Closed Bug 347053 Opened 14 years ago Closed 14 years ago

Firefox on 1.8 branch topcrash [@ 0xffffff4d] [@ js_GC]

Categories

(Core :: JavaScript Engine, defect)

1.8 Branch
x86
Windows XP
defect
Not set
critical

Tracking

()

RESOLVED WORKSFORME
mozilla1.8.1

People

(Reporter: dbaron, Unassigned)

Details

(Keywords: crash, fixed1.8.1, topcrash, Whiteboard: rcinvestigate)

Crash Data

Attachments

(2 files)

This bug is almost exactly like bug 314484, but brendan suggested I file a new bug rather than reopen since that bug was rather long already, and it does really seem to have disappeared (I don't see it in 1.5.0.x talkback data).

We're seeing a lot of crashes with this signature:
http://talkback-public.mozilla.org/search/start.jsp?search=1&searchby=stacksig&match=contains&searchfor=0xffffff4d&vendor=MozillaOrg&product=Firefox2&platform=All&buildid=&sdate=&stime=&edate=&etime=&sortby=bbid

the stacks are generally:

Most of the stacks are:

0xffffff4d
0x011?????  (????? == varies)
js_GC
js_ForceGC
nsAppStartup::Run
main

Some stack traces stop at js_ForceGC (so they're only four frames long) or js_GC (only three frames long).

They're all on Windows, and the comments don't appear very useful.
Flags: blocking1.8.1?
Keywords: crash, topcrash
Severity: normal → critical
Note that this doesn't appear in Fx 2.0b1 topcrash data, so either:
 * it's a regression since then
 * it's something that only appears in nightlies (e.g., related to zip builds or some particular testing)
Flags: blocking1.8.1? → blocking1.8.1+
This appears to have gone away around a week ago.
Status: NEW → RESOLVED
Closed: 14 years ago
Resolution: --- → WORKSFORME
Back in 2006081104, with reports from 3 users.
Status: RESOLVED → REOPENED
Resolution: WORKSFORME → ---
TB22040324E looks similar, but is slightly longer.

The user reports from http://forums.mozillazine.org/viewtopic.php?p=2428658#2428658 :

"on http://mindfactory.de/ I just clicked through the categories on the left side and clicked on some articles... I sorted articles by price and scrolled up/down.... then it crashed.

I also saw these both entries in errorconsole:

Error: uncaught exception: A script from "http://www.mindfactory.de" was denied UniversalXPConnect privileges.

Error: uncaught exception: Permission denied to get property HTMLDocument.referrer"
Steve England, thanks for adding my comment.

Here's another crash report... I just got it, but I can't remember what I did :)

TB22073206Z
I had problems with this too. I updated to new versions every day via automatic updates. I tried to remove directory with Firefox, download full version from FTP (FF 2.0 Branch - 20060813) and now all works fine. No crash. Problem with some automatic update?
Any idea why this crash wouldn't have occured at all between  MozillaOrgFirefox2Win322006073104 and MozillaOrgFirefox2Win322006081104?
Target Milestone: --- → mozilla1.8.1
(In reply to comment #7)
> Any idea why this crash wouldn't have occured at all between 
> MozillaOrgFirefox2Win322006073104 and MozillaOrgFirefox2Win322006081104?

Could it be just that the guys who run the builds do not update every day? I do not see what changes around those days can prevent the bug from happening. 
Target Milestone: mozilla1.8.1 → ---
Target Milestone: --- → mozilla1.8.1
Attached file analysis of TB22112461
Analysis of the only 1 of the 10 incidents that I looked at that had a usable raw stack in talkback -- presumably because EBP was still good in this incident whereas in most it is 0.
(In reply to comment #9)
> Created an attachment (id=233883) [edit]
> analysis of TB22112461
> 
> Analysis of the only 1 of the 10 incidents that I looked at that had a usable
> raw stack in talkback -- presumably because EBP was still good in this incident
> whereas in most it is 0.

Is it possible to know from a talkback how much memory the browser is using when the crash happens?
(In reply to comment #9)
> Created an attachment (id=233883) [edit]
> analysis of TB22112461

One more thing, does that implies that the crash happened when js_GC was trying to call js_SweepAtomState which failed due to a damaged C stack?
Has this bug disappeared as mysteriously as it re-appeared? I see no reports of crashing with yesterday's 20060815 build or today's 20060816 builds. And personally, this bug used to crash me a lot, but hasn't yesterday or so far today.
Yep.
Status: REOPENED → RESOLVED
Closed: 14 years ago14 years ago
Resolution: --- → WORKSFORME
It's back in 20060831 (1.8 branch).
Status: RESOLVED → REOPENED
Resolution: WORKSFORME → ---
Disappearance / reappearance may be related to bug 346494 and bug 350312, somehow.
Any sign on trunk?  I need to land patch for lexical catch vars (bug 336379) on the 1.8 branch still, and soon.  That may have a good effect, but I'd like to know for sure.

/be
For what it's worth, this seems to have come back only in a single build (although for multiple users) and then gone away again.
But then a bunch more reports in 2006-09-04-04-1.8 Firefox.
It went away, came back, and went away again.  The last time it went away corresponds to the checkin of bug 350787, which I suppose could be related.
OK, worksforme again, since it's been gone since my last comment.
Status: REOPENED → RESOLVED
Closed: 14 years ago14 years ago
Resolution: --- → WORKSFORME
Since this isn't showing up in recent TB reports anymore - removing it from 1.8.1 blocker list...
Flags: blocking1.8.1+ → blocking1.8.1-
This crash popped up for one day on the trunk. (2006091304)
This may be back based on a few reports on mozillazine...here are two TBIDs:
TB23488602W
TB23489597X

Leaving resolved though to wait a day just to see if this isn't just one person with a screwed profile or something.
This bug appears to have returned, so I am reopening this topcrasher and requesting blocking for 2.0 (previously minused because the bug mysteriously disappeared).
Status: RESOLVED → REOPENED
Flags: blocking1.8.1- → blocking1.8.1?
Resolution: WORKSFORME → ---
I've lots of crashes in the last two days. Some are: TB23491217Y, TB23493454Q, TB23523508H, TB23522365Y

They happen if I click on any link on different pages... or if I close firefox.

Mozilla/5.0 (Windows; U; Windows NT 5.1; en-US; rv:1.8.1) Gecko/20060920 BonEcho/2.0 ID:2006092004

Console² 0.3.6
Disable Targets For Downloads 1.0.1
DOM Inspector 1.8.1
DownThemAll! 0.9.9.6.5
Flashblock 1.5.1
Image Zoom 0.2.7
Nightly Tester Tools 1.1
Password Save [de] 0.5
Popup Count 0.3.4
ProxyButton 0.2.5
Talkback 2.0
Update Channel Selector 1.0.1
VideoDownloader 1.1 
Brian C/Brendan can you take a look and see if we know what's going on?
Flags: blocking1.8.1? → blocking1.8.1+
Whiteboard: rcinvestigate
That address is -179.  It doesn't ring a bell.

Igor, any thoughts?

/be
(In reply to comment #27)
> That address is -179.  It doesn't ring a bell.
> 
> Igor, any thoughts?

No. But it does not look for me like an integer that overwrote  function pointer. It looks more like a bit pattern or a hash value. The later is probable since the crashes are around hash enumeration functions.
TB23690203X
TB23686072H
People who are seeing this:

 * does disabling extensions make it go away?  Is there a particular extension triggering it?
 * if you have some crash logging tool other than talkback that includes a raw stack dump, a report from that tool would be useful (but just one or two -- not more).  However, to be useful, I need to know *exactly* which build you were using when you crashed (and be able to get that build).
There are a bunch of crashes reported as being in js_SweepScopeProperties:  either at line 1587 or 1563 of jsscope.c (line numbers on 1.8 branch, post JS 1.7 landing).  I can't get more details, though, since spike is down.  (Only one of them was this month, though.)
Except the one report this month was marked as line 1585.
It looks like this may have gone away on the branch with the fix to bug 353227 (and it started around the same time, too).
re: comment 30, I have crashed at 0xffffff4d with a new profile; so the only extensions installed were Talkback and Domi.
Marking worksforme, since there have been no crashes with 2006-09-26 builds and none so far with 2006-09-27 builds.
Status: REOPENED → RESOLVED
Closed: 14 years ago14 years ago
Resolution: --- → WORKSFORME
ive been hgavikng this crash on latest trunk nightly
TB23869554Y
TB23869061M

seems too still affect trunk 
Looks like it is back in the RC1 top crash reports...  
Ranked as #2 with 19% of the early crashes

Windows Build 091818

http://talkback-public.mozilla.org/reports/firefox/FF2rc1/FF2rc1-topcrashers.html

#2 	0xffffff4d 	19.2% 	2350 		149109 	2350 2350


http://talkback-public.mozilla.org/reports/firefox/FF2rc1/smart-analysis.win

2   0xffffff4d   2350 
 
====================================================================================================
     Count   Offset    Real Signature
[ 17   0xffffff4d da2edacf - js_GC ]
[ 15   0xffffff4d 5e24c79e - js_GC ]
[ 14   0xffffff4d 9b02f666 - js_GC ]
[ 11   0xffffff4d b303d2b0 - js_GC ]
[ 11   0xffffff4d a173024d - js_GC ]
[ 11   0xffffff4d 87279285 - js_GC ]
[ 11   0xffffff4d 0eaa4b1a - js_GC ]
[ 10   0xffffff4d fc9e44e1 - js_GC ]
[ 10   0xffffff4d 92585901 - js_GC ]
[ 10   0xffffff4d 098ad2ce - js_GC ]
[ 9   0xffffff4d f36210e8 - js_GC ]
[ 9   0xffffff4d aba387a8 - js_GC ]
[ 9   0xffffff4d a6539b99 - js_GC ]
[ 9   0xffffff4d 72f4b34c - js_GC ]
[ 9   0xffffff4d 598980e1 - js_GC ]
 
     Crash date range: 20-SEP-06 to 29-SEP-06
     Min/Max Seconds since last crash: 28 - 191376
     Min/Max Runtime: 228 - 221381
 
     Count   Platform List 
     165   Windows XP [Windows NT 5.1 build 2600] 
 
     Count   Build Id List 
     165   2006091818
 
     No of Unique Users       58
 
 Stack trace(Frame) 

	 0xffffff4d  
	 0x01183008  
	 js_GC	[c:/builds/tinderbox/Fx-Mozilla1.8-release/WINNT_5.2_Depend/mozilla/js/src/jsgc.c  line 2873] 
	 JS_GC	[c:/builds/tinderbox/Fx-Mozilla1.8-release/WINNT_5.2_Depend/mozilla/js/src/jsapi.c  line 1944] 
	 nsAppStartup::Run	[c:/builds/tinderbox/Fx-Mozilla1.8-release/WINNT_5.2_Depend/mozilla/toolkit/components/startup/src/nsAppStartup.cpp  line 152] 
	 main	[c:/builds/tinderbox/Fx-Mozilla1.8-release/WINNT_5.2_Depend/mozilla/browser/app/nsBrowserApp.cpp  line 61] 
	 kernel32.dll + 0x16fd7 (0x7c816fd7)   
 
     (23903190)	URL: www.bild.de
     (23903190)	Comments: Reading article
     (23898263)	URL: basketball.fantasysports.yahoo.com/nba
     (23898236)	URL: basketball.fantasysports.yahoo.com/nba
     (23897503)	URL: basketball.fantasysports.yahoo.com/nba
     (23897028)	URL: basketball.fantasysports.yahoo.com/nba
     (23897028)	Comments: Checking on my fantasy basketball team
     (23889330)	URL: www.circles99.com
     (23883054)	URL: http://www.youtube.com/watch?v=FFf7AtAOagw&mode=related&search=
     (23883054)	Comments: Using a Jump feature on a forum to go from one room to the next.
     (23879931)	URL: www.gmail.com
     (23879931)	Comments: When i started to look an profile on orkut  browser crashes.
     (23873710)	URL: http://www.youtube.com/watch?v=FFf7AtAOagw&mode=related&search=
     (23873710)	Comments: Again clicking on a link. This is getting annoying
     (23867799)	URL: www.free-mobile.net
     (23867799)	Comments: page had just loaded  was not loading anything new
     (23852764)	URL: www.studivz.net
     (23852764)	Comments: Browsing and downloading a 35MB program (iTunes)
     (23851244)	URL: www.pcinpact.com
     (23851244)	Comments: I wasn't in front of my screen
     (23850211)	Comments: I closed som tabs
     (23827857)	URL: www.loveandseek.com
     (23827857)	Comments: clicking the back button
     (23827592)	URL: www.torncity.com
     (23827275)	URL: www.torncity.com
     (23827215)	URL: www.torncity.com
     (23816197)	URL: www.torncity.com
     (23813189)	URL: www.torncity.com
     (23811726)	URL: http://www.miacrew.com/forums/viewtopic.php?t=61
     (23811726)	Comments: I was just reading forum posts when the browser crashed this is the 3rd time 
     (23810538)	URL: www.graysonline.com.au
     (23799330)	URL: www.circles99.com
     (23690456)	URL: endless-fantasy.de
     (23677770)	URL: endless-fantasy.de
     (23675159)	URL: endless-fantasy.de
     (23664320)	URL: endless-fantasy.de
     (23645524)	URL: endless-fantasy.de
     (23640634)	URL: endless-fantasy.de
     (23640150)	URL: endless-fantasy.de
     (23639717)	URL: endless-fantasy.de
     (23587780)	URL: endless-fantasy.de
     (23584356)	URL: endless-fantasy.de
     (23571123)	URL: endless-fantasy.de

Right. RC1 is still going to show this crash because it wasn't fixed until after we built RC1.
Seems to have gone away on the trunk with the fix to bug 352520 (between the 2006-09-28 and 2006-09-29 builds).
Then again, that could just be insufficient data volume.  In any case, if it's still around on the trunk, that should probably be a separate bug.
Crash Signature: [@ 0xffffff4d] [@ js_GC]
You need to log in before you can comment on or make changes to this bug.