N-3  W. N-4  W. N-5  W. N-6  W. N-7
 - nightly       6
 - aurora        1
 - beta         34
 - release     130       0
 - esr          12      14      11      11       4      15       9

Affected platforms: Windows, Mac OS X, Linux

Crash rank on the last 7 days:
           Browser   Content   Plugin
 - nightly #281      #51
 - aurora  #408      #211
 - beta    #206      #80
 - release #215      #71
 - esr     #682
Too late for firefox 52, mass-wontfix.
Keywords: triage-deferred
Priority: -- → P3
See Also: → 1617806

Reopening bug since there are crash reports in the last 6 months.

Status: NEW → RESOLVED
Closed: 3 years ago
Resolution: --- → WORKSFORME
Status: RESOLVED → REOPENED
Resolution: WORKSFORME → ---
Whiteboard: qa-not-actionable
Severity: critical → S2

Since the crash volume is low (less than 15 per week), the severity is downgraded to S3. Feel free to change it back if you think the bug is still critical.

For more information, please visit auto_nag documentation.

Severity: S2 → S3