Bug 214911 - Crash [@ js_MarkGCThing] dereferencing 0x4
Opened 22 years ago; closed 13 years ago
Status: RESOLVED WORKSFORME
Component: Core :: DOM: Core & HTML (defect)
Reporter: timeless; Assignee: Unassigned
Keywords: crash
Attachments: 3 files
CVS opt profile build from a few weeks ago.
Very sorry about that; I'll try to get a cvs status for the mozilla/js directory
attached.
According to the Mozilla titlebar the buildid is 2003062401, but I don't think
that generally updates, so it's probably meaningless.
In bug 53123 comment 40 brendan mentioned "remember the prefs JSRuntime
nightmare of last year, 0x4 appearing randomly", well...
Here are things i have available:
List of visited urls (as listed in -console output):
Document http://bugzilla.mozilla.org/attachment.cgi?id=129087&action=edit loaded successfully
Document http://bugzilla.mozilla.org/attachment.cgi loaded successfully
Document http://bugzilla.mozilla.org/show_bug.cgi?id=206947 loaded successfully
Document http://bugzilla.mozilla.org/attachment.cgi?id=127820&action=edit loaded successfully
Document http://bugzilla.mozilla.org/attachment.cgi loaded successfully
Document http://bugzilla.mozilla.org/show_bug.cgi?id=206947 loaded successfully
Document http://lxr.mozilla.org/seamonkey/ident?i=DidBuildModel loaded successfully
Document http://lxr.mozilla.org/seamonkey/source/content/xml/document/src/nsXMLContentSink.cpp#394 loaded successfully
Document http://lxr.mozilla.org/seamonkey/ident?i=DidBuildModel loaded successfully
Document http://lxr.mozilla.org/seamonkey/search?string=DidBuildModel loaded successfully
Document http://lxr.mozilla.org/seamonkey/source/htmlparser/src/nsExpatDriver.cpp#1034 loaded successfully
Document http://lxr.mozilla.org/seamonkey/search?string=DidBuildModel loaded successfully
Document http://lxr.mozilla.org/seamonkey/source/htmlparser/src/nsParser.cpp#1256 loaded successfully
Document http://bugzilla.mozilla.org/show_bug.cgi?id=49115 loaded successfully
Document http://bugs.gentoo.org/query.cgi?help=1 loaded successfully
Document http://bugzilla.mozilla.org/ loaded successfully
Document http://bugzilla.mozilla.org/buglist.cgi?cmdtype=runnamed&namedcmd=Ready%20%28Locked%29 loaded successfully
Document http://bugzilla.mozilla.org/show_bug.cgi?id=213543 loaded successfully
Document http://bugzilla.mozilla.org/show_bug.cgi?id=209664 loaded successfully
Document http://bugzilla.mozilla.org/attachment.cgi?id=127487&action=view loaded successfully
Document http://bugzilla.mozilla.org/show_bug.cgi?id=209664 loaded successfully
Document http://bugzilla.mozilla.org/attachment.cgi?id=126856&action=view loaded successfully
Document http://bugzilla.mozilla.org/show_bug.cgi?id=209664 loaded successfully
Document http://bugzilla.mozilla.org/attachment.cgi?id=127487&action=view loaded successfully
Document http://bugzilla.mozilla.org/show_bug.cgi?id=209664 loaded successfully
Document http://www.google.com/search?q=mks&sourceid=mozilla-search&start=0&start=0 loaded successfully
Document http://www.mks.com/ loaded successfully
Document http://www.mks.com/products/demos.shtml loaded successfully
Document http://www.mkssoftware.com/eval/evalform.asp?product=tkdev loaded successfully
Document http://ftp.mkssoftware.com/ loaded successfully
There's lots of output between each url load (timeline stuff, iirc), but the last
document load is the last line in the console. I was looking for MKS to
consider fiddling with an NSPR patch that doesn't work.
Stack trace:
js_MarkGCThing(JSContext * 0x03790390, void * 0x0de09670, void * 0x00000000) line 859 + 5 bytes
js_MarkGCThing(JSContext * 0x03790390, void * 0x00c676d0, void * 0x00000000) line 913 + 18 bytes
JS_MarkGCThing(JSContext * 0x03790390, void * 0x00c676d0, const char * 0x00edf7a8, void * 0x00000000) line 1653 + 15 bytes
WrappedNativeJSGCThingMarker(JSDHashTable * 0x04320230, JSDHashEntryHdr * 0x0d121834, unsigned long 10491, void * 0x03790390) line 232 + 26 bytes
JS_DHashTableEnumerate(JSDHashTable * 0x04320230, int (JSDHashTable *, JSDHashEntryHdr *, unsigned long, void *)* 0x00ecd460 WrappedNativeJSGCThingMarker(JSDHashTable *, JSDHashEntryHdr *, unsigned long, void *), void * 0x03790390) line 593 + 34 bytes
XPCWrappedNativeProtoMap::Enumerate(JSDHashOperator (JSDHashTable *, JSDHashEntryHdr *, unsigned long, void *)* 0x00ecd460 WrappedNativeJSGCThingMarker(JSDHashTable *, JSDHashEntryHdr *, unsigned long, void *), void * 0x03790390) line 639 + 27 bytes
XPCWrappedNativeScope::FinishedMarkPhaseOfGC(JSContext * 0x03790390, XPCJSRuntime * 0x004a8eb0) line 250
XPCJSRuntime::GCCallback(JSContext * 0x03790390, JSGCStatus JSGC_MARK_END) line 299 + 13 bytes
jsds_GCCallbackProc(JSContext * 0x03790390, JSGCStatus JSGC_MARK_END) line 517 + 14 bytes
DOMGCCallback(JSContext * 0x03790390, JSGCStatus JSGC_MARK_END) line 1721 + 11 bytes
js_GC(JSContext * 0x03790390, unsigned int 0) line 1284 + 12 bytes
js_ForceGC(JSContext * 0x03790390, unsigned int 0) line 994 + 13 bytes
JS_GC(JSContext * 0x03790390) line 1666 + 11 bytes
nsJSContext::Notify(nsJSContext * const 0x03790658, nsITimer * 0x0bbd6700) line 1668 + 13 bytes
nsTimerImpl::Fire() line 386
nsTimerManager::FireNextIdleTimer(nsTimerManager * const 0x00448c60) line 616
nsAppShell::Run(nsAppShell * const 0x004655f0) line 143
nsAppShellService::Run(nsAppShellService * const 0x00465ad0) line 471
main1(int 2, char * * 0x004247f0, nsISupports * 0x00436ac0) line 1291 + 32 bytes
main(int 2, char * * 0x004247f0) line 1670 + 37 bytes
WinMain(HINSTANCE__ * 0x00400000, HINSTANCE__ * 0x00400000, char * 0x00133988, HINSTANCE__ * 0x00400000) line 1694 + 23 bytes
WinMainCRTStartup() line 330 + 54 bytes
KERNEL32! SetUnhandledExceptionFilter + 92 bytes
crashing code:
848: switch (flags & GCF_TYPEMASK) {
00E0AAB4 mov eax,dword ptr [flags]
00E0AAB7 and eax,0FFh
00E0AABC and eax,7
00E0AABF mov dword ptr [ebp-28h],eax
00E0AAC2 cmp dword ptr [ebp-28h],0
00E0AAC6 je js_MarkGCThing+77h (00e0aad7)
00E0AAC8 cmp dword ptr [ebp-28h],3
00E0AACC je js_MarkGCThing+149h (00e0aba9)
00E0AAD2 jmp out (00e0abd2)
849: case GCX_OBJECT:
850: obj = (JSObject *) thing;
00E0AAD7 mov ecx,dword ptr [thing]
00E0AADA mov dword ptr [obj],ecx
851: vp = obj->slots;
00E0AADD mov edx,dword ptr [obj]
00E0AAE0 mov eax,dword ptr [edx+4]
00E0AAE3 mov dword ptr [vp],eax
852: if (!vp) {
00E0AAE6 cmp dword ptr [vp],0
00E0AAEA jne js_MarkGCThing+91h (00e0aaf1)
853: /* If obj->slots is null, obj must be a newborn. */
854: JS_ASSERT(!obj->map);
855: goto out;
00E0AAEC jmp out (00e0abd2)
856: }
857: nslots = (obj->map->ops->mark)
858: ? obj->map->ops->mark(cx, obj, arg)
859: : JS_MIN(obj->map->freeslot, obj->map->nslots);
00E0AAF1 mov ecx,dword ptr [obj]
00E0AAF4 mov edx,dword ptr [ecx]
00E0AAF6 mov eax,dword ptr [edx+4] ; Crashed here
00E0AAF9 cmp dword ptr [eax+50h],0
00E0AAFD je js_MarkGCThing+0BEh (00e0ab1e)
00E0AAFF mov ecx,dword ptr [arg]
00E0AB02 push ecx
00E0AB03 mov edx,dword ptr [obj]
00E0AB06 push edx
00E0AB07 mov eax,dword ptr [cx]
00E0AB0A push eax
00E0AB0B mov ecx,dword ptr [obj]
00E0AB0E mov edx,dword ptr [ecx]
00E0AB10 mov eax,dword ptr [edx+4]
00E0AB13 call dword ptr [eax+50h]
00E0AB16 add esp,0Ch
00E0AB19 mov dword ptr [ebp-2Ch],eax
00E0AB1C jmp js_MarkGCThing+0EEh (00e0ab4e)
00E0AB1E mov ecx,dword ptr [obj]
00E0AB21 mov edx,dword ptr [ecx]
00E0AB23 mov eax,dword ptr [obj]
00E0AB26 mov ecx,dword ptr [eax]
00E0AB28 mov edx,dword ptr [edx+0Ch]
00E0AB2B cmp edx,dword ptr [ecx+8]
00E0AB2E jae js_MarkGCThing+0DDh (00e0ab3d)
00E0AB30 mov eax,dword ptr [obj]
00E0AB33 mov ecx,dword ptr [eax]
00E0AB35 mov edx,dword ptr [ecx+0Ch]
00E0AB38 mov dword ptr [ebp-30h],edx
00E0AB3B jmp js_MarkGCThing+0E8h (00e0ab48)
00E0AB3D mov eax,dword ptr [obj]
00E0AB40 mov ecx,dword ptr [eax]
00E0AB42 mov edx,dword ptr [ecx+8]
00E0AB45 mov dword ptr [ebp-30h],edx
00E0AB48 mov eax,dword ptr [ebp-30h]
00E0AB4B mov dword ptr [ebp-2Ch],eax
00E0AB4E mov ecx,dword ptr [ebp-2Ch]
00E0AB51 mov dword ptr [nslots],ecx
860: #ifdef GC_MARK_DEBUG
interesting variables:
+ obj->map 0x00000000
+ vp 0x0de08dee
Note that if vp were false and this were a debug build, I'd have hit a
JS_ASSERT, but it wasn't and it isn't.
Local variables:
- cx 0x03790390
|+ links {...}
| interpLevel 0
| version 0
| jsop_eq 18 ''
| jsop_ne 19 ''
|+ runtime 0x00b8e7d0
|+ stackPool {...}
|+ fp 0x00000000
|+ codePool {...}
|+ notePool {...}
|+ tempPool {...}
|+ globalObject 0x02359ff8
|+ newborn 0x03790420
|+ lastAtom 0x00000000
|+ regExpStatics {...}
|+ sharpObjectMap {...}
|+ argumentFormatMap 0x03790280
|+ lastMessage 0x0f190e50 "assignment to undeclared variable HM_ZIndex"
| branchCallback 0x01ab43f0 nsJSContext::DOMBranchCallback(JSContext *, JSScript *)
| errorReporter 0x01ab3a70 NS_ScriptErrorReporter(JSContext *, const char *,
JSErrorReport *)
| data 0x03790650
|+ dormantFrameChain 0x00000000
| thread 4335376
| requestDepth 0
|+ scopeToShare 0x00000000
| rval2 0
| rval2set 0 ''
| creatingException 0 ''
| throwing 0 ''
| exception 0
| options 9
|+ localeCallbacks 0x00000000
|+ resolvingTable 0x037919e0
\+ stackHeaders 0x00000000
thing 0x0de09670
arg 0x00000000
+ vp 0x0de08dee
+ flagp 0x0de08dee
"ÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍ"
+ obj 0x0de09670
nslots 13006544
v 0
+ end 0x00000004
+ rt 0x00b8e7d0
+ str 0x0fd8af20
flags 16 ''
Unless my system fails, this stack should be available in msdev for perhaps two
days. It can't last through the week; I'm running out of browser profiles, and
each dead mozilla costs about 160mb of vm plus 80mb for msdev.
I did a search for js_MarkGCThing and didn't find any recent activity, so I'm
going to presume that nothing has changed in this world.
Comment 2•22 years ago
Reassigning -
Assignee: rogerl → khanson
Status: UNCONFIRMED → NEW
Ever confirmed: true
Summary: [@ js_MarkGCThing] dereferencing 0x4 → Crash [@ js_MarkGCThing] dereferencing 0x4
Comment 3•22 years ago
I think this may be another case of a dead nsJSContext getting a timer event,
causing a JS one possibly a dead JSContext. I thought I had detailed this in
another bug, but I've searched and searched and cannot find my comment.
I really think this is a DOM or timer issue not a JS issue.
Comment 4•22 years ago
Dave: thanks (again!). Reassigning to DOM for further triage -
Assignee: khanson → dom_bugs
Component: JavaScript Engine → DOM Level 0
QA Contact: pschwartau → ashishbhatt
Comment 5•22 years ago
Timeless, that bug is ancient and the GCF_FINAL bit is now 16.
This may be a dup.
/be
Whiteboard: DUPEME
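To make the fault address in the bug title and Brendan's GCF_FINAL remark concrete, here is an added example, not code from this bug or from SpiderMonkey: a reduced C model of the GCX_OBJECT arm of js_MarkGCThing shown in comment 0. The struct names, field sets and the 32-bit field offsets are assumptions chosen to mirror the disassembly (obj->map at [obj+0], obj->slots at [obj+4], map->ops at [map+4]); the GCF_FINAL value 0x10 is taken from comment 5, and the flag layout around it is assumed. The model computes the address the unguarded load `obj->map->ops` would touch when map is NULL (the 0x4), and adds the two checks that turn the crash into a reportable condition: the newborn early-out the original already has, and a GCF_FINAL check that refuses to mark a thing whose flags say it has already been finalized, which is exactly the `flags 16` state in the dump.

```c
/* Added example (not SpiderMonkey's code): reduced model of the crashing
 * GCX_OBJECT arm of js_MarkGCThing from comment 0 of bug 214911.
 * Layouts and offsets below are assumptions read off the 32-bit disassembly. */
#include <stdint.h>
#include <stdio.h>

#define GCF_TYPEMASK 0x7   /* low three bits select the GC thing type (line 848) */
#define GCX_OBJECT   0     /* the case the crash is in (line 849) */
#define GCF_FINAL    0x10  /* "the GCF_FINAL bit is now 16" (comment 5); assumed flag layout */

/* Offset of `ops` inside JSObjectMap in the 32-bit build, read off
 * "mov eax,dword ptr [edx+4] ; Crashed here" in comment 0. */
#define MAP_OPS_OFFSET 4u

/* Assumed, reduced layouts: only the fields the crashing lines touch. */
typedef struct JSObject JSObject;
typedef struct JSObjectOps {
    uint32_t (*mark)(const JSObject *obj);   /* ops->mark ([ops+0x50] in the real build) */
} JSObjectOps;
typedef struct JSObjectMap {
    uint32_t     nrefs;
    JSObjectOps *ops;                        /* [map+4] */
    uint32_t     nslots;                     /* [map+8] */
    uint32_t     freeslot;                   /* [map+0xC] */
} JSObjectMap;
struct JSObject {
    JSObjectMap *map;                        /* [obj+0] */
    uint32_t    *slots;                      /* [obj+4] */
};

typedef enum {
    MARK_OK,              /* live object, nslots computed */
    MARK_SKIP_NEWBORN,    /* slots == NULL: the original's newborn early-out */
    MARK_SKIP_FINALIZED,  /* GCF_FINAL set: already finalized, never touch map */
    MARK_BAD_MAP,         /* slots != NULL but map == NULL: the state in the dump */
    MARK_NOT_OBJECT
} mark_status;

/* Address the unguarded load obj->map->ops touches.  With map == NULL this is
 * just the field offset, i.e. the 0x4 in the bug title. */
uintptr_t unguarded_load_address(const JSObject *obj)
{
    return (uintptr_t)obj->map + MAP_OPS_OFFSET;
}

/* Guarded version of lines 849-859 of the original. */
mark_status mark_gc_thing(const JSObject *obj, uint8_t flags, uint32_t *nslots_out)
{
    if ((flags & GCF_TYPEMASK) != GCX_OBJECT)
        return MARK_NOT_OBJECT;
    if (flags & GCF_FINAL)          /* dead thing reached through a stale reference */
        return MARK_SKIP_FINALIZED;
    if (!obj->slots)                /* newborn; the original asserts !obj->map here */
        return MARK_SKIP_NEWBORN;
    if (!obj->map)                  /* the original would fault at map+4 here */
        return MARK_BAD_MAP;
    const JSObjectMap *map = obj->map;
    if (map->ops->mark)
        *nslots_out = map->ops->mark(obj);
    else
        *nslots_out = map->freeslot < map->nslots ? map->freeslot : map->nslots;
    return MARK_OK;
}

/* Constructed object in the state the dump shows: map NULL, slots non-NULL.
 * `flags` lets the caller try both 16 (the dump) and 0 (a live-looking thing). */
mark_status mark_null_map_object(uint8_t flags, uintptr_t *addr_out)
{
    static uint32_t fake_slots[4];
    JSObject dead = { NULL, fake_slots };
    uint32_t n = 0;
    *addr_out = unguarded_load_address(&dead);
    return mark_gc_thing(&dead, flags, &n);
}

/* A live object for contrast: no custom mark hook, so JS_MIN(freeslot, nslots). */
uint32_t mark_live_object(void)
{
    static JSObjectOps ops = { NULL };
    static uint32_t slots[8];
    JSObjectMap map = { 1, &ops, 8, 5 };
    JSObject obj = { &map, slots };
    uint32_t n = 0;
    mark_gc_thing(&obj, GCX_OBJECT, &n);
    return n;
}

int main(void)
{
    uintptr_t addr;
    mark_status s = mark_null_map_object(16, &addr);
    printf("flags=16, map=NULL: status %d, unguarded load would touch 0x%lx\n",
           (int)s, (unsigned long)addr);
    s = mark_null_map_object(0, &addr);
    printf("flags=0,  map=NULL: status %d\n", (int)s);
    printf("live object: nslots %u\n", mark_live_object());
    return 0;
}
```

The GCF_FINAL guard is a diagnostic, not a fix: it reports that a finalized thing was reachable from the XPConnect proto map during the mark phase instead of dereferencing through its cleared map, but the stale reference itself is whatever comment 3 points at (a dead nsJSContext's timer still forcing a GC), and that is where the real repair would have to go.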
Can someone check my talkback reports to see if they really match this bug? I
suspect they do, but the stacks aren't as pretty as the one I inlined in comment 0.
Comment 9•21 years ago
Do you have any idea why you're not getting stacks above the
XPCJSRuntime::GCCallback?
It's the same type of crash; whether it's from the same cause is impossible to
tell. But then I could never figure out the real source of the original crash.
Comment 10 (reporter)•21 years ago
My guess is that the transition is to another library and something has
corrupted something so talkback can't figure out the rest of the addresses.
Or 'not really' :(
Comment 11•18 years ago
Brendan in comment #5
> Timeless, that bug is ancient and the GCF_FINAL bit is now 16.
>
> This may be a dup.
>
> /be
still believed to be a dup?
Comment 12 (reporter)•18 years ago
It's fairly reasonable to assume that the GC hazards I hit at that time were fixed between when I reported them and now. We basically had code that exercised the engine fairly heavily, and people since have fixed a number of them.
You'd have to ask someone else whether they've actually seen GC crashes of late, as I'm no longer there.
Updated•16 years ago
Assignee: general → nobody
QA Contact: ashishbhatt → general
Updated (assignee)•14 years ago
Crash Signature: [@ js_MarkGCThing]
Comment 13•13 years ago
No js_MarkGCThing crashes in the last 4 weeks. Also, such a lot of work has been going into GC that I don't think ancient reports about it are too helpful nowadays.
Status: NEW → RESOLVED
Closed: 13 years ago
Resolution: --- → WORKSFORME