Closed
Bug 520554
Opened 15 years ago
Closed 6 years ago
Crash [@ WrappedNativeMarker ]
Categories
(Core :: XPConnect, defect)
Core
XPConnect
Tracking
()
People
(Reporter: cbook, Unassigned)
References
Details
(Keywords: crash, Whiteboard: [crashkill])
Crash Data
From the Topcrash statistics: http://crash-stats.mozilla.com/report/list?product=Firefox&version=Firefox%3A3.5.3&query_search=signature&query_type=exact&query=&date=&range_value=1&range_unit=weeks&do_query=1&signature=WrappedNativeMarker seems to be a cross-platform (windows/mac) crash. Linux seems not affected. Can we get a url list for this crash ?
Flags: blocking1.9.2?
Reporter | ||
Updated•15 years ago
|
Whiteboard: [crashkill]
Comment 1•15 years ago
|
||
> Can we get a url list for this crash ?
ping
Updated•15 years ago
|
Summary: Crash [@WrappedNativeMarker ] → Crash [@ WrappedNativeMarker ]
Comment 3•15 years ago
|
||
Here is the steps how to reproduce this on N900 with microb-1.9.2 engine https://bugzilla.mozilla.org/show_bug.cgi?id=526483#c11
Status: NEW → RESOLVED
Closed: 15 years ago
Resolution: --- → DUPLICATE
Comment 5•15 years ago
|
||
Reopen this bug, because bug 526483 was caused by non-mozilla code memory corruption.
Status: RESOLVED → REOPENED
Resolution: DUPLICATE → ---
Signature WrappedNativeMarker UUID 5ece3449-9fa6-4a59-8413-6542d2091110 Time 2009-11-10 19:26:34.751415 Uptime 310 Product Firefox Version 3.5.3 Build ID 20090824101458 Branch 1.9.1 OS Windows NT OS Version 6.0.6000 CPU x86 CPU Info AuthenticAMD family 15 model 127 stepping 1 Crash Reason EXCEPTION_ACCESS_VIOLATION Crash Address 0x10 User Comments Processor Notes Related Bugs Crashing Thread Frame Module Signature [Expand] Source 0 xul.dll WrappedNativeMarker js/src/xpconnect/src/xpcwrappednativescope.cpp:506 1 js3250.dll JS_DHashTableEnumerate js/src/jsdhash.cpp:724 2 xul.dll XPCWrappedNativeScope::MarkAllWrappedNativesAndProtos js/src/xpconnect/src/xpcwrappednativescope.cpp:526 3 xul.dll XPCJSRuntime::GCCallback js/src/xpconnect/src/xpcjsruntime.cpp:573 4 mozcrt19.dll arena_dalloc obj-firefox/memory/jemalloc/src/jemalloc.c:4568 5 js3250.dll js_GC js/src/jsgc.cpp:3698 6 js3250.dll JS_TriggerOperationCallback 7 xul.dll nsDocShell::QueryInterface docshell/base/nsDocShell.cpp:445 8 @0x4f6fff 503 WrappedNativeMarker(JSDHashTable *table, JSDHashEntryHdr *hdr, uint32 number, void *arg) 506 ((Native2WrappedNativeMap::Entry*)hdr)->value->Mark(); class Native2WrappedNativeMap { public: struct Entry : public JSDHashEntryHdr { nsISupports* key; XPCWrappedNative* value; }; This probably means hdr is 0x0, although i'm having some minor trouble convincing myself that i like this form of the math
Comment 7•15 years ago
|
||
Need a blocking decision for mozilla-1.9.2
Comment 8•15 years ago
|
||
floating between 270-344 crashes per day for oct/nov. mostly on big releases. distribution of all versions where the WrappedNativeMarker crash was found on 20091119-crashdata.csv 198 Firefox 3.5.5 79 Firefox 3.0.15 12 Firefox 3.6b2 8 Firefox 3.5.3 5 Firefox 3.6b3 5 Firefox 3.0.7 4 Firefox 3.6b1 no regression visible here.
Comment 9•15 years ago
|
||
Marking blocking1.9.2- to explicitly mark [CrashKill] bugs as either blocking or not. If we can get a patch before RC, we should really consider taking it.
blocking2.0: --- → ?
Flags: blocking1.9.2? → blocking1.9.2-
Comment 10•14 years ago
|
||
This is currently top crash #68, we should attempt to investigate this a bit deeper. Peter, wanna pull some minidumps and see what your shiny new IDA Pro has to say? :) And based on timeless' comment, my thoughts are that it's more likely that "value" is null here than hdr, but I didn't dig too deep...
Assignee: nobody → peterv
blocking2.0: ? → beta1
Comment 11•14 years ago
|
||
Happens with latest 3.7a5pre and the development version of the Vimperator addon, if you use Vimperator to do a text search and then move to the next search match ("/" to search and "n" to go to next match). May need to hold down "n" for a little while for it to happen. Example crashes: bp-69ab503b-f4e2-4833-974a-473df2100506 bp-9477a3a2-99d3-4d56-9df0-0e9cf2100506 bp-b4b20b0c-5ffa-42fd-8929-e92712100506
Updated•14 years ago
|
blocking2.0: beta1+ → beta2+
Comment 12•14 years ago
|
||
This still a beta2 blocker, or more betaN?
Comment 13•14 years ago
|
||
Pushing out to betaN, but given the limited knowledge that we have about what's going on here we may not get to this for Firefox 4.
blocking2.0: beta2+ → betaN+
Comment 15•14 years ago
|
||
During GC: ((Native2WrappedNativeMap::Entry*)hdr)->value->Mark(); in Mark, we call if(HasProto()) GetProto()->Mark(); The XPCNativeWrapper is: - value 0x0747c4c0 {mRefCnt={...} mMaybeScope=0x00000000 mMaybeProto=0x00000000 ...} XPCWrappedNative * + nsIXPConnectWrappedNative {mIdentity=0x00000000 } nsIXPConnectWrappedNative + mRefCnt {mValue=0x00000001 } nsAutoRefCnt + _cycleCollectorGlobal {...} XPCWrappedNative::cycleCollection + mMaybeScope 0x00000000 {gScopes=0x05a8b380 gDyingScopes=0x02bba500 mRuntime=??? ...} XPCWrappedNativeScope * + mMaybeProto 0x00000000 {mScope=??? mJSProtoObject=??? mClassInfo={...} ...} XPCWrappedNativeProto * - mSet 0x07dcd720 {mMemberCount=0x003e mInterfaceCount=0x8005 mInterfaces=0x07dcd724 } XPCNativeSet * mMemberCount 0x003e unsigned short mInterfaceCount 0x8005 unsigned short - mInterfaces 0x07dcd724 XPCNativeInterface * [1] + [0x0] 0x020e75e0 {mInfo={...} mName=0x020e63bc mMemberCount=0x8001 ...} XPCNativeInterface * + mFlatJSObject 0x00000000 {map=??? classword=??? fslots=0x00000008 ...} JSObject * + mScriptableInfo 0x05b4afc0 {mCallback={...} mShared=0x067c1660 } XPCNativeScriptableInfo * + mFirstChunk {mTearOffs=0x0747c4dc mNextChunk=0x07de9ba0 } XPCWrappedNativeTearOffChunk mWrapperWord 0x00000000 long So it's a !IsValid XPCNativeWrapper: are we only supposed to be marking valid wrappers? mMaybeScope is null, so IsTaggedScope is false, so HasProto is true (but mMaybeProto is NULL).
Comment 16•14 years ago
|
||
Earlier in the same GC, we're hitting XPCWrappedNative::FlatJSObjectFinalized for this object, which nulls out mMaybeScope. Earlier in that function it calls GetScope()->GetWrapperMap()->Remove(mFlatJSObject), but I'm stepping through JS_DHashTableOperate and I think that the entry is not found.
Comment 17•14 years ago
|
||
Benjamin: if you take a bug that's assigned to me please at least CC me (though I'd prefer if you'd check with me first before taking). I have a similar crash in recording. It looks like the wrapper is removed from the hash correctly, but we somehow hit it during enumeration of the hash. (GetScope()->GetWrapperMap() is not the Native2WrappedNativeMap)
Comment 24•14 years ago
|
||
I don't see any crashes for WrappedNativeMarker in the top 300 for b4 or early b5, and only this one crash for this signature in the last 3 weeks. It was on 4.0b6pre on build 20100903040836 http://crash-stats.mozilla.com/report/index/afc1b43c-4089-4122-b994-bda072100907
Comment 25•14 years ago
|
||
http://crash-stats.mozilla.com/report/index/222c1bc4-1911-4074-b1bb-975782101016
Comment 26•14 years ago
|
||
http://crash-stats.mozilla.com/report/index/df48eb48-f037-44db-aa89-666da2101117
Comment 27•14 years ago
|
||
This is still around, but on the order of 2-4 crashes per day on trunk, which places it at #162 atm. I'm not convinced this needs to be a 2.0 blocker.
Need steps to reproduce. Can't block until we have more info.
blocking2.0: betaN+ → -
Assignee | ||
Updated•13 years ago
|
Crash Signature: [@ WrappedNativeMarker ]
Comment 29•12 years ago
|
||
It's #46 top browser crasher w/o hangs in 17.0.1, #12 in 18.0b4, and #24 in 19.0a2. More reports at: https://crash-stats.mozilla.com/report/list?signature=WrappedNativeMarker
status-firefox17:
--- → affected
status-firefox18:
--- → affected
status-firefox19:
--- → affected
status-firefox20:
--- → affected
tracking-firefox18:
--- → ?
Keywords: topcrash
Version: 1.9.1 Branch → Trunk
Comment 30•12 years ago
|
||
(In reply to Scoobidiver from comment #29) > It's #46 top browser crasher w/o hangs in 17.0.1, #12 in 18.0b4, and #24 in > 19.0a2. > > More reports at: > https://crash-stats.mozilla.com/report/list?signature=WrappedNativeMarker Since this is spiking across multiple versions, Scoobidiver/KaiRo - can you look for actionable leads (correlations, URLs, etc.)? Thanks!
Flags: needinfo?(kairo)
Comment 31•12 years ago
|
||
(In reply to Alex Keybl [:akeybl] from comment #30) > Scoobidiver/KaiRo - can you look for actionable leads (correlations, URLs, etc.)? I had already checked correlations in the three channels for the last two days and there were no obvious correlations.
Keywords: needURLs
Comment 32•12 years ago
|
||
Also nothing obvious in correlations: 137 http://www.facebook.com/ 101 https://www.facebook.com/ 79 about:blank 22 about:sessionrestore 19 http://www.facebook.com/?ref=tn_tnmn 17 about:home
Flags: needinfo?(kairo)
Keywords: needURLs
Comment 34•12 years ago
|
||
Longstanding crash, no actionable leads, nothing to do here unless peterv or jst know of any good next steps on the egr side.
Updated•12 years ago
|
Flags: needinfo?(jst)
Comment 35•11 years ago
|
||
It's #20 browser crasher in 20.0.1, #53 in 21.0b5, and #55 in 22.0a2.
Comment 36•11 years ago
|
||
It's #50 browser crasher in 22.0, #71 in 23.0b1, and #117 in 24.0a2 so no longer a top crash.
Keywords: topcrash
Comment 37•11 years ago
|
||
Cc:ing mccr8 here so he can keep his eyes out for this one too. Not much to go on here tho :(
Flags: needinfo?(peterv)
Flags: needinfo?(jst)
Updated•11 years ago
|
Assignee: peterv → continuation
Comment 39•6 years ago
|
||
Per policy at https://wiki.mozilla.org/Bug_Triage/Projects/Bug_Handling/Bug_Husbandry#Inactive_Bugs. If this bug is not an enhancement request or a bug not present in a supported release of Firefox, then it may be reopened.
Status: REOPENED → RESOLVED
Closed: 15 years ago → 6 years ago
Resolution: --- → INACTIVE
You need to log in
before you can comment on or make changes to this bug.
Description
•