Closed Bug 491604 Opened 13 years ago Closed 13 years ago

top crash [@ js_NewGCThing]

Categories

(Core :: JavaScript Engine, defect)

x86
Windows XP
defect
Not set
critical

Tracking

()

RESOLVED DUPLICATE of bug 492693

People

(Reporter: samuel.sidler+old, Unassigned)

References

()

Details

(Keywords: crash, topcrash)

Crash Data

(I didn't see this filed, feel free to dupe if it is.)

In Firefox 3.5b4, there's a new topcrash [@ js_NewGCThing] that's currently #6 (about 1/5 the crashes as the #1 topcrash). This crash still occurs in trunk builds and 1.9.1 builds.

There's actually two crashes with this signature on Mac, but the remainder are on Windows and I'm going to guess there's a couple smaller crashes mixed into this bucket.

This bug is specifically about the following stack (taken from bp-9b7637db-a1e8-4fef-9020-0f61e2090501):

Crashing Thread
Frame 	Module 	Signature 	Source
0 	js3250.dll 	js_NewGCThing 	js/src/jsgc.cpp:2071
1 	js3250.dll 	js_NewObjectWithGivenProto 	js/src/jsobj.cpp:3131
2 	js3250.dll 	js_InitClass 	js/src/jsobj.cpp:2805
3 	js3250.dll 	js_InitFunctionClass 	js/src/jsfun.cpp:2081
4 	js3250.dll 	js_InitFunctionAndObjectClasses 	js/src/jsapi.cpp:1266
5 	js3250.dll 	js_GetClassObject 	js/src/jsobj.cpp:3302
6 	js3250.dll 	js_FindClassObject 	js/src/jsobj.cpp:3366
7 	js3250.dll 	js_GetClassPrototype 	js/src/jsobj.cpp:5389
8 	js3250.dll 	js_InitClass 	js/src/jsobj.cpp:2769
9 	js3250.dll 	JS_InitClass 	js/src/jsapi.cpp:2721
10 	xul.dll 	nsXBLBinding::DoInitJSClass(JSContext*,JSObject*,JSObject*,nsCString const&,nsXBLPrototypeBinding*,void**) 	content/xbl/src/nsXBLBinding.cpp:1318
11 	xul.dll 	nsXBLProtoImpl::CompilePrototypeMembers(nsXBLPrototypeBinding*) 	content/xbl/src/nsXBLProtoImpl.cpp:179
12 	xul.dll 	nsXBLProtoImpl::InitTargetObjects(nsXBLPrototypeBinding*,nsIScriptContext*,nsIContent*,nsIXPConnectJSObjectHolder**,void**) 	content/xbl/src/nsXBLProtoImpl.cpp:112
13 	xul.dll 	nsXBLProtoImpl::InstallImplementation(nsXBLPrototypeBinding*,nsIContent*) 	content/xbl/src/nsXBLProtoImpl.cpp:80
14 	xul.dll 	nsXBLBinding::InstallImplementation() 	content/xbl/src/nsXBLBinding.cpp:941
15 	xul.dll 	nsXBLBinding::InstallImplementation() 	content/xbl/src/nsXBLBinding.cpp:935
16 	xul.dll 	nsXBLService::LoadBindings(nsIContent*,nsIURI*,nsIPrincipal*,int,nsXBLBinding**,int*) 	content/xbl/src/nsXBLService.cpp:669
17 	xul.dll 	nsElementSH::PostCreate(nsIXPConnectWrappedNative*,JSContext*,JSObject*) 	dom/src/base/nsDOMClassInfo.cpp:7556
18 	xul.dll 	XPCWrappedNative::GetNewOrUsed(XPCCallContext&,nsISupports*,XPCWrappedNativeScope*,XPCNativeInterface*,int,XPCWrappedNative**) 	js/src/xpconnect/src/xpcwrappednative.cpp:548 

Also potentially related is the following crash stack, taken from bp-e80ead6a-caf4-4a43-872f-f3ac12090501:

  Frame  	Module  	Signature [Expand]  	Source
0 	js3250.dll 	js_NewGCThing 	js/src/jsgc.cpp:2071
1 	js3250.dll 	js_NewObjectWithGivenProto 	js/src/jsobj.cpp:3131


I'm not sure if this should block, but requesting it anyway.
Flags: blocking1.9.2?
Flags: blocking1.9.1?
no clear pattern or site that seems to trigger the crash.

             #crashes   url

Firefox 3.5b4   741 [no url]        js_NewGCThing
Firefox 3.5b4   48  \N-url-edited-by-user?  js_NewGCThing
Firefox 3.5b4   15  about:sessionrestore    js_NewGCThing
Firefox 3.5b4   6   about:blank             js_NewGCThing
Firefox 3.5b4   1   http://www.mozilla.com/en-US/firefox/3.5b4/whatsnew/    js_NewGCThing

and about 88 other sites including  

http://www.facebook.com/profile.php? (s) many
http://www.java.com/en/download/ 
google search result pages
https://addons.mozilla.org/en-US/firefox/browse/type:7
https://addons.mozilla.org/fi/firefox/browse/type:7
Do we see this on trunk?
Flags: blocking1.9.1? → blocking1.9.1+
I am not getting line number links for the crash reports. Its hard to tell where exactly we crash.
(In reply to comment #2)
> Do we see this on trunk?

It's #99 on trunk and has moved down to #28 in beta 4. I don't see it at all in 3.5b5pre builds though...
http://hg.mozilla.org/tracemonkey/rev/ed70badf19d7
Andreas Gal <gal@mozilla.com> - Tue, 12 May 2009 20:55:50 -0700 - rev 28176
Clear temporary rooting area after native calls on trace (492693, r=jwalden). 

I fixed the GC bug on 5/12. I think we can dup this against 492693. Please split and re-open if this is observed again.
Status: NEW → RESOLVED
Closed: 13 years ago
Resolution: --- → DUPLICATE
Duplicate of bug: 492693
Flags: blocking1.9.2?
Crash Signature: [@ js_NewGCThing]
You need to log in before you can comment on or make changes to this bug.