Closed
Bug 1359231
Opened 7 years ago
Closed 3 years ago
Crashes when cycle collector traces JS
Categories
(Core :: XPCOM, defect, P3)
Tracking
()
RESOLVED
WORKSFORME
| Tracking | Status | |
|---|---|---|
| firefox-esr45 | --- | unaffected |
| firefox-esr52 | --- | unaffected |
| firefox53 | --- | unaffected |
| firefox54 | --- | affected |
| firefox55 | --- | ? |
People
(Reporter: philipp, Unassigned)
References
Details
(Keywords: crash)
Crash Data
This bug was filed from the Socorro interface and is report bp-dbe7acae-68c7-470a-9cb3-34f7d0170424. ============================================================= Crashing Thread (0) Frame Module Signature Source 0 xul.dll CanCheckGrayBits js/src/jsgc.cpp:7882 1 xul.dll CheckParticipatesInCycleCollection xpcom/base/CycleCollectedJSContext.cpp:295 2 xul.dll TraceCallbackFunc::Trace(JSObject**, char const*, void*) xpcom/base/nsCycleCollectorTraceJSHelpers.cpp:68 3 xul.dll mozilla::dom::FragmentOrElement::cycleCollection::Trace(void*, TraceCallbacks const&, void*) dom/base/FragmentOrElement.cpp:1432 4 xul.dll mozilla::CycleCollectedJSContext::TraverseNativeRoots(nsCycleCollectionNoteRootCallback&) xpcom/base/CycleCollectedJSContext.cpp:775 5 xul.dll mozilla::CycleCollectedJSContext::TraverseRoots(nsCycleCollectionNoteRootCallback&) xpcom/base/CycleCollectedJSContext.cpp:1234 6 xul.dll nsCycleCollector::BeginCollection(ccType, nsICycleCollectorListener*) xpcom/base/nsCycleCollector.cpp:3863 7 xul.dll nsCycleCollector::Collect(ccType, js::SliceBudget&, nsICycleCollectorListener*, bool) xpcom/base/nsCycleCollector.cpp:3661 8 xul.dll nsCycleCollector_collectSlice(js::SliceBudget&, bool) xpcom/base/nsCycleCollector.cpp:4170 9 xul.dll nsJSContext::RunCycleCollectorSlice() dom/base/nsJSEnvironment.cpp:1487 10 xul.dll CCTimerFired dom/base/nsJSEnvironment.cpp:1822 11 xul.dll nsTimerImpl::Fire(int) xpcom/threads/nsTimerImpl.cpp:498 12 xul.dll nsTimerEvent::Run() xpcom/threads/TimerThread.cpp:288 13 xul.dll mozilla::ValidatingDispatcher::Runnable::Run() xpcom/threads/Dispatcher.cpp:257 14 xul.dll nsThread::ProcessNextEvent(bool, bool*) xpcom/threads/nsThread.cpp:1264 15 xul.dll mozilla::ipc::MessagePump::Run(base::MessagePump::Delegate*) ipc/glue/MessagePump.cpp:96 16 xul.dll mozilla::ipc::MessagePumpForChildProcess::Run(base::MessagePump::Delegate*) ipc/glue/MessagePump.cpp:301 17 xul.dll MessageLoop::RunHandler() ipc/chromium/src/base/message_loop.cc:231 18 xul.dll MessageLoop::Run() ipc/chromium/src/base/message_loop.cc:211 19 xul.dll nsBaseAppShell::Run() widget/nsBaseAppShell.cpp:156 20 xul.dll nsAppShell::Run() widget/windows/nsAppShell.cpp:269 21 xul.dll XRE_RunAppShell() toolkit/xre/nsEmbedFunctions.cpp:869 22 xul.dll mozilla::ipc::MessagePumpForChildProcess::Run(base::MessagePump::Delegate*) ipc/glue/MessagePump.cpp:269 23 xul.dll MessageLoop::RunHandler() ipc/chromium/src/base/message_loop.cc:231 24 xul.dll MessageLoop::Run() ipc/chromium/src/base/message_loop.cc:211 25 xul.dll XRE_InitChildProcess(int, char** const, XREChildData const*) toolkit/xre/nsEmbedFunctions.cpp:693 26 xul.dll mozilla::BootstrapImpl::XRE_InitChildProcess(int, char** const, XREChildData const*) toolkit/xre/Bootstrap.cpp:65 27 firefox.exe content_process_main(mozilla::Bootstrap*, int, char** const) ipc/contentproc/plugin-container.cpp:64 28 firefox.exe wmain toolkit/xre/nsWindowsWMain.cpp:115 29 firefox.exe __scrt_common_main_seh f:/dd/vctools/crt/vcstartup/src/startup/exe_common.inl:253 30 kernel32.dll BaseThreadInitThunk 31 ntdll.dll __RtlUserThreadStart 32 ntdll.dll _RtlUserThreadStart this crash signature is newly showing up in firefox 54 - though in rather low volume in 54.0b1 so far.
|
||
Comment 1•7 years ago
|
||
This looks like a bad pointer being passed into JS::ObjectIsMarkedGray from the cycle collector.
Component: JavaScript: GC → XPCOM
|
||
Updated•7 years ago
|
Crash Signature: [@ CanCheckGrayBits] → [@ CanCheckGrayBits] [@ JS::GCCellPtr::mayBeOwnedByOtherRuntime ]
|
|
||
Updated•7 years ago
|
Summary: Crash in CanCheckGrayBits → Crashes when cycle collector traces JS
|
||
Comment 5•7 years ago
|
||
Andrew, this is still a regression, right? Is this something actionable?
Flags: needinfo?(continuation)
|
|
||
Comment 6•7 years ago
|
||
(In reply to Kan-Ru Chen [:kanru] (UTC+8) from comment #5) > Andrew, this is still a regression, right? Is this something actionable? This isn't a regression. We've had crashes in CC Trace methods for quite a while. Jon just recently added a new method CanCheckGrayBits that changed the signature.
Flags: needinfo?(continuation)
Keywords: regression
|
||
Updated•7 years ago
|
Severity: critical → normal
Priority: -- → P3
|
||
Comment 7•3 years ago
|
||
Closing because no crashes reported for 12 weeks.
Status: NEW → RESOLVED
Closed: 3 years ago
Resolution: --- → WORKSFORME
You need to log in
before you can comment on or make changes to this bug.
Description
•