Closed Bug 317815 Opened 15 years ago Closed 11 years ago

Crash [@ js_NewGCThing() line 586 ] scrollbar and url bar

Categories: Core :: JavaScript Engine, defect, critical
Hardware: x86, Windows XP
Priority: Not set
Status: RESOLVED FIXED
Reporter: bc, Unassigned
Keywords: crash, regression, topcrash
Attachments: 3 files

This crash appeared in js test suite testing in the browser only. In opt builds it happens right away. In debug builds you have to click around in the url bar, outside of the window, back inside, etc. until you get this crash. 

Rough regression window is approximately the last two days. 

+	cx	0x01830400
	flags	0x00000004
	nbytes	0x00000020
	nflags	0x00000004
+	flagp	0x006e0061 ""
	tried_gc	0x00000000
	i	0x00000003
+	flp	0x00c4e120
+	lrs	0x00640065
+	bytesptr	0x004d0000
+	rt	0x00c4dff8
+	thing	0x00000002


js_NewGCThing(JSContext * 0x01830400, unsigned int 0x00000004, unsigned int 0x00000020) line 586 + 6 bytes
js_NewFunction(JSContext * 0x01830400, JSObject * 0x00000000, int (JSContext *, JSObject *, unsigned int, long *, long *)* 0x00d01edd XPC_WN_CallMethod(struct JSContext *,struct JSObject *,unsigned int,long *,long *), unsigned int 0x00000001, unsigned int 0x00000000, JSObject * 0x00000000, JSAtom * 0x027e3d78) line 1973 + 13 bytes
JS_NewFunction(JSContext * 0x01830400, int (JSContext *, JSObject *, unsigned int, long *, long *)* 0x00d01edd XPC_WN_CallMethod(struct JSContext *,struct JSObject *,unsigned int,long *,long *), unsigned int 0x00000001, unsigned int 0x00000000, JSObject * 0x00000000, const char * 0x03034410) line 3390 + 31 bytes
XPCNativeMember::Resolve(XPCCallContext & {...}, XPCNativeInterface * 0x029de880) line 181 + 41 bytes
XPCNativeMember::GetValue(XPCCallContext & {...}, XPCNativeInterface * 0x029de880, long * 0x0012b1a4) line 1138 + 35 bytes
DefinePropertyIfFound(XPCCallContext & {...}, JSObject * 0x017c3bf8, long 0x0173b604, XPCNativeSet * 0x03460270, XPCNativeInterface * 0x029de880, XPCNativeMember * 0x029de898, XPCWrappedNativeScope * 0x027a9858, int 0x00000001, XPCWrappedNative * 0x032792f0, XPCWrappedNative * 0x032792f0, XPCNativeScriptableInfo * 0x00000000, unsigned int 0x00000007, int * 0x00000000) line 448 + 23
XPC_WN_NoHelper_Resolve(JSContext * 0x027b64d0, JSObject * 0x017c3bf8, long 0x0173b604) line 736 + 53 bytes
js_LookupPropertyWithFlags(JSContext * 0x027b64d0, JSObject * 0x017c3bf8, long 0x027e3d78, unsigned int 0x00000000, JSObject * * 0x0012b480, JSProperty * * 0x0012b470) line 2734 + 70 bytes
js_LookupProperty(JSContext * 0x027b64d0, JSObject * 0x017c3bf8, long 0x027e3d78, JSObject * * 0x0012b480, JSProperty * * 0x0012b470) line 2592 + 27 bytes
js_GetProperty(JSContext * 0x027b64d0, JSObject * 0x017c3bf8, long 0x027e3d78, long * 0x0012bd34) line 2877 + 25 bytes
js_Interpret(JSContext * 0x027b64d0, unsigned char * 0x027e4ef6, long * 0x0012bee0) line 5479 + 1349 bytes
js_Invoke(JSContext * 0x027b64d0, unsigned int 0x00000001, unsigned int 0x00000002) line 1231 + 19 bytes
js_InternalInvoke(JSContext * 0x027b64d0, JSObject * 0x0173a518, long 0x0173ad98, unsigned int 0x00000000, unsigned int 0x00000001, long * 0x0012c0dc, long * 0x0012c0d8) line 1308 + 20 bytes
JS_CallFunctionValue(JSContext * 0x027b64d0, JSObject * 0x0173a518, long 0x0173ad98, unsigned int 0x00000001, long * 0x0012c0dc, long * 0x0012c0d8) line 4157 + 31 bytes
nsJSContext::CallEventHandler(JSObject * 0x0173a518, JSObject * 0x0173ad98, unsigned int 0x00000001, long * 0x0012c0dc, long * 0x0012c0d8) line 1422 + 33 bytes
nsJSEventListener::HandleEvent(nsJSEventListener * const 0x02a62700, nsIDOMEvent * 0x033b3028) line 186 + 54 bytes
nsEventListenerManager::HandleEventSubType(nsListenerStruct * 0x02a627b0, nsIDOMEvent * 0x033b3028, nsIDOMEventTarget * 0x028a5680, unsigned int 0x00000020, unsigned int 0x00000007) line 1687 + 20 bytes
nsEventListenerManager::HandleEvent(nsEventListenerManager * const 0x02a626a8, nsPresContext * 0x027cff80, nsEvent * 0x0012c540, nsIDOMEvent * * 0x0012c4d8, nsIDOMEventTarget * 0x028a5680, unsigned int 0x00000007, nsEventStatus * 0x0012c560) line 1791
nsXULElement::HandleDOMEvent(nsPresContext * 0x027cff80, nsEvent * 0x0012c540, nsIDOMEvent * * 0x0012c4d8, unsigned int 0x00000007, nsEventStatus * 0x0012c560) line 1927
nsXULCommandDispatcher::UpdateCommands(nsXULCommandDispatcher * const 0x02776498, const nsAString_internal & {...}) line 415
nsGlobalWindow::UpdateCommands(nsGlobalWindow * const 0x027a9348, const nsAString_internal & {...}) line 4660
nsTextInputListener::UpdateTextInputCommands(const nsAString_internal & {...}) line 500 + 30 bytes
nsTextInputListener::NotifySelectionChanged(nsTextInputListener * const 0x02fb4dc8, nsIDOMDocument * 0x0277ac3c, nsISelection * 0x02fb4930, short 0x0000) line 297 + 24 bytes
nsTypedSelection::NotifySelectionListeners() line 7352
nsSelection::NotifySelectionListeners(short 0x0001) line 3054 + 16 bytes
nsTypedSelection::AddRange(nsTypedSelection * const 0x02fb4930, nsIDOMRange * 0x03e2adc8) line 5630 + 20 bytes
nsTextControlFrame::SetSelectionInternal(nsIDOMNode * 0x02f9f3ec, int 0x00000000, nsIDOMNode * 0x02f9f3ec, int 0x00000001) line 2408 + 32 bytes
nsTextControlFrame::SelectAllContents() line 2436 + 32 bytes
nsTextControlFrame::SetProperty(nsTextControlFrame * const 0x02fb206c, nsPresContext * 0x027cff80, nsIAtom * 0x00be4b10, const nsAString_internal & {...}) line 2332
nsHTMLInputElement::SelectAll(nsPresContext * 0x027cff80) line 1178
nsHTMLInputElement::Select(nsHTMLInputElement * const 0x02f84298) line 1164
XPTC_InvokeByIndex(nsISupports * 0x02f84298, unsigned int 0x0000005b, unsigned int 0x00000000, nsXPTCVariant * 0x0012ca70) line 102
XPCWrappedNative::CallMethod(XPCCallContext & {...}, XPCWrappedNative::CallMode CALL_METHOD) line 2139 + 43 bytes
XPC_WN_CallMethod(JSContext * 0x027b64d0, JSObject * 0x017eda60, unsigned int 0x00000000, long * 0x02852888, long * 0x0012cd44) line 1444 + 14 bytes
js_Invoke(JSContext * 0x027b64d0, unsigned int 0x00000000, unsigned int 0x00000000) line 1211 + 23 bytes
js_Interpret(JSContext * 0x027b64d0, unsigned char * 0x028ca7fe, long * 0x0012d804) line 3754 + 15 bytes
js_Invoke(JSContext * 0x027b64d0, unsigned int 0x00000001, unsigned int 0x00000002) line 1231 + 19 bytes
js_InternalInvoke(JSContext * 0x027b64d0, JSObject * 0x017eda60, long 0x0179c310, unsigned int 0x00000000, unsigned int 0x00000001, long * 0x0012da00, long * 0x0012d9fc) line 1308 + 20 bytes
JS_CallFunctionValue(JSContext * 0x027b64d0, JSObject * 0x017eda60, long 0x0179c310, unsigned int 0x00000001, long * 0x0012da00, long * 0x0012d9fc) line 4157 + 31 bytes
nsJSContext::CallEventHandler(JSObject * 0x017eda60, JSObject * 0x0179c310, unsigned int 0x00000001, long * 0x0012da00, long * 0x0012d9fc) line 1422 + 33 bytes
nsJSEventListener::HandleEvent(nsJSEventListener * const 0x02f92b58, nsIDOMEvent * 0x03025fc8) line 186 + 54 bytes
nsEventListenerManager::HandleEventSubType(nsListenerStruct * 0x02f92c08, nsIDOMEvent * 0x03025fc8, nsIDOMEventTarget * 0x03aecc00, unsigned int 0x00000001, unsigned int 0x00000007) line 1687 + 20 bytes
nsEventListenerManager::HandleEvent(nsEventListenerManager * const 0x02f92b00, nsPresContext * 0x027cff80, nsEvent * 0x0012e258, nsIDOMEvent * * 0x0012dd0c, nsIDOMEventTarget * 0x03aecc00, unsigned int 0x00000007, nsEventStatus * 0x0012e27c) line 1791
nsGenericElement::HandleDOMEvent(nsPresContext * 0x027cff80, nsEvent * 0x0012e258, nsIDOMEvent * * 0x0012dd0c, unsigned int 0x00000007, nsEventStatus * 0x0012e27c) line 2158
nsHTMLInputElement::HandleDOMEvent(nsPresContext * 0x027cff80, nsEvent * 0x0012e258, nsIDOMEvent * * 0x00000000, unsigned int 0x00000001, nsEventStatus * 0x0012e27c) line 1362 + 31 bytes
nsEventStateManager::SendFocusBlur(nsPresContext * 0x027cff80, nsIContent * 0x02f84258, int 0x00000001) line 4268
nsEventStateManager::SetContentState(nsIContent * 0x02f84258, int 0x00000002) line 3842
nsHTMLInputElement::SetFocus(nsPresContext * 0x027cff80) line 1075 + 17 bytes
nsEventStateManager::PreHandleEvent(nsEventStateManager * const 0x027d0318, nsPresContext * 0x027cff80, nsEvent * 0x0012eaa0, nsIFrame * 0x02a3e75c, nsEventStatus * 0x0012e874, nsIView * 0x027a8f68) line 816
PresShell::HandleEventInternal(nsEvent * 0x0012eaa0, nsIView * 0x027a8f68, unsigned int 0x00000001, nsEventStatus * 0x0012e874) line 6012 + 52 bytes
PresShell::HandleEvent(PresShell * const 0x01883d10, nsIView * 0x027a8f68, nsGUIEvent * 0x0012eaa0, nsEventStatus * 0x0012e874, int 0x00000001, int & 0x00000000) line 5857 + 25 bytes
nsViewManager::HandleEvent(nsView * 0x027a8f68, nsPoint {...}, nsGUIEvent * 0x0012eaa0, int 0x00000000) line 2504
nsViewManager::DispatchEvent(nsViewManager * const 0x027a8ec0, nsGUIEvent * 0x0012eaa0, nsEventStatus * 0x0012e9f0) line 2237 + 37 bytes
HandleEvent(nsGUIEvent * 0x0012eaa0) line 176
nsWindow::DispatchEvent(nsWindow * const 0x027a903c, nsGUIEvent * 0x0012eaa0, nsEventStatus & nsEventStatus_eIgnore) line 1141 + 10 bytes
nsWindow::DispatchWindowEvent(nsGUIEvent * 0x0012eaa0) line 1162
nsWindow::DispatchFocus(unsigned int 0x0000006b, int 0x00000001) line 6147 + 15 bytes
nsWindow::ProcessMessage(unsigned int 0x00000007, unsigned int 0x0031013e, long 0x00000000, long * 0x0012ef2c) line 4682 + 23 bytes
nsWindow::WindowProc(HWND__ * 0x00170102, unsigned int 0x00000007, unsigned int 0x0031013e, long 0x00000000) line 1330 + 27 bytes
USER32! 77d48734()
USER32! 77d48816()
USER32! 77d4b4c0()
USER32! 77d4b50c()
NTDLL! 7c90eae3()
nsGlobalWindow::Focus(nsGlobalWindow * const 0x027b61b0) line 3472 + 37 bytes
nsWebShellWindow::HandleEvent(nsGUIEvent * 0x0012f32c) line 501
nsWindow::DispatchEvent(nsWindow * const 0x027c80e4, nsGUIEvent * 0x0012f32c, nsEventStatus & nsEventStatus_eIgnore) line 1141 + 10 bytes
nsWindow::DispatchWindowEvent(nsGUIEvent * 0x0012f32c) line 1162
nsWindow::DispatchFocus(unsigned int 0x00000069, int 0x00000001) line 6147 + 15 bytes
nsWindow::ProcessMessage(unsigned int 0x00000007, unsigned int 0x00000000, long 0x00000000, long * 0x0012f7b8) line 4678 + 23 bytes
nsWindow::WindowProc(HWND__ * 0x0031013e, unsigned int 0x00000007, unsigned int 0x00000000, long 0x00000000) line 1330 + 27 bytes
USER32! 77d48734()
USER32! 77d48816()
USER32! 77d4b4c0()
USER32! 77d4b50c()
NTDLL! 7c90eae3()
USER32! 77d4b3f9()
USER32! 77d4b393()
nsWindow::DefaultWindowProc(HWND__ * 0x0031013e, unsigned int 0x00000006, unsigned int 0x00000002, long 0x00000000) line 1356
USER32! 77d48734()
USER32! 77d48816()
USER32! 77d4c63f()
USER32! 77d4c665()
nsWindow::WindowProc(HWND__ * 0x0031013e, unsigned int 0x00000006, unsigned int 0x00000002, long 0x00000000) line 1337 + 31 bytes
USER32! 77d48734()
USER32! 77d48816()
USER32! 77d4b4c0()
USER32! 77d4b50c()
NTDLL! 7c90eae3()
USER32! 77d49402()
nsAppShell::Run(nsAppShell * const 0x00c7c4f0) line 128 + 42 bytes
nsAppStartup::Run(nsAppStartup * const 0x00c7c450) line 161 + 26 bytes
XRE_main(int 0x00000004, char * * 0x003f7a30, const nsXREAppData * 0x0040301c kAppData) line 2289 + 35 bytes
main(int 0x00000004, char * * 0x003f7a30) line 61 + 19 bytes
mainCRTStartup() line 338 + 17 bytes
KERNEL32! 7c816d4f()
(In reply to comment #0)
> Rough regression window is approximately the last two days. 

Forget this regression range. It goes back much farther and exists on the 1.8 branch as well as trunk. It appears the crash does not reliably appear in the automation tests but requires some additional interaction. The stack is variable depending on when/how you get the crash to occur.
(In reply to comment #0)
>... 
> Rough regression window is approximately the last two days. 
> 
> js_NewGCThing(JSContext * 0x01830400, unsigned int 0x00000004, unsigned int
> 0x00000020) line 586 + 6 bytes

bug 208678 comment 24 cites Build ID 2005110908  (plus I have other crashes in GC)

so line 586 callout goes back at least that far.
make that bug 308678 comment c24

my GC problems go back to at least mid-sept builds
*** Bug 320942 has been marked as a duplicate of this bug. ***
js_NewGCThing() is a Firefox 1.5 topcrasher:

http://talkback-public.mozilla.org/talkback/fastfind.jsp?search=1&searchby=stacksig&match=contains&searchfor=js_NewGCThing&vendor=MozillaOrg&product=Firefox15&platform=All&buildid=&sdate=&stime=&edate=&etime=&sortby=bbid

Bug 308678 is a related topcrasher and affects the same Stack Signature.

Overall, 2.32% of Firefox 1.5 bugs involve js_NewGCThing(), making it the #5 topcrasher.

This is also #30 for Firefox Trunk builds.
Keywords: topcrash
Another stack with a 1.5 debug build from 12/29

js_NewGCThing(JSContext * 0x025fc868, unsigned int 0x00000004, unsigned int 0x00000020) line 586 + 6 bytes
js_NewFunction(JSContext * 0x025fc868, JSObject * 0x00000000, int (JSContext *, JSObject *, unsigned int, long *, long *)* 0x00000000, unsigned int 0x00000001, unsigned int 0x00000000, JSObject * 0x00000000, JSAtom * 0x02eb5c60) line 1972 + 13 bytes
JS_CompileUCFunctionForPrincipals(JSContext * 0x025fc868, JSObject * 0x00000000, JSPrincipals * 0x00ba3604, const char * 0x02ef079c, unsigned int 0x00000001, const char * * 0x0012d060, const unsigned short * 0x02c7b628, unsigned int 0x0000004b, const char * 0x02c558f0, unsigned int 0x000000fa) line 3892 + 27 bytes
nsJSContext::CompileEventHandler(void * 0x0293d6a8, nsIAtom * 0x02ef0790, const char * 0x01ec05d4 gEventName, const nsAString_internal & {...}, const char * 0x02c558f0, unsigned int 0x000000fa, int 0x00000001, void * * 0x0012d5dc) line 1319 + 82 bytes
nsXBLPrototypeHandler::ExecuteHandler(nsIDOMEventReceiver * 0x02eb5c18, nsIDOMEvent * 0x02fdc848) line 485 + 75 bytes
nsXBLEventHandler::HandleEvent(nsXBLEventHandler * const 0x02c94de8, nsIDOMEvent * 0x02fdc848) line 86
nsEventListenerManager::HandleEventSubType(nsListenerStruct * 0x02c94e30, nsIDOMEvent * 0x02fdc848, nsIDOMEventTarget * 0x02eb5c18, unsigned int 0x00000004, unsigned int 0x00000007) line 1685 + 20 bytes
nsEventListenerManager::HandleEvent(nsEventListenerManager * const 0x02c94a88, nsPresContext * 0x02904d90, nsEvent * 0x0012db98, nsIDOMEvent * * 0x0012db34, nsIDOMEventTarget * 0x02eb5c18, unsigned int 0x00000007, nsEventStatus * 0x0012dbec) line 1789
nsXULElement::HandleDOMEvent(nsPresContext * 0x02904d90, nsEvent * 0x0012db98, nsIDOMEvent * * 0x0012db34, unsigned int 0x00000007, nsEventStatus * 0x0012dbec) line 2153
PresShell::HandleDOMEventWithTarget(PresShell * const 0x016706b8, nsIContent * 0x02c55880, nsEvent * 0x0012db98, nsEventStatus * 0x0012dbec) line 6473
nsPopupSetFrame::OnDestroy(nsIContent * 0x02c55880) line 697 + 27 bytes
nsPopupSetFrame::OpenPopup(nsPopupFrameList * 0x02c845a8, int 0x00000000) line 516 + 33 bytes
nsPopupSetFrame::DestroyPopup(nsPopupSetFrame * const 0x0290f258, nsIFrame * 0x0290f474, int 0x00000001) line 442
nsPopupBoxObject::HidePopup(nsPopupBoxObject * const 0x02eb3c98) line 131
nsXULTooltipListener::HideTooltip() line 536
nsXULTooltipListener::MouseOut(nsXULTooltipListener * const 0x02deda70, nsIDOMEvent * 0x014dfdf8) line 158
DispatchToInterface(nsIDOMEvent * 0x014dfdf8, nsIDOMEventListener * 0x02deda70, unsigned int (nsIDOMEvent *)* 0x01ad67a0 `vcall'(nsIDOMEvent *), const nsID & {...}, int * 0x0012ddcc) line 141 + 11 bytes
nsEventListenerManager::HandleEvent(nsEventListenerManager * const 0x029102d0, nsPresContext * 0x02904d90, nsEvent * 0x0012ee48, nsIDOMEvent * * 0x0012ee0c, nsIDOMEventTarget * 0x02619b28, unsigned int 0x00000004, nsEventStatus * 0x0012ee98) line 1779 + 35 bytes
nsXULDocument::HandleDOMEvent(nsPresContext * 0x02904d90, nsEvent * 0x0012ee48, nsIDOMEvent * * 0x0012ee0c, unsigned int 0x00000004, nsEventStatus * 0x0012ee98) line 1243
nsXULElement::HandleDOMEvent(nsPresContext * 0x02904d90, nsEvent * 0x0012ee48, nsIDOMEvent * * 0x0012ee0c, unsigned int 0x00000004, nsEventStatus * 0x0012ee98) line 2135 + 40 bytes
nsXULElement::HandleDOMEvent(nsPresContext * 0x02904d90, nsEvent * 0x0012ee48, nsIDOMEvent * * 0x0012ee0c, unsigned int 0x00000004, nsEventStatus * 0x0012ee98) line 2132
nsXULElement::HandleDOMEvent(nsPresContext * 0x02904d90, nsEvent * 0x0012ee48, nsIDOMEvent * * 0x0012ee0c, unsigned int 0x00000004, nsEventStatus * 0x0012ee98) line 2132
nsXULElement::HandleDOMEvent(nsPresContext * 0x02904d90, nsEvent * 0x0012ee48, nsIDOMEvent * * 0x0012ee0c, unsigned int 0x00000004, nsEventStatus * 0x0012ee98) line 2132
nsXULElement::HandleDOMEvent(nsPresContext * 0x02904d90, nsEvent * 0x0012ee48, nsIDOMEvent * * 0x0012ee0c, unsigned int 0x00000007, nsEventStatus * 0x0012ee98) line 2132
nsEventStateManager::DispatchMouseEvent(nsGUIEvent * 0x0012f64c, unsigned int 0x0000014c, nsIContent * 0x02d42af8, nsIContent * 0x02c00048) line 2628
nsEventStateManager::NotifyMouseOut(nsGUIEvent * 0x0012f64c, nsIContent * 0x02c00048) line 2697
nsEventStateManager::NotifyMouseOver(nsGUIEvent * 0x0012f64c, nsIContent * 0x02c00048) line 2747
nsEventStateManager::GenerateMouseEnterExit(nsGUIEvent * 0x0012f64c) line 2786
nsEventStateManager::PreHandleEvent(nsEventStateManager * const 0x028ff068, nsPresContext * 0x02904d90, nsEvent * 0x0012f64c, nsIFrame * 0x02c6bd00, nsEventStatus * 0x0012f3dc, nsIView * 0x028fff58) line 523
PresShell::HandleEventInternal(nsEvent * 0x0012f64c, nsIView * 0x028fff58, unsigned int 0x00000001, nsEventStatus * 0x0012f3dc) line 6365 + 67 bytes
PresShell::HandleEvent(PresShell * const 0x01670730, nsIView * 0x028fff58, nsGUIEvent * 0x0012f64c, nsEventStatus * 0x0012f3dc, int 0x00000001, int & 0x00000001) line 6210 + 25 bytes
nsViewManager::HandleEvent(nsView * 0x028fff58, nsGUIEvent * 0x0012f64c, int 0x00000000) line 2559
nsViewManager::DispatchEvent(nsViewManager * const 0x028ffeb0, nsGUIEvent * 0x0012f64c, nsEventStatus * 0x0012f528) line 2246 + 20 bytes
HandleEvent(nsGUIEvent * 0x0012f64c) line 174
nsWindow::DispatchEvent(nsWindow * const 0x0290002c, nsGUIEvent * 0x0012f64c, nsEventStatus & nsEventStatus_eIgnore) line 1252 + 10 bytes
nsWindow::DispatchWindowEvent(nsGUIEvent * 0x0012f64c) line 1273
nsWindow::DispatchMouseEvent(unsigned int 0x0000012c, unsigned int 0x00000000, nsPoint * 0x00000000) line 5980 + 21 bytes
ChildWindow::DispatchMouseEvent(unsigned int 0x0000012c, unsigned int 0x00000000, nsPoint * 0x00000000) line 6234
nsWindow::ProcessMessage(unsigned int 0x00000200, unsigned int 0x00000000, long 0x0014001a, long * 0x0012fb58) line 4543 + 28 bytes
nsWindow::WindowProc(HWND__ * 0x00090206, unsigned int 0x00000200, unsigned int 0x00000000, long 0x0014001a) line 1434 + 27 bytes

*** Bug 318636 has been marked as a duplicate of this bug. ***
We've been tracking the "freelist entry turns into a small integer" elsewhere. mrbkap probably knows the bug by heart.

/be
bump to critical for crash and topcrash.

is bug 318633 a dup?
Severity: major → critical
Summary: Crash [@ js_NewGCThing() line 586 ] → Crash [@ js_NewGCThing() line 586 ] scrollbar and url bar
The stack trace shows that the free list was damaged during GCX_PRIVATE allocation of a JSFunction, which on a 32-bit CPU is 8 words or 32 bytes. AFAICS the only other place that can allocate 8 words is AllocSlots in jsobj.c. Now a probable scenario for that small integer problem is that either the slots array or the JSFunction was modified after the object was marked as free, but not any other GC thing.

The 2 initial slot array entries that can interfere with the free-list link are the number of slots in the array and the proto jsval. The number of slots in the array does not change after array creation and the proto jsval also stays constant, so slot array mishandling should not cause the bug. On the other hand JSFunction->nrefs changes through JSFunction lifetime and can be that small number causing all the troubles.
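
The mechanism described in comment 10, as an added C example that is not code from this bug or from SpiderMonkey: a toy GC free list of 32-byte cells in which the first word of a JSFunction-like object (nrefs) is the same word that holds the free-list link once the cell is freed, so a stale nrefs write after collection leaves a small integer in the link exactly as the crash dump shows (`thing 0x00000002`). The arena, the Cell/Fun layouts, the function names and the valid_link() debug check are assumptions made for the demo; the check is not part of the real allocator, it shows what would have refused the damaged link before js_NewGCThing dereferenced it.

```c
/* Added example, not Mozilla's code: a toy GC free list with 32-byte cells,
 * modelled on comment 10. A JSFunction-like object's first word (nrefs) is
 * the same word that holds the free-list link once the cell is freed, so a
 * stale nrefs update after collection leaves a small integer in the link.
 * Arena size, the Cell/Fun layouts and valid_link() are assumptions. */
#include <stdint.h>
#include <stdio.h>
#include <string.h>
#define CELL_BYTES 32   /* 8 words on a 32-bit CPU: the JSFunction size */
#define NCELLS     8

typedef struct Fun {             /* JSFunction-like layout: nrefs first */
    uintptr_t nrefs;             /* word-sized so the overlap is the same on 64-bit */
    uint8_t rest[CELL_BYTES - sizeof(uintptr_t)];
} Fun;

typedef union Cell {             /* one GC cell, CELL_BYTES long */
    union Cell *next;            /* free-list link while the cell is free */
    Fun fun;                     /* object payload while it is allocated */
} Cell;

static Cell arena[NCELLS];
static Cell *freelist;
/* Debug check (assumed): a link must be NULL or a cell address inside the
 * arena, so a small integer fails here instead of being dereferenced by the
 * next allocation, which is where js_NewGCThing crashed. */
static int valid_link(const Cell *p)
{
    uintptr_t a = (uintptr_t)p, lo = (uintptr_t)arena;
    if (p == NULL)
        return 1;
    return a >= lo && a < (uintptr_t)(arena + NCELLS) && (a - lo) % sizeof(Cell) == 0;
}

static void init_arena(void)
{
    for (int i = 0; i < NCELLS; i++)
        arena[i].next = (i + 1 < NCELLS) ? &arena[i + 1] : NULL;
    freelist = arena;
}

static Cell *gc_alloc(void)      /* NULL when empty or the list is damaged */
{
    Cell *c = freelist;
    if (c == NULL)
        return NULL;
    if (!valid_link(c->next)) {
        fprintf(stderr, "free-list link damaged: %p\n", (void *)c->next);
        return NULL;
    }
    freelist = c->next;
    memset(c, 0, sizeof *c);
    return c;
}

static void gc_free(Cell *c)
{
    c->next = freelist;          /* the link now overlays fun.nrefs */
    freelist = c;
}

/* Comment 10's scenario: the function is collected while a stale pointer
 * survives, then its nrefs is updated. Returns 1 if the debug check refused
 * the next allocation instead of following the damaged link. */
int demo_stale_nrefs(void)
{
    init_arena();
    Cell *f = gc_alloc();
    f->fun.nrefs = 1;
    gc_free(f);                  /* GC ran: f's first word is now the link */
    f->fun.nrefs = 2;            /* use-after-free write: link becomes 2 */
    return gc_alloc() == NULL;
}

/* Link left in the head cell after demo_stale_nrefs(): 2, like the dump. */
uintptr_t head_link(void)
{
    return freelist ? (uintptr_t)freelist->next : 0;
}
```

Without the check the second gc_alloc() would load 2 into freelist and the allocation after that would dereference it, which is the crash in js_NewGCThing line 586.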

(In reply to comment #10)
> On the other hand
> JSFunction->nrefs changes through JSFunction lifetime and can be that small
> number causing all the troubles.

Igor pointed out in an e-mail that the debugger API object hook could cause a GC after the newborn root protecting the JSFunction has been displaced by initial slots vector for the function object.  That shouldn't happen unless people seeing this crash are running Venkman (or unless we have a bad situation where the jsd layer is allocating and possibly GC'ing even when Venkman is off or disabled).

Is anyone seeing this crash running Venkman actively, or in particular at the time of the crash?

/be
If anyone who sees the bug could apply the patch from bug 322001 and it changed the stack trace/register content during the crash, then it would prove that the bug is caused by improper access to the JSFunction.
> Is anyone seeing this crash running Venkman actively, or in particular at the
> time of the crash?

I don't see the crash with Venkman uninstalled, but do see it with Venkman installed even though it is not active.

Before and after stacks coming up.
correction: with venkman installed the crash occurred immediately; without venkman, the crash occurred when I closed the browser.
Depends on: 322045
(In reply to comment #16)
> Created an attachment (id=207293) [edit]
> stack from patched trunk build/winxp without venkman installed.
> 
> correction: with venkman installed the crashed occured immediately, without
> venkman, the crashed occured when I closed the browser.

This still reproducing on the latest trunk builds?

/be
(In reply to comment #17)

I don't crash with today's trunk, but the browser becomes pretty useless in that it is not possible to switch tabs, open menu items, etc. But it doesn't crash.
(In reply to comment #18)
> (In reply to comment #17)

I can crash using a debug winxp trunk build from yesterday, but the original stacks are gone. The crash appears related to failure to cope with out of memory issues. 

Depending on the run, and your actions after the pages loads (if it does), you can get a variety of stacks. Should I mark this fixed due to bug 322045? How to deal with the out of memory related crashes?

For future search reference using start from command line with url, help->about

WARNING: Global is not an nsISupports.: file c:/work/mozilla/builds/ff/trunk/mozilla/dom/src/base/nsJSEnvironment.cpp, line 1525
JavaScript error: , line 0: out of memory
###!!! ASSERTION: This is not supposed to fail!: 'Error', file c:/work/mozilla/builds/ff/trunk/mozilla/js/src/xpconnect/src/nsXPConnect.cpp, line 409
###!!! ASSERTION: This is not supposed to fail!: 'Error', file c:/work/mozilla/builds/ff/trunk/mozilla/js/src/xpconnect/src/nsXPConnect.cpp, line 409
WARNING: NS_ENSURE_TRUE(NS_SUCCEEDED(rv)) failed: file c:/work/mozilla/builds/ff/trunk/mozilla/dom/src/base/nsJSEnvironment.cpp, line 1619
WARNING: NS_ENSURE_TRUE(NS_SUCCEEDED(rv)) failed: file c:/work/mozilla/builds/ff/trunk/mozilla/dom/src/base/nsJSEnvironment.cpp, line 2421
WARNING: NS_ENSURE_TRUE(context) failed: file c:/work/mozilla/builds/ff/trunk/mozilla/docshell/base/nsDocShell.cpp, line 8145
###!!! ASSERTION: Couldn't get DOM window.: 'domWindow', file c:/work/mozilla/builds/ff/trunk/mozilla/xpfe/appshell/src/nsAppShellService.cpp, line 472
WARNING: NS_ENSURE_TRUE(scx) failed: file c:/work/mozilla/builds/ff/trunk/mozilla/dom/src/base/nsGlobalWindow.cpp, line 916
WARNING: window not set for document!: file c:/work/mozilla/builds/ff/trunk/mozilla/layout/base/nsDocumentViewer.cpp, line 1090
frame: MenuPopup(menupopup)(0) (035BAAF8) style: 02C74AB4 {}
Wrong parent style context:  style: 02C747E0 {}
should be using:  style: 03384B98 {}

###!!! ASSERTION: window not set for document!: 'Error', file c:/work/mozilla/builds/ff/trunk/mozilla/layout/base/nsDocumentViewer.cpp, line 1197
WARNING: NS_ENSURE_TRUE(scx) failed: file c:/work/mozilla/builds/ff/trunk/mozilla/dom/src/base/nsGlobalWindow.cpp, line 916
WARNING: NS_ENSURE_TRUE(NS_SUCCEEDED(rv)) failed: file c:/work/mozilla/builds/ff/trunk/mozilla/content/base/src/nsGenericElement.cpp, line 3451
WARNING: NS_ENSURE_TRUE(NS_SUCCEEDED(rv)) failed: file c:/work/mozilla/builds/ff/trunk/mozilla/content/base/src/nsGenericElement.cpp, line 3451
WARNING: NS_ENSURE_TRUE(NS_SUCCEEDED(rv)) failed: file c:/work/mozilla/builds/ff/trunk/mozilla/content/base/src/nsGenericElement.cpp, line 3451
WARNING: NS_ENSURE_TRUE(NS_SUCCEEDED(rv)) failed: file c:/work/mozilla/builds/ff/trunk/mozilla/content/base/src/nsGenericElement.cpp, line 3451
###!!! ASSERTION: no script global object: 'mScriptGlobalObject != nsnull', file c:/work/mozilla/builds/ff/trunk/mozilla/content/xul/document/src/nsXULDocument.cpp, line 3295
++WEBSHELL 11AF8888 == 5
++DOMWINDOW == 8
###!!! ASSERTION: Can't get globalObject.Object.prototype: 'Error', file c:/work/mozilla/builds/ff/trunk/mozilla/js/src/xpconnect/src/xpcwrappednativescope.cpp, line 223
JavaScript error: , line 0: out of memory
JavaScript error: , line 0: out of memory
JavaScript error: , line 0: out of memory
Assertion failure: (cx)->tempValueRooters == (&tvr), at c:/work/mozilla/builds/ff/trunk/mozilla/js/src/jsapi.c:2096

browser hung.

Another case results in a crash with stack found in bug 324533. 
(In reply to comment #19)
[...]
> Depending on the run, and your actions after the pages loads (if it does), you
> can get a variety of stacks. Should I mark this fixed due to bug 322045? How to
> deal with the out of memory related crashes?
[...]

IIUC, if you get a crash with the latest nightly, it is not "fixed", at least not on the code branch (or trunk) you're using. ;-)


-- 
Best regards,
Tony.
(In reply to comment #20)
> IIUC, if you get a crash with the latest nightly, it is not "fixed", at least
> not on the code branch (or trunk) you're using. ;-)

The original crash and bug can be fixed even if other crashes occur on the same testcase.
(In reply to comment #21)
[...]
> The original crash and bug can be fixed even if other crashes occur on the same
> testcase.
> 

Shouldn't it be either "reopened" then (meaning the fix isn't working), or else filed under a new bug? If crashes keep happening (on the latest nightlies, remember), I don't call them "fixed", not on this code tree anyway.
erm. the bug you're spamming *is* a new bug. if a checkin for a bug fixed a specific codepath that was implicated as bad by a specific bug, then that bug can and should remain resolved fixed as long as that checkin remains in cvs. if that checkin is backed out because of some problem with it, then someone may reopen the bug. otherwise, a new bug, such as this one, should be opened for similar issues.
(In reply to comment #23)
> erm. the bug you're spamming *is* a new bug. [...]

Ah. Uh. Sorry for the bugspam, er, low morning blood sugar and all that: not really up to speed yet.
Sounds like all the non-OOM crashes here went away.  For OOM outside of the JavaScript Engine, see bug 427099.
Status: NEW → RESOLVED
Closed: 11 years ago
Resolution: --- → FIXED
Crash Signature: [@ js_NewGCThing() line 586 ]