Open Bug 1838277 Opened 2 years ago Updated 14 hours ago

Crash in [@ js::gc::TenuredCell::zoneFromAnyThread]

Categories

(Core :: JavaScript: GC, defect, P3)

Firefox 116
Unspecified
Windows 11
defect

Tracking Status
firefox116 --- wontfix

People

(Reporter: diannaS, Unassigned)

References

(Blocks 2 open bugs)

Details

(Keywords: crash, stalled)

Crash Data

Crash report: https://crash-stats.mozilla.org/report/index/1e3e4fd5-7444-422a-8e5d-8f3370230613

Reason: EXCEPTION_ACCESS_VIOLATION_READ

Top 10 frames of crashing thread:

0  xul.dll  js::gc::TenuredCell::zoneFromAnyThread const  js/src/gc/Cell.h:521
0  xul.dll  js::gc::SweepingTracer::onEdge  js/src/gc/Marking.cpp:2474
0  xul.dll  js::GenericTracerImpl<js::gc::SweepingTracer>::onBaseShapeEdge  js/public/TracingAPI.h:219
0  xul.dll  js::gc::TraceEdgeInternal  js/src/gc/Tracer.h:106
0  xul.dll  js::TraceWeakEdge  js/src/gc/Tracer.h:294
0  xul.dll  JS::GCPolicy<js::WeakHeapPtr<js::BaseShape*> >::traceWeak  js/src/gc/Policy.h:75
0  xul.dll  JS::GCHashSet<js::WeakHeapPtr<js::BaseShape*>, js::BaseShapeHasher, js::SystemAllocPolicy>::traceWeakEntries  js/public/GCHashTable.h:264
0  xul.dll  JS::WeakCache<JS::GCHashSet<js::WeakHeapPtr<js::BaseShape*>, js::BaseShapeHasher, js::SystemAllocPolicy> >::traceWeak  js/public/GCHashTable.h:604
1  xul.dll  IncrementalSweepWeakCache  js/src/gc/Sweeping.cpp:1853
2  xul.dll  js::gc::ParallelWorker<js::gc::WeakCacheToSweep, js::gc::WeakCacheSweepIterator>::run  js/src/gc/ParallelWork.h:56
See Also: → 1378068

The bug is linked to a topcrash signature, which matches the following criterion:

  • Top 10 content process crashes on release

For more information, please visit BugBot documentation.

Keywords: topcrash

This signature strikes me as a catch-all un-actionable signature, which will crash due to any memory corruption in our garbage collected heap, since we are masking bits off and then de-referencing.

The top ten frames are inconsistent across reports I've looked at.

I don't think we can really action this; marking it as stalled here.

Needinfo'ing Jon, just to make sure he concurs.

Severity: -- → S2
Component: JavaScript Engine → JavaScript: GC
Flags: needinfo?(jcoppeard)
Keywords: stalled
Priority: -- → P3
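
The "masking bits off and then de-referencing" pattern from the comment above, as an added example: a simplified model, not SpiderMonkey's code. The 4 KiB arena size and the names `ArenaHeader`, `zoneOfCell`, `resolvesToArena` and `demo` are assumptions made for illustration.

```cpp
#include <cstdint>
#include <cstdio>
#include <new>
using std::uintptr_t;

// Simplified model: arena size and all names here are assumptions.
constexpr uintptr_t kArenaSize = 4096;
constexpr uintptr_t kArenaMask = kArenaSize - 1;

struct Zone { int id; };
struct ArenaHeader { Zone* zone; };  // sits at the start of each arena

// Round a cell address down to its arena by masking off the low bits.
uintptr_t arenaAddressOf(uintptr_t cellAddr) { return cellAddr & ~kArenaMask; }

// The unchecked lookup: mask, then dereference. Nothing verifies that the
// masked address is really an arena header, so any corrupted cell pointer
// faults (or reads garbage) right here, whatever corrupted it.
Zone* zoneOfCell(const void* cell) {
    uintptr_t addr = reinterpret_cast<uintptr_t>(cell);
    return reinterpret_cast<ArenaHeader*>(arenaAddressOf(addr))->zone;
}

// True when a (possibly corrupted) cell address still maps to `arena`.
bool resolvesToArena(uintptr_t cellAddr, const void* arena) {
    return arenaAddressOf(cellAddr) == reinterpret_cast<uintptr_t>(arena);
}

// Result bits: 1 = valid cell finds its zone,
//              2 = a flipped low bit still lands in the same arena,
//              4 = a flipped high bit lands on an unrelated address,
//                  which the unchecked lookup would dereference blindly.
int demo() {
    static Zone zone{7};
    alignas(kArenaSize) static unsigned char storage[kArenaSize];
    new (storage) ArenaHeader{&zone};  // constructed sample arena
    uintptr_t cell = reinterpret_cast<uintptr_t>(storage) + 256;
    int r = 0;
    if (zoneOfCell(reinterpret_cast<void*>(cell)) == &zone) r |= 1;
    if (resolvesToArena(cell ^ (uintptr_t{1} << 3), storage)) r |= 2;
    if (!resolvesToArena(cell ^ (uintptr_t{1} << 20), storage)) r |= 4;
    return r;
}

int main() { std::printf("%d\n", demo()); return 0; }
```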

The crash in comment 0 looks like it is related to off-main-thread tracing of a weak cache, so there might be something more interesting here than the run-of-the-mill GC crash.

As far as I can tell this is just another memory corruption crash.

Blocks: GCCrashes
Flags: needinfo?(jcoppeard)

The bug is linked to a topcrash signature, which matches the following criterion:

  • Top 20 desktop browser crashes on release (startup)

For more information, please visit BugBot documentation.

Based on the topcrash criteria, the crash signature linked to this bug is not a topcrash signature anymore.

For more information, please visit BugBot documentation.

Sorry for removing the keyword earlier but there is a recent change in the ranking, so the bug is again linked to a topcrash signature, which matches the following criteria:

  • Top 20 desktop browser crashes on release (startup)
  • Top 10 content process crashes on release

For more information, please visit BugBot documentation.

Based on the topcrash criteria, the crash signature linked to this bug is not a topcrash signature anymore.

For more information, please visit BugBot documentation.

Based on the topcrash criteria, the crash signature linked to this bug is not a topcrash signature anymore.

For more information, please visit BugBot documentation.

Keywords: topcrash

Moving to S3 since this is no longer a top crash.

Severity: S2 → S3