Closed Bug 1342556 Opened 4 years ago Closed 4 years ago

Crash in PLDHashTable::Add | TraversalTracer::onChild

Categories

(Core :: XPCOM, defect, P1)

48 Branch
All
Windows
defect

Tracking

()

RESOLVED DUPLICATE of bug 1296631
Tracking Status
firefox51 --- wontfix
firefox52 --- wontfix
firefox-esr52 --- affected
firefox53 --- wontfix
firefox54 --- wontfix
firefox55 - wontfix
firefox56 + wontfix
firefox57 + fix-optional
firefox58 --- affected
firefox59 --- affected
firefox60 --- affected

People

(Reporter: philipp, Unassigned)

References

Details

(4 keywords)

Crash Data

This bug was filed from the Socorro interface and is 
report bp-f43fdfee-296b-4c17-90f1-1d3992170224.
=============================================================
Crashing Thread (0)
Frame 	Module 	Signature 	Source
0 	xul.dll 	PLDHashTable::Add(void const*, mozilla::fallible_t const&) 	xpcom/glue/PLDHashTable.cpp:571
1 	xul.dll 	TraversalTracer::onChild(JS::GCCellPtr const&) 	xpcom/base/CycleCollectedJSContext.cpp:358
2 	xul.dll 	JS::CallbackTracer::onObjectEdge(JSObject**) 	obj-firefox/dist/include/js/TracingAPI.h:142
3 	xul.dll 	DispatchToTracer<JSObject*>(JSTracer*, JSObject**, char const*) 	js/src/gc/Marking.cpp:676
4 	xul.dll 	mozilla::JSGCThingParticipant::Traverse(void*, nsCycleCollectionTraversalCallback&) 	xpcom/base/CycleCollectedJSContext.cpp:305
5 	xul.dll 	CCGraphBuilder::BuildGraph(js::SliceBudget&) 	xpcom/base/nsCycleCollector.cpp:2279
6 	xul.dll 	nsCycleCollector::MarkRoots(js::SliceBudget&) 	xpcom/base/nsCycleCollector.cpp:2871
7 	xul.dll 	nsCycleCollector::Collect(ccType, js::SliceBudget&, nsICycleCollectorListener*, bool) 	xpcom/base/nsCycleCollector.cpp:3645
8 	xul.dll 	nsCycleCollector_collect(nsICycleCollectorListener*) 	xpcom/base/nsCycleCollector.cpp:4133

this crash signature was around for a while already, but it first jumped up in the 48 release - 49 was curiously not affected but the signature returned in 50 and 51 with an increasing frequency.
it happens across all versions of windows but user comments don't paint a clear picture what may be triggering this.

some correlations for Firefox Beta:
(96.12% in signature vs 09.76% overall) address = 0x0
(51.16% in signature vs 18.83% overall) "EGL+" in app_notes = true [92.31% vs 07.71% if process_type = null]
(100.0% in signature vs 29.26% overall) is_garbage_collecting = null
(100.0% in signature vs 33.85% overall) reason = EXCEPTION_ACCESS_VIOLATION_READ
(74.42% in signature vs 33.21% overall) ipc_message_name = null
(36.43% in signature vs 06.30% overall) contains_memory_report = 1
(31.01% in signature vs 04.24% overall) GFX_ERROR "Failed 2 buffer db=" = true [24.47% vs 04.28% if startup_crash = 0]
Component: Untriaged → DOM
See Also: → 1240234
Component: DOM → XPCOM
See Also: → 1216776
This could be an OOM while trying to grow the table.
Too late for firefox 52, mass-wontfix.
this is the #9 browser crash on 54 release accounting for 1% of all browser crashes.
(In reply to Andrew McCreight [:mccr8] from comment #1)
> This could be an OOM while trying to grow the table.

This seems unlikely.  Consider https://crash-stats.mozilla.com/report/index/4d25a44e-a0b6-4c91-9b2e-0e3430170722 (crash in Firefox 54) for instance: the associated line 571 is:

https://hg.mozilla.org/releases/mozilla-release/annotate/90f18f9c15f7/xpcom/ds/PLDHashTable.cpp#l571

which has nothing to do with memory allocation; we're just searching through the table.  Crashes on 52esr and 53 point at the same line as well.  I'm not sure what would be dealing with nullptr at that point...Thoughts?
Flags: needinfo?(continuation)
Priority: -- → P1
I don't know what the hashtable is doing here, or why it would have null. We do get the occasional weird hashtable crash in the CC.
Flags: needinfo?(continuation)
Crash Signature: [@ PLDHashTable::Add | TraversalTracer::onChild] → [@ PLDHashTable::Add | TraversalTracer::onChild] [@ PLDHashTable::Add | js::DispatchTyped<T>]
Too late for 55 but tracking for 56 as the volume is pretty high.
This is a P1 bug without an assignee. 

P1 are bugs which are being worked on for the current release cycle/iteration/sprint. 

If the bug is not assigned by Monday, 28 August, the bug's priority will be reset to '--'.
Keywords: stale-bug
Keywords: stale-bug
Duplicate of this bug: 1396374
Crash Signature: [@ PLDHashTable::Add | TraversalTracer::onChild] [@ PLDHashTable::Add | js::DispatchTyped<T>] → [@ PLDHashTable::Add | TraversalTracer::onChild] [@ PLDHashTable::Add | js::DispatchTyped<T>] [@ PtrToNodeMatchEntry ]
Status: NEW → RESOLVED
Closed: 4 years ago
Resolution: --- → DUPLICATE
Duplicate of bug: 1296631
Marking this as fix optional/wontfix since we are tracking it in the duplicate bug.
Duplicate of this bug: 1378896
Signature report for PLDHashTable::Add | TraversalTracer::onChild

Showing results from 7 days ago

Firefox 	60.0a1 	12 	1.0% 	16
Firefox 	59.0b6 	7 	0.6% 	6
Firefox 	59.0b5 	33 	2.8% 	24
Firefox 	59.0b4 	26 	2.2% 	34
Firefox 	59.0b3 	8 	0.7% 	6
Firefox 	58.0b99 	4 	0.3% 	5
Firefox 	58.0b16 	3 	0.3% 	3
Firefox 	58.0b14 	3 	0.3% 	3
Firefox 	58.0 	79 	6.8% 	67
Firefox 	57.0b4 	1 	0.1% 	1
Firefox 	57.0.4 	36 	3.1% 	35
Firefox 	57.0.2 	1 	0.1% 	1
You need to log in before you can comment on or make changes to this bug.