Closed Bug 633845 Opened 13 years ago Closed 8 years ago

Crash @ js::MaybeGC

Categories

(Core :: JavaScript Engine, defect)

Product:
Core
Component:
JavaScript Engine
Platform:
x86
All
Type:
defect
Priority:
Not set
Severity:
critical

Tracking

()

Status:
RESOLVED WORKSFORME
Tracking Flags:
Tracking Status
blocking2.0 --- .x+

People

(Reporter: mozilla, Assigned: gal)

References

Details

(Keywords: crash, Whiteboard: [tbird crash])

Crash Data

Attachments

(1 file, 2 obsolete files)

patch
4.59 KB, patch
jst
: review+
Details | Diff | Splinter Review 
User-Agent:       Mozilla/5.0 (Windows NT 6.1; WOW64; rv:2.0b12pre) Gecko/20110213 Firefox/4.0b12pre
Build Identifier: Mozilla/5.0 (Windows NT 6.1; WOW64; rv:2.0b12pre) Gecko/20110212 Firefox/4.0b12pre

All I can do is point you to https://crash-stats.mozilla.com/report/index/bp-a9d30d8f-38c4-4145-8a5d-972ed2110213 . Minefield was running when I went to sleep; when I woke up, there was a crash reporter dialog, and that crash report is the result. Something must have happened during the night, but what?

Note that I was running the Feb. 12 nightly build, so the fix in 630243 should have been merged in?

Reproducible: Didn't try
Assignee: nobody → general
Component: General → JavaScript Engine
Keywords: crash
Product: Firefox → Core
QA Contact: general → general
Version: unspecified → Trunk
I got a crash with this signature as well: 
https://crash-stats.mozilla.com/report/index/bp-119713f3-5b45-4007-acaf-46f782110303 

It's intermittent and I couldn't find out about a specific cause.

Gal: Any thoughts about this?
Looking.
Exciting. We are not in a compartment.
Assignee: general → gal
Status: UNCONFIRMED → ASSIGNED
Ever confirmed: true
Not exploitable, very safe NULL crash.
Attached patch patch (obsolete) — Splinter Review 

    
    

    
  

      
      
      
      

        Attached patch
          
          
        patch (obsolete)
        — Splinter Review
      

    


  

        Attachment #516733 -
        Attachment is obsolete: true

    
    

    
  
The attached patch is the way to go once we merge requests and enter/leave compartment. Until then I guess I should do a spot fix.

    
    

    
  
Asking for .x
blocking2.0: --- → ?

    
    

    
  

      
      
      
      

        Attached patch
          
          
        patchSplinter Review
      

    


  

        Attachment #516734 -
        Attachment is obsolete: true

    
    

    
  
Comment on attachment 516740 [details] [diff] [review]
patch

jst, this moves the MaybeGC where we are guaranteed to have a compartment. Also, I added what I believe is a missing compartment enter/leave.

        Attachment #516740 -
        Flags: review?(jst)
blocking2.0: ? → .x+

        Attachment #516740 -
        Flags: review?(jst) → review+

    
    

    
  
This would seem to be a regression, or something changed on trunk to expose the flaw.  A close examination of crash-stats reveals the first build to crash is the day before 4.0b9 with bp-47047bd3-5b9e-4e2d-ae9f-85ba32110110 4.0b9pre buildid 20110109030350

The crash rate of subsequent "pre" builds suggests the change should be within a week or two before 2011-01-09.


My crash was also when I was away from FF bp-8d7e1755-951a-45e8-8433-227a92110316  I have many unattended crashes, most of which crash-stats can't render the stacks so I'm not sure if they are related. Some examples:
bp-8ecd0f31-03df-4759-9d55-d8d982110317 (today)
bp-edcf9037-4a3d-43a3-a25c-dd0f42110224
bp-205ff1f2-e75a-4e1f-a871-63f842110222

Mac and linux crash sig is js::MaybeGC
OS: Windows NT → All
Summary: JavaScript crash, [@ js::MaybeGC(JSContext*)] → JavaScript crash, [@ js::MaybeGC(JSContext*)], [@ js::MaybeGC]
Crash Signature: [@ js::MaybeGC(JSContext*)]
[@ js::MaybeGC]

    
    

    
  
Andreas/anyone: did this ever land?

Just asking because of Bug 681205 with the same Stack.
Crash Signature: [@ js::MaybeGC(JSContext*)]
[@ js::MaybeGC] → [@ js::MaybeGC(JSContext*)]
[@ js::MaybeGC]

    
    

    
  
This has been rising on 8 in the last days, and has hit topcrash rank #25 there yesterday.

    
    

    
  
(In reply to Wayne Mery (:wsmwk) from comment #12)

> ... 
> My crash was also when I was away from FF
> bp-8d7e1755-951a-45e8-8433-227a92110316  I have many unattended crashes,
> most of which crash-stats can't render the stacks so I'm not sure if they
> are related. Some examples:
> bp-8ecd0f31-03df-4759-9d55-d8d982110317 (today)
> bp-edcf9037-4a3d-43a3-a25c-dd0f42110224
> bp-205ff1f2-e75a-4e1f-a871-63f842110222
> ...
That's Bug 696637.

I had a "[@ js::MaybeGC(JSContext*) ]" bp-abd2b34c-9efc-435b-b507-7e2e92111029 with Aurora.

    
    

    
  
It's now #19 top crasher in 8.0b5 and #69 in 7.0.1.
Maybe, there's an additional regression in 8.0.

    
  
Keywords: topcrash

    
    

    
  
I just had this crash in Firefox 10b.
https://crash-stats.mozilla.com/report/index/bp-becea400-48d4-46cf-bd61-0fd0a2120124
0 	mozjs.dll 	js::MaybeGC 	js/src/jsgc.cpp:2138
1 	mozjs.dll 	JS_MaybeGC 	js/src/jsapi.cpp:2760
2 	xul.dll 	xul.dll@0x18e8b4 	
3 	xul.dll 	xul.dll@0x1661a2 	
4 	xul.dll 	xul.dll@0x1436e9 	
5 	xul.dll 	xul.dll@0x193efd 	
6 	xul.dll 	xul.dll@0xc91503 

I suspect it was an oom crash.

Was the patch in this bug checked in?

    
    

    
  
It's only #120 top browser crasher in 9.0.1, #132 in 10.0b5, #221 in 11.0a2 and #213 in 12.0a1.
Keywords: topcrash
Summary: JavaScript crash, [@ js::MaybeGC(JSContext*)], [@ js::MaybeGC] → Crash @ js::MaybeGC

    
    

    
  
FWIW 10 release crashed like bp-938136e7-66b7-42d4-9419-740d92120208 on bug 725865.
Unfortunately, there are no steps to reproduce.
The PC was screen locked and unattended and the crash was there when the screen was unlocked.

    
    

    
  
low level crash for Thunderbird
Whiteboard: [tbird crash]

    
    

    
  
(In reply to Martijn Wargers [:mwargers] (QA) from comment #17)
> ...
> Was the patch in this bug checked in?

Checking hg, never landed afaict. And much has been refactored since 2011.

But Thunderbird has no crashes after version 17. And firefox not after 22 or 23. So the signature is gone - whether the crash morphed or not is a question had to answer without digging.
Status: ASSIGNED → RESOLVED
Closed: 8 years ago
Resolution: --- → WORKSFORME

          You need to log in
          before you can comment on or make changes to this bug.
        






  

    
  







  

    

      
Attachment

      

      
      
      
      
    

    

      

        

          

            
General

            

              Creator: 



            

            
Created: 

            
Updated: 

            
Size: