Closed Bug 1359231 Opened 8 years ago Closed 4 years ago

Crashes when cycle collector traces JS

Categories

(Core :: XPCOM, defect, P3)

54 Branch
x86
Windows
defect

Tracking


RESOLVED WORKSFORME
Tracking Status
firefox-esr45 --- unaffected
firefox-esr52 --- unaffected
firefox53 --- unaffected
firefox54 --- affected
firefox55 --- ?

People

(Reporter: philipp, Unassigned)

References

Details

(Keywords: crash)

Crash Data

This bug was filed from the Socorro interface and is report bp-dbe7acae-68c7-470a-9cb3-34f7d0170424.
=============================================================
Crashing Thread (0)
Frame Module Signature Source
0 xul.dll CanCheckGrayBits js/src/jsgc.cpp:7882
1 xul.dll CheckParticipatesInCycleCollection xpcom/base/CycleCollectedJSContext.cpp:295
2 xul.dll TraceCallbackFunc::Trace(JSObject**, char const*, void*) xpcom/base/nsCycleCollectorTraceJSHelpers.cpp:68
3 xul.dll mozilla::dom::FragmentOrElement::cycleCollection::Trace(void*, TraceCallbacks const&, void*) dom/base/FragmentOrElement.cpp:1432
4 xul.dll mozilla::CycleCollectedJSContext::TraverseNativeRoots(nsCycleCollectionNoteRootCallback&) xpcom/base/CycleCollectedJSContext.cpp:775
5 xul.dll mozilla::CycleCollectedJSContext::TraverseRoots(nsCycleCollectionNoteRootCallback&) xpcom/base/CycleCollectedJSContext.cpp:1234
6 xul.dll nsCycleCollector::BeginCollection(ccType, nsICycleCollectorListener*) xpcom/base/nsCycleCollector.cpp:3863
7 xul.dll nsCycleCollector::Collect(ccType, js::SliceBudget&, nsICycleCollectorListener*, bool) xpcom/base/nsCycleCollector.cpp:3661
8 xul.dll nsCycleCollector_collectSlice(js::SliceBudget&, bool) xpcom/base/nsCycleCollector.cpp:4170
9 xul.dll nsJSContext::RunCycleCollectorSlice() dom/base/nsJSEnvironment.cpp:1487
10 xul.dll CCTimerFired dom/base/nsJSEnvironment.cpp:1822
11 xul.dll nsTimerImpl::Fire(int) xpcom/threads/nsTimerImpl.cpp:498
12 xul.dll nsTimerEvent::Run() xpcom/threads/TimerThread.cpp:288
13 xul.dll mozilla::ValidatingDispatcher::Runnable::Run() xpcom/threads/Dispatcher.cpp:257
14 xul.dll nsThread::ProcessNextEvent(bool, bool*) xpcom/threads/nsThread.cpp:1264
15 xul.dll mozilla::ipc::MessagePump::Run(base::MessagePump::Delegate*) ipc/glue/MessagePump.cpp:96
16 xul.dll mozilla::ipc::MessagePumpForChildProcess::Run(base::MessagePump::Delegate*) ipc/glue/MessagePump.cpp:301
17 xul.dll MessageLoop::RunHandler() ipc/chromium/src/base/message_loop.cc:231
18 xul.dll MessageLoop::Run() ipc/chromium/src/base/message_loop.cc:211
19 xul.dll nsBaseAppShell::Run() widget/nsBaseAppShell.cpp:156
20 xul.dll nsAppShell::Run() widget/windows/nsAppShell.cpp:269
21 xul.dll XRE_RunAppShell() toolkit/xre/nsEmbedFunctions.cpp:869
22 xul.dll mozilla::ipc::MessagePumpForChildProcess::Run(base::MessagePump::Delegate*) ipc/glue/MessagePump.cpp:269
23 xul.dll MessageLoop::RunHandler() ipc/chromium/src/base/message_loop.cc:231
24 xul.dll MessageLoop::Run() ipc/chromium/src/base/message_loop.cc:211
25 xul.dll XRE_InitChildProcess(int, char** const, XREChildData const*) toolkit/xre/nsEmbedFunctions.cpp:693
26 xul.dll mozilla::BootstrapImpl::XRE_InitChildProcess(int, char** const, XREChildData const*) toolkit/xre/Bootstrap.cpp:65
27 firefox.exe content_process_main(mozilla::Bootstrap*, int, char** const) ipc/contentproc/plugin-container.cpp:64
28 firefox.exe wmain toolkit/xre/nsWindowsWMain.cpp:115
29 firefox.exe __scrt_common_main_seh f:/dd/vctools/crt/vcstartup/src/startup/exe_common.inl:253
30 kernel32.dll BaseThreadInitThunk
31 ntdll.dll __RtlUserThreadStart
32 ntdll.dll _RtlUserThreadStart

This crash signature is newly showing up in Firefox 54, though in rather low volume in 54.0b1 so far.
This looks like a bad pointer being passed into JS::ObjectIsMarkedGray from the cycle collector.
Component: JavaScript: GC → XPCOM
Andrew, do you have insight here?
Flags: needinfo?(continuation)
This is just a signature change.
Flags: needinfo?(continuation)
Crash Signature: [@ CanCheckGrayBits] → [@ CanCheckGrayBits] [@ JS::GCCellPtr::mayBeOwnedByOtherRuntime ]
Summary: Crash in CanCheckGrayBits → Crashes when cycle collector traces JS
Andrew, this is still a regression, right? Is this something actionable?
Flags: needinfo?(continuation)
(In reply to Kan-Ru Chen [:kanru] (UTC+8) from comment #5)
> Andrew, this is still a regression, right? Is this something actionable?

This isn't a regression. We've had crashes in CC Trace methods for quite a while. Jon just recently added a new method CanCheckGrayBits that changed the signature.
Flags: needinfo?(continuation)
Keywords: regression
Severity: critical → normal
Priority: -- → P3

Closing because no crashes reported for 12 weeks.

Status: NEW → RESOLVED
Closed: 4 years ago
Resolution: --- → WORKSFORME