Closed Bug 1359231 Opened 5 years ago Closed 2 months ago

Crashes when cycle collector traces JS

Categories

(Core :: XPCOM, defect, P3)

Product:
Core
Component:
XPCOM
Version:
54 Branch
Platform:
x86
Windows
Type:
defect

Tracking

()

Status:
RESOLVED WORKSFORME
Tracking Flags:
Tracking Status
firefox-esr45 --- unaffected
firefox-esr52 --- unaffected
firefox53 --- unaffected
firefox54 --- affected
firefox55 --- ?

People

(Reporter: philipp, Unassigned)

References

Details

(Keywords: crash)

Crash Data

This bug was filed from the Socorro interface and is 
report bp-dbe7acae-68c7-470a-9cb3-34f7d0170424.
=============================================================
Crashing Thread (0)
Frame 	Module 	Signature 	Source
0 	xul.dll 	CanCheckGrayBits 	js/src/jsgc.cpp:7882
1 	xul.dll 	CheckParticipatesInCycleCollection 	xpcom/base/CycleCollectedJSContext.cpp:295
2 	xul.dll 	TraceCallbackFunc::Trace(JSObject**, char const*, void*) 	xpcom/base/nsCycleCollectorTraceJSHelpers.cpp:68
3 	xul.dll 	mozilla::dom::FragmentOrElement::cycleCollection::Trace(void*, TraceCallbacks const&, void*) 	dom/base/FragmentOrElement.cpp:1432
4 	xul.dll 	mozilla::CycleCollectedJSContext::TraverseNativeRoots(nsCycleCollectionNoteRootCallback&) 	xpcom/base/CycleCollectedJSContext.cpp:775
5 	xul.dll 	mozilla::CycleCollectedJSContext::TraverseRoots(nsCycleCollectionNoteRootCallback&) 	xpcom/base/CycleCollectedJSContext.cpp:1234
6 	xul.dll 	nsCycleCollector::BeginCollection(ccType, nsICycleCollectorListener*) 	xpcom/base/nsCycleCollector.cpp:3863
7 	xul.dll 	nsCycleCollector::Collect(ccType, js::SliceBudget&, nsICycleCollectorListener*, bool) 	xpcom/base/nsCycleCollector.cpp:3661
8 	xul.dll 	nsCycleCollector_collectSlice(js::SliceBudget&, bool) 	xpcom/base/nsCycleCollector.cpp:4170
9 	xul.dll 	nsJSContext::RunCycleCollectorSlice() 	dom/base/nsJSEnvironment.cpp:1487
10 	xul.dll 	CCTimerFired 	dom/base/nsJSEnvironment.cpp:1822
11 	xul.dll 	nsTimerImpl::Fire(int) 	xpcom/threads/nsTimerImpl.cpp:498
12 	xul.dll 	nsTimerEvent::Run() 	xpcom/threads/TimerThread.cpp:288
13 	xul.dll 	mozilla::ValidatingDispatcher::Runnable::Run() 	xpcom/threads/Dispatcher.cpp:257
14 	xul.dll 	nsThread::ProcessNextEvent(bool, bool*) 	xpcom/threads/nsThread.cpp:1264
15 	xul.dll 	mozilla::ipc::MessagePump::Run(base::MessagePump::Delegate*) 	ipc/glue/MessagePump.cpp:96
16 	xul.dll 	mozilla::ipc::MessagePumpForChildProcess::Run(base::MessagePump::Delegate*) 	ipc/glue/MessagePump.cpp:301
17 	xul.dll 	MessageLoop::RunHandler() 	ipc/chromium/src/base/message_loop.cc:231
18 	xul.dll 	MessageLoop::Run() 	ipc/chromium/src/base/message_loop.cc:211
19 	xul.dll 	nsBaseAppShell::Run() 	widget/nsBaseAppShell.cpp:156
20 	xul.dll 	nsAppShell::Run() 	widget/windows/nsAppShell.cpp:269
21 	xul.dll 	XRE_RunAppShell() 	toolkit/xre/nsEmbedFunctions.cpp:869
22 	xul.dll 	mozilla::ipc::MessagePumpForChildProcess::Run(base::MessagePump::Delegate*) 	ipc/glue/MessagePump.cpp:269
23 	xul.dll 	MessageLoop::RunHandler() 	ipc/chromium/src/base/message_loop.cc:231
24 	xul.dll 	MessageLoop::Run() 	ipc/chromium/src/base/message_loop.cc:211
25 	xul.dll 	XRE_InitChildProcess(int, char** const, XREChildData const*) 	toolkit/xre/nsEmbedFunctions.cpp:693
26 	xul.dll 	mozilla::BootstrapImpl::XRE_InitChildProcess(int, char** const, XREChildData const*) 	toolkit/xre/Bootstrap.cpp:65
27 	firefox.exe 	content_process_main(mozilla::Bootstrap*, int, char** const) 	ipc/contentproc/plugin-container.cpp:64
28 	firefox.exe 	wmain 	toolkit/xre/nsWindowsWMain.cpp:115
29 	firefox.exe 	__scrt_common_main_seh 	f:/dd/vctools/crt/vcstartup/src/startup/exe_common.inl:253
30 	kernel32.dll 	BaseThreadInitThunk 	
31 	ntdll.dll 	__RtlUserThreadStart 	
32 	ntdll.dll 	_RtlUserThreadStart

this crash signature is newly showing up in firefox 54 - though in rather low volume in 54.0b1 so far.
This looks like a bad pointer being passed into JS::ObjectIsMarkedGray from the cycle collector.
Component: JavaScript: GC → XPCOM
Andrew, do you have insight here?
Flags: needinfo?(continuation)
This is just a signature change.
Flags: needinfo?(continuation)
Duplicate of this bug: 1358845
Crash Signature: [@ CanCheckGrayBits] → [@ CanCheckGrayBits] [@ JS::GCCellPtr::mayBeOwnedByOtherRuntime ]
Summary: Crash in CanCheckGrayBits → Crashes when cycle collector traces JS
Andrew, this is still a regression, right? Is this something actionable?
Flags: needinfo?(continuation)
(In reply to Kan-Ru Chen [:kanru] (UTC+8) from comment #5)
> Andrew, this is still a regression, right? Is this something actionable?

This isn't a regression. We've had crashes in CC Trace methods for quite a while. Jon just recently added a new method CanCheckGrayBits that changed the signature.
Flags: needinfo?(continuation)
Keywords: regression
Severity: critical → normal
Priority: -- → P3

Closing because no crashes reported for 12 weeks.

Status: NEW → RESOLVED
Closed: 2 months ago
Resolution: --- → WORKSFORME
You need to log in before you can comment on or make changes to this bug.