Status

()

defect
--
critical
RESOLVED WORKSFORME
9 years ago
3 years ago

People

(Reporter: mozilla, Assigned: gal)

Tracking

({crash})

Trunk
x86
All
Points:
---

Firefox Tracking Flags

(blocking2.0 .x+)

Details

(Whiteboard: [tbird crash], crash signature)

Attachments

(1 attachment, 2 obsolete attachments)

Reporter

Description

9 years ago
User-Agent:       Mozilla/5.0 (Windows NT 6.1; WOW64; rv:2.0b12pre) Gecko/20110213 Firefox/4.0b12pre
Build Identifier: Mozilla/5.0 (Windows NT 6.1; WOW64; rv:2.0b12pre) Gecko/20110212 Firefox/4.0b12pre

All I can do is point you to https://crash-stats.mozilla.com/report/index/bp-a9d30d8f-38c4-4145-8a5d-972ed2110213 . Minefield was running when I went to sleep; when I woke up, there was a crash reporter dialog, and that crash report is the result. Something must have happened during the night, but what?

Note that I was running the Feb. 12 nightly build, so the fix in 630243 should have been merged in?

Reproducible: Didn't try
Assignee: nobody → general
Component: General → JavaScript Engine
Keywords: crash
Product: Firefox → Core
QA Contact: general → general
Version: unspecified → Trunk
Reporter

Comment 1

9 years ago
Hmmm, it did it again. 

https://crash-stats.mozilla.com/report/index/15262d4b-6128-4f0d-922c-d30872110217 is the crash report.
I got a crash with this signature as well: 
https://crash-stats.mozilla.com/report/index/bp-119713f3-5b45-4007-acaf-46f782110303 

It's intermittent and I couldn't find out about a specific cause.

Gal: Any thoughts about this?
Assignee

Comment 3

8 years ago
Looking.
Assignee

Comment 4

8 years ago
Exciting. We are not in a compartment.
Assignee

Updated

8 years ago
Assignee: general → gal
Assignee

Updated

8 years ago
Status: UNCONFIRMED → ASSIGNED
Ever confirmed: true
Assignee

Comment 5

8 years ago
Not exploitable, very safe NULL crash.
Assignee

Comment 6

8 years ago
Posted patch patch (obsolete) — Splinter Review
Assignee

Comment 7

8 years ago
Posted patch patch (obsolete) — Splinter Review
Attachment #516733 - Attachment is obsolete: true
Assignee

Comment 8

8 years ago
The attached patch is the way to go once we merge requests and enter/leave compartment. Until then I guess I should do a spot fix.
Assignee

Comment 9

8 years ago
Asking for .x
blocking2.0: --- → ?
Assignee

Comment 10

8 years ago
Posted patch patchSplinter Review
Attachment #516734 - Attachment is obsolete: true
Assignee

Comment 11

8 years ago
Comment on attachment 516740 [details] [diff] [review]
patch

jst, this moves the MaybeGC where we are guaranteed to have a compartment. Also, I added what I believe is a missing compartment enter/leave.
Attachment #516740 - Flags: review?(jst)
blocking2.0: ? → .x+
Attachment #516740 - Flags: review?(jst) → review+
This would seem to be a regression, or something changed on trunk to expose the flaw.  A close examination of crash-stats reveals the first build to crash is the day before 4.0b9 with bp-47047bd3-5b9e-4e2d-ae9f-85ba32110110 4.0b9pre buildid 20110109030350

The crash rate of subsequent "pre" builds suggests the change should be within a week or two before 2011-01-09.


My crash was also when I was away from FF bp-8d7e1755-951a-45e8-8433-227a92110316  I have many unattended crashes, most of which crash-stats can't render the stacks so I'm not sure if they are related. Some examples:
bp-8ecd0f31-03df-4759-9d55-d8d982110317 (today)
bp-edcf9037-4a3d-43a3-a25c-dd0f42110224
bp-205ff1f2-e75a-4e1f-a871-63f842110222

Mac and linux crash sig is js::MaybeGC
OS: Windows NT → All
Summary: JavaScript crash, [@ js::MaybeGC(JSContext*)] → JavaScript crash, [@ js::MaybeGC(JSContext*)], [@ js::MaybeGC]
Crash Signature: [@ js::MaybeGC(JSContext*)] [@ js::MaybeGC]
Andreas/anyone: did this ever land?

Just asking because of Bug 681205 with the same Stack.
Crash Signature: [@ js::MaybeGC(JSContext*)] [@ js::MaybeGC] → [@ js::MaybeGC(JSContext*)] [@ js::MaybeGC]

Comment 14

8 years ago
This has been rising on 8 in the last days, and has hit topcrash rank #25 there yesterday.

Comment 15

8 years ago
(In reply to Wayne Mery (:wsmwk) from comment #12)

> ... 
> My crash was also when I was away from FF
> bp-8d7e1755-951a-45e8-8433-227a92110316  I have many unattended crashes,
> most of which crash-stats can't render the stacks so I'm not sure if they
> are related. Some examples:
> bp-8ecd0f31-03df-4759-9d55-d8d982110317 (today)
> bp-edcf9037-4a3d-43a3-a25c-dd0f42110224
> bp-205ff1f2-e75a-4e1f-a871-63f842110222
> ...
That's Bug 696637.

I had a "[@ js::MaybeGC(JSContext*) ]" bp-abd2b34c-9efc-435b-b507-7e2e92111029 with Aurora.
It's now #19 top crasher in 8.0b5 and #69 in 7.0.1.
Maybe, there's an additional regression in 8.0.

Updated

8 years ago
Keywords: topcrash
I just had this crash in Firefox 10b.
https://crash-stats.mozilla.com/report/index/bp-becea400-48d4-46cf-bd61-0fd0a2120124
0 	mozjs.dll 	js::MaybeGC 	js/src/jsgc.cpp:2138
1 	mozjs.dll 	JS_MaybeGC 	js/src/jsapi.cpp:2760
2 	xul.dll 	xul.dll@0x18e8b4 	
3 	xul.dll 	xul.dll@0x1661a2 	
4 	xul.dll 	xul.dll@0x1436e9 	
5 	xul.dll 	xul.dll@0x193efd 	
6 	xul.dll 	xul.dll@0xc91503 

I suspect it was an oom crash.

Was the patch in this bug checked in?
It's only #120 top browser crasher in 9.0.1, #132 in 10.0b5, #221 in 11.0a2 and #213 in 12.0a1.
Keywords: topcrash
Summary: JavaScript crash, [@ js::MaybeGC(JSContext*)], [@ js::MaybeGC] → Crash @ js::MaybeGC

Updated

8 years ago
Duplicate of this bug: 725865

Comment 20

8 years ago
FWIW 10 release crashed like bp-938136e7-66b7-42d4-9419-740d92120208 on bug 725865.
Unfortunately, there are no steps to reproduce.
The PC was screen locked and unattended and the crash was there when the screen was unlocked.
low level crash for Thunderbird
Whiteboard: [tbird crash]
(In reply to Martijn Wargers [:mwargers] (QA) from comment #17)
> ...
> Was the patch in this bug checked in?

Checking hg, never landed afaict. And much has been refactored since 2011.

But Thunderbird has no crashes after version 17. And firefox not after 22 or 23. So the signature is gone - whether the crash morphed or not is a question had to answer without digging.
Status: ASSIGNED → RESOLVED
Closed: 3 years ago
Resolution: --- → WORKSFORME
You need to log in before you can comment on or make changes to this bug.