crash [@ js::gc::MarkId ] with TestPilot (Mac, Windows) or Firebug or AdBlock plus (Mac) or Kikin (Windows)

RESOLVED WORKSFORME

Status

()

Core
JavaScript Engine
--
critical
RESOLVED WORKSFORME
8 years ago
5 years ago

People

(Reporter: Scoobidiver (away), Unassigned)

Tracking

(Blocks: 1 bug, {crash, regression})

Trunk
crash, regression
Points:
---
Dependency tree / graph

Firefox Tracking Flags

(blocking2.0 .x+)

Details

(Whiteboard: [softblocker], crash signature)

(Reporter)

Description

8 years ago
This is a new crash signature that exist in 4.0b7 and 4.0b8pre builds.
It is #280 top crasher in 4.0b8pre for the last week.

Signature	js::gc::MarkId
UUID	0cd8485f-91fa-4df2-90a9-c32992101127
Time 	2010-11-27 21:37:05.751414
Uptime	47900
Last Crash	461141 seconds (5.3 days) before submission
Install Age	47900 seconds (13.3 hours) since version was first installed.
Product	Firefox
Version	4.0b8pre
Build ID	20101127030319
Branch	2.0
OS	Windows NT
OS Version	5.1.2600 Service Pack 3
CPU	x86
CPU Info	GenuineIntel family 15 model 2 stepping 9
Crash Reason	EXCEPTION_ACCESS_VIOLATION_WRITE
Crash Address	0xafc00c
App Notes 	AdapterVendorID: 10de, AdapterDeviceID: 0322
MSAFD Tcpip [TCP/IP] : 2 : 1 :
MSAFD Tcpip [UDP/IP] : 2 : 2 : %SystemRoot%\system32\mswsock.dll
MSAFD Tcpip [RAW/IP] : 2 : 3 : %SystemRoot%\system32\mswsock.dll
RSVP UDP Service Provider : 6 : 2 : %SystemRoot%\system32\rsvpsp.dll
RSVP TCP Service Provider : 6 : 1 : %SystemRoot%\system32\rsvpsp.dll
MSAFD NetBIOS [\Device\NetBT_Tcpip_{06F03DD6-853B-40AE-9562-BA55BA51D8E7}] SEQPACKET 0 : 2 : 5 : %SystemRoot%\system32\mswsock.dll
MSAFD NetBIOS [\Device\NetBT_Tcpip_{06F03DD6-853B-40AE-9562-BA55BA51D8E7}] DATAGRAM 0 : 2 : 2 : %SystemRoot%\system32\mswsock.dll
MSAFD NetBIOS [\Device\NetBT_Tcpip_{60AFFCC2-DE5D-498D-BADD-A109D06BA9CF}] SEQPACKET 1 : 2 : 5 : %SystemRoot%\system32\mswsock.dll
MSAFD NetBIOS [\Device\NetBT_Tcpip_{60AFFCC2-DE5D-498D-BADD-A109D06BA9CF}] DATAGRAM 1 : 2 : 2 : %SystemRoot%\system32\mswsock.dll
MSAFD NetBIOS [\Device\NetBT_Tcpip_{6402FFE3-9500-43F2-A899-3BE8D640F226}] SEQPACKET 2 : 2 : 5 : %SystemRoot%\syste

Frame 	Module 	Signature [Expand] 	Source
0 	mozjs.dll 	js::gc::MarkId 	js/src/jsgcinlines.h:403
1 	mozjs.dll 	js::Shape::trace 	js/src/jsscope.cpp:1460
2 	mozjs.dll 	JSObject::trace 	js/src/jsscopeinlines.h:163
3 	mozjs.dll 	js_TraceObject 	js/src/jsobj.cpp:6169
4 	mozjs.dll 	js::gc::MarkChildren 	js/src/jsgcinlines.h:266
5 	mozjs.dll 	js::gc::MarkObject 	js/src/jsgcinlines.h:240
6 	mozjs.dll 	js::gc::MarkChildren 	js/src/jsgcinlines.h:252
7 	mozjs.dll 	js::gc::MarkObject 	js/src/jsgcinlines.h:240
8 	mozjs.dll 	js::gc::MarkChildren 	js/src/jsgcinlines.h:254
9 	mozjs.dll 	js::gc::MarkObject 	js/src/jsgcinlines.h:240
10 	mozjs.dll 	JSWrapper::trace 	js/src/jswrapper.cpp:284
11 	mozjs.dll 	js::proxy_TraceObject 	js/src/jsproxy.cpp:924

More reports at:
http://crash-stats.mozilla.com/report/list?product=Firefox&query_search=signature&query_type=exact&query=&range_value=4&range_unit=weeks&hang_type=any&process_type=any&plugin_field=&plugin_query_type=&plugin_query=&do_query=1&admin=&signature=js%3A%3Agc%3A%3AMarkId
(Reporter)

Comment 1

8 years ago
It is #35 top crasher in 4.0b9pre for the last week.
blocking2.0: --- → ?
Blocks: 613650
blocking2.0: ? → -
(Reporter)

Comment 2

8 years ago
It is #9 top crasher in 4.0b9 for the last week.
blocking2.0: - → ?
Keywords: topcrash
These are very obscure--there's no way we can hold a release for them unless they are a disaster. We will try to look at them if we have time, though.
blocking2.0: ? → .x

Comment 4

8 years ago
#9 is pretty scary. We should try to reproduce and capture on a replay box. David, do you mind if we track this as a softblocker? (overrule me if you do)

Updated

8 years ago
blocking2.0: .x → final+
Whiteboard: [softblocker]
Adding chofmann to the bug. Should we get some URLs for this one?
(In reply to comment #5)
> Adding chofmann to the bug. Should we get some URLs for this one?

You could try but I doubt you will find much. See bug 613650. I think Bill did have some ideas for investigating these.

Comment 7

8 years ago
(In reply to comment #6)
> (In reply to comment #5)
> > Adding chofmann to the bug. Should we get some URLs for this one?
> 
> You could try but I doubt you will find much. See bug 613650. I think Bill did
> have some ideas for investigating these.

yeah, not much of interest in the url list or other correlations that might help to reproduce. in general, it looks like just general purpose browsing, and this particular signature was introduced sometime during beta8 development

Correlation to startup or time of session
250 total crashes for js::gc::MarkId on 20110120-crashdata.csv
25 startup crashes inside 30 sec.
79 startup crashes inside 3 min.
40 repeated crashes inside 3 min. of last crash


checking --- js::gc::MarkId 20110120-crashdata.csv
found in: 4.0b9 4.0b10pre 4.0b8 4.0b9pre
release total-crashes
              js::gc::MarkId crashes
                         pct.
all     286249   250     0.000873365
4.0b9    45733   230     0.00502919
4.0b10pre 2333    11     0.00471496
4.0b8     5579     8     0.00143395
4.0b9pre   233     1     0.00429185

os breakdown
js::gc::MarkIdTotal 250
Win5.1  0.68
Win6.0  0.02
Win6.1  0.26


flash versions around at time of crash
 249 [blank]  -- not loaded?
   1 10.0.45.2

addon compatibility checks
  22 [unknown or unchecked]
 228 checked

most frequent url is

   14 http://ubactest.com:5000/?auth_id= XXXX someone's id

and some youtube and adult video urls

   1 http://www.youtube.com/watch?v=oohCQPABS7I&feature=related
   1 http://www.youtube.com/watch?v=j850dqa-nTs&feature=related
   1 http://www.youtube.com/watch?v=fWcFc2Bm7JE&feature=related
   1 http://www.youtube.com/watch?v=ZwN9aqwQ2x4
   1 http://www.youtube.com/watch?v=RYVm0qbWIZU
   1 http://www.youtube.com/watch?v=R0_lZU8hye0&NR=1
   1 http://www.youtube.com/watch?v=DtRhfqbp9MU
   1 http://www.youtube.com/results?search_query=the%20time%20-%20black%20eyed%20peas&search=Search&sa=X&oi=spell&resnum=0&spell=1

  many wyciwyg:// urls with google talk gaget and gmail around.

Comment 9

8 years ago
that combination of facebook and zynga, and yet hardly any flash version reported is an interesting one.   maybe a lot of users don't have flash or have it turned off when hitting those.
(In reply to comment #6)
> I think Bill did
> have some ideas for investigating these.

I was just thinking of poisoning objects after they're GCed in opt builds. That way we'd have a better chance of catching mark errors earlier.

Updated

8 years ago
Depends on: 629974
(Reporter)

Comment 11

8 years ago
It is currently #20 top crasher in 4.0b11 and #22 top crasher in 4.0b12pre over the last week.
It still happens in today's build.
OS: Windows XP → All
(Reporter)

Updated

7 years ago
Keywords: topcrash

Comment 14

7 years ago
that could also explain why we don't see flash version info or flash in module list.

Comment 15

7 years ago
comment 12 is worth investigating, although just not part of this bug AFAICT, so I openned Bug 637532 - input shows problems with flash games on fx4 for more investigation.
(Reporter)

Comment 16

7 years ago
#10 top crasher in 4.0b12.
Keywords: topcrash
** PRODUCT DRIVERS PLEASE NOTE **

This bug is one of 7 automatically changed from blocking2.0:final+ to blocking2.0:.x during the endgame of Firefox 4 for the following reasons:

 - it was marked as a soft blocking issue without a requirement for beta coverage
blocking2.0: final+ → .x+
(Reporter)

Updated

7 years ago
Severity: normal → critical

Comment 18

7 years ago
This spiked very significantly on FF4 release day (yesterday), together with bug 601102 and bug 643746 (all three are in JS and started spiking on 4.0* the day before, so at least the spike cause might be related), which together account for 2800 crashes in a million 4.0* ADU on that day or about 7.4% of all 4.0* crashes on that day, all three are in the top ten top crashers for 4.0* for this day.
(Reporter)

Comment 19

7 years ago
4.0 correlations by add-on gives:
Mac OS X:     85% (736/869) vs.  26% (3180/12045) testpilot@labs.mozilla.com (Mozilla Labs - Test Pilot, https://addons.mozilla.org/addon/13661)
Windows:      72% (252/352) vs.  26% (3180/12045) testpilot@labs.mozilla.com (Mozilla Labs - Test Pilot, https://addons.mozilla.org/addon/13661)
Summary: crash [@ js::gc::MarkId ] → crash [@ js::gc::MarkId ] mainly with TestPilot 1.1 and below

Comment 20

7 years ago
This crash has been around for longer than this recent spike, and the correlation with testpilot is a lot weaker than for e.g. bug 601102 and bug 643746.
I *hypothesize* that there is some deeper problem in GC or so that we are just triggering a lot more likely when testpilot is installed.
(Reporter)

Updated

7 years ago
Summary: crash [@ js::gc::MarkId ] mainly with TestPilot 1.1 and below → crash [@ js::gc::MarkId ] with TestPilot (Mac, Windows) or Firebug or AdBlock plus (Mac) or Kikin (Windows)

Updated

7 years ago
Blocks: 646745
(Reporter)

Comment 21

7 years ago
It is #2 (#1 unsolved) top crasher on Mac OS X and #6 on Windows in 4.0.

Updated

7 years ago
Assignee: general → wmccloskey

Comment 22

7 years ago
I think I have a fix for this and related id crashes.

Comment 23

7 years ago
Andreas, where are we with this. Any chance we can get a fix in so we can nominate for Macaw?
(In reply to comment #23)
> Andreas, where are we with this. Any chance we can get a fix in so we can
> nominate for Macaw?

IIUC, Andreas's fix is for a class of id crashes that is distinct from the Kikin crashes. We're making good progress on those in bug 637304.
Crash Signature: [@ js::gc::MarkId ]
(Reporter)

Comment 25

7 years ago
There have been only one crash in 7.0.1 8.0.1 for the last four weeks
(Reporter)

Comment 26

7 years ago
The stack trace looks like:
Frame 	Module 	Signature [Expand] 	Source
0 	XUL 	js::gc::MarkId 	js/src/vm/String.h:405
1 	XUL 	js::gc::MarkChildren 	js/src/jsgcmark.cpp:308
2 	XUL 	js::gc::MarkChildren 	js/src/jsgcmark.cpp:130
3 	XUL 	nsXPConnect::Traverse 	js/src/xpconnect/src/nsXPConnect.cpp:881
4 	XUL 	nsCycleCollector::BeginCollection 	xpcom/base/nsCycleCollector.cpp:1618
5 	XUL 	nsCycleCollectorRunner::Run 	xpcom/base/nsCycleCollector.cpp:3481
6 	XUL 	nsThread::ProcessNextEvent 	xpcom/threads/nsThread.cpp:631
7 	XUL 	NS_ProcessNextEvent_P 	obj-firefox/i386/xpcom/build/nsThreadUtils.cpp:245
8 	XUL 	nsThread::ThreadFunc 	xpcom/threads/nsThread.cpp:272
9 	libnspr4.dylib 	_pt_root 	nsprpub/pr/src/pthreads/ptthread.c:187
10 	libSystem.B.dylib 	_pthread_start 	
11 	libSystem.B.dylib 	thread_start
Keywords: topcrash
Hardware: x86 → All
Assignee: wmccloskey → general
(Reporter)

Comment 27

5 years ago
There have been no crashes for the last four weeks after 8.0.1.
Status: NEW → RESOLVED
Last Resolved: 5 years ago
Resolution: --- → WORKSFORME
You need to log in before you can comment on or make changes to this bug.