Closed
Bug 1508102
Opened 6 years ago
Closed 5 years ago
Intermittent application crashed [@ js::InternalBarrierMethods<JSObject*>::postBarrier(JSObject**, JSObject*, JSObject*)]
Categories
(Core :: JavaScript Engine, defect, P2)
Tracking
()
RESOLVED
FIXED
mozilla66
Version | Tracking | Status |
---|---|---|
firefox-esr60 | --- | unaffected |
firefox63 | --- | wontfix |
firefox64 | --- | wontfix |
firefox65 | --- | fixed |
firefox66 | --- | fixed |
People
(Reporter: intermittent-bug-filer, Assigned: jandem)
References
(Regression)
Details
(4 keywords, Whiteboard: [post-critsmash-triage][adv-main65+])
Attachments
(1 file)
2.93 KB, patch | mccr8: review+ | abillings: sec-approval+
Filed by: ccoroiu [at] mozilla.com https://treeherder.mozilla.org/logviewer.html#?job_id=212453544&repo=mozilla-central https://queue.taskcluster.net/v1/task/DDN2CngSQH2I3yoAnzPiOw/runs/0/artifacts/public/logs/live_backing.log 15:12:34 INFO - TEST-OK | browser/base/content/test/trackingUI/browser_trackingUI_pbmode_exceptions.js | took 2555ms 15:12:34 INFO - checking window state 15:12:35 INFO - GECKO(2435) | [GFX1-]: Receive IPC close with reason=AbnormalShutdown 15:12:35 INFO - GECKO(2435) | ** Unknown exception behavior: -2147483647 15:12:35 INFO - GECKO(2435) | ** Unknown exception behavior: -2147483647 15:12:35 INFO - GECKO(2435) | ** Unknown exception behavior: -2147483647 15:12:35 INFO - GECKO(2435) | ** Unknown exception behavior: -2147483647 15:12:35 INFO - GECKO(2435) | ** Unknown exception behavior: -2147483647 15:12:35 INFO - GECKO(2435) | ** Unknown exception behavior: -2147483647 15:12:35 INFO - GECKO(2435) | ** Unknown exception behavior: -2147483647 15:12:35 INFO - GECKO(2435) | ** Unknown exception behavior: -2147483647 15:12:35 INFO - GECKO(2435) | ** Unknown exception behavior: -2147483647 15:12:35 INFO - GECKO(2435) | ** Unknown exception behavior: -2147483647 15:12:37 INFO - TEST-INFO | Main app process: exit 1 15:12:37 INFO - Buffered messages finished 15:12:37 ERROR - TEST-UNEXPECTED-FAIL | Last test finished | application terminated with exit code 1 15:12:37 INFO - runtests.py | Application ran for: 0:00:32.599863 15:12:37 INFO - zombiecheck | Reading PID log: /var/folders/55/svhwy2bs7ldd440d_ckhgzqr00000x/T/tmpMKTPZNpidlog 15:12:37 INFO - ==> process 2435 launched child process 2436 15:12:37 INFO - ==> process 2435 launched child process 2437 15:12:37 INFO - ==> process 2435 launched child process 2438 15:12:37 INFO - ==> process 2435 launched child process 2439 15:12:37 INFO - ==> process 2435 launched child process 2440 15:12:37 INFO - ==> process 2435 launched child process 2441 15:12:37 INFO - ==> process 2435 launched child process 2442 
15:12:37 INFO - ==> process 2435 launched child process 2443 15:12:37 INFO - ==> process 2435 launched child process 2444 15:12:37 INFO - ==> process 2435 launched child process 2445 15:12:37 INFO - zombiecheck | Checking for orphan process with PID: 2436 15:12:37 INFO - zombiecheck | Checking for orphan process with PID: 2437 15:12:37 INFO - zombiecheck | Checking for orphan process with PID: 2438 15:12:37 INFO - zombiecheck | Checking for orphan process with PID: 2439 15:12:37 INFO - zombiecheck | Checking for orphan process with PID: 2440 15:12:37 INFO - zombiecheck | Checking for orphan process with PID: 2441 15:12:37 INFO - zombiecheck | Checking for orphan process with PID: 2442 15:12:37 INFO - zombiecheck | Checking for orphan process with PID: 2443 15:12:37 INFO - zombiecheck | Checking for orphan process with PID: 2444 15:12:37 INFO - zombiecheck | Checking for orphan process with PID: 2445 15:12:37 INFO - mozcrash Downloading symbols from: https://queue.taskcluster.net/v1/task/UNPa5s9FQAmLvEj2Ss0rzQ/artifacts/public/build/target.crashreporter-symbols.zip 15:12:47 INFO - mozcrash Copy/paste: /Users/cltbld/tasks/task_1542494822/build/macosx64-minidump_stackwalk /var/folders/55/svhwy2bs7ldd440d_ckhgzqr00000x/T/tmp5ZweZM.mozrunner/minidumps/B5EA3390-A9D2-4201-B835-51A884778B3F.dmp /var/folders/55/svhwy2bs7ldd440d_ckhgzqr00000x/T/tmp4SdpeU 15:13:04 INFO - mozcrash Saved minidump as /Users/cltbld/tasks/task_1542494822/build/blobber_upload_dir/B5EA3390-A9D2-4201-B835-51A884778B3F.dmp 15:13:04 INFO - mozcrash Saved app info as /Users/cltbld/tasks/task_1542494822/build/blobber_upload_dir/B5EA3390-A9D2-4201-B835-51A884778B3F.extra 15:13:04 INFO - PROCESS-CRASH | Last test finished | application crashed [@ js::InternalBarrierMethods<JSObject*>::postBarrier(JSObject**, JSObject*, JSObject*)] 15:13:04 INFO - Crash dump filename: /var/folders/55/svhwy2bs7ldd440d_ckhgzqr00000x/T/tmp5ZweZM.mozrunner/minidumps/B5EA3390-A9D2-4201-B835-51A884778B3F.dmp 15:13:04 INFO - 
Operating system: Mac OS X 15:13:04 INFO - 10.10.5 14F27 15:13:04 INFO - CPU: amd64 15:13:04 INFO - family 6 model 69 stepping 1 15:13:04 INFO - 4 CPUs 15:13:04 INFO - 15:13:04 INFO - GPU: UNKNOWN 15:13:04 INFO - 15:13:04 INFO - Crash reason: EXC_BAD_ACCESS / KERN_INVALID_ADDRESS 15:13:04 INFO - Crash address: 0x334ffff0 15:13:04 INFO - Process uptime: 30 seconds 15:13:04 INFO - 15:13:04 INFO - Thread 0 (crashed) 15:13:04 INFO - 0 XUL!js::InternalBarrierMethods<JSObject*>::postBarrier(JSObject**, JSObject*, JSObject*) [Cell.h:77223bb2fac278373dfcdde11fcda74b4c80aa61 : 286 + 0x0] 15:13:04 INFO - rax = 0x0000000000000000 rdx = 0x0000000000000000 15:13:04 INFO - rcx = 0x0000000000000000 rbx = 0x000000012b617350 15:13:04 INFO - rsi = 0x0000000133400000 rdi = 0x000000012b617350 15:13:04 INFO - rbp = 0x00007fff5c91d850 rsp = 0x00007fff5c91d820 15:13:04 INFO - r8 = 0x00000001098ccc18 r9 = 0x0000000104195ff0 15:13:04 INFO - r10 = 0x0000000000063de0 r11 = 0x000000008529d7b1 15:13:04 INFO - r12 = 0x00007fff5c91da30 r13 = 0x0000000000000066 15:13:04 INFO - r14 = 0x0000000000000132 r15 = 0x000000012a5ef9a8 15:13:04 INFO - rip = 0x0000000108a5ff07 15:13:04 INFO - Found by: given as instruction pointer in context 15:13:04 INFO - 1 XUL!nsXPCWrappedJS::~nsXPCWrappedJS() [Barrier.cpp:77223bb2fac278373dfcdde11fcda74b4c80aa61 : 245 + 0x7] 15:13:04 INFO - rbp = 0x00007fff5c91d870 rsp = 0x00007fff5c91d860 15:13:04 INFO - rip = 0x0000000104e0a84f 15:13:04 INFO - Found by: previous frame's frame pointer 15:13:04 INFO - 2 XUL!nsXPCWrappedJS::~nsXPCWrappedJS() [XPCWrappedJS.cpp:77223bb2fac278373dfcdde11fcda74b4c80aa61 : 460 + 0x5] 15:13:04 INFO - rbp = 0x00007fff5c91d890 rsp = 0x00007fff5c91d880 15:13:04 INFO - rip = 0x0000000104e0a8ce 15:13:04 INFO - Found by: previous frame's frame pointer 15:13:04 INFO - 3 XUL!SnowWhiteKiller::~SnowWhiteKiller() [nsCycleCollector.cpp:77223bb2fac278373dfcdde11fcda74b4c80aa61 : 2754 + 0x6] 15:13:04 INFO - rbp = 0x00007fff5c91d8f0 rsp = 0x00007fff5c91d8a0 
15:13:04 INFO - rip = 0x00000001041a56bb 15:13:04 INFO - Found by: previous frame's frame pointer 15:13:04 INFO - 4 XUL!nsCycleCollector::Collect(ccType, js::SliceBudget&, nsICycleCollectorListener*, bool) [nsCycleCollector.cpp:77223bb2fac278373dfcdde11fcda74b4c80aa61 : 2737 + 0x9] 15:13:04 INFO - rbp = 0x00007fff5c91daa0 rsp = 0x00007fff5c91d900 15:13:04 INFO - rip = 0x000000010419c900 15:13:04 INFO - Found by: previous frame's frame pointer 15:13:04 INFO - 5 XUL!nsCycleCollector_collect(nsICycleCollectorListener*) [nsCycleCollector.cpp:77223bb2fac278373dfcdde11fcda74b4c80aa61 : 4411 + 0x10] 15:13:04 INFO - rbp = 0x00007fff5c91db00 rsp = 0x00007fff5c91dab0 15:13:04 INFO - rip = 0x000000010419fbde 15:13:04 INFO - Found by: previous frame's frame pointer 15:13:04 INFO - 6 XUL!nsJSContext::CycleCollectNow(nsICycleCollectorListener*) [nsJSEnvironment.cpp:77223bb2fac278373dfcdde11fcda74b4c80aa61 : 1526 + 0x8] 15:13:04 INFO - rbp = 0x00007fff5c91db30 rsp = 0x00007fff5c91db10 15:13:04 INFO - rip = 0x0000000105756acc 15:13:04 INFO - Found by: previous frame's frame pointer 15:13:04 INFO - 7 XUL!nsJSEnvironmentObserver::Observe(nsISupports*, char const*, char16_t const*) [nsJSEnvironment.cpp:77223bb2fac278373dfcdde11fcda74b4c80aa61 : 342 + 0x7] 15:13:04 INFO - rbp = 0x00007fff5c91dbe0 rsp = 0x00007fff5c91db40 15:13:04 INFO - rip = 0x0000000105756186 15:13:04 INFO - Found by: previous frame's frame pointer 15:13:04 INFO - 8 XUL!nsObserverService::NotifyObservers(nsISupports*, char const*, char16_t const*) [nsObserverList.cpp:77223bb2fac278373dfcdde11fcda74b4c80aa61 : 111 + 0xf] 15:13:04 INFO - rbp = 0x00007fff5c91dc40 rsp = 0x00007fff5c91dbf0 15:13:04 INFO - rip = 0x00000001041c234f 15:13:04 INFO - Found by: previous frame's frame pointer 15:13:04 INFO - 9 XUL!NS_InvokeByIndex + 0x8e 15:13:04 INFO - rbp = 0x00007fff5c91dc80 rsp = 0x00007fff5c91dc50 15:13:04 INFO - rip = 0x000000010397bdee 15:13:04 INFO - Found by: previous frame's frame pointer 15:13:04 INFO - 10 
XUL!XPCWrappedNative::CallMethod(XPCCallContext&, XPCWrappedNative::CallMode) [XPCWrappedNative.cpp:77223bb2fac278373dfcdde11fcda74b4c80aa61 : 1735 + 0x5] 15:13:04 INFO - rbp = 0x00007fff5c91dea0 rsp = 0x00007fff5c91dc90 15:13:04 INFO - rip = 0x0000000104e16219 15:13:04 INFO - Found by: previous frame's frame pointer 15:13:04 INFO - 11 XUL!XPC_WN_CallMethod(JSContext*, unsigned int, JS::Value*) [XPCWrappedNativeJSOps.cpp:77223bb2fac278373dfcdde11fcda74b4c80aa61 : 1020 + 0x8] 15:13:04 INFO - rbp = 0x00007fff5c91dfb0 rsp = 0x00007fff5c91deb0 15:13:04 INFO - rip = 0x0000000104e17c08 15:13:04 INFO - Found by: previous frame's frame pointer 15:13:04 INFO - 12 XUL!js::InternalCallOrConstruct(JSContext*, JS::CallArgs const&, js::MaybeConstruct) [Interpreter.cpp:77223bb2fac278373dfcdde11fcda74b4c80aa61 : 468 + 0x6] 15:13:04 INFO - rbp = 0x00007fff5c91e070 rsp = 0x00007fff5c91dfc0 15:13:04 INFO - rip = 0x0000000108a539fb 15:13:04 INFO - Found by: previous frame's frame pointer 15:13:04 INFO - 13 XUL!Interpret(JSContext*, js::RunState&) [Interpreter.cpp:77223bb2fac278373dfcdde11fcda74b4c80aa61 : 620 + 0x8] 15:13:04 INFO - rbp = 0x00007fff5c91e530 rsp = 0x00007fff5c91e080 15:13:04 INFO - rip = 0x0000000108a4cb57 15:13:04 INFO - Found by: previous frame's frame pointer 15:13:04 INFO - 14 XUL!js::RunScript(JSContext*, js::RunState&) [Interpreter.cpp:77223bb2fac278373dfcdde11fcda74b4c80aa61 : 447 + 0xb] 15:13:04 INFO - rbp = 0x00007fff5c91e610 rsp = 0x00007fff5c91e540 15:13:04 INFO - rip = 0x0000000108a41539 15:13:04 INFO - Found by: previous frame's frame pointer 15:13:04 INFO - 15 XUL!js::InternalCallOrConstruct(JSContext*, JS::CallArgs const&, js::MaybeConstruct) [Interpreter.cpp:77223bb2fac278373dfcdde11fcda74b4c80aa61 : 587 + 0x8] 15:13:04 INFO - rbp = 0x00007fff5c91e6d0 rsp = 0x00007fff5c91e620 15:13:04 INFO - rip = 0x0000000108a53dfc 15:13:04 INFO - Found by: previous frame's frame pointer 15:13:04 INFO - 16 XUL!js::ForwardingProxyHandler::call(JSContext*, 
JS::Handle<JSObject*>, JS::CallArgs const&) const [Interpreter.cpp:77223bb2fac278373dfcdde11fcda74b4c80aa61 : 633 + 0x8] 15:13:04 INFO - rbp = 0x00007fff5c91e7a0 rsp = 0x00007fff5c91e6e0 15:13:04 INFO - rip = 0x0000000108e19b3a 15:13:04 INFO - Found by: previous frame's frame pointer 15:13:04 INFO - 17 XUL!js::CrossCompartmentWrapper::call(JSContext*, JS::Handle<JSObject*>, JS::CallArgs const&) const [CrossCompartmentWrapper.cpp:77223bb2fac278373dfcdde11fcda74b4c80aa61 : 355 + 0x13] 15:13:04 INFO - rbp = 0x00007fff5c91e800 rsp = 0x00007fff5c91e7b0 15:13:04 INFO - rip = 0x0000000108e0394b 15:13:04 INFO - Found by: previous frame's frame pointer 15:13:04 INFO - 18 XUL!js::Proxy::call(JSContext*, JS::Handle<JSObject*>, JS::CallArgs const&) [Proxy.cpp:77223bb2fac278373dfcdde11fcda74b4c80aa61 : 560 + 0x15] 15:13:04 INFO - rbp = 0x00007fff5c91e850 rsp = 0x00007fff5c91e810 15:13:04 INFO - rip = 0x0000000108e0f027 15:13:04 INFO - Found by: previous frame's frame pointer 15:13:04 INFO - 19 XUL!js::InternalCallOrConstruct(JSContext*, JS::CallArgs const&, js::MaybeConstruct) [Interpreter.cpp:77223bb2fac278373dfcdde11fcda74b4c80aa61 : 535 + 0xe] 15:13:04 INFO - rbp = 0x00007fff5c91e910 rsp = 0x00007fff5c91e860 15:13:04 INFO - rip = 0x0000000108a53f89 15:13:04 INFO - Found by: previous frame's frame pointer 15:13:04 INFO - 20 XUL!PromiseReactionJob(JSContext*, unsigned int, JS::Value*) [Interpreter.cpp:77223bb2fac278373dfcdde11fcda74b4c80aa61 : 633 + 0x8] 15:13:04 INFO - rbp = 0x00007fff5c91ea40 rsp = 0x00007fff5c91e920 15:13:04 INFO - rip = 0x0000000108acae0d 15:13:04 INFO - Found by: previous frame's frame pointer 15:13:04 INFO - 21 XUL!js::InternalCallOrConstruct(JSContext*, JS::CallArgs const&, js::MaybeConstruct) [Interpreter.cpp:77223bb2fac278373dfcdde11fcda74b4c80aa61 : 468 + 0x6] 15:13:04 INFO - rbp = 0x00007fff5c91eb00 rsp = 0x00007fff5c91ea50 15:13:04 INFO - rip = 0x0000000108a539fb 15:13:04 INFO - Found by: previous frame's frame pointer 15:13:04 INFO - 22 
XUL!JS::Call(JSContext*, JS::Handle<JS::Value>, JS::Handle<JS::Value>, JS::HandleValueArray const&, JS::MutableHandle<JS::Value>) [Interpreter.cpp:77223bb2fac278373dfcdde11fcda74b4c80aa61 : 633 + 0x8] 15:13:04 INFO - rbp = 0x00007fff5c91ebe0 rsp = 0x00007fff5c91eb10 15:13:04 INFO - rip = 0x0000000108dcf71b 15:13:04 INFO - Found by: previous frame's frame pointer 15:13:04 INFO - 23 XUL!mozilla::PromiseJobRunnable::Run(mozilla::AutoSlowOperation&) [PromiseBinding.cpp: : 26 + 0x16] 15:13:04 INFO - rbp = 0x00007fff5c91ee50 rsp = 0x00007fff5c91ebf0 15:13:04 INFO - rip = 0x00000001041930b6 15:13:04 INFO - Found by: previous frame's frame pointer 15:13:04 INFO - 24 XUL!mozilla::CycleCollectedJSContext::PerformMicroTaskCheckPoint(bool) [CycleCollectedJSContext.cpp:77223bb2fac278373dfcdde11fcda74b4c80aa61 : 603 + 0xb] 15:13:04 INFO - rbp = 0x00007fff5c91eed0 rsp = 0x00007fff5c91ee60 15:13:04 INFO - rip = 0x000000010418612b 15:13:04 INFO - Found by: previous frame's frame pointer 15:13:04 INFO - 25 XUL!mozilla::CycleCollectedJSContext::AfterProcessTask(unsigned int) [CycleCollectedJSContext.cpp:77223bb2fac278373dfcdde11fcda74b4c80aa61 : 428 + 0x7] 15:13:04 INFO - rbp = 0x00007fff5c91ef10 rsp = 0x00007fff5c91eee0 15:13:04 INFO - rip = 0x0000000104186399 15:13:04 INFO - Found by: previous frame's frame pointer 15:13:04 INFO - 26 XUL!XPCJSContext::AfterProcessTask(unsigned int) [XPCJSContext.cpp:77223bb2fac278373dfcdde11fcda74b4c80aa61 : 1301 + 0xb] 15:13:04 INFO - rbp = 0x00007fff5c91ef30 rsp = 0x00007fff5c91ef20 15:13:04 INFO - rip = 0x0000000104de26bf 15:13:04 INFO - Found by: previous frame's frame pointer 15:13:04 INFO - 27 XUL!nsThread::ProcessNextEvent(bool, bool*) [nsThread.cpp:77223bb2fac278373dfcdde11fcda74b4c80aa61 : 1300 + 0x6] 15:13:04 INFO - rbp = 0x00007fff5c91f470 rsp = 0x00007fff5c91ef40 15:13:04 INFO - rip = 0x000000010423450d 15:13:04 INFO - Found by: previous frame's frame pointer 15:13:04 INFO - 28 XUL!NS_ProcessPendingEvents(nsIThread*, unsigned int) 
[nsThreadUtils.cpp:77223bb2fac278373dfcdde11fcda74b4c80aa61 : 472 + 0xf] 15:13:04 INFO - rbp = 0x00007fff5c91f4b0 rsp = 0x00007fff5c91f480 15:13:04 INFO - rip = 0x0000000104231ed2 15:13:04 INFO - Found by: previous frame's frame pointer 15:13:04 INFO - 29 XUL!nsBaseAppShell::NativeEventCallback() [nsBaseAppShell.cpp:77223bb2fac278373dfcdde11fcda74b4c80aa61 : 99 + 0xa] 15:13:04 INFO - rbp = 0x00007fff5c91f4e0 rsp = 0x00007fff5c91f4c0 15:13:04 INFO - rip = 0x00000001071a3fe7 15:13:04 INFO - Found by: previous frame's frame pointer 15:13:04 INFO - 30 XUL!nsAppShell::ProcessGeckoEvents(void*) [nsAppShell.mm:77223bb2fac278373dfcdde11fcda74b4c80aa61 : 463 + 0x8] 15:13:04 INFO - rbp = 0x00007fff5c91f530 rsp = 0x00007fff5c91f4f0 15:13:04 INFO - rip = 0x000000010722275e 15:13:04 INFO - Found by: previous frame's frame pointer 15:13:04 INFO - 31 CoreFoundation + 0x80a01 15:13:04 INFO - rbp = 0x00007fff5c91f540 rsp = 0x00007fff5c91f540 15:13:04 INFO - rip = 0x00007fff89125a01 15:13:04 INFO - Found by: previous frame's frame pointer 15:13:04 INFO - 32 CoreFoundation + 0x72c5c 15:13:04 INFO - rbp = 0x00007fff5c91f5a0 rsp = 0x00007fff5c91f550 15:13:04 INFO - rip = 0x00007fff89117c5c 15:13:04 INFO - Found by: previous frame's frame pointer 15:13:04 INFO - 33 CoreFoundation + 0x721bf 15:13:04 INFO - rbp = 0x00007fff5c920280 rsp = 0x00007fff5c91f5b0 15:13:04 INFO - rip = 0x00007fff891171bf 15:13:04 INFO - Found by: previous frame's frame pointer 15:13:04 INFO - 34 CoreFoundation + 0x71bd8 15:13:04 INFO - rbp = 0x00007fff5c9202e0 rsp = 0x00007fff5c920290 15:13:04 INFO - rip = 0x00007fff89116bd8 15:13:04 INFO - Found by: previous frame's frame pointer 15:13:04 INFO - 35 HIToolbox + 0x3256f 15:13:04 INFO - rbp = 0x00007fff5c920320 rsp = 0x00007fff5c9202f0 15:13:04 INFO - rip = 0x00007fff8c79056f 15:13:04 INFO - Found by: previous frame's frame pointer 15:13:04 INFO - 36 HIToolbox + 0x322ea 15:13:04 INFO - rbp = 0x00007fff5c9203a0 rsp = 0x00007fff5c920330 15:13:04 INFO - rip = 
0x00007fff8c7902ea 15:13:04 INFO - Found by: previous frame's frame pointer 15:13:04 INFO - 37 HIToolbox + 0x3212b 15:13:04 INFO - rbp = 0x00007fff5c9203c0 rsp = 0x00007fff5c9203b0 15:13:04 INFO - rip = 0x00007fff8c79012b 15:13:04 INFO - Found by: previous frame's frame pointer 15:13:04 INFO - 38 AppKit + 0x918ab 15:13:04 INFO - rbp = 0x00007fff5c920830 rsp = 0x00007fff5c9203d0 15:13:04 INFO - rip = 0x00007fff93cff8ab 15:13:04 INFO - Found by: previous frame's frame pointer 15:13:04 INFO - 39 AppKit + 0x90e58 15:13:04 INFO - rbp = 0x00007fff5c920ad0 rsp = 0x00007fff5c920840 15:13:04 INFO - rip = 0x00007fff93cfee58 15:13:04 INFO - Found by: previous frame's frame pointer 15:13:04 INFO - 40 XUL!-[GeckoNSApplication nextEventMatchingMask:untilDate:inMode:dequeue:] [nsAppShell.mm:77223bb2fac278373dfcdde11fcda74b4c80aa61 : 179 + 0x2c] 15:13:04 INFO - rbp = 0x00007fff5c920b40 rsp = 0x00007fff5c920ae0 15:13:04 INFO - rip = 0x0000000107221779 15:13:04 INFO - Found by: previous frame's frame pointer 15:13:04 INFO - 41 AppKit + 0x86af3 15:13:04 INFO - rbp = 0x00007fff5c920bc0 rsp = 0x00007fff5c920b50 15:13:04 INFO - rip = 0x00007fff93cf4af3 15:13:04 INFO - Found by: previous frame's frame pointer 15:13:04 INFO - 42 XUL!nsAppShell::Run() [nsAppShell.mm:77223bb2fac278373dfcdde11fcda74b4c80aa61 : 742 + 0x19] 15:13:04 INFO - rbp = 0x00007fff5c920c00 rsp = 0x00007fff5c920bd0 15:13:04 INFO - rip = 0x0000000107222fbd 15:13:04 INFO - Found by: previous frame's frame pointer 15:13:04 INFO - 43 XUL!nsAppStartup::Run() [nsAppStartup.cpp:77223bb2fac278373dfcdde11fcda74b4c80aa61 : 290 + 0x6] 15:13:04 INFO - rbp = 0x00007fff5c920c20 rsp = 0x00007fff5c920c10 15:13:04 INFO - rip = 0x0000000108814439 15:13:04 INFO - Found by: previous frame's frame pointer 15:13:04 INFO - 44 XUL!XREMain::XRE_main(int, char**, mozilla::BootstrapConfig const&) [nsAppRunner.cpp:77223bb2fac278373dfcdde11fcda74b4c80aa61 : 4791 + 0xa] 15:13:04 INFO - rbp = 0x00007fff5c920d90 rsp = 0x00007fff5c920c30 15:13:04 INFO 
- rip = 0x000000010895d1f1 15:13:04 INFO - Found by: previous frame's frame pointer 15:13:04 INFO - 45 XUL!mozilla::BootstrapImpl::XRE_main(int, char**, mozilla::BootstrapConfig const&) [nsAppRunner.cpp:77223bb2fac278373dfcdde11fcda74b4c80aa61 : 5028 + 0x8] 15:13:04 INFO - rbp = 0x00007fff5c920f20 rsp = 0x00007fff5c920da0 15:13:04 INFO - rip = 0x0000000108969c6f 15:13:04 INFO - Found by: previous frame's frame pointer 15:13:04 INFO - 46 firefox!main [nsBrowserApp.cpp:77223bb2fac278373dfcdde11fcda74b4c80aa61 : 233 + 0x13] 15:13:04 INFO - rbp = 0x00007fff5c921370 rsp = 0x00007fff5c920f30 15:13:04 INFO - rip = 0x00000001032df2e2 15:13:04 INFO - Found by: previous frame's frame pointer 15:13:04 INFO - 47 libdyld.dylib + 0x35c9 15:13:04 INFO - rbp = 0x00007fff5c921388 rsp = 0x00007fff5c921380 15:13:04 INFO - rip = 0x00007fff978975c9 15:13:04 INFO - Found by: previous frame's frame pointer 15:13:04 INFO - 48 libdyld.dylib + 0x35c9 15:13:04 INFO - rbp = 0x00007fff5c921388 rsp = 0x00007fff5c921388 15:13:04 INFO - rip = 0x00007fff978975c9 15:13:04 INFO - Found by: stack scanning
Updated•6 years ago
Summary: Intermittent Last test finished | application crashed [@ js::InternalBarrierMethods<JSObject*>::postBarrier(JSObject**, JSObject*, JSObject*)] → Intermittent application crashed [@ js::InternalBarrierMethods<JSObject*>::postBarrier(JSObject**, JSObject*, JSObject*)]
Comment 3•6 years ago
This is frequent since yesterday. First failure: https://treeherder.mozilla.org/#/jobs?repo=mozilla-central&resultStatus=testfailed%2Cbusted%2Cexception%2Cretry%2Cusercancel%2Crunnable&revision=77223bb2fac278373dfcdde11fcda74b4c80aa61&selectedJob=212453544 Jon, please take a look. https://treeherder.mozilla.org/logviewer.html#?job_id=212581800&repo=mozilla-central&lineNumber=1316 11:10:23 INFO - TEST-OK | browser/base/content/test/contextMenu/browser_utilityOverlayPrincipal.js | took 518ms 11:10:23 INFO - checking window state 11:10:23 INFO - GECKO(3652) | ================================================================= 11:10:23 ERROR - GECKO(3652) | ==5944==ERROR: AddressSanitizer: access-violation on unknown address 0x12b4a21ffff0 (pc 0x7ffe2851c831 bp 0x00d552bf6fb0 sp 0x00d552bf6f20 T0) 11:10:23 INFO - GECKO(3652) | ==5944==The signal is caused by a READ memory access. 11:10:24 INFO - GECKO(3652) | #0 0x7ffe2851c830 in js::InternalBarrierMethods<class JSObject *>::postBarrier(class JSObject * *,class JSObject *,class JSObject *) z:\build\build\src\js\src\gc\Barrier.h:269 11:10:24 INFO - GECKO(3652) | #1 0x7ffe1b62ebf4 in nsXPCWrappedJS::~nsXPCWrappedJS(void) z:\build\build\src\js\xpconnect\src\XPCWrappedJS.cpp:462 11:10:24 INFO - GECKO(3652) | #2 0x7ffe1b67b75f in nsXPCWrappedJS::`scalar deleting destructor'(unsigned int) z:\build\build\src\js\xpconnect\src\XPCWrappedJS.cpp:460 11:10:24 INFO - GECKO(3652) | #3 0x7ffe19790a83 in SnowWhiteKiller::~SnowWhiteKiller(void) z:\build\build\src\xpcom\base\nsCycleCollector.cpp:2740 11:10:24 INFO - GECKO(3652) | #4 0x7ffe1979a3a9 in nsCycleCollector::BeginCollection(enum ccType,class nsICycleCollectorListener *) z:\build\build\src\xpcom\base\nsCycleCollector.cpp:3999 11:10:24 INFO - GECKO(3652) | #5 0x7ffe1979950d in nsCycleCollector::Collect(enum ccType,class js::SliceBudget &,class nsICycleCollectorListener *,bool) z:\build\build\src\xpcom\base\nsCycleCollector.cpp:3820 11:10:24 INFO - GECKO(3652) | #6 0x7ffe1979e865 
in nsCycleCollector_collect(class nsICycleCollectorListener *) z:\build\build\src\xpcom\base\nsCycleCollector.cpp:4411 11:10:24 INFO - GECKO(3652) | #7 0x7ffe1d63083e in nsJSContext::CycleCollectNow(class nsICycleCollectorListener *) z:\build\build\src\dom\base\nsJSEnvironment.cpp:1526 11:10:24 INFO - GECKO(3652) | #8 0x7ffe1d62fb8c in nsJSEnvironmentObserver::Observe(class nsISupports *,char const *,UNKNOWN const *) z:\build\build\src\dom\base\nsJSEnvironment.cpp:342 11:10:24 INFO - GECKO(3652) | #9 0x7ffe19803042 in nsObserverList::NotifyObservers(class nsISupports *,char const *,UNKNOWN const *) z:\build\build\src\xpcom\ds\nsObserverList.cpp:111 11:10:24 INFO - GECKO(3652) | #10 0x7ffe198071a5 in nsObserverService::NotifyObservers(class nsISupports *,char const *,UNKNOWN const *) z:\build\build\src\xpcom\ds\nsObserverService.cpp:295 11:10:24 INFO - GECKO(3652) | #11 0x7ffe2a7f68b1 in XPTC__InvokebyIndex z:\build\build\src\xpcom\reflect\xptcall\md\win32\xptcinvoke_asm_x86_64.asm:97 11:10:24 INFO - GECKO(3652) | #12 0x7ffe1b64de99 in XPCWrappedNative::CallMethod(class XPCCallContext &,enum XPCWrappedNative::CallMode) z:\build\build\src\js\xpconnect\src\XPCWrappedNative.cpp:1233 11:10:24 INFO - GECKO(3652) | #13 0x7ffe1b6554d2 in XPC_WN_CallMethod(struct JSContext *,unsigned int,union JS::Value *) z:\build\build\src\js\xpconnect\src\XPCWrappedNativeJSOps.cpp:1020 11:10:24 INFO - GECKO(3652) | #14 0x7ffe298b8c71 in js::InternalCallOrConstruct(struct JSContext *,class JS::CallArgs const &,enum js::MaybeConstruct) z:\build\build\src\js\src\vm\Interpreter.cpp:560 11:10:24 INFO - GECKO(3652) | #15 0x7ffe298bbad5 in InternalCall z:\build\build\src\js\src\vm\Interpreter.cpp:614 11:10:24 INFO - GECKO(3652) | #16 0x7ffe298818d2 in Interpret z:\build\build\src\js\src\vm\Interpreter.cpp:3462 11:10:24 INFO - GECKO(3652) | #17 0x7ffe2987ccbc in js::RunScript(struct JSContext *,class js::RunState &) z:\build\build\src\js\src\vm\Interpreter.cpp:447 11:10:24 INFO - GECKO(3652) | 
#18 0x7ffe298b95be in js::InternalCallOrConstruct(struct JSContext *,class JS::CallArgs const &,enum js::MaybeConstruct) z:\build\build\src\js\src\vm\Interpreter.cpp:587 11:10:24 INFO - GECKO(3652) | #19 0x7ffe298bbad5 in InternalCall z:\build\build\src\js\src\vm\Interpreter.cpp:614 11:10:24 INFO - GECKO(3652) | #20 0x7ffe298bbd06 in js::Call(struct JSContext *,class JS::Handle<union JS::Value>,class JS::Handle<union JS::Value>,class js::AnyInvokeArgs const &,class JS::MutableHandle<union JS::Value>) z:\build\build\src\js\src\vm\Interpreter.cpp:633 11:10:24 INFO - GECKO(3652) | #21 0x7ffe28e3a940 in js::ForwardingProxyHandler::call(struct JSContext *,class JS::Handle<class JSObject *>,class JS::CallArgs const &)const z:\build\build\src\js\src\proxy\Wrapper.cpp:178 11:10:24 INFO - GECKO(3652) | #22 0x7ffe28de399a in js::CrossCompartmentWrapper::call(struct JSContext *,class JS::Handle<class JSObject *>,class JS::CallArgs const &)const z:\build\build\src\js\src\proxy\CrossCompartmentWrapper.cpp:355 11:10:24 INFO - GECKO(3652) | #23 0x7ffe28e13140 in js::Proxy::call(struct JSContext *,class JS::Handle<class JSObject *>,class JS::CallArgs const &) z:\build\build\src\js\src\proxy\Proxy.cpp:560 11:10:24 INFO - GECKO(3652) | #24 0x7ffe298b9cb3 in js::InternalCallOrConstruct(struct JSContext *,class JS::CallArgs const &,enum js::MaybeConstruct) z:\build\build\src\js\src\vm\Interpreter.cpp:535 11:10:24 INFO - GECKO(3652) | #25 0x7ffe298bbad5 in InternalCall z:\build\build\src\js\src\vm\Interpreter.cpp:614 11:10:24 INFO - GECKO(3652) | #26 0x7ffe298bbd06 in js::Call(struct JSContext *,class JS::Handle<union JS::Value>,class JS::Handle<union JS::Value>,class js::AnyInvokeArgs const &,class JS::MutableHandle<union JS::Value>) z:\build\build\src\js\src\vm\Interpreter.cpp:633 11:10:24 INFO - GECKO(3652) | #27 0x7ffe28302782 in PromiseReactionJob z:\build\build\src\js\src\builtin\Promise.cpp:1626 11:10:24 INFO - GECKO(3652) | #28 0x7ffe298b8c71 in 
js::InternalCallOrConstruct(struct JSContext *,class JS::CallArgs const &,enum js::MaybeConstruct) z:\build\build\src\js\src\vm\Interpreter.cpp:560 11:10:24 INFO - GECKO(3652) | #29 0x7ffe298bbad5 in InternalCall z:\build\build\src\js\src\vm\Interpreter.cpp:614 11:10:24 INFO - GECKO(3652) | #30 0x7ffe298bbd06 in js::Call(struct JSContext *,class JS::Handle<union JS::Value>,class JS::Handle<union JS::Value>,class js::AnyInvokeArgs const &,class JS::MutableHandle<union JS::Value>) z:\build\build\src\js\src\vm\Interpreter.cpp:633 11:10:24 INFO - GECKO(3652) | #31 0x7ffe28cff1ba in JS::Call(struct JSContext *,class JS::Handle<union JS::Value>,class JS::Handle<union JS::Value>,class JS::HandleValueArray const &,class JS::MutableHandle<union JS::Value>) z:\build\build\src\js\src\jsapi.cpp:2994 11:10:24 INFO - GECKO(3652) | #32 0x7ffe1e88d958 in mozilla::dom::PromiseJobCallback::Call(struct JSContext *,class JS::Handle<union JS::Value>,class mozilla::ErrorResult &) z:\build\build\src\obj-firefox\dom\bindings\PromiseBinding.cpp:26 11:10:24 INFO - GECKO(3652) | #33 0x7ffe19776031 in mozilla::PromiseJobRunnable::Run(class mozilla::AutoSlowOperation &) z:\build\build\src\xpcom\base\CycleCollectedJSContext.cpp:247 11:10:24 INFO - GECKO(3652) | #34 0x7ffe197521b1 in mozilla::CycleCollectedJSContext::PerformMicroTaskCheckPoint(bool) z:\build\build\src\xpcom\base\CycleCollectedJSContext.cpp:603 11:10:24 INFO - GECKO(3652) | #35 0x7ffe19752c7e in mozilla::CycleCollectedJSContext::AfterProcessTask(unsigned int) z:\build\build\src\xpcom\base\CycleCollectedJSContext.cpp:428 11:10:24 INFO - GECKO(3652) | #36 0x7ffe1b5c4039 in XPCJSContext::AfterProcessTask(unsigned int) z:\build\build\src\js\xpconnect\src\XPCJSContext.cpp:1301 11:10:24 INFO - GECKO(3652) | #37 0x7ffe19954317 in nsThread::ProcessNextEvent(bool,bool *) z:\build\build\src\xpcom\threads\nsThread.cpp:1300 11:10:24 INFO - GECKO(3652) | #38 0x7ffe1995c038 in NS_ProcessNextEvent(class nsIThread *,bool) 
z:\build\build\src\xpcom\threads\nsThreadUtils.cpp:530 11:10:24 INFO - GECKO(3652) | #39 0x7ffe1aa0b3e9 in mozilla::ipc::MessagePump::Run(class base::MessagePump::Delegate *) z:\build\build\src\ipc\glue\MessagePump.cpp:97 11:10:24 INFO - GECKO(3652) | #40 0x7ffe1a96e58e in MessageLoop::RunHandler(void) z:\build\build\src\ipc\chromium\src\base\message_loop.cc:318 11:10:24 INFO - GECKO(3652) | #41 0x7ffe1a96e316 in MessageLoop::Run(void) z:\build\build\src\ipc\chromium\src\base\message_loop.cc:298 11:10:24 INFO - GECKO(3652) | #42 0x7ffe2376e32a in nsBaseAppShell::Run(void) z:\build\build\src\widget\nsBaseAppShell.cpp:158 11:10:24 INFO - GECKO(3652) | #43 0x7ffe238fea87 in nsAppShell::Run(void) z:\build\build\src\widget\windows\nsAppShell.cpp:420 11:10:24 INFO - GECKO(3652) | #44 0x7ffe27c3ca4e in nsAppStartup::Run(void) z:\build\build\src\toolkit\components\startup\nsAppStartup.cpp:290 11:10:24 INFO - GECKO(3652) | #45 0x7ffe27eeb5e7 in XREMain::XRE_mainRun(void) z:\build\build\src\toolkit\xre\nsAppRunner.cpp:4791 11:10:24 INFO - GECKO(3652) | #46 0x7ffe27ef002d in XREMain::XRE_main(int,char * * const,struct mozilla::BootstrapConfig const &) z:\build\build\src\toolkit\xre\nsAppRunner.cpp:4936 11:10:24 INFO - GECKO(3652) | #47 0x7ffe27ef2326 in XRE_main(int,char * * const,struct mozilla::BootstrapConfig const &) z:\build\build\src\toolkit\xre\nsAppRunner.cpp:5028 11:10:24 INFO - GECKO(3652) | #48 0x7ff60af51d5d (Z:\task_1542625313\build\application\firefox\firefox.exe+0x140001d5d) 11:10:24 INFO - GECKO(3652) | #49 0x7ff60af514a1 (Z:\task_1542625313\build\application\firefox\firefox.exe+0x1400014a1) 11:10:24 INFO - GECKO(3652) | #50 0x7ff60b02954b (Z:\task_1542625313\build\application\firefox\firefox.exe+0x1400d954b) 11:10:24 INFO - GECKO(3652) | #51 0x7ffe595a2773 (C:\Windows\System32\KERNEL32.DLL+0x180012773) 11:10:24 INFO - GECKO(3652) | #52 0x7ffe5bfe0d60 (C:\Windows\SYSTEM32\ntdll.dll+0x180070d60) 11:10:24 INFO - GECKO(3652) | AddressSanitizer can not provide 
additional info. 11:10:24 INFO - GECKO(3652) | SUMMARY: AddressSanitizer: access-violation z:\build\build\src\js\src\gc\Barrier.h:269 in js::InternalBarrierMethods<class JSObject *>::postBarrier(class JSObject * *,class JSObject *,class JSObject *) 11:10:24 INFO - GECKO(3652) | ==5944==ABORTING
Group: javascript-core-security
Flags: needinfo?(jcoppeard)
Comment 4•6 years ago
(In reply to Sebastian Hengst [:aryx] (needinfo on intermittent or backout) from comment #3)

I'm not convinced either of my patches in that push would have caused this. However, feel free to back them out if you think it would help track this down.

It looks like we're crashing because one of nsXPCWrappedJS::mJSObj and mJSObjGlobal holds a stale pointer into a chunk that has been freed. I checked and both of these are traced from the TraceJS() method.

Jan, I was looking at the changes for bug 1478359. There are a couple of places where we don't treat mJSObj and mJSObjGlobal in the same way - for example where we expose mJSObj but not mJSObjGlobal. In general mJSObj will reference mJSObjGlobal, but is it possible for mJSObj to be a dead wrapper and if so do you think this could cause problems?
Flags: needinfo?(jdemooij)
Assignee
Comment 5•6 years ago
(In reply to Jon Coppeard (:jonco) from comment #4)
> In general mJSObj will
> reference mJSObjGlobal, but is it possible for mJSObj to be a dead wrapper
> and if so do you think this could cause problems?

Root wrappers (nsXPCWrappedJS::IsRootWrapper) always store an unwrapped mJSObj. I think most of the GC complexity like UpdateObjectPointerAfterGC is limited to root wrappers. Non-root wrappers always reference the root wrapper as mRoot but may have a CCW as mJSObj. We should null out mJSObjGlobal whenever we null out mJSObj etc. It would be interesting to know whether the nsXPCWrappedJS here is a root wrapper.
Comment 6•6 years ago
If it helps shed any light on this, we also started hitting this on Beta today. https://treeherder.mozilla.org/logviewer.html#?job_id=212631860&repo=mozilla-beta
status-firefox64:
--- → affected
status-firefox65:
--- → affected
Updated•6 years ago
Keywords: regression,
sec-high
Comment 10•6 years ago
This patch takes account of mJSObjGlobal in the CC traverse and CanSkip() methods. Normally this field will be the global of mJSObj and this isn't necessary (I think?) but it's possible that mJSObj is a dead wrapper and mJSObjGlobal is now unrelated to it (and I've confirmed that this does happen).

I don't know if this will fix the problem... Andrew, what do you think?
Flags: needinfo?(jcoppeard)
Attachment #9026689 -
Flags: review?(continuation)
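The invariant discussed in comments 4, 5 and 10, shown as an added example that is not part of the bug or of Gecko's code: a toy mark-and-sweep model in which a holder's traversal decides what survives a collection. `ToyHeap`, `ToyHolder` and `staleAfterCollect` are hypothetical names, and the model is a simplification of the real GC/CC interaction; it does not reproduce the crash.

```cpp
#include <cstdint>
#include <map>
#include <set>
#include <vector>

// Toy model only: cells are integer ids, not real JSObject pointers.
using Cell = std::uint32_t;

struct ToyHeap {
    std::map<Cell, std::vector<Cell>> edges;  // live cell -> cells it references
    Cell next = 1;
    Cell alloc() { edges[next]; return next++; }
    bool live(Cell c) const { return edges.count(c) != 0; }
    // Mark everything reachable from the reported roots, free the rest.
    void collect(const std::vector<Cell>& roots) {
        std::set<Cell> marked;
        std::vector<Cell> work(roots);
        while (!work.empty()) {
            Cell c = work.back(); work.pop_back();
            if (!live(c) || !marked.insert(c).second) continue;
            for (Cell t : edges[c]) work.push_back(t);
        }
        for (auto it = edges.begin(); it != edges.end();) {
            if (marked.count(it->first)) ++it; else it = edges.erase(it);
        }
    }
};

// Holder with two GC-visible fields, standing in for mJSObj / mJSObjGlobal.
struct ToyHolder {
    Cell obj = 0, global = 0;
    std::vector<Cell> traverseObjOnly() const { return {obj}; }       // misses a field
    std::vector<Cell> traverseBoth() const { return {obj, global}; }  // reports both
    bool hasStaleField(const ToyHeap& h) const { return !h.live(obj) || !h.live(global); }
};

// Returns true if, after one collection, a holder field names a freed cell.
bool staleAfterCollect(bool objReferencesGlobal, bool reportBoth) {
    ToyHeap heap;
    ToyHolder holder;
    holder.global = heap.alloc();
    holder.obj = heap.alloc();
    // Usual case: obj keeps its global alive. Dead-wrapper case: no such edge.
    if (objReferencesGlobal) heap.edges[holder.obj].push_back(holder.global);
    heap.collect(reportBoth ? holder.traverseBoth() : holder.traverseObjOnly());
    return holder.hasStaleField(heap);
}

int main() { return staleAfterCollect(false, true) ? 1 : 0; }
```

In this model the incomplete traversal is harmless while `obj` still references its global, which is why the omission can go unnoticed; only the dead-wrapper case leaves `global` naming a freed cell.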
Comment 11•6 years ago
Comment on attachment 9026689 [details] [diff] [review]
bug1508102-wrapped-js-cc

Review of attachment 9026689 [details] [diff] [review]:
-----------------------------------------------------------------

Hmm looks like a reasonable change. I don't know if it will fix this or not.
Attachment #9026689 -
Flags: review?(continuation) → review+
Comment 12•6 years ago
Comment on attachment 9026689 [details] [diff] [review]
bug1508102-wrapped-js-cc

[Security Approval Request]

How easily could an exploit be constructed based on the patch?: Very difficult.

Do comments in the patch, the check-in comment, or tests included in the patch paint a bulls-eye on the security problem?: No

Which older supported branches are affected by this flaw?:

If not all supported branches, which bug introduced the flaw?: Bug 1478359

Do you have backports for the affected branches?: No

If not, how different, hard to create, and risky will they be?: Trivial.

How likely is this patch to cause regressions; how much testing does it need?: I'd say very unlikely.
Attachment #9026689 -
Flags: sec-approval?
Comment 13•6 years ago
Does this affect ESR60 and Firefox 63? My guess is that it does not based on bug 1478359.
Flags: needinfo?(jcoppeard)
Comment 14•6 years ago
(In reply to Al Billings [:abillings] from comment #13)
It looks like that bug landed in 63, so I'd say that is affected but esr60 is not.
Flags: needinfo?(jcoppeard)
Comment 17•6 years ago
Jon can you also request uplift to beta? Thanks! I'm just assigning you to the bug since you wrote the patch, hope that's ok.
Assignee
Comment 18•6 years ago
Thanks for fixing this. Not sure how I missed these spots.
Flags: needinfo?(jdemooij)
Comment 20•6 years ago
Comment on attachment 9026689 [details] [diff] [review] bug1508102-wrapped-js-cc sec-approval+
Attachment #9026689 -
Flags: sec-approval? → sec-approval+
Comment 21•6 years ago
https://hg.mozilla.org/integration/mozilla-inbound/rev/930054aa138bd32f51bbe2ec84e07267859afa6e
Keywords: leave-open
Comment 22•6 years ago
https://hg.mozilla.org/mozilla-central/rev/930054aa138b
Status: NEW → RESOLVED
Closed: 6 years ago
Resolution: --- → FIXED
Updated•6 years ago
Status: RESOLVED → REOPENED
Resolution: FIXED → ---
Comment 24•6 years ago
It looks like this is still happening over in bug 1501413 and bug 1503226? Any more ideas, Jon? Thanks.
Flags: needinfo?(jcoppeard)
Comment 25•6 years ago
Should we hide those bugs as sec issues? There's a downside to that since they're intermittent failures in automation...
Flags: needinfo?(dveditz)
Comment 26•6 years ago
I'm wondering whether this is related to bug 1397297. Smaug, is it possible for a cycle collected object to be scheduled for deletion and for the deletion to happen after an intervening GC, without the object being traced in that GC? If so that could explain this.
Updated•6 years ago
Flags: needinfo?(jcoppeard) → needinfo?(bugs)
Updated•5 years ago
status-firefox66:
--- → affected
Comment 31•5 years ago
(In reply to Jon Coppeard (:jonco) from comment #26)
> I'm wondering whether this is related to bug 1397297.
>
> Smaug, is it possible for a cycle collected object to be scheduled for
> deletion and for the deletion to happen after an intervening GC, without the
> object being traced in that GC? If so that could explain this.

Sorry about the delay. Bug 1397297 shouldn't really cause that, since it just makes an already asynchronous operation even more async, and if some C++ is holding a ref to JS, it should be in JSHolders hashtable, and those objects are iterated in CycleCollectedJSRuntime::TraceNativeGrayRoots.

But https://searchfox.org/mozilla-central/rev/13788edbabb04d004e4a1ceff41d4de68a8320a2/js/xpconnect/src/XPCWrappedJS.cpp#286,288,295 looks worrisome to me. Why is it ok to call RemoveFromRootSet(); but not clear mJSObj and mJSObjGlobal? https://searchfox.org/mozilla-central/rev/13788edbabb04d004e4a1ceff41d4de68a8320a2/js/xpconnect/src/XPCJSRuntime.cpp#657,664-666 needs to still work.

jonco, does that look suspicious to you?
Flags: needinfo?(bugs) → needinfo?(jcoppeard)
Comment 32•5 years ago
FWIW, bug 1514778 references a test that's already in the tree that fails reproducibly with this crash on our mac opt infra when run with --verify, if that's helpful in tracking this down.
Comment 34•5 years ago
(In reply to Olli Pettay [:smaug] (high review load) from comment #31)
> if some C++ is holding a ref to
> JS, it should be in JSHolders hashtable, and those
> objects are iterated in CycleCollectedJSRuntime::TraceNativeGrayRoots.

Ah ok, it's not that then.

> But
> https://searchfox.org/mozilla-central/rev/13788edbabb04d004e4a1ceff41d4de68a8320a2/js/xpconnect/src/XPCWrappedJS.cpp#286,288,295
> looks worrisome to me. Why is it ok to call
> RemoveFromRootSet(); but not clear mJSObj and mJSObjGlobal?

These still get updated/swept by nsXPCWrappedJS::UpdateObjectPointerAfterGC when the ref count is 1 AIUI. I tried clearing them anyway but this broke a ton of xpcshell tests.
Updated•5 years ago
Flags: needinfo?(jcoppeard)
Comment 35•5 years ago
Hmm, so is UpdateObjectPointerAfterGC not called then in some case?
Comment 36•5 years ago
(In reply to Olli Pettay [:smaug] (away-ish Dec 21-30) from comment #35)
Well it should always be called when the ref count == 1 (from JSObject2WrappedJSMap::UpdateWeakPointersAfterGC).

BTW I think jandem is working on a patch that removes mJSObjGlobal so this problem may go away.
Comment 37•5 years ago
(In reply to Jon Coppeard (:jonco) from comment #36)
> BTW I think jandem is working on a patch that removes mJSObjGlobal so this
> problem may go away.

According to Aryx, we did indeed see a big drop-off in crashes after bug 1480121 landed on 21-Dec. Jan, is that something we could sanely backport?
Flags: needinfo?(jdemooij)
Assignee
Comment 38•5 years ago
(In reply to Ryan VanderMeulen [:RyanVM] from comment #37)
> According to Aryx, we did indeed see a big drop-off in crashes after bug
> 1480121 landed on 21-Dec. Jan, is that something we could sanely backport?

Sure, I posted a patch in bug 1480121.
Flags: needinfo?(jdemooij)
Comment 39•5 years ago
Fixed by bug 1480121.
Assignee: jcoppeard → jdemooij
Group: javascript-core-security → core-security-release
Status: REOPENED → RESOLVED
Closed: 6 years ago → 5 years ago
Flags: needinfo?(dveditz)
Keywords: leave-open
Priority: P5 → P2
Resolution: --- → FIXED
Target Milestone: --- → mozilla66
Updated•5 years ago
Flags: qe-verify-
Whiteboard: [post-critsmash-triage]
Updated•5 years ago
Whiteboard: [post-critsmash-triage] → [post-critsmash-triage][adv-main65+]
Updated•5 years ago
Group: core-security-release