Closed Bug 615098 Opened 14 years ago Closed 11 years ago

crash [@ js::gc::MarkId ] with TestPilot (Mac, Windows) or Firebug or AdBlock plus (Mac) or Kikin (Windows)

Product/Component: Core :: JavaScript Engine
Type: defect
Priority: Not set
Severity: critical
Status: RESOLVED WORKSFORME
Tracking Status: blocking2.0 --- .x+
Reporter: scoobidiver
Assignee: Unassigned
Keywords: crash, regression
Whiteboard: [softblocker]

This is a new crash signature that exists in 4.0b7 and 4.0b8pre builds.
It is #280 top crasher in 4.0b8pre for the last week.

Signature	js::gc::MarkId
UUID	0cd8485f-91fa-4df2-90a9-c32992101127
Time 	2010-11-27 21:37:05.751414
Uptime	47900
Last Crash	461141 seconds (5.3 days) before submission
Install Age	47900 seconds (13.3 hours) since version was first installed.
Product	Firefox
Version	4.0b8pre
Build ID	20101127030319
Branch	2.0
OS	Windows NT
OS Version	5.1.2600 Service Pack 3
CPU	x86
CPU Info	GenuineIntel family 15 model 2 stepping 9
Crash Reason	EXCEPTION_ACCESS_VIOLATION_WRITE
Crash Address	0xafc00c
App Notes 	AdapterVendorID: 10de, AdapterDeviceID: 0322

Frame 	Module 	Signature 	Source
0 	mozjs.dll 	js::gc::MarkId 	js/src/jsgcinlines.h:403
1 	mozjs.dll 	js::Shape::trace 	js/src/jsscope.cpp:1460
2 	mozjs.dll 	JSObject::trace 	js/src/jsscopeinlines.h:163
3 	mozjs.dll 	js_TraceObject 	js/src/jsobj.cpp:6169
4 	mozjs.dll 	js::gc::MarkChildren 	js/src/jsgcinlines.h:266
5 	mozjs.dll 	js::gc::MarkObject 	js/src/jsgcinlines.h:240
6 	mozjs.dll 	js::gc::MarkChildren 	js/src/jsgcinlines.h:252
7 	mozjs.dll 	js::gc::MarkObject 	js/src/jsgcinlines.h:240
8 	mozjs.dll 	js::gc::MarkChildren 	js/src/jsgcinlines.h:254
9 	mozjs.dll 	js::gc::MarkObject 	js/src/jsgcinlines.h:240
10 	mozjs.dll 	JSWrapper::trace 	js/src/jswrapper.cpp:284
11 	mozjs.dll 	js::proxy_TraceObject 	js/src/jsproxy.cpp:924

More reports at:
http://crash-stats.mozilla.com/report/list?product=Firefox&query_search=signature&query_type=exact&query=&range_value=4&range_unit=weeks&hang_type=any&process_type=any&plugin_field=&plugin_query_type=&plugin_query=&do_query=1&admin=&signature=js%3A%3Agc%3A%3AMarkId
It is #35 top crasher in 4.0b9pre for the last week.
blocking2.0: --- → ?
Blocks: 613650
blocking2.0: ? → -
It is #9 top crasher in 4.0b9 for the last week.
blocking2.0: - → ?
Keywords: topcrash
These are very obscure--there's no way we can hold a release for them unless they are a disaster. We will try to look at them if we have time, though.
blocking2.0: ? → .x
#9 is pretty scary. We should try to reproduce and capture on a replay box. David, do you mind if we track this as a softblocker? (overrule me if you do)
blocking2.0: .x → final+
Whiteboard: [softblocker]
Adding chofmann to the bug. Should we get some URLs for this one?
(In reply to comment #5)
> Adding chofmann to the bug. Should we get some URLs for this one?

You could try but I doubt you will find much. See bug 613650. I think Bill did have some ideas for investigating these.
(In reply to comment #6)
> (In reply to comment #5)
> > Adding chofmann to the bug. Should we get some URLs for this one?
> 
> You could try but I doubt you will find much. See bug 613650. I think Bill did
> have some ideas for investigating these.

yeah, not much of interest in the url list or other correlations that might help to reproduce. in general, it looks like just general purpose browsing, and this particular signature was introduced sometime during beta8 development

Correlation to startup or time of session
250 total crashes for js::gc::MarkId on 20110120-crashdata.csv
25 startup crashes inside 30 sec.
79 startup crashes inside 3 min.
40 repeated crashes inside 3 min. of last crash


checking --- js::gc::MarkId 20110120-crashdata.csv
found in: 4.0b9 4.0b10pre 4.0b8 4.0b9pre

release     total-crashes   js::gc::MarkId crashes   pct.
all         286249          250                      0.000873365
4.0b9       45733           230                      0.00502919
4.0b10pre   2333            11                       0.00471496
4.0b8       5579            8                        0.00143395
4.0b9pre    233             1                        0.00429185

os breakdown
js::gc::MarkId Total 250
Win5.1  0.68
Win6.0  0.02
Win6.1  0.26


flash versions around at time of crash
 249 [blank]  -- not loaded?
   1 10.0.45.2

addon compatibility checks
  22 [unknown or unchecked]
 228 checked

most frequent url is

   14 http://ubactest.com:5000/?auth_id= XXXX someone's id

and some youtube and adult video urls

   1 http://www.youtube.com/watch?v=oohCQPABS7I&feature=related
   1 http://www.youtube.com/watch?v=j850dqa-nTs&feature=related
   1 http://www.youtube.com/watch?v=fWcFc2Bm7JE&feature=related
   1 http://www.youtube.com/watch?v=ZwN9aqwQ2x4
   1 http://www.youtube.com/watch?v=RYVm0qbWIZU
   1 http://www.youtube.com/watch?v=R0_lZU8hye0&NR=1
   1 http://www.youtube.com/watch?v=DtRhfqbp9MU
   1 http://www.youtube.com/results?search_query=the%20time%20-%20black%20eyed%20peas&search=Search&sa=X&oi=spell&resnum=0&spell=1

  many wyciwyg:// urls with google talk gadget and gmail around.
that combination of facebook and zynga, and yet hardly any flash version reported is an interesting one.   maybe a lot of users don't have flash or have it turned off when hitting those.
(In reply to comment #6)
> I think Bill did
> have some ideas for investigating these.

I was just thinking of poisoning objects after they're GCed in opt builds. That way we'd have a better chance of catching mark errors earlier.
Depends on: 629974
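The poisoning idea from the comment above, as an added sketch in C that is not SpiderMonkey code and not part of the bug: a toy mark-and-sweep heap fills swept cells with a fixed byte, so a later mark phase that follows a stale pointer reports it at the edge instead of faulting at an unrelated address. The names `Cell`, `POISON` and `demo_stale_edge` and the 0xDA fill byte are assumptions made for this example.

```c
#include <stdint.h>
#include <stdio.h>
#include <string.h>
#define NCELLS 4
#define POISON 0xDA  /* constructed fill byte, not SpiderMonkey's pattern */
typedef struct Cell { struct Cell *child; uintptr_t id; } Cell;
static Cell heap[NCELLS];
static uint8_t marked[NCELLS];
static int n_alloc;  /* cells handed out so far */
static Cell *cell_alloc(uintptr_t id) {
    if (n_alloc == NCELLS) return NULL;
    heap[n_alloc] = (Cell){ NULL, id };  /* bump allocation, never reused */
    return &heap[n_alloc++];
}
/* A swept cell still holds the fill pattern in every byte. */
static int is_poisoned(const Cell *c) {
    Cell fill;
    memset(&fill, POISON, sizeof fill);
    return memcmp(c, &fill, sizeof fill) == 0;
}
/* Trace the child chain from a root; returns 1 if an edge reaches a swept cell. */
static int mark(Cell *c) {
    for (; c && !marked[c - heap]; c = c->child) {
        if (is_poisoned(c)) return 1;  /* mark error caught at the stale edge */
        marked[c - heap] = 1;
    }
    return 0;
}
/* Poison every unmarked cell and reset the mark bits; returns cells freed. */
static int sweep(void) {
    int freed = 0;
    for (int i = 0; i < n_alloc; marked[i++] = 0) {
        if (marked[i] || is_poisoned(&heap[i])) continue;
        memset(&heap[i], POISON, sizeof heap[i]);
        freed++;
    }
    return freed;
}
static int demo_stale_edge(int *freed) {
    /* b is held only through a pointer the collector never traces. */
    Cell *a = cell_alloc(1), *b = cell_alloc(2);
    mark(a);
    *freed = sweep();  /* b is swept and poisoned */
    a->child = b;      /* the stale pointer later becomes a traced edge */
    return mark(a);    /* second mark phase reports it */
}
int main(void) {
    int freed, err = demo_stale_edge(&freed);
    printf("freed=%d mark_error=%d\n", freed, err);
    return 0;
}
```

Without the fill, the swept cell would still hold its old `child` and `id` values and the second mark phase would trace it as if it were live.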
It is currently #20 top crasher in 4.0b11 and #22 top crasher in 4.0b12pre over the last week.
It still happens in today's build.
OS: Windows XP → All
Keywords: topcrash
that could also explain why we don't see flash version info or flash in module list.
comment 12 is worth investigating, although just not part of this bug AFAICT, so I opened Bug 637532 - input shows problems with flash games on fx4 for more investigation.
#10 top crasher in 4.0b12.
Keywords: topcrash
** PRODUCT DRIVERS PLEASE NOTE **

This bug is one of 7 automatically changed from blocking2.0:final+ to blocking2.0:.x during the endgame of Firefox 4 for the following reasons:

 - it was marked as a soft blocking issue without a requirement for beta coverage
blocking2.0: final+ → .x+
Severity: normal → critical
This spiked very significantly on FF4 release day (yesterday), together with bug 601102 and bug 643746 (all three are in JS and started spiking on 4.0* the day before, so at least the spike cause might be related), which together account for 2800 crashes in a million 4.0* ADU on that day or about 7.4% of all 4.0* crashes on that day, all three are in the top ten top crashers for 4.0* for this day.
4.0 correlations by add-on gives:
Mac OS X:     85% (736/869) vs.  26% (3180/12045) testpilot@labs.mozilla.com (Mozilla Labs - Test Pilot, https://addons.mozilla.org/addon/13661)
Windows:      72% (252/352) vs.  26% (3180/12045) testpilot@labs.mozilla.com (Mozilla Labs - Test Pilot, https://addons.mozilla.org/addon/13661)
Summary: crash [@ js::gc::MarkId ] → crash [@ js::gc::MarkId ] mainly with TestPilot 1.1 and below
This crash has been around for longer than this recent spike, and the correlation with testpilot is a lot weaker than for e.g. bug 601102 and bug 643746.
I *hypothesize* that there is some deeper problem in GC or so that we are just triggering a lot more likely when testpilot is installed.
Summary: crash [@ js::gc::MarkId ] mainly with TestPilot 1.1 and below → crash [@ js::gc::MarkId ] with TestPilot (Mac, Windows) or Firebug or AdBlock plus (Mac) or Kikin (Windows)
Blocks: 646745
It is #2 (#1 unsolved) top crasher on Mac OS X and #6 on Windows in 4.0.
Assignee: general → wmccloskey
I think I have a fix for this and related id crashes.
Andreas, where are we with this. Any chance we can get a fix in so we can nominate for Macaw?
(In reply to comment #23)
> Andreas, where are we with this. Any chance we can get a fix in so we can
> nominate for Macaw?

IIUC, Andreas's fix is for a class of id crashes that is distinct from the Kikin crashes. We're making good progress on those in bug 637304.
Crash Signature: [@ js::gc::MarkId ]
There has been only one crash in 7.0.1 8.0.1 for the last four weeks.
The stack trace looks like:
Frame 	Module 	Signature 	Source
0 	XUL 	js::gc::MarkId 	js/src/vm/String.h:405
1 	XUL 	js::gc::MarkChildren 	js/src/jsgcmark.cpp:308
2 	XUL 	js::gc::MarkChildren 	js/src/jsgcmark.cpp:130
3 	XUL 	nsXPConnect::Traverse 	js/src/xpconnect/src/nsXPConnect.cpp:881
4 	XUL 	nsCycleCollector::BeginCollection 	xpcom/base/nsCycleCollector.cpp:1618
5 	XUL 	nsCycleCollectorRunner::Run 	xpcom/base/nsCycleCollector.cpp:3481
6 	XUL 	nsThread::ProcessNextEvent 	xpcom/threads/nsThread.cpp:631
7 	XUL 	NS_ProcessNextEvent_P 	obj-firefox/i386/xpcom/build/nsThreadUtils.cpp:245
8 	XUL 	nsThread::ThreadFunc 	xpcom/threads/nsThread.cpp:272
9 	libnspr4.dylib 	_pt_root 	nsprpub/pr/src/pthreads/ptthread.c:187
10 	libSystem.B.dylib 	_pthread_start 	
11 	libSystem.B.dylib 	thread_start
Keywords: topcrash
Hardware: x86 → All
Assignee: wmccloskey → general
There have been no crashes for the last four weeks after 8.0.1.
Status: NEW → RESOLVED
Closed: 11 years ago
Resolution: --- → WORKSFORME