Closed Bug 654877 Opened 14 years ago Closed 11 years ago

Crash @ js::gc::ScanShape

Categories

(Core :: JavaScript Engine, defect)

Product:
Core
Component:
JavaScript Engine
Platform:
x86
All
Type:
defect
Priority:
Not set
Severity:
critical

Tracking

()

Status:
RESOLVED WORKSFORME
Tracking Flags:
Tracking Status
firefox6 - ---
firefox15 - ---

People

(Reporter: marcia, Unassigned)

References

Details

(Keywords: crash, Whiteboard: [js:t])

Crash Data

Seen while reviewing trunk crashes. This crash occurs on Mac and Linux in small volume. Perhaps the same bug as Bug 654196, but the Mac and Linux version? Frame Module Signature [Expand] Source 0 XUL js::gc::ScanShape js/src/jsgcmark.cpp:491 1 XUL js::GCMarker::drainMarkStack js/src/jsgcmark.cpp:210 2 XUL XPCJSRuntime::TraceJS js/src/jsgc.h:1110 3 XUL js::MarkRuntime js/src/jsgc.cpp:1741 4 XUL js_GC js/src/jsgc.cpp:2349 5 XUL nsXPConnect::Collect js/src/xpconnect/src/nsXPConnect.cpp:406 6 XUL nsXPConnect::GarbageCollect js/src/xpconnect/src/nsXPConnect.cpp:414 7 XUL nsTimerImpl::Fire xpcom/threads/nsTimerImpl.cpp:424 8 XUL nsTimerEvent::Run xpcom/threads/nsTimerImpl.cpp:520 9 XUL nsThread::ProcessNextEvent xpcom/threads/nsThread.cpp:618 10 XUL NS_ProcessPendingEvents_P obj-firefox/x86_64/xpcom/build/nsThreadUtils.cpp:200 11 XUL nsBaseAppShell::NativeEventCallback widget/src/xpwidgets/nsBaseAppShell.cpp:130 12 XUL nsAppShell::ProcessGeckoEvents widget/src/cocoa/nsAppShell.mm:422 13 CoreFoundation __CFRunLoopDoSources0 14 CoreFoundation __CFRunLoopRun 15 CoreFoundation CFRunLoopRunSpecific 16 HIToolbox HIToolbox@0x2e7ed 17 HIToolbox HIToolbox@0x2e5f2 18 HIToolbox HIToolbox@0x2e4ab 19 AppKit _DPSNextEvent 20 AppKit -[NSApplication nextEventMatchingMask:untilDate:inMode:dequeue:] 21 AppKit -[NSApplication run] 22 XUL nsAppShell::Run widget/src/cocoa/nsAppShell.mm:769 23 XUL nsAppStartup::Run toolkit/components/startup/nsAppStartup.cpp:224 24 XUL XRE_main toolkit/xre/nsAppRunner.cpp:3682 25 firefox-bin main browser/app/nsBrowserApp.cpp:158 26 firefox-bin firefox-bin@0x953
> Perhaps the same bug as Bug 654196, but the Mac and Linux version? Probably so. These crashes start showing up at the same time, with the 2011042700 build.
More precisely, these crashes start with the 20110427030633 build.
Crash Signature: [@ js::gc::ScanShape ]
It is #10 top browser crasher in 6.0b2 and happens mainly only on Windows. Strangely, bug 654196 which it is related to does no longer happen in 6.0b2 because of the PGO disabling.
tracking-firefox6: --- → ?
OS: Mac OS X → All
optimistically tracking for 7.
tracking-firefox6: ?-
tracking-firefox7: --- → +
tracking-firefox7: + → ---
Clearing tracking for 7 as we are in the stage where we can't "optimistically" track anything and the crash team has not flagged this.
FWIW, I see this pretty much every day when waking my Mac up from hibernation. I use Deep Sleep <http://deepsleep.free.fr/> to force full hibernation instead of the default standby mode. When I resume, I get the Crash Reporter — sometimes after a few seconds of Firefox usage, sometimes immediately. Latest Firefox 6 and OS X: Mozilla/5.0 (Macintosh; Intel Mac OS X 10.6; rv:6.0.2) Gecko/20100101 Firefox/6.0.2 Interestingly, I do not experience the same issue on Aurora on this same account. It stays up even after the wake-up.
Ooooh! Are you sharing profiles beteen Aurora and Release? Can you reproduce with Beta or Nightly? Can you try running in safe mode (no extensions) and see if it still happens? Can you create a new mac OS x user and see if it reproduces there? Thanks for the reproducible case and any help!
I am not actively sharing as such, but I have accidentally started Release with the Aurora profile before, and the other way round. So yes, there might have been some "cross-contamination". I use Release for work and Aurora for non-work, but the two different profiles are pretty much the same when it comes to plugins (i.e. Flash, QuickTime, Garmin Communicator). It is not 100% reproducible, though: today, it did not crash. No idea why not, though. Here are some other recent crashes I submitted; I hope that helps: bp-9ec0cad6-1b13-42e2-85e6-1e76a2110917 bp-799a7920-5563-4399-988c-b4acb2110917 bp-da2c2909-4773-44ec-a9fb-dd6a92110916 bp-a3f312a8-0497-47e8-80d2-d0ecb2110915 bp-9183aa2e-4066-43c5-b75d-449772110914 I will see what it does tomorrow morning (CET). If it crashes, I will try again with safe mode, with a new profile, and with a new user account, in that order.
Oh wait, extensions: the Aurora profile does not have Firebug installed. I use it quite a lot in the other (work) profile. I will install it in the "non-work" profile too, and see if that changes anything.
Unfortunately, I have not been able to consistently reproduce this. Sometimes it crashes when resuming after hibernation, sometimes it doesn't. When I restore my session after a crash, hibernate and resume again, nothing happens. All of this with my "real-world" profile with Flash etc. enabled. Two more crashes: 3283414f-ed39-4a26-9893-b821a2110919 and df506b9f-a639-48b4-b79b-ae83a2110920. It does seem to have something to do with the GC, but I do not know enough to be of help there. Is there anything I can do to help? Maybe open a particularly JS-heavy site you know of to help trigger the GC?
It's been a while, but I had another one tonight: bp-35675e31-b828-4427-8662-ae48a2110926. (For your convenience, here are the previous two again, but properly prefixed so they are linked automatically: bp-3283414f-ed39-4a26-9893-b821a2110919 and bp-df506b9f-a639-48b4-b79b-ae83a2110920.) Is there a way to link crash reports to this bug without spamming everyone? Or are they not useful enough to mention or link, anyway?
Appears at #28 on 8.0 over the past week and at #24 on 8.0.1.
Keywords: topcrash
Depends on: 654196
I have an STR for this crash. I also get the following additional signatures when using the same STR outlined below: [@ js::gc::MarkInternal<js::GlobalObject>(JSTracer*, js::GlobalObject**) ] https://crash-stats.mozilla.com/report/index/bp-a461bb70-6fef-451d-9e2d-85d202120512 [@ JS_DHashTableOperate ] https://crash-stats.mozilla.com/report/index/bp-c38fb92e-5edb-48a8-8921-8b0a62120512 [@ js::gc::Arena::finalize<JSObject>(js::FreeOp*, js::gc::AllocKind, unsigned int) ] https://crash-stats.mozilla.com/report/index/bp-bd172fc8-ec07-44da-8ffc-d8baf2120512 I do not get this crash without addons. Certain addons make crashing possible. One such is Adblock Plus (however, there are others). The more of such addons you have the easier it is to trigger the crash. Hopefully this helps with tracking this down: 1. Start Nightly with a new profile 2. Make sure you have a printer installed. You can also use a PDF printer, like Bullzip: http://www.bullzip.com/products/pdf/info.php 3. Install Adblock Plus dev build: http://adblockplus.org/en/development-builds 4. Restart the browser and do not accept any of the Adblock Plus subscriptions. 5. Visit the following URL: www.linuxhomenetworking.com/wiki/images/f/f0/Iptables.gif 6. Click File --> Print Preview 7. Toggle "Scale:" between "Shrink To Fit" and "125%" 10 times (i.e. "Shrink To Fit" then "125%" counts as 1; followed by "Shrink To Fit" counts as 2; followed by "125%" counts as 3... etc.) 8. Click the "Print..." button and complete ALL the steps necessary to produce the print job. At this point you should get a crash. 9. If you didn't crash, try doing Step 7 20 times or so instead. I've been able to crash on both Windows XP and Windows 7 [@ js::gc::ScanShape ] https://crash-stats.mozilla.com/report/index/bp-03011822-c696-4d5f-b57c-30a492120512
There's a spike in crashes (2 crashes an hour) from 15.0a1/20120513. The regression range for the spike is: http://hg.mozilla.org/mozilla-central/pushloghtml?fromchange=22a58090fa70&tochange=c758cc9b60e5 It's likely a regression from bug 735099 which has been backed out since.
Blocks: 735099
tracking-firefox15: --- → ?
Summary: Firefox 6.0a1 Crash Report [@ js::gc::ScanShape ] → Crash @ js::gc::ScanShape
tracking-firefox15: ?+
Whiteboard: [js:investigate][js:p1:fx16]
Whiteboard: [js:investigate][js:p1:fx16] → [js:inv:p1]
The spike is gone in 15.0a1/20120514. Crashes are gone after 15.0a1/20120531. The working range is: http://hg.mozilla.org/mozilla-central/pushloghtml?fromchange=3aa566994890&tochange=73783bf75c4c
tracking-firefox15: +-
Whiteboard: [js:inv:p1] → [js:t]
Depends on: 767908
There are only 80 crashes in 15.0.1.
Keywords: topcrash
firefox signature ends in the version 17/19 range
Status: NEW → RESOLVED
Closed: 11 years ago
Resolution: --- → WORKSFORME
You need to log in before you can comment on or make changes to this bug.