Open
Bug 1310926
Opened 8 years ago
Updated 1 year ago
Crash in TraversalTracer::onChild
Categories
(Core :: JavaScript: GC, defect, P3)
Tracking
()
People
(Reporter: ting, Unassigned)
References
(Blocks 1 open bug)
Details
(Keywords: crash, triage-deferred, Whiteboard: qa-not-actionable)
Crash Data
This bug was filed from the Socorro interface and is report bp-ebf44867-8c5f-4dc0-828e-2b90e2161017.
=============================================================
#43 of Nightly 20161016030205 on Windows, 3 crashes from 3 installations.
There are 10098 crashes in the last 6 months.
Comment 1•8 years ago
Crash traversing the JS heap during cycle collection. Feel free to send it back if you think it's a GC issue.
Component: JavaScript: GC → XPCOM
Reporter | ||
Comment 2•8 years ago
void TraversalTracer::onChild(const JS::GCCellPtr& aThing) {
00007FF8DD2CB5D0 push rbp
00007FF8DD2CB5D2 push rbx
00007FF8DD2CB5D3 push rsi
00007FF8DD2CB5D4 push rdi
00007FF8DD2CB5D5 push r14
00007FF8DD2CB5D7 lea rbp,[rsp-0D0h]
00007FF8DD2CB5DF sub rsp,1D0h
00007FF8DD2CB5E6 mov rax,qword ptr [__security_cookie (07FF8E007D720h)]
00007FF8DD2CB5ED xor rax,rsp
00007FF8DD2CB5F0 mov qword ptr [rbp+0C0h],rax
  // Don't traverse non-gray objects, unless we want all traces.
  if (!JS::GCThingIsMarkedGray(aThing) && !mCb.WantAllTraces()) {
00007FF8DD2CB5F7 mov rbx,qword ptr [rdx]
00007FF8DD2CB5FA mov rsi,rdx
00007FF8DD2CB5FD mov r8,rbx
00007FF8DD2CB600 mov rdi,rcx
00007FF8DD2CB603 and r8,0FFFFFFFFFFFFFFF8h // r8 = aThing.asCell()
00007FF8DD2CB607 je TraversalTracer::onChild+4Fh (07FF8DD2CB61Fh)
00007FF8DD2CB609 mov rax,r8 // rax = r8
00007FF8DD2CB60C and rax,0FFFFFFFFFFFFFFE8h // rax &= ~js::gc::ChunkMask
00007FF8DD2CB610 or rax,0FFFE8h // rax |= js::gc::ChunkLocationOffset
00007FF8DD2CB616 cmp dword ptr [rax],1 // crash, rax=4b4b0101000fffe8

The exception is with reason invalid pointer read in IsInsideNursery() for dereferencing the |addr|:
https://dxr.mozilla.org/mozilla-central/rev/01ab78dd98805e150b0311cce2351d5b408f3001/js/public/HeapAPI.h#338

So I assume |aThing| is invalid, which somehow JS heap may be incorrect.

The stack is:
xul.dll!TraversalTracer::onChild(const JS::GCCellPtr & aThing) Line 341 C++
xul.dll!JS::CallbackTracer::onShapeEdge(js::Shape * * shapep) Line 148 C++
xul.dll!js::TraceEdge<js::Shape * __ptr64>(JSTracer * trc, js::WriteBarrieredBase<js::Shape *> * thingp, const char * name) Line 411 C++
xul.dll!js::Shape::traceChildren(JSTracer * trc) Line 1043 C++
xul.dll!JS::DispatchTraceKindTyped<TraceChildrenFunctor,JSTracer * __ptr64 & __ptr64,void * __ptr64 & __ptr64>(TraceChildrenFunctor f, JS::TraceKind traceKind, JSTracer * & <args_0>, void * & <args_1>) Line 186 C++
xul.dll!js::TraceChildren(JSTracer * trc, void * thing, JS::TraceKind kind) Line 127 C++
xul.dll!mozilla::CycleCollectedJSContext::NoteGCThingJSChildren(JS::GCCellPtr aThing, nsCycleCollectionTraversalCallback & aCb) Line 638 C++
xul.dll!CCGraphBuilder::BuildGraph(js::SliceBudget & aBudget) Line 2282 C++
xul.dll!nsCycleCollector::MarkRoots(js::SliceBudget & aBudget) Line 2881 C++
xul.dll!nsCycleCollector::Collect(ccType aCCType, js::SliceBudget & aBudget, nsICycleCollectorListener * aManualListener, bool aPreferShorterSlices) Line 3663 C++
xul.dll!nsCycleCollector_collectSlice(js::SliceBudget & budget, bool aPreferShorterSlices) Line 4161 C++
xul.dll!nsJSContext::RunCycleCollectorSlice() Line 1479 C++
xul.dll!ICCTimerFired(nsITimer * aTimer, void * aClosure) Line 1535 C++
xul.dll!nsJSContext::NotifyDidPaint() Line 2597 C++
xul.dll!nsRefreshDriver::Tick(__int64 aNowEpoch, mozilla::TimeStamp aNowTime) Line 1956 C++
...
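The address arithmetic that comment 2 annotates in the disassembly, written out as an added example (not code from the bug report or from Mozilla): it derives the address the nursery check reads from a raw GCCellPtr word and checks a faulting address against that shape. The function names are hypothetical, `CHUNK_MASK` (1 MiB chunks) is an assumption consistent with the `0FFFE8h` offset, and the sample GCCellPtr word is constructed; only the faulting `rax` value comes from the comment.

```c
#include <stdbool.h>
#include <stdint.h>
#include <stdio.h>

/* CELL_TAG_BITS and CHUNK_LOCATION_OFFSET come from the masks in the
 * disassembly (and r8,...FFF8h / or rax,0FFFE8h). CHUNK_MASK is an assumption:
 * 1 MiB chunks, consistent with that offset. Function names are hypothetical. */
#define CELL_TAG_BITS         UINT64_C(0x7)
#define CHUNK_MASK            UINT64_C(0xFFFFF)
#define CHUNK_LOCATION_OFFSET UINT64_C(0xFFFE8)

/* Address the nursery check would read for a raw GCCellPtr word;
 * 0 when the cell is null (the `je` that skips the read). */
uint64_t chunk_location_addr(uint64_t gc_cell_ptr_bits) {
    uint64_t cell = gc_cell_ptr_bits & ~CELL_TAG_BITS;
    if (cell == 0) return 0;
    return (cell & ~CHUNK_MASK) | CHUNK_LOCATION_OFFSET;
}

/* Triage: does a faulting address have the shape of that read? */
bool fault_is_chunk_location_read(uint64_t fault_addr) {
    return (fault_addr & CHUNK_MASK) == CHUNK_LOCATION_OFFSET;
}

/* Chunk base implied by the fault; the bad cell pointer was somewhere in
 * [base, base + CHUNK_MASK]. Its low 20 bits cannot be recovered. */
uint64_t chunk_base_from_fault(uint64_t fault_addr) {
    return fault_addr & ~CHUNK_MASK;
}

/* x86-64 with 48-bit virtual addresses: bits 63..47 must all be equal. */
bool is_canonical_x64(uint64_t addr) {
    uint64_t top = addr >> 47;
    return top == 0 || top == UINT64_C(0x1FFFF);
}

int main(void) {
    uint64_t fault = UINT64_C(0x4b4b0101000fffe8);   /* rax from comment 2 */
    uint64_t sample = UINT64_C(0x4b4b010100012342);  /* constructed GCCellPtr word */
    printf("location addr for sample: %016llx\n",
           (unsigned long long)chunk_location_addr(sample));
    printf("fault has location-read shape: %d\n", fault_is_chunk_location_read(fault));
    printf("implied chunk base: %016llx\n",
           (unsigned long long)chunk_base_from_fault(fault));
    printf("canonical: %d\n", is_canonical_x64(fault));
    return 0;
}
```

The faulting address is non-canonical under 48-bit addressing, so the value read from `aThing` cannot have been a pointer into a mapped GC chunk.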
Reporter | ||
Updated•8 years ago
Component: XPCOM → JavaScript: GC
Comment 3•8 years ago
Crash volume for signature 'TraversalTracer::onChild':
 - nightly (version 52): 15 crashes from 2016-09-19.
 - aurora (version 51): 12 crashes from 2016-09-19.
 - beta (version 50): 192 crashes from 2016-09-20.
 - release (version 49): 326 crashes from 2016-09-05.
 - esr (version 45): 94 crashes from 2016-07-25.

Crash volume on the last weeks (Week N is from 10-17 to 10-23):
            W. N-1  W. N-2  W. N-3  W. N-4
 - nightly       5       1       1       0
 - aurora        6       1       4       0
 - beta         74      60      32       7
 - release      80      96      89      33
 - esr          13       8      13       7

Affected platforms: Windows, Mac OS X, Linux

Crash rank on the last 7 days:
 Browser Content Plugin
 - nightly #258 #62
 - aurora #140
 - beta #283 #122
 - release #911 #351
 - esr #615
status-firefox49:
--- → affected
status-firefox50:
--- → affected
status-firefox51:
--- → affected
status-firefox-esr45:
--- → affected
Comment 4•7 years ago
Crash volume for signature 'TraversalTracer::onChild':
 - nightly (version 53): 52 crashes from 2016-11-14.
 - aurora (version 52): 28 crashes from 2016-11-14.
 - beta (version 51): 866 crashes from 2016-11-14.
 - release (version 50): 2607 crashes from 2016-11-01.
 - esr (version 45): 340 crashes from 2016-07-22.

Crash volume on the last weeks (Week N is from 01-16 to 01-22):
            W. N-1  W. N-2  W. N-3  W. N-4  W. N-5  W. N-6  W. N-7
 - nightly       3       6       5       5       4       6       3
 - aurora        2       9       2       3       1       5       1
 - beta        100     107      69      92      99     112      75
 - release     350     320     260     294     298     270     269
 - esr          11      11       4      15       9      13      13

Affected platforms: Windows, Mac OS X, Linux

Crash rank on the last 7 days:
 Browser Content Plugin
 - nightly #621 #110
 - aurora #1008 #253
 - beta #200 #103
 - release #302 #165
 - esr #661
status-firefox53:
--- → affected
Comment 5•7 years ago
Crash volume for signature 'TraversalTracer::onChild':
 - nightly (version 54): 11 crashes from 2017-01-23.
 - aurora (version 53): 2 crashes from 2017-01-23.
 - beta (version 52): 70 crashes from 2017-01-23.
 - release (version 51): 254 crashes from 2017-01-16.
 - esr (version 45): 319 crashes from 2016-08-03.

Crash volume on the last weeks (Week N is from 01-30 to 02-05):
 W. N-1 W. N-2 W. N-3 W. N-4 W. N-5 W. N-6 W. N-7
 - nightly 6
 - aurora 1
 - beta 34
 - release 130 0
 - esr 12 14 11 11 4 15 9

Affected platforms: Windows, Mac OS X, Linux

Crash rank on the last 7 days:
 Browser Content Plugin
 - nightly #281 #51
 - aurora #408 #211
 - beta #206 #80
 - release #215 #71
 - esr #682
status-firefox54:
--- → affected
Comment 6•7 years ago
Too late for firefox 52, mass-wontfix.
Comment hidden (Intermittent Failures Robot)
Updated•7 years ago
Keywords: triage-deferred
Priority: -- → P3
Comment 10•3 years ago
Reopening bug since there are crash reports in the last 6 months.
Status: NEW → RESOLVED
Closed: 3 years ago
Resolution: --- → WORKSFORME
Status: RESOLVED → REOPENED
Resolution: WORKSFORME → ---
Whiteboard: qa-not-actionable
Updated•3 years ago
Blocks: sm-defects-crashes
Updated•2 years ago
Severity: critical → S2
Comment 11•1 year ago
Since the crash volume is low (less than 15 per week), the severity is downgraded to S3. Feel free to change it back if you think the bug is still critical.
For more information, please visit auto_nag documentation.
Severity: S2 → S3