Closed Bug 1342556 Opened 8 years ago Closed 8 years ago

Crash in PLDHashTable::Add | TraversalTracer::onChild

Categories

(Core :: XPCOM, defect, P1)

48 Branch
All
Windows
defect

Tracking


RESOLVED DUPLICATE of bug 1296631
Tracking Status
firefox51 --- wontfix
firefox52 --- wontfix
firefox-esr52 --- affected
firefox53 --- wontfix
firefox54 --- wontfix
firefox55 - wontfix
firefox56 + wontfix
firefox57 + fix-optional
firefox58 --- affected
firefox59 --- affected
firefox60 --- affected

People

(Reporter: philipp, Unassigned)

This bug was filed from the Socorro interface and is report bp-f43fdfee-296b-4c17-90f1-1d3992170224.
=============================================================
Crashing Thread (0)
Frame  Module  Signature  Source
0  xul.dll  PLDHashTable::Add(void const*, mozilla::fallible_t const&)  xpcom/glue/PLDHashTable.cpp:571
1  xul.dll  TraversalTracer::onChild(JS::GCCellPtr const&)  xpcom/base/CycleCollectedJSContext.cpp:358
2  xul.dll  JS::CallbackTracer::onObjectEdge(JSObject**)  obj-firefox/dist/include/js/TracingAPI.h:142
3  xul.dll  DispatchToTracer<JSObject*>(JSTracer*, JSObject**, char const*)  js/src/gc/Marking.cpp:676
4  xul.dll  mozilla::JSGCThingParticipant::Traverse(void*, nsCycleCollectionTraversalCallback&)  xpcom/base/CycleCollectedJSContext.cpp:305
5  xul.dll  CCGraphBuilder::BuildGraph(js::SliceBudget&)  xpcom/base/nsCycleCollector.cpp:2279
6  xul.dll  nsCycleCollector::MarkRoots(js::SliceBudget&)  xpcom/base/nsCycleCollector.cpp:2871
7  xul.dll  nsCycleCollector::Collect(ccType, js::SliceBudget&, nsICycleCollectorListener*, bool)  xpcom/base/nsCycleCollector.cpp:3645
8  xul.dll  nsCycleCollector_collect(nsICycleCollectorListener*)  xpcom/base/nsCycleCollector.cpp:4133

This crash signature was around for a while already, but it first jumped up in the 48 release - 49 was curiously not affected but the signature returned in 50 and 51 with an increasing frequency. It happens across all versions of Windows but user comments don't paint a clear picture what may be triggering this.
Some correlations for Firefox Beta:
(96.12% in signature vs 09.76% overall) address = 0x0
(51.16% in signature vs 18.83% overall) "EGL+" in app_notes = true [92.31% vs 07.71% if process_type = null]
(100.0% in signature vs 29.26% overall) is_garbage_collecting = null
(100.0% in signature vs 33.85% overall) reason = EXCEPTION_ACCESS_VIOLATION_READ
(74.42% in signature vs 33.21% overall) ipc_message_name = null
(36.43% in signature vs 06.30% overall) contains_memory_report = 1
(31.01% in signature vs 04.24% overall) GFX_ERROR "Failed 2 buffer db=" = true [24.47% vs 04.28% if startup_crash = 0]
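One way to rank the correlations listed in the comment above by how over-represented each attribute is in this signature. This is an added example, not part of the bug report or of Socorro's own tooling; the names `Correlation`, `parse` and `ranked` and the lift ratio are assumptions of the example.

```python
import re
from dataclasses import dataclass
from typing import List, Optional

# Correlation text as it appears in the comment above (flattened onto one line).
REPORT = (
    '(96.12% in signature vs 09.76% overall) address = 0x0 '
    '(51.16% in signature vs 18.83% overall) "EGL+" in app_notes = true '
    '[92.31% vs 07.71% if process_type = null] '
    '(100.0% in signature vs 29.26% overall) is_garbage_collecting = null '
    '(100.0% in signature vs 33.85% overall) reason = EXCEPTION_ACCESS_VIOLATION_READ '
    '(74.42% in signature vs 33.21% overall) ipc_message_name = null '
    '(36.43% in signature vs 06.30% overall) contains_memory_report = 1 '
    '(31.01% in signature vs 04.24% overall) GFX_ERROR "Failed 2 buffer db=" = true '
    '[24.47% vs 04.28% if startup_crash = 0]'
)

# One item: "(A% in signature vs B% overall) <attribute>", ending where the next item starts.
ITEM = re.compile(r'\((\d[\d.]*)% in signature vs (\d[\d.]*)% overall\)\s*'
                  r'(.*?)(?=\s*\(\d[\d.]*% in signature|\s*$)', re.S)
# Optional trailing qualifier: "[C% vs D% if <prior>]".
QUALIFIER = re.compile(r'^(.*?)\s*\[\d[\d.]*% vs \d[\d.]*% if ([^\]]+)\]$', re.S)

@dataclass
class Correlation:
    attribute: str
    in_signature: float          # % of crashes with this signature that have the attribute
    overall: float               # % of all crashes that have it
    given: Optional[str] = None  # the "if ..." prior, when the report prints one

    @property
    def lift(self) -> float:
        # Over-representation ratio (an assumption of this example, not a Socorro field).
        return self.in_signature / self.overall if self.overall else float('inf')

def parse(text: str) -> List[Correlation]:
    items = []
    for m in ITEM.finditer(text):
        attribute, given = m.group(3).strip(), None
        q = QUALIFIER.match(attribute)
        if q:
            attribute, given = q.group(1), q.group(2).strip()
        items.append(Correlation(attribute, float(m.group(1)), float(m.group(2)), given))
    return items

def ranked(text: str) -> List[Correlation]:
    return sorted(parse(text), key=lambda c: c.lift, reverse=True)

if __name__ == '__main__':
    for c in ranked(REPORT):
        print(f'{c.lift:5.2f}x  {c.attribute}' + (f'  (if {c.given})' if c.given else ''))
```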
Component: DOM → XPCOM
See Also: → 1216776
This could be an OOM while trying to grow the table.
Too late for firefox 52, mass-wontfix.
This is the #9 browser crash on 54 release, accounting for 1% of all browser crashes.
(In reply to Andrew McCreight [:mccr8] from comment #1)
> This could be an OOM while trying to grow the table.

This seems unlikely. Consider https://crash-stats.mozilla.com/report/index/4d25a44e-a0b6-4c91-9b2e-0e3430170722 (crash in Firefox 54) for instance: the associated line 571 is:
https://hg.mozilla.org/releases/mozilla-release/annotate/90f18f9c15f7/xpcom/ds/PLDHashTable.cpp#l571
which has nothing to do with memory allocation; we're just searching through the table. Crashes on 52esr and 53 point at the same line as well.

I'm not sure what would be dealing with nullptr at that point... Thoughts?
Flags: needinfo?(continuation)
Priority: -- → P1
I don't know what the hashtable is doing here, or why it would have null. We do get the occasional weird hashtable crash in the CC.
Flags: needinfo?(continuation)
Crash Signature: [@ PLDHashTable::Add | TraversalTracer::onChild] → [@ PLDHashTable::Add | TraversalTracer::onChild] [@ PLDHashTable::Add | js::DispatchTyped<T>]
Too late for 55 but tracking for 56 as the volume is pretty high.
This is a P1 bug without an assignee. P1 are bugs which are being worked on for the current release cycle/iteration/sprint. If the bug is not assigned by Monday, 28 August, the bug's priority will be reset to '--'.
Keywords: stale-bug
Keywords: stale-bug
Crash Signature: [@ PLDHashTable::Add | TraversalTracer::onChild] [@ PLDHashTable::Add | js::DispatchTyped<T>] → [@ PLDHashTable::Add | TraversalTracer::onChild] [@ PLDHashTable::Add | js::DispatchTyped<T>] [@ PtrToNodeMatchEntry ]
Status: NEW → RESOLVED
Closed: 8 years ago
Resolution: --- → DUPLICATE
Marking this as fix optional/wontfix since we are tracking it in the duplicate bug.
Signature report for PLDHashTable::Add | TraversalTracer::onChild
Showing results from 7 days ago
Firefox 60.0a1   12  1.0%  16
Firefox 59.0b6    7  0.6%   6
Firefox 59.0b5   33  2.8%  24
Firefox 59.0b4   26  2.2%  34
Firefox 59.0b3    8  0.7%   6
Firefox 58.0b99   4  0.3%   5
Firefox 58.0b16   3  0.3%   3
Firefox 58.0b14   3  0.3%   3
Firefox 58.0     79  6.8%  67
Firefox 57.0b4    1  0.1%   1
Firefox 57.0.4   36  3.1%  35
Firefox 57.0.2    1  0.1%   1