Open Bug 654196 Opened 9 years ago Updated Last year

Crash Report @ js::GCMarker::drainMarkStack

Categories

(Core :: JavaScript: GC, defect, critical)

Tracking

Tracking Status
firefox6 - ---
firefox15 - ---
firefox48 --- affected
firefox49 --- affected
firefox-esr45 --- affected
firefox50 --- affected
firefox51 --- affected

People

(Reporter: marcia, Unassigned)

References

(Blocks 1 open bug)

Details

(Keywords: crash)

Crash Data

Seen while reviewing trunk crash stats. Trunk only crash which started showing up in crash stats using 2011042700 build.

Possible regression range: http://hg.mozilla.org/mozilla-central/pushloghtml?fromchange=c5e8cc100248&tochange=c833fb1623ca

There was a merge in this changeset.

https://crash-stats.mozilla.com/report/index/66b76fe1-d1a6-4e17-8f57-1a66c2110428

Frame | Module | Signature | Source
0 | mozjs.dll | js::GCMarker::drainMarkStack | js/src/jsgcmark.cpp:711
1 | xul.dll | XPCJSRuntime::TraceJS | js/src/xpconnect/src/xpcjsruntime.cpp:380
2 | mozjs.dll | js::MarkRuntime | js/src/jsgc.cpp:1836
3 | mozjs.dll | MarkAndSweep | js/src/jsgc.cpp:2477
4 | mozjs.dll | GCUntilDone | js/src/jsgc.cpp:2812
5 | mozjs.dll | JS_GC | js/src/jsapi.cpp:2592
6 | xul.dll | nsXPConnect::Collect | js/src/xpconnect/src/nsXPConnect.cpp:405
7 | xul.dll | nsXPConnect::GarbageCollect | js/src/xpconnect/src/nsXPConnect.cpp:413
8 | xul.dll | GCTimerFired | dom/base/nsJSEnvironment.cpp:3300
9 | xul.dll | nsTimerImpl::Fire | xpcom/threads/nsTimerImpl.cpp:424
10 | xul.dll | nsTimerEvent::Run | xpcom/threads/nsTimerImpl.cpp:516
11 | xul.dll | nsThread::ProcessNextEvent | xpcom/threads/nsThread.cpp:618
12 | xul.dll | TimerThread::RemoveTimer | xpcom/threads/TimerThread.cpp:417
13 | xul.dll | MessageLoop::RunHandler | ipc/chromium/src/base/message_loop.cc:202
14 | xul.dll | xul.dll@0x373c1d |
15 | xul.dll | MessageLoop::Run | ipc/chromium/src/base/message_loop.cc:176
16 | xul.dll | mozilla::storage::AsyncExecuteStatements::AsyncExecuteStatements | storage/src/mozStorageAsyncStatementExecution.cpp:238
17 | xul.dll | nsBaseAppShell::Run | widget/src/xpwidgets/nsBaseAppShell.cpp:189
18 | | @0x78173f |
19 | xul.dll | nsAppStartup::Run | toolkit/components/startup/nsAppStartup.cpp:224
20 | xul.dll | XRE_main | toolkit/xre/nsAppRunner.cpp:3765
21 | firefox.exe | wmain | toolkit/xre/nsWindowsWMain.cpp:128
22 | firefox.exe | __tmainCRTStartup | obj-firefox/memory/jemalloc/crtsrc/crtexe.c:591
23 | kernel32.dll | BaseThreadInitThunk |
24 | ntdll.dll | __RtlUserThreadStart |
25 | ntdll.dll | _RtlUserThreadStart |
Crashing code was introduced in
http://hg.mozilla.org/mozilla-central/rev/3e5aaea1ccf8
which is part of that range.
Blocks: 616666
The patch in bug 616666 changed all the GC marking code to go through a single, central path. So I think what happened is that all the old GC crashes will now be lumped into this bug. Unfortunately, this means we'll be getting less data about these crashes, since the C stack is no longer used for marking. Maybe there's a way we can add some diagnostic data that the crash reporter can pick up on.
This signature is the #4 top browser crash on the trunk.
Crash Signature: [@ js::GCMarker::drainMarkStack() ]
It is #5 top browser crasher in 6.0a2.
It is #10 top browser crasher in 6.0.
This isn't 6 material so not going to track.
Crash Signature: [@ js::GCMarker::drainMarkStack() ] → [@ js::GCMarker::drainMarkStack() ] [@ js::GCMarker::drainMarkStack ]
It's #280 top crasher in 7.0.1.
It's probably related to bug 668583 and bug 686441.
Summary: Firefox 6.0a1 Crash Report [@ js::GCMarker::drainMarkStack() ] → Firefox 6.0a1 Crash Report [@ js::GCMarker::drainMarkStack() ] mainly with Better Facebook
Blocks: 654877
Duplicate of this bug: 752157
I have an STR for this crash.  I also get the following additional signatures when using the same STR outlined below:

[@ js::gc::MarkInternal<js::GlobalObject>(JSTracer*, js::GlobalObject**) ]
https://crash-stats.mozilla.com/report/index/bp-a461bb70-6fef-451d-9e2d-85d202120512

[@ JS_DHashTableOperate ]
https://crash-stats.mozilla.com/report/index/bp-c38fb92e-5edb-48a8-8921-8b0a62120512

[@ js::gc::Arena::finalize<JSObject>(js::FreeOp*, js::gc::AllocKind, unsigned int) ]
https://crash-stats.mozilla.com/report/index/bp-bd172fc8-ec07-44da-8ffc-d8baf2120512


I do not get this crash without addons.  Certain addons make crashing possible. One such is Adblock Plus (however, there are others).  The more of such addons you have the easier it is to trigger the crash.  Hopefully this helps with tracking this down:

1. Start Nightly with a new profile
2. Make sure you have a printer installed.  You can also use a PDF printer, like Bullzip: http://www.bullzip.com/products/pdf/info.php
3. Install Adblock Plus dev build: http://adblockplus.org/en/development-builds
4. Restart the browser and do not accept any of the Adblock Plus subscriptions.
5. Visit the following URL: www.linuxhomenetworking.com/wiki/images/f/f0/Iptables.gif
6. Click File --> Print Preview
7. Toggle "Scale:" between "Shrink To Fit" and "125%" 10 times (i.e. "Shrink To Fit" then "125%" counts as 1; followed by "Shrink To Fit" counts as 2; followed by "125%" counts as 3... etc.)
8. Click the "Print..." button and complete ALL the steps necessary to produce the print job.  At this point you should get a crash.
9. If you didn't crash, try doing Step 7 20 times or so instead.

I've been able to crash on both Windows XP and Windows 7.

[@ js::gc::ScanShape ]
https://crash-stats.mozilla.com/report/index/bp-03011822-c696-4d5f-b57c-30a492120512
(In reply to IU from comment #13)
None of your crash reports match this crash signature. Please comment in the right bug, bug 654877 and bug 702531.
(In reply to Scoobidiver from comment #14)
> (In reply to IU from comment #13)
> None of your crash reports match this crash signature. Please comment in the
> right bug, bug 654877 and bug 702531.

The point is that the same STR produces many different signatures.  But whatever.  I'll comment elsewhere.
There's a spike in crashes (3 crashes an hour) from 15.0a1/20120513. The regression range for the spike is:
http://hg.mozilla.org/mozilla-central/pushloghtml?fromchange=22a58090fa70&tochange=c758cc9b60e5
It's likely a regression from bug 735099 which has been backed out since.
Blocks: 735099
Since bug 735099 was backed out, I don't think we need to track this bug at this time.
Summary: Firefox 6.0a1 Crash Report [@ js::GCMarker::drainMarkStack() ] mainly with Better Facebook → Crash Report [@ js::GCMarker::drainMarkStack() ] mainly with Better Facebook
Crash Signature: [@ js::GCMarker::drainMarkStack() ] [@ js::GCMarker::drainMarkStack ] → [@ js::GCMarker::drainMarkStack()] [@ js::GCMarker::drainMarkStack(js::SliceBudget&)] [@ @0x0 | js::GCMarker::drainMarkStack(js::SliceBudget&)] [@ js::GCMarker::drainMarkStack]
Summary: Crash Report [@ js::GCMarker::drainMarkStack() ] mainly with Better Facebook → Crash Report @ js::GCMarker::drainMarkStack
I'm continuing to hit this on other pages on huffingtonpost.ca today, after getting the latest Nightly.
Assignee: general → nobody
Crash Signature: [@ js::GCMarker::drainMarkStack()] [@ js::GCMarker::drainMarkStack(js::SliceBudget&)] [@ @0x0 | js::GCMarker::drainMarkStack(js::SliceBudget&)] [@ js::GCMarker::drainMarkStack] → [@ js::GCMarker::drainMarkStack()] [@ js::GCMarker::drainMarkStack(js::SliceBudget&)] [@ @0x0 | js::GCMarker::drainMarkStack(js::SliceBudget&)] [@ js::GCMarker::drainMarkStack] [@ @0x0 | js::GCMarker::drainMarkStack]
Blocks: 1077386
See Also: → 719114
Component: JavaScript Engine → JavaScript: GC
Crash volume for signature 'js::GCMarker::drainMarkStack':
 - nightly (version 51): 9 crashes from 2016-08-01.
 - aurora  (version 50): 9 crashes from 2016-08-01.
 - beta    (version 49): 25 crashes from 2016-08-02.
 - release (version 48): 540 crashes from 2016-07-25.
 - esr     (version 45): 2 crashes from 2016-05-02.

Crash volume on the last weeks (Week N is from 08-22 to 08-28):
            W. N-1  W. N-2  W. N-3
 - nightly       3       3       1
 - aurora        5       2       0
 - beta          5      11       3
 - release     187     164      67
 - esr           0       0       0

Affected platforms: Windows, Linux

Crash rank on the last 7 days:
           Browser   Content     Plugin
 - nightly #331      #261
 - aurora            #150
 - beta    #1772
 - release #118      #92
 - esr
Looks like drainmarkstack got renamed.
Crash Signature: [@ js::GCMarker::drainMarkStack()] [@ js::GCMarker::drainMarkStack(js::SliceBudget&)] [@ @0x0 | js::GCMarker::drainMarkStack(js::SliceBudget&)] [@ js::GCMarker::drainMarkStack] [@ @0x0 | js::GCMarker::drainMarkStack] → [@ js::GCMarker::drainMarkStack()] [@ js::GCMarker::drainMarkStack(js::SliceBudget&)] [@ @0x0 | js::GCMarker::drainMarkStack(js::SliceBudget&)] [@ js::GCMarker::drainMarkStack] [@ @0x0 | js::GCMarker::drainMarkStack] [@ js::GCMarker::markUntilBudgetEx…