Closed Bug 542286 Opened 14 years ago Closed 13 years ago

Crash on vizworld.com [@ nsJSArgArray::cycleCollection::UnmarkPurple(nsISupports*) ][@ nsXULControllers::cycleCollection::UnmarkPurple(nsISupports*) ][@ nsXULPDGlobalObject::cycleCollection::UnmarkPurple(nsISupports*) ]

Categories

(Core :: XPCOM, defect)

x86
All
defect
Not set
critical

Tracking

()

RESOLVED WORKSFORME

People

(Reporter: randall.hand, Unassigned)

References

()

Details

(Keywords: crash, crashreportid, regression)

Crash Data

Attachments

(1 obsolete file)

User-Agent:       Mozilla/5.0 (Windows; U; Windows NT 5.2; en-US; rv:1.9.2) Gecko/20100115 Firefox/3.6 (.NET CLR 3.5.30729)
Build Identifier: Mozilla/5.0 (Windows; U; Windows NT 5.2; en-US; rv:1.9.2) Gecko/20100115 Firefox/3.6 (.NET CLR 3.5.30729)

At random intervals, the browser crashes upon completing load of a page.  Complete crash to desktop with Access Violation or SEGSEV.



Reproducible: Sometimes

Steps to Reproduce:
1.  Load any page on VizWorld.com
2.  Reload the page
3.  Repeat until Crash.



bpids: 
7b25c8dd-6ef4-44ea-9340-4fe982100126
8e45c72d-fdc9-4222-a013-95ab22100125
e01c74b8-7fe8-42fd-a21b-f39862100126
d5004e82-ced0-43bb-9b5f-608112100126
8b23c052-ddde-410c-b250-8ee472100126
463a642b-f66f-4af5-ad3a-ca4b12100126
64266522-a204-442d-ac5d-711ec2100126
793f418c-d649-4038-8642-ab29c2100126

Tried it in Safe-Mode (no plugins), still crashes.

Confirmed on Mac, Windows, & Linux.

Crash does not occur under 3.5 or 3.5.1
The crash appears to be introduced in 3.5.2. 
Versions 3.5 and 3.5.1 were tested for 1 hour with no crashes. 
All others crashed within 2 minutes.
3.5 ----> OK
3.5.1 --> OK
3.5.2 --> Crash
3.5.3 --> Crash
3.5.4 --> Crash
3.5.5 --> Crash
3.5.6 --> Crash
3.6 ----> Crash
Testing consisted of simply reloading http://www.vizworld.com every 30s.

Also tested in :
Mozilla/5.0 (X11; U; Linux i686; en-US; rv:1.9.3a1pre) Gecko/20100126 Minefield/3.7a1pre

Same problem.
bp-7b25c8dd-6ef4-44ea-9340-4fe982100126
bp-8e45c72d-fdc9-4222-a013-95ab22100125
bp-e01c74b8-7fe8-42fd-a21b-f39862100126
bp-d5004e82-ced0-43bb-9b5f-608112100126
bp-8b23c052-ddde-410c-b250-8ee472100126
bp-463a642b-f66f-4af5-ad3a-ca4b12100126
bp-64266522-a204-442d-ac5d-711ec2100126
bp-793f418c-d649-4038-8642-ab29c2100126
Assignee: nobody → general
Status: UNCONFIRMED → NEW
Component: General → JavaScript Engine
Ever confirmed: true
Keywords: crash
Product: Firefox → Core
QA Contact: general → general
Summary: FireFox Crash related to Javascript CC → Crash on vizworld.com [@ nsJSArgArray::cycleCollection::UnmarkPurple(nsISupports*) ]
Summary: Crash on vizworld.com [@ nsJSArgArray::cycleCollection::UnmarkPurple(nsISupports*) ] → Crash on vizworld.com [@ nsJSArgArray::cycleCollection::UnmarkPurple(nsISupports*) ][@ nsXULControllers::cycleCollection::UnmarkPurple(nsISupports*) ][@ nsXULPDGlobalObject::cycleCollection::UnmarkPurple(nsISupports*) ]
Assignee: general → nobody
Component: JavaScript Engine → XPCOM
QA Contact: general → xpcom
Ok, new information.

After digging into wordpress I found that the combination of W3 Total Cache & WordPRess.com Stats is to blame.  I edited the Wordpress.com Stats plugin to remove the 'Link: <http://wp.me/asdf>; rel=shortlink' HTTP Header it returned, and remove the <link rel="shortlink"> it added in the HEAD block.  That seems to have eliminated the crash.

Perhaps a conflict in the "X-Powered-By: W3 Total Cache/0.8.5.1" Header and the "Link" header tickled some rare Bug?

If I re-enabled the Link header, the crash returns.
Had this crash on me twice in the past couple of days, with a Firefox 3.6.4 beta on Mac OS X 10.4 (build ID: 20100513134853).

bp-51d52ccb-4502-43fa-b636-5b22e2100518
bp-e254f837-7f99-4fed-bcff-4bb8e2100520

Any progress on getting this fixed? Or any insight as to why it's recently cropped back up?
(To answer my second question, I can only assume this has something to do with the backporting of Lorentz.)

But I also seem to have found a new website that crashes fairly consistently in this build:
http://tvbythenumbers.com/

It's crashed twice more since I last commented. (One of the crash reports I linked to earlier was also from this website.) However, one of the crashes is apparently from [@ nsTimerEvent::Run() ], which isn't mentioned in the bug summary.

bp-a53991ce-c6f8-4658-b866-9e2122100520
bp-5dad8e81-6193-48c1-ab0e-1c0922100520
Gordon: I don't crash following your steps using Mozilla/5.0 (Macintosh; U; Intel Mac OS X 10.6; en-US; rv:1.9.2.4) Gecko/20100513 Firefox/3.6.4, but I would have to go down to the lab to try 10.4.

(In reply to comment #5)
> (To answer my second question, I can only assume this has something to do with
> the backporting of Lorentz.)
> 
> But I also seem to have found a new website that crashes fairly consistently in
> this build:
> http://tvbythenumbers.com/
> 
> It's crashed twice more since I last commented. (One of the crash reports I
> linked to earlier was also from this website.) However, one of the crashes is
> apparently from [@ nsTimerEvent::Run() ], which isn't mentioned in the bug
> summary.
> 
> bp-a53991ce-c6f8-4658-b866-9e2122100520
> bp-5dad8e81-6193-48c1-ab0e-1c0922100520
Blocks: 567949
One more to show that this is still happening:

http://crash-stats.mozilla.com/report/index/33cc383a-8fde-4310-b7d7-aa7672100616

Mozilla/5.0 (Macintosh; U; Intel Mac OS X 10.6; en-US; rv:1.9.2.4) Gecko/20100503 Firefox/3.6.4
The lower volume nsXULControllers::cycleCollection::UnmarkPurple.nsISupports.. crash seems to have strangely disappeared or shifted in 3.6.10.  

date     tl crashes at, count build, count build, ...
         nsXULControllers::cycleCollection::UnmarkPurple.nsISupports..
20100920 54  46 3.6.92010082415, 
	     4 3.5.122010082411, 2 3.5.72009122116, 
	     1 3.5.82010020216, 1 3.5.22009072922, 
20100921 46  37 3.6.92010082415, 
	     6 3.5.122010082411, 2 3.5.72009122116, 
	     1 3.5.22009072922, 
20100922 41  35 3.6.92010082415, 
	     2 3.5.72009122116, 2 3.5.22009072922, 
	     2 3.5.122010082411, 
20100923 31  26 3.6.92010082415, 
	     2 3.5.72009122116, 1 3.7a12010020810, 
	     1 3.5.22009072922, 1 3.5.122010082411, 
20100924 16  12 3.6.92010082415, 
	     3 3.5.72009122116, 1 3.5.22009072922, 
20100925 25  21 3.6.92010082415, 
	     2 3.5.82010020216, 1 3.5.72009122116, 
	     1 3.5.22009072922, 
20100926 14  12 3.6.92010082415, 
	     1 3.5.72009122116, 1 3.5.22009072922, 

and nsXULPDGlobalObject::cycleCollection::UnmarkPurple.nsISupports.. is only seen on older 3.5.x releases in small volume.

date     tl crashes at, count build, count build, ...
         nsXULPDGlobalObject::cycleCollection::UnmarkPurple.nsISupports..
20100920 2 3.5.62009120122 2 , 
20100921 3 3.5.32009082410 3 , 
20100922   
20100923 1 3.5.32009082410 1 , 
20100924 1 3.5.32009082410 1 , 
20100925 1 3.5.62009120122 1 , 
20100926 4  2 3.5.32009082410, 
	     1 3.5b992009060516, 1 3.5.62009120122,

looks like at this point this is mostly about nsJSArgArray::cycleCollection::UnmarkPurple.nsISupports..

date     tl crashes at, count build, count build, ...
         nsJSArgArray::cycleCollection::UnmarkPurple.nsISupports..
20100920 675  614 3.6.102010091412, 
	     18 3.6.82010072215, 9 3.6.92010082414, 
	     8 3.5.132010091412, 7 3.6.62010062522, 
	     6 3.6.32010040106, 5 3.5.112010070101, 
	     2 3.62010011513, 1 3.6.82010072214, 
	     1 3.6.22010031605, 1 3.6.10pre2010091503, 
	     1 3.5.92010031508, 1 3.5.72009122115, 
	     1 3.5.122010082410,
This error seems to cause the majority of my crashes on Firefox—which have reached 11 per day at the top end now.

To Randall Hand above, there may be a link with Wordpress Stats, because I use this plug-in, though I don't use the W3 Total Cache.
Noting that I have this same crash on Windows Vista (I typically get it on XP, from which I filed the comment above). It is far more widespread than I believe Mozilla would like to acknowledge.
(In reply to comment #10)
> Noting that I have this same crash on Windows Vista (I typically get it on XP,
> from which I filed the comment above). It is far more widespread than I believe
> Mozilla would like to acknowledge.

Mozilla doesn't take the time to actively not acknowledge something. If it were more "widespread", there would be more than 10 comments here. Comment 8 shows the crash stats as of the end of September. If you have seen a sharp increase of crashes in recent builds, please provide your crash IDs.
Thank you, Gordon.

I would have filed more, but they have disappeared from my about:crashes. On the 9th, for example, I had 11 crashes (http://jackyan.com/blog/2010/1209b4.png). Now it shows only seven. Typically, Firefox crashes four times per day, more often than not with this crash, regardless of the platform I use (XP or Vista).

As requested, here are the most recent ones that about:crashes has not deleted from my XP PC; will have to go on to my Vista laptop to get those separately. I’ve stopped at the last 3.6.12 crash I could find:

bp-ea466628-76ad-42e0-881b-8032e2101217
bp-c28da65d-d843-4ce4-a45f-0ef022101220
bp-9292cae5-6881-4aa9-b365-e7d1a2101215
bp-3121ca66-e15b-4b77-bc58-3c5c02101214
bp-4caf473a-2119-4a3f-97c4-ef7ce2101212
bp-df829354-1f5a-4fb8-b80e-c86922101204

Unlike others, I have seen a sharp increase in crashes since 3.6.10 (no crashes per day to an average of four), but never knew about Bugzilla or about:crashes till fairly recently. I realize everything is relative, and you’ve seen other things that crash Firefox a lot more, but there’s a strong possibility that many netizens don’t even know about this site.
From the Vista laptop:

bp-6271d23b-ae8b-41de-a060-e815b2101220
918e4fa1-806e-4724-a82b-9c5502101219
bp-9a2efd3b-9355-4f1f-82dc-2551b2101128

Again, there were far more on the day (e.g. about:crashes shows three from yesterday; in fact there were five—I hope this means they are either getting solved or consolidated), but these are the only two remaining for 3.6.13 (the last for 3.6.12).
Hmm... you're right. In the past week, there have been over 3600 crashes of this sort in 3.6.13 on Windows. In the past month, ~4900.

It does appear that there is a significant difference between build 2010113000 and build 2010120300, in terms of the number of crashes, though that may be a result of the disparity between number of users of those builds.

Interestingly, there is a large number of crashes for 3.5.15, and significantly smaller for 3.5.16.

I'm not the right person to be looking into this, but that should help whoever is.
Thank you, Gordon—it’s nice to have confirmation of the error, especially from someone who knows more than the average punter.

Do you think I should keep filing here as the crashes recur or will this be annoying for everyone?
extension (amulet-jslib?) 3112ca9c-de6d-4884-a869-9855de68056c frozen.dll

http://spywarefiles.prevx.com/RRFHFG43217130/AMULET-JSLIB.EXE.html

Malware Family: Part of Malware group - Trojan Spyware Perfect Keylogger
Determination: Automatically determined using Prevx centralized heuristics
Malware Form: EXPLOIT

4. PROPAGATION ANALYSIS OF: AMULET-JSLIB.EXE

Malware Group Propagation Rate: Moderate (spreading)Malware Group: Trojan Spyware Perfect Keylogger

Jack: you're using mcafee antivirus? could you please try using MSE2 and see if it complains?

Also, please attach frozen.dll to this bug be sure to mark it as 'suspicious library requested by timeless'
Summary: Crash on vizworld.com [@ nsJSArgArray::cycleCollection::UnmarkPurple(nsISupports*) ][@ nsXULControllers::cycleCollection::UnmarkPurple(nsISupports*) ][@ nsXULPDGlobalObject::cycleCollection::UnmarkPurple(nsISupports*) ] → [frozen.dll malware] Crash on vizworld.com [@ nsJSArgArray::cycleCollection::UnmarkPurple(nsISupports*) ][@ nsXULControllers::cycleCollection::UnmarkPurple(nsISupports*) ][@ nsXULPDGlobalObject::cycleCollection::UnmarkPurple(nsISupports*) ]
Summary: [frozen.dll malware] Crash on vizworld.com [@ nsJSArgArray::cycleCollection::UnmarkPurple(nsISupports*) ][@ nsXULControllers::cycleCollection::UnmarkPurple(nsISupports*) ][@ nsXULPDGlobalObject::cycleCollection::UnmarkPurple(nsISupports*) ] → Crash on vizworld.com [@ nsJSArgArray::cycleCollection::UnmarkPurple(nsISupports*) ][@ nsXULControllers::cycleCollection::UnmarkPurple(nsISupports*) ][@ nsXULPDGlobalObject::cycleCollection::UnmarkPurple(nsISupports*) ]
Hi Timeless:

Thank you. 

Can I ask what is MSE2? (I have searched but there seems to be many explanations for what that stands for.)

I will attach frozen.dll as soon as I figure out how to do it—thank you for checking it out for me, in advance.

Meanwhile, this is from my laptop: cf19ace1-60e2-4a4a-9f10-dc83b2101228
Attached file Google signed library (frozen.dll) (obsolete) —
Timeless, here is my frozen.dll as requested. Any help would be most welcome.
Comment on attachment 500577 [details]
Google signed library (frozen.dll)

thanks, mse2 doesn't object and there's a digital signature which windows seems to accept as coming from google.
Attachment #500577 - Attachment description: Suspicious library requested by timeless → Google signed library (frozen.dll)
Attachment #500577 - Attachment is obsolete: true
Sorry for disappearing. Ryan, thank you, I will download it.
(In reply to comment #20)
> Comment on attachment 500577 [details]
> Google signed library (frozen.dll)
> 
> thanks, mse2 doesn't object and there's a digital signature which windows seems
> to accept as coming from google.

Timeless, thank you. In other words, my frozen.dll is OK? Or is there something afoot with a Google add-on I might have?
Quick note: this error no longer seems to creep up with my crashes—figuring it could be a plug-in?
Ha ha, spoke too soon!

f46633ac-2d7c-4dcc-a50c-0e52c2110126

Two crashes in half an hour. The first one was not this, but imgCacheExpirationTracker::NotifyExpired(imgCacheEntry*), which has also been coming up a lot.
Crash Signature: [@ nsJSArgArray::cycleCollection::UnmarkPurple(nsISupports*) ] [@ nsXULControllers::cycleCollection::UnmarkPurple(nsISupports*) ] [@ nsXULPDGlobalObject::cycleCollection::UnmarkPurple(nsISupports*) ]
So these 3 signatures only appear in 3.5 and 3.6. Since they don't happen in current versions, resolving this bug as works for me. There are other bugs logged for similar signatures already.
Status: NEW → RESOLVED
Crash Signature: [@ nsJSArgArray::cycleCollection::UnmarkPurple(nsISupports*) ] [@ nsXULControllers::cycleCollection::UnmarkPurple(nsISupports*) ] [@ nsXULPDGlobalObject::cycleCollection::UnmarkPurple(nsISupports*) ] → [@ nsJSArgArray::cycleCollection::UnmarkPurple(nsISupports*) ] [@ nsXULControllers::cycleCollection::UnmarkPurple(nsISupports*) ] [@ nsXULPDGlobalObject::cycleCollection::UnmarkPurple(nsISupports*) ]
Closed: 13 years ago
Resolution: --- → WORKSFORME
Issue is resolved - clearing old keywords - qa-wanted clean-up
You need to log in before you can comment on or make changes to this bug.

Attachment

General

Creator:
Created:
Updated:
Size: