Closed Bug 485799 Opened 15 years ago Closed 14 years ago

crash [@ memmove - nsTArray_base::ShiftData - XPCJSRuntime::GCCallback ]

Categories

(Core :: DOM: Core & HTML, defect)

x86
Windows XP
defect
Not set
critical

RESOLVED INCOMPLETE

People

(Reporter: xtc4uall, Unassigned)

Details

(Keywords: crash, Whiteboard: [sg:needinfo])

Attachments

(1 file)

similar to Bug 454626.

Signature	memmove
UUID	c18051b3-0d54-4109-9bca-8977c2090329
Time 	2009-03-29 09:23:33.240263
Uptime	20
Last Crash	1007344 seconds before submission
Product	Firefox
Version	3.6a1pre
Build ID	20090329050451
Branch	1.9.2
OS	Windows NT
OS Version	5.1.2600 Service Pack 3
CPU	x86
CPU Info	GenuineIntel family 15 model 2 stepping 9
Crash Reason	EXCEPTION_ACCESS_VIOLATION
Crash Address	0x10a20000
Frame 	Module 	Signature 	Source
0 	mozcrt19.dll 	memmove 	MEMCPY.ASM:188
1 	xul.dll 	nsTArray_base::ShiftData(unsigned int,unsigned int,unsigned int,unsigned int) 	obj-firefox/xpcom/build/nsTArray.cpp:173
2 	xul.dll 	XPCJSRuntime::GCCallback(JSContext*,JSGCStatus) 	js/src/xpconnect/src/xpcjsruntime.cpp:773

I was updating a nightly build and on restart a Weave extension update to version 0.2.119 was found and updated. Then crash on the ongoing loading of Fx.
Similar reports found via http://crash-stats.mozilla.com/report/list?product=Firefox&version=Firefox%3A3.6a1pre&query_search=signature&query_type=contains&query=memmove&date=&range_value=2&range_unit=weeks&do_query=1&signature=memmove

Signature	memmove
UUID	883ba42b-ca4e-4773-8e57-17a282090405
Time 	2009-04-05 05:33:01.769077
Uptime	3542
Last Crash	342761 seconds before submission
Product	Firefox
Version	3.6a1pre
Build ID	20090329050451
Branch	1.9.2
OS	Windows NT
OS Version	6.0.6001 Service Pack 1
CPU	x86
CPU Info	GenuineIntel family 6 model 15 stepping 13
Crash Reason	EXCEPTION_ACCESS_VIOLATION
Crash Address	0x6edc0000
Frame 	Module 	Signature 	Source
0 	mozcrt19.dll 	memmove 	MEMCPY.ASM:188
1 	xul.dll 	nsTArray_base::ShiftData(unsigned int,unsigned int,unsigned int,unsigned int) 	obj-firefox/xpcom/build/nsTArray.cpp:173
2 	xul.dll 	XPCJSRuntime::GCCallback(JSContext*,JSGCStatus) 	js/src/xpconnect/src/xpcjsruntime.cpp:773
3 	xul.dll 	nsCycleCollector::FinishCollection() 	xpcom/base/nsCycleCollector.cpp:2461
4 	xul.dll 	DOMGCCallback 	dom/base/nsJSEnvironment.cpp:3606
5 	js3250.dll 	js_GC 	js/src/jsgc.cpp:3849

Recent trunk builds (win only) still affected. Setting NEW for now.
Status: UNCONFIRMED → NEW
Ever confirmed: true
I think this has been around for a while and has moved up in the top crash ranking. It's currently ranked #11 for fx3.5b4.

It seems like the problem might have a larger visibility among international users.
I just filed bug 494617 which seems to have a similar stacktrace as what this bug is about.
http://crash-stats.mozilla.com/report/index/33d5f035-0c9e-41dc-bb8c-14d7a2090720

I just received this which is similar to this bug, but I got the crash while in Private Browsing mode.  I don't have any traces.  I don't even know if I can reproduce this again.
ngamer01: no, please use another bug (there is one)
Summary: crash [@ memmove - nsTArray_base::ShiftData] → crash [@ memmove - nsTArray_base::ShiftData - XPCJSRuntime::GCCallback]
So, is this bug's signature being covered by later on filed bug reports like Bug 507114 or Bug 519771 due to splitting them up by Bug 520678?!
Somehow it's confusing following the chain of reports and moreover some are still marked security sensitive ....

FWIW, there are still low volume crashes for the signature XPCJSRuntime::GCCallback(JSContext*, JSGCStatus), which isn't yet covered by a report.

trunk
http://crash-stats.mozilla.com/report/list?product=Firefox&branch=1.9.3&query_search=signature&query_type=contains&query=XPCJSRuntime%3A%3AGCCallback&date=&range_value=1&range_unit=weeks&do_query=1&signature=XPCJSRuntime%3A%3AGCCallback%28JSContext*%2C%20JSGCStatus%29

1.9.2 branch:
http://crash-stats.mozilla.com/query/query?product=Firefox&version=ALL%3AALL&branch=1.9.2&date=&range_value=1&range_unit=weeks&query_search=signature&query_type=contains&query=XPCJSRuntime%3A%3AGCCallback&do_query=1
Summary: crash [@ memmove - nsTArray_base::ShiftData - XPCJSRuntime::GCCallback] → crash [@ memmove - nsTArray_base::ShiftData - XPCJSRuntime::GCCallback ]
Whiteboard: [sg:critical?]
Group: core-security
Status: NEW → RESOLVED
Closed: 14 years ago
Resolution: --- → INCOMPLETE
Still seems to be happening, but possibly at a lower level.

signature list
 133 memmove | nsTArray_base::ShiftData(unsigned int, unsigned int, unsigned int, unsigned int)

Correlation to releases

checking --- memmove...nsTArray_base::ShiftData 20100411-crashdata.csv
found in: 3.6.3 3.5.9 3.1b3 3.5 3.5b99 3.6.2 3.5b4 3.5.4 3.5.3 3.5.2 3.5.6 3.5.5 3.5.1 3.6b1 3.6.3plugin1 3.5.7
release       total-crashes  memmove...nsTArray_base::ShiftData crashes  pct.
all           309235         133                                         0.000430094
3.6.3         212615         53                                          0.000249277
3.5.9         28010          28                                          0.000999643
3.1b3         709            16                                          0.022567
3.5           984            7                                           0.00711382
3.5b99        146            5                                           0.0342466
3.6.2         10376          3                                           0.000289129
3.5b4         584            3                                           0.00513699
3.5.4         890            6                                           0.00674157
3.5.3         1158           3                                           0.00259067
3.5.2         960            3                                           0.003125
3.5.6         905            2                                           0.00220994
3.5.5         1650           2                                           0.00121212
3.5.1         391            2                                           0.00511509
3.6b1         425            1                                           0.00235294
3.6.3plugin1  1304           1                                           0.000766871
3.5.7         1985           1                                           0.000503778

os breakdown
memmove...nsTArray_base::ShiftData Total 133
Win5.1  0.70
Win6.0  0.23
Win6.1  0.07
Crash Signature: [@ memmove - nsTArray_base::ShiftData - XPCJSRuntime::GCCallback ]
Group: core-security
Whiteboard: [sg:critical?] → [sg:needinfo]
Component: DOM → DOM: Core & HTML