Open Bug 1310926 Opened 9 years ago Updated 2 years ago

Crash in TraversalTracer::onChild

Categories

(Core :: JavaScript: GC, defect, P3)

Unspecified
Windows 10
defect

Tracking


REOPENED
Tracking Status
firefox49 --- affected
firefox-esr45 --- affected
firefox50 --- affected
firefox51 --- affected
firefox52 --- wontfix
firefox53 --- affected
firefox54 --- affected

People

(Reporter: ting, Unassigned)

References

(Blocks 1 open bug)

Details

(Keywords: crash, triage-deferred, Whiteboard: qa-not-actionable)

Crash Data

This bug was filed from the Socorro interface and is report bp-ebf44867-8c5f-4dc0-828e-2b90e2161017.
=============================================================
#43 of Nightly 20161016030205 on Windows, 3 crashes from 3 installations. There are 10098 crashes in the last 6 months.
Crash traversing the JS heap during cycle collection. Feel free to send it back if you think it's a GC issue.
Component: JavaScript: GC → XPCOM
void TraversalTracer::onChild(const JS::GCCellPtr& aThing)
{
00007FF8DD2CB5D0  push        rbp
00007FF8DD2CB5D2  push        rbx
00007FF8DD2CB5D3  push        rsi
00007FF8DD2CB5D4  push        rdi
00007FF8DD2CB5D5  push        r14
00007FF8DD2CB5D7  lea         rbp,[rsp-0D0h]
00007FF8DD2CB5DF  sub         rsp,1D0h
00007FF8DD2CB5E6  mov         rax,qword ptr [__security_cookie (07FF8E007D720h)]
00007FF8DD2CB5ED  xor         rax,rsp
00007FF8DD2CB5F0  mov         qword ptr [rbp+0C0h],rax
  // Don't traverse non-gray objects, unless we want all traces.
  if (!JS::GCThingIsMarkedGray(aThing) && !mCb.WantAllTraces()) {
00007FF8DD2CB5F7  mov         rbx,qword ptr [rdx]
00007FF8DD2CB5FA  mov         rsi,rdx
00007FF8DD2CB5FD  mov         r8,rbx
00007FF8DD2CB600  mov         rdi,rcx
00007FF8DD2CB603  and         r8,0FFFFFFFFFFFFFFF8h     // r8 = aThing.asCell()
00007FF8DD2CB607  je          TraversalTracer::onChild+4Fh (07FF8DD2CB61Fh)
00007FF8DD2CB609  mov         rax,r8                    // rax = r8
00007FF8DD2CB60C  and         rax,0FFFFFFFFFFFFFFE8h    // rax &= ~js::gc::ChunkMask
00007FF8DD2CB610  or          rax,0FFFE8h               // rax |= js::gc::ChunkLocationOffset
00007FF8DD2CB616  cmp         dword ptr [rax],1         // crash, rax=4b4b0101000fffe8

The exception is with reason "invalid pointer read" in IsInsideNursery() for dereferencing |addr|: https://dxr.mozilla.org/mozilla-central/rev/01ab78dd98805e150b0311cce2351d5b408f3001/js/public/HeapAPI.h#338

So I assume |aThing| is invalid, meaning the JS heap may somehow be incorrect.
The stack is:

xul.dll!TraversalTracer::onChild(const JS::GCCellPtr & aThing) Line 341 C++
xul.dll!JS::CallbackTracer::onShapeEdge(js::Shape * * shapep) Line 148 C++
xul.dll!js::TraceEdge<js::Shape * __ptr64>(JSTracer * trc, js::WriteBarrieredBase<js::Shape *> * thingp, const char * name) Line 411 C++
xul.dll!js::Shape::traceChildren(JSTracer * trc) Line 1043 C++
xul.dll!JS::DispatchTraceKindTyped<TraceChildrenFunctor,JSTracer * __ptr64 & __ptr64,void * __ptr64 & __ptr64>(TraceChildrenFunctor f, JS::TraceKind traceKind, JSTracer * & <args_0>, void * & <args_1>) Line 186 C++
xul.dll!js::TraceChildren(JSTracer * trc, void * thing, JS::TraceKind kind) Line 127 C++
xul.dll!mozilla::CycleCollectedJSContext::NoteGCThingJSChildren(JS::GCCellPtr aThing, nsCycleCollectionTraversalCallback & aCb) Line 638 C++
xul.dll!CCGraphBuilder::BuildGraph(js::SliceBudget & aBudget) Line 2282 C++
xul.dll!nsCycleCollector::MarkRoots(js::SliceBudget & aBudget) Line 2881 C++
xul.dll!nsCycleCollector::Collect(ccType aCCType, js::SliceBudget & aBudget, nsICycleCollectorListener * aManualListener, bool aPreferShorterSlices) Line 3663 C++
xul.dll!nsCycleCollector_collectSlice(js::SliceBudget & budget, bool aPreferShorterSlices) Line 4161 C++
xul.dll!nsJSContext::RunCycleCollectorSlice() Line 1479 C++
xul.dll!ICCTimerFired(nsITimer * aTimer, void * aClosure) Line 1535 C++
xul.dll!nsJSContext::NotifyDidPaint() Line 2597 C++
xul.dll!nsRefreshDriver::Tick(__int64 aNowEpoch, mozilla::TimeStamp aNowTime) Line 1956 C++
...
Component: XPCOM → JavaScript: GC
Crash volume for signature 'TraversalTracer::onChild':
- nightly (version 52): 15 crashes from 2016-09-19.
- aurora (version 51): 12 crashes from 2016-09-19.
- beta (version 50): 192 crashes from 2016-09-20.
- release (version 49): 326 crashes from 2016-09-05.
- esr (version 45): 94 crashes from 2016-07-25.

Crash volume on the last weeks (Week N is from 10-17 to 10-23):
            W. N-1  W. N-2  W. N-3  W. N-4
- nightly        5       1       1       0
- aurora         6       1       4       0
- beta          74      60      32       7
- release       80      96      89      33
- esr           13       8      13       7

Affected platforms: Windows, Mac OS X, Linux

Crash rank on the last 7 days:
            Browser  Content  Plugin
- nightly      #258      #62
- aurora       #140
- beta         #283     #122
- release      #911     #351
- esr          #615
Crash volume for signature 'TraversalTracer::onChild':
- nightly (version 53): 52 crashes from 2016-11-14.
- aurora (version 52): 28 crashes from 2016-11-14.
- beta (version 51): 866 crashes from 2016-11-14.
- release (version 50): 2607 crashes from 2016-11-01.
- esr (version 45): 340 crashes from 2016-07-22.

Crash volume on the last weeks (Week N is from 01-16 to 01-22):
            W. N-1  W. N-2  W. N-3  W. N-4  W. N-5  W. N-6  W. N-7
- nightly        3       6       5       5       4       6       3
- aurora         2       9       2       3       1       5       1
- beta         100     107      69      92      99     112      75
- release      350     320     260     294     298     270     269
- esr           11      11       4      15       9      13      13

Affected platforms: Windows, Mac OS X, Linux

Crash rank on the last 7 days:
            Browser  Content  Plugin
- nightly      #621     #110
- aurora      #1008     #253
- beta         #200     #103
- release      #302     #165
- esr          #661
Crash volume for signature 'TraversalTracer::onChild':
- nightly (version 54): 11 crashes from 2017-01-23.
- aurora (version 53): 2 crashes from 2017-01-23.
- beta (version 52): 70 crashes from 2017-01-23.
- release (version 51): 254 crashes from 2017-01-16.
- esr (version 45): 319 crashes from 2016-08-03.

Crash volume on the last weeks (Week N is from 01-30 to 02-05):
            W. N-1  W. N-2  W. N-3  W. N-4  W. N-5  W. N-6  W. N-7
- nightly        6
- aurora         1
- beta          34
- release      130       0
- esr           12      14      11      11       4      15       9

Affected platforms: Windows, Mac OS X, Linux

Crash rank on the last 7 days:
            Browser  Content  Plugin
- nightly      #281      #51
- aurora       #408     #211
- beta         #206      #80
- release      #215      #71
- esr          #682
Too late for firefox 52, mass-wontfix.
Keywords: triage-deferred
Priority: -- → P3
See Also: → 1617806

Reopening bug since there are crash reports in the last 6 months.

Status: NEW → RESOLVED
Closed: 4 years ago
Resolution: --- → WORKSFORME
Status: RESOLVED → REOPENED
Resolution: WORKSFORME → ---
Whiteboard: qa-not-actionable
Severity: critical → S2

Since the crash volume is low (less than 15 per week), the severity is downgraded to S3. Feel free to change it back if you think the bug is still critical.

For more information, please visit auto_nag documentation.

Severity: S2 → S3