Closed Bug 654903 Opened 14 years ago Closed 12 years ago

Firefox Crash Report [@ js::gc::PushMarkStack ]

Categories

(Core :: JavaScript Engine, defect)

Product:
Core
Component:
JavaScript Engine
Version:
6 Branch
Platform:
x86
Windows 7
Type:
defect
Priority:
Not set
Severity:
critical

Tracking

()

Status:
RESOLVED WORKSFORME
Tracking Flags:
Tracking Status
firefox6 - ---
firefox15 - ---

People

(Reporter: marcia, Assigned: billm)

References

Details

(Keywords: crash, regression, Whiteboard: [js:nonactionable][#3 topcrash in 6 Beta and 7 Aurora])

Crash Data

Seen while reviewing crash stats. http://tinyurl.com/3gfmerp links to a week's worth of crashes. Crashes started showing up using the 2011042700 build. Currently the #21 top crash on the trunk. Signature shows up in Windows and Linux only so far. https://crash-stats.mozilla.com/report/index/5e74fe93-b353-4a29-aedf-dae552110504 Frame Module Signature [Expand] Source 0 mozjs.dll js::gc::PushMarkStack js/src/jsgcmark.cpp:176 1 mozjs.dll js::gc::ScanValue js/src/jsgcmark.cpp:472 2 mozjs.dll js::gc::ScanLargeObject js/src/jsgcmark.cpp:595 3 mozjs.dll js::GCMarker::drainMarkStack 4 mozjs.dll mozjs.dll@0x4fa5f 5 xul.dll XPCJSRuntime::TraceJS js/src/xpconnect/src/xpcjsruntime.cpp:376 6 mozjs.dll js::MarkRuntime js/src/jsgc.cpp:1741 7 mozjs.dll MarkAndSweep js/src/jsgc.cpp:2349 8 mozjs.dll GCUntilDone js/src/jsgc.cpp:2684 9 mozjs.dll JS_GC js/src/jsapi.cpp:2593 10 xul.dll nsXPConnect::Collect js/src/xpconnect/src/nsXPConnect.cpp:406 11 xul.dll nsXPConnect::GarbageCollect js/src/xpconnect/src/nsXPConnect.cpp:414 12 xul.dll GCTimerFired dom/base/nsJSEnvironment.cpp:3300 13 xul.dll nsTimerImpl::Fire xpcom/threads/nsTimerImpl.cpp:424 14 xul.dll nsTimerEvent::Run xpcom/threads/nsTimerImpl.cpp:520 15 xul.dll nsThread::ProcessNextEvent xpcom/threads/nsThread.cpp:618 16 nspr4.dll PR_Unlock nsprpub/pr/src/threads/combined/prulock.c:347 17 xul.dll MessageLoop::RunHandler ipc/chromium/src/base/message_loop.cc:202 18 xul.dll xul.dll@0x3751ff 19 xul.dll MessageLoop::Run ipc/chromium/src/base/message_loop.cc:176 20 xul.dll mozilla::storage::AsyncExecuteStatements::AsyncExecuteStatements storage/src/mozStorageAsyncStatementExecution.cpp:238 21 xul.dll nsBaseAppShell::Run widget/src/xpwidgets/nsBaseAppShell.cpp:189 22 @0x76d1ffff 23 xul.dll nsAppStartup::Run toolkit/components/startup/nsAppStartup.cpp:224 24 xul.dll XRE_main toolkit/xre/nsAppRunner.cpp:3682 25 firefox.exe wmain toolkit/xre/nsWindowsWMain.cpp:106 26 firefox.exe __tmainCRTStartup obj-firefox/memory/jemalloc/crtsrc/crtexe.c:591 27 kernel32.dll BaseThreadInitThunk 28 ntdll.dll __RtlUserThreadStart 29 ntdll.dll _RtlUserThreadStart
Probably dup of 652931. Any new crashes?
https://crash-stats.mozilla.com/report/list?signature=js::gc::PushMarkStack lists the latest crashes, a few on the 22nd of May.
Crash Signature: [@ js::gc::PushMarkStack ]
It is #17 top crasher in 6.0. A comment says: "Firefox has crahed twice when the PC was in power save mode."
(In reply to comment #2) > Probably dup of 652931. Any new crashes? Not a dupe of bug 652931 because it crashes in the latest nightly. It is now #12 top browser crasher in 6.0 but it is probably linked to PGO turn on which will be disabled in 6.0b2.
It is #3 top browser crasher in 6.0b2 and in 7.0a2 and #12 in 8.0a1.
tracking-firefox6: --- → ?
tracking-firefox7: --- → ?
tracking-firefox8: --- → ?
Whiteboard: [#3 topcrash in 6 Beta and 7 Aurora]
optimistically tracking for 7.
tracking-firefox6: ?-
tracking-firefox7: ?+
tracking-firefox8: ? → ---
I received this bug when I went to about:memory on Fennec. Also when closing 10 tabs within 3 seconds of each other. The tabs were opened to various pages in about:about as well as a news.google.com. Mozilla/5.0 (Android; Linux armv7I; rv:7.0) Gecko/20110830 Firefox/7.0 Fennec/7.0 [beta 3 candidate] Maybe related to bug 683063?
Naoki, can you reproduce this reliably?
1744 crashes in FF 7 in the last week. The comments across all versions point to this happening rather randomly.
So I spoke to dmandelin about this one. I don't think it makes sense to track this unless we have noticed a clear volume regression since the signature started appearing at the end of April. We think this is likely due to some random memory corruption so unless we can find a clear reproducible test case I am removing the tracking flag. The right way to fix this is to work with the JS team to explore ways we can dig into this further. Some of the work that Bill is doing covers this.
tracking-firefox7: + → ---
Keywords: topcrash
I add the js::gc::PushMarkStack(js::GCMarker*, js::BaseShape*) crash signature that first appeared in 11.0a1/20111204. The regression range is: http://hg.mozilla.org/mozilla-central/pushloghtml?fromchange=9740118b9dcc&tochange=c2102c45c8da More reports at: https://crash-stats.mozilla.com/report/list?range_value=30&range_unit=days&signature=js%3A%3Agc%3A%3APushMarkStack%28js%3A%3AGCMarker*%2C%20js%3A%3ABaseShape*%29&version=Firefox%3A11.0a1
Crash Signature: [@ js::gc::PushMarkStack ] → [@ js::gc::PushMarkStack] [@ js::gc::PushMarkStack(js::GCMarker*, js::BaseShape*)]
Mozilla/5.0 (X11; Linux x86_64; rv:12.0a1) Gecko/20120107 Firefox/12.0a1 SeaMonkey/2.9a1 ID:20120107003001 bug 716232 (first seen in this nightly) has the same signature but the rest of the stack is different.
Fireofox 9.0.1 crash report bp-1858193f-50a7-4fa8-9093-076672120125
Summary: Firefox 6.0a1 Crash Report [@ js::gc::PushMarkStack ] → Firefox Crash Report [@ js::gc::PushMarkStack ]
It's #9 top browser crasher in 9.0.1 (218 crashes/1M ADU), #2 in 10.0b5 (318 crashes/1M ADU) behind the empty crash signature. It's also higher in 10 because top hangs disappear. There are no extension correlations (9.0.1 and 10.0b4) on Windows and one with Firebug on Linux. Here is a list of extension (not exhaustive) when it's the only one in the crash report, except the default Firefox extension: * ffxtlbr@babylon.com 1.2.0 (Babylon toolbar) * {bf7380fa-e3b4-4db2-af3e-9d8783a45bfc} 3.9.0.3 (uTorrentBar) * twitternotifier@naan.net 2.3.5 (Echofon for Twitter) * {EEE6C361-6118-11DC-9C72-001320C79847} 1.3.0.1 (SweetIM Toolbar for Firefox) * mozilla_cc@internetdownloadmanager.com 7.3.11 (IDM CC) * {EB9394A3-4AD6-4918-9537-31A1FD8E8EDF} 2.0 (DealPly) * tuentifox@mozilla-hispano.org 0.4b2 (TFox) * wrc@avast.com 6.0.1367 (Avast WebRep) * {b9db16a4-6edc-47ec-a1f4-b86292ed211d} 4.9.8 (DownloadHelper) * appbar@alot.com 1.0.12000 (ALOT Appbar) * {BBDA0591-3099-440a-AA10-41764D9DB4DB} 3.2 (Symantec IPS) * {d10d0bf8-f5b5-c8b4-a8b2-2b9879e08c5d} 2.0.3 (AdBlock Plus) * {99079a25-328f-4bd4-be04-00955acaa0a7} 4.4.1.00 (Searchqu Toolbar) * jqs@sun.com 1.0 (Java Quick Starter) * {20a82645-c095-46ed-80e3-08825760534b} 0.0.0 (Microsoft .NET Framework Assistant) * {1E73965B-8B48-48be-9C8D-68B920ABC1C4} 10.0.0.1416 (AVG Safe Search) * {0538E3E3-7E9B-4d49-8831-A227C80A7AD3} 2.0.21 (forecastfox) * helperbar@helperbar.com 1.0 (Linkury Smartbar) * en-AU@dictionaries.addons.mozilla.org 2.1.2 (Australian-English dictionary) * {635abd67-4fe9-1b23-4f01-e679fa7484c1} 2.4.5.20111209014555 (Yahoo Toolbar) * {a3a5c777-f583-4fef-9380-ab4add1bc2a8} 3.1.5 (Cuevana Stream) * litmus-ff@f-secure.com 1.10 (FSecure toolbar) * {c45c406e-ab73-11d8-be73-000a95be3b12} 1.1.9 (Web Developer) * xpiral@gmail.com 3.0 * fdm_ffext@freedownloadmanager.org 1.5.5 (Free Download Manager) * {7b13ec3e-999a-4b70-b9cb-2617b8323822} 3.9.0.3 (Zynga Toolbar) * jid0-0PGffAcVvhUBieFYkRVVc5w6lIU@jetpack 2.3.14 (Missing e) * {d21e1d10-117c-11df-8a39-0800200c9a66} 1.0.31 (LiveTool Toolbar)
Keywords: regression
Version: Trunk → 6 Branch
Scoobidiver, from all I know, this is a GC marking crash and therefore one of those we can't reasonably work on. It probably doesn't matter what keywords you mark it with or what comments you post unless you have consistent steps to reproduce. GC marking crashes have the nasty habit of just uncovering something that has gone bad way earlier in totally different code and therefore the connection between the cause and the consequence is severed and we have no reasonable way of action left there. Also, for a common signature it's clear that there are any number of add-ons in the stacks, probably half of all add-ons available if you go through all reports. That doesn't mean they have any connection to the crash.
(In reply to Robert Kaiser (:kairo@mozilla.com) from comment #16) > Scoobidiver, from all I know, this is a GC marking crash and therefore one > of those we can't reasonably work on. If I understood your point, it's like a crash with an empty signature. Fixing other JS crashes will make this crash less common.
(In reply to Scoobidiver from comment #17) > If I understood your point, it's like a crash with an empty signature. > Fixing other JS crashes will make this crash less common. The garbage collector touches pretty much every JS thing in memory, so if something else has corrupted memory, you'll get a crash in the GC.
Firefox just crashed with this same message: https://crash-stats.mozilla.com/report/index/7f1f0238-304e-48c1-8a34-7f1a32120504 Firefox 15a1 2012-05-04-12-29-39-mozilla-central cset 9ebf3dc839c5
Got a similar one (and a bunch of other signatures) https://crash-stats.mozilla.com/report/index/bp-95bfc7ea-12ad-41be-bd0c-dd77b2120505 But only when incremental GC is enabled.
Yeah, incremental GC has become super crashy in the last few days. See bug 752098. geeknik, do you have incremental GC enabled, too?
Incremental GC was fine until Compartments-Per-Global landed yesterday. As soon as I installed the re-spin, I had to disable incremental GC otherwise the browser was unusable.
Depends on: 752098
Some other changes related to incremental GC landed the same day, so it isn't quite clear whether CPG or the other problem is to blame. There's a patch in progress for one of the problems.
I am seeing this crash always when running Firebug's test suite. I have also noticed this crash: https://crash-stats.mozilla.com/report/index/bp-89e33f6b-c1d0-4a5b-a932-0e46b2120509 but not sure whether it's related Honza
(In reply to Jan Honza Odvarko from comment #24) > I am seeing this crash always when running Firebug's test suite. When did it start happening? Do you have incremental GC enabled?
(In reply to Bill McCloskey (:billm) from comment #25) > (In reply to Jan Honza Odvarko from comment #24) > > I am seeing this crash always when running Firebug's test suite. > When did it start happening? Unfortunately our Firebug's test bot doesn't work these days so, I don't know. > Do you have incremental GC enabled? I don't think so, how can I verify? Honza
(In reply to Jan Honza Odvarko from comment #26) > > Do you have incremental GC enabled? > I don't think so, how can I verify? Type about:support, the information is in the JavaScript section.
(In reply to Scoobidiver from comment #27) > (In reply to Jan Honza Odvarko from comment #26) > > > Do you have incremental GC enabled? > > I don't think so, how can I verify? > Type about:support, the information is in the JavaScript section. Unfortunately that's incorrect; see bug 735944. To find the correct value, search for gc_incremental in about:config.
javascript.options.mem.gc_incremental -> false javascript.options.mem.gc_incremental_slice_ms -> 10 (in about:support) Incremental GC -> 1 Should I change something and retest? Honza
Assignee: general → wmccloskey
There's a spike in crashes (40 crashes an hour) from 15.0a1/20120513. The regression range for the spike is: http://hg.mozilla.org/mozilla-central/pushloghtml?fromchange=22a58090fa70&tochange=c758cc9b60e5 It's likely a regression from bug 735099 which has been backed out since.
Blocks: 735099
tracking-firefox15: --- → ?
Depends on: 754811
Spike showing right now. There's a good chance it was from IGC being re-enabled and will be temporary--we can reset the flags if so.
tracking-firefox15: ?+
Whiteboard: [#3 topcrash in 6 Beta and 7 Aurora] → [#3 topcrash in 6 Beta and 7 Aurora][js:investigate][js:p1:fx16]
Spike is gone. I hate this bug.
tracking-firefox15: +-
Whiteboard: [#3 topcrash in 6 Beta and 7 Aurora][js:investigate][js:p1:fx16] → [js:nonactionable][#3 topcrash in 6 Beta and 7 Aurora]
Depends on: 757795
There are only 258 crashes in 15.0.1.
Keywords: topcrash
signatures do not occur in current versions
Status: NEW → RESOLVED
Closed: 12 years ago
Resolution: --- → WORKSFORME
You need to log in before you can comment on or make changes to this bug.