Closed Bug 654903 Opened 9 years ago Closed 6 years ago

Firefox Crash Report [@ js::gc::PushMarkStack ]

Categories

(Core :: JavaScript Engine, defect, critical)

6 Branch
x86
Windows 7
defect
Not set
critical

Tracking

()

RESOLVED WORKSFORME
Tracking Status
firefox6 - ---
firefox15 - ---

People

(Reporter: marcia, Assigned: billm)

References

Details

(Keywords: crash, regression, Whiteboard: [js:nonactionable][#3 topcrash in 6 Beta and 7 Aurora])

Crash Data

Seen while reviewing crash stats. http://tinyurl.com/3gfmerp links to a week's worth of crashes. Crashes started showing up using the 2011042700 build. Currently the #21 top crash on the trunk. Signature shows up in Windows and Linux only so far.

https://crash-stats.mozilla.com/report/index/5e74fe93-b353-4a29-aedf-dae552110504

Frame 	Module 	Signature [Expand] 	Source
0 	mozjs.dll 	js::gc::PushMarkStack 	js/src/jsgcmark.cpp:176
1 	mozjs.dll 	js::gc::ScanValue 	js/src/jsgcmark.cpp:472
2 	mozjs.dll 	js::gc::ScanLargeObject 	js/src/jsgcmark.cpp:595
3 	mozjs.dll 	js::GCMarker::drainMarkStack 	
4 	mozjs.dll 	mozjs.dll@0x4fa5f 	
5 	xul.dll 	XPCJSRuntime::TraceJS 	js/src/xpconnect/src/xpcjsruntime.cpp:376
6 	mozjs.dll 	js::MarkRuntime 	js/src/jsgc.cpp:1741
7 	mozjs.dll 	MarkAndSweep 	js/src/jsgc.cpp:2349
8 	mozjs.dll 	GCUntilDone 	js/src/jsgc.cpp:2684
9 	mozjs.dll 	JS_GC 	js/src/jsapi.cpp:2593
10 	xul.dll 	nsXPConnect::Collect 	js/src/xpconnect/src/nsXPConnect.cpp:406
11 	xul.dll 	nsXPConnect::GarbageCollect 	js/src/xpconnect/src/nsXPConnect.cpp:414
12 	xul.dll 	GCTimerFired 	dom/base/nsJSEnvironment.cpp:3300
13 	xul.dll 	nsTimerImpl::Fire 	xpcom/threads/nsTimerImpl.cpp:424
14 	xul.dll 	nsTimerEvent::Run 	xpcom/threads/nsTimerImpl.cpp:520
15 	xul.dll 	nsThread::ProcessNextEvent 	xpcom/threads/nsThread.cpp:618
16 	nspr4.dll 	PR_Unlock 	nsprpub/pr/src/threads/combined/prulock.c:347
17 	xul.dll 	MessageLoop::RunHandler 	ipc/chromium/src/base/message_loop.cc:202
18 	xul.dll 	xul.dll@0x3751ff 	
19 	xul.dll 	MessageLoop::Run 	ipc/chromium/src/base/message_loop.cc:176
20 	xul.dll 	mozilla::storage::AsyncExecuteStatements::AsyncExecuteStatements 	storage/src/mozStorageAsyncStatementExecution.cpp:238
21 	xul.dll 	nsBaseAppShell::Run 	widget/src/xpwidgets/nsBaseAppShell.cpp:189
22 		@0x76d1ffff 	
23 	xul.dll 	nsAppStartup::Run 	toolkit/components/startup/nsAppStartup.cpp:224
24 	xul.dll 	XRE_main 	toolkit/xre/nsAppRunner.cpp:3682
25 	firefox.exe 	wmain 	toolkit/xre/nsWindowsWMain.cpp:106
26 	firefox.exe 	__tmainCRTStartup 	obj-firefox/memory/jemalloc/crtsrc/crtexe.c:591
27 	kernel32.dll 	BaseThreadInitThunk 	
28 	ntdll.dll 	__RtlUserThreadStart 	
29 	ntdll.dll 	_RtlUserThreadStart
Duplicate of this bug: 655561
Probably dup of 652931. Any new crashes?
Crash Signature: [@ js::gc::PushMarkStack ]
It is #17 top crasher in 6.0.

A comment says: "Firefox has crahed twice when the PC was in power save mode."
(In reply to comment #2)
> Probably dup of 652931. Any new crashes?
Not a dupe of bug 652931 because it crashes in the latest nightly.
It is now #12 top browser crasher in 6.0 but it is probably linked to PGO turn on which will be disabled in 6.0b2.
It is #3 top browser crasher in 6.0b2 and in 7.0a2 and #12 in 8.0a1.
Whiteboard: [#3 topcrash in 6 Beta and 7 Aurora]
optimistically tracking for 7.
I received this bug when I went to about:memory on Fennec.  Also when closing 10 tabs within 3 seconds of each other.  The tabs were opened to various pages in about:about as well as a news.google.com.  

Mozilla/5.0 (Android; Linux armv7I; rv:7.0) Gecko/20110830 Firefox/7.0 Fennec/7.0
[beta 3 candidate]

Maybe related to bug 683063?
Naoki, can you reproduce this reliably?
1744 crashes in FF 7 in the last week. The comments across all versions point to this happening rather randomly.
So I spoke to dmandelin about this one. I don't think it makes sense to track this unless we have noticed a clear volume regression since the signature started appearing at the end of April. We think this is likely due to some random memory corruption so unless we can find a clear reproducible test case I am removing the tracking flag. The right way to fix this is to work with the JS team to explore ways we can dig into this further. Some of the work that Bill is doing covers this.
Keywords: topcrash
I add the js::gc::PushMarkStack(js::GCMarker*, js::BaseShape*) crash signature that first appeared in 11.0a1/20111204. The regression range is:
http://hg.mozilla.org/mozilla-central/pushloghtml?fromchange=9740118b9dcc&tochange=c2102c45c8da

More reports at:
https://crash-stats.mozilla.com/report/list?range_value=30&range_unit=days&signature=js%3A%3Agc%3A%3APushMarkStack%28js%3A%3AGCMarker*%2C%20js%3A%3ABaseShape*%29&version=Firefox%3A11.0a1
Crash Signature: [@ js::gc::PushMarkStack ] → [@ js::gc::PushMarkStack] [@ js::gc::PushMarkStack(js::GCMarker*, js::BaseShape*)]
Mozilla/5.0 (X11; Linux x86_64; rv:12.0a1) Gecko/20120107 Firefox/12.0a1 SeaMonkey/2.9a1 ID:20120107003001

bug 716232 (first seen in this nightly) has the same signature but the rest of the stack is different.
Fireofox 9.0.1 crash report bp-1858193f-50a7-4fa8-9093-076672120125
Summary: Firefox 6.0a1 Crash Report [@ js::gc::PushMarkStack ] → Firefox Crash Report [@ js::gc::PushMarkStack ]
It's #9 top browser crasher in 9.0.1 (218 crashes/1M ADU), #2 in 10.0b5 (318 crashes/1M ADU) behind the empty crash signature.
It's also higher in 10 because top hangs disappear.

There are no extension correlations (9.0.1 and 10.0b4) on Windows and one with Firebug on Linux.
Here is a list of extension (not exhaustive) when it's the only one in the crash report, except the default Firefox extension:
* ffxtlbr@babylon.com 1.2.0 (Babylon toolbar)
* {bf7380fa-e3b4-4db2-af3e-9d8783a45bfc} 3.9.0.3  (uTorrentBar)
* twitternotifier@naan.net 	2.3.5 (Echofon for Twitter)
* {EEE6C361-6118-11DC-9C72-001320C79847} 	1.3.0.1 (SweetIM Toolbar for Firefox)
* mozilla_cc@internetdownloadmanager.com 	7.3.11 (IDM CC)
* {EB9394A3-4AD6-4918-9537-31A1FD8E8EDF} 	2.0 (DealPly)
* tuentifox@mozilla-hispano.org 	0.4b2 (TFox)
* wrc@avast.com 	6.0.1367 (Avast WebRep)
* {b9db16a4-6edc-47ec-a1f4-b86292ed211d} 	4.9.8 (DownloadHelper)
* appbar@alot.com 	1.0.12000 (ALOT Appbar)
* {BBDA0591-3099-440a-AA10-41764D9DB4DB} 	3.2 (Symantec IPS)
* {d10d0bf8-f5b5-c8b4-a8b2-2b9879e08c5d} 	2.0.3 (AdBlock Plus)
* {99079a25-328f-4bd4-be04-00955acaa0a7} 	4.4.1.00 (Searchqu Toolbar)
* jqs@sun.com 	1.0 (Java Quick Starter)
* {20a82645-c095-46ed-80e3-08825760534b} 	0.0.0 (Microsoft .NET Framework Assistant)
* {1E73965B-8B48-48be-9C8D-68B920ABC1C4} 	10.0.0.1416 (AVG Safe Search)
* {0538E3E3-7E9B-4d49-8831-A227C80A7AD3} 	2.0.21 (forecastfox)
* helperbar@helperbar.com 	1.0 (Linkury Smartbar)
* en-AU@dictionaries.addons.mozilla.org 	2.1.2 (Australian-English dictionary)
* {635abd67-4fe9-1b23-4f01-e679fa7484c1} 	2.4.5.20111209014555 (Yahoo Toolbar)
* {a3a5c777-f583-4fef-9380-ab4add1bc2a8} 	3.1.5 (Cuevana Stream)
* litmus-ff@f-secure.com 	1.10 (FSecure toolbar)
* {c45c406e-ab73-11d8-be73-000a95be3b12} 	1.1.9 (Web Developer)
* xpiral@gmail.com 	3.0
* fdm_ffext@freedownloadmanager.org 	1.5.5 (Free Download Manager)
* {7b13ec3e-999a-4b70-b9cb-2617b8323822} 	3.9.0.3  (Zynga Toolbar)
* jid0-0PGffAcVvhUBieFYkRVVc5w6lIU@jetpack 	2.3.14 (Missing e)
* {d21e1d10-117c-11df-8a39-0800200c9a66} 	1.0.31 (LiveTool Toolbar)
Keywords: regression
Version: Trunk → 6 Branch
Scoobidiver, from all I know, this is a GC marking crash and therefore one of those we can't reasonably work on. It probably doesn't matter what keywords you mark it with or what comments you post unless you have consistent steps to reproduce. GC marking crashes have the nasty habit of just uncovering something that has gone bad way earlier in totally different code and therefore the connection between the cause and the consequence is severed and we have no reasonable way of action left there.
Also, for a common signature it's clear that there are any number of add-ons in the stacks, probably half of all add-ons available if you go through all reports. That doesn't mean they have any connection to the crash.
(In reply to Robert Kaiser (:kairo@mozilla.com) from comment #16)
> Scoobidiver, from all I know, this is a GC marking crash and therefore one
> of those we can't reasonably work on.
If I understood your point, it's like a crash with an empty signature. Fixing other JS crashes will make this crash less common.
(In reply to Scoobidiver from comment #17)
> If I understood your point, it's like a crash with an empty signature.
> Fixing other JS crashes will make this crash less common.

The garbage collector touches pretty much every JS thing in memory, so if something else has corrupted memory, you'll get a crash in the GC.
Firefox just crashed with this same message:

https://crash-stats.mozilla.com/report/index/7f1f0238-304e-48c1-8a34-7f1a32120504


Firefox 15a1 
2012-05-04-12-29-39-mozilla-central
cset 9ebf3dc839c5
Got a similar one (and a bunch of other signatures)
https://crash-stats.mozilla.com/report/index/bp-95bfc7ea-12ad-41be-bd0c-dd77b2120505

But only when incremental GC is enabled.
Yeah, incremental GC has become super crashy in the last few days.  See bug 752098.  geeknik, do you have incremental GC enabled, too?
Incremental GC was fine until Compartments-Per-Global landed yesterday. As soon as I installed the re-spin, I had to disable incremental GC otherwise the browser was unusable.
Depends on: 752098
Some other changes related to incremental GC landed the same day, so it isn't quite clear whether CPG or the other problem is to blame.  There's a patch in progress for one of the problems.
I am seeing this crash always when running Firebug's test suite.

I have also noticed this crash:
https://crash-stats.mozilla.com/report/index/bp-89e33f6b-c1d0-4a5b-a932-0e46b2120509
but not sure whether it's related

Honza
(In reply to Jan Honza Odvarko from comment #24)
> I am seeing this crash always when running Firebug's test suite.

When did it start happening? Do you have incremental GC enabled?
(In reply to Bill McCloskey (:billm) from comment #25)
> (In reply to Jan Honza Odvarko from comment #24)
> > I am seeing this crash always when running Firebug's test suite.

> When did it start happening?
Unfortunately our Firebug's test bot doesn't work these
days so, I don't know.

> Do you have incremental GC enabled?
I don't think so, how can I verify?

Honza
(In reply to Jan Honza Odvarko from comment #26)
> > Do you have incremental GC enabled?
> I don't think so, how can I verify?
Type about:support, the information is in the JavaScript section.
(In reply to Scoobidiver from comment #27)
> (In reply to Jan Honza Odvarko from comment #26)
> > > Do you have incremental GC enabled?
> > I don't think so, how can I verify?
> Type about:support, the information is in the JavaScript section.

Unfortunately that's incorrect; see bug 735944. To find the correct value, search for gc_incremental in about:config.
javascript.options.mem.gc_incremental -> false
javascript.options.mem.gc_incremental_slice_ms -> 10

(in about:support) Incremental GC -> 1

Should I change something and retest?

Honza
Assignee: general → wmccloskey
There's a spike in crashes (40 crashes an hour) from 15.0a1/20120513. The regression range for the spike is:
http://hg.mozilla.org/mozilla-central/pushloghtml?fromchange=22a58090fa70&tochange=c758cc9b60e5
It's likely a regression from bug 735099 which has been backed out since.
Blocks: 735099
Depends on: 754811
Spike showing right now. There's a good chance it was from IGC being re-enabled and will be temporary--we can reset the flags if so.
Whiteboard: [#3 topcrash in 6 Beta and 7 Aurora] → [#3 topcrash in 6 Beta and 7 Aurora][js:investigate][js:p1:fx16]
Spike is gone. I hate this bug.
Whiteboard: [#3 topcrash in 6 Beta and 7 Aurora][js:investigate][js:p1:fx16] → [js:nonactionable][#3 topcrash in 6 Beta and 7 Aurora]
Depends on: 757795
There are only 258 crashes in 15.0.1.
Keywords: topcrash
signatures do not occur in current versions
Status: NEW → RESOLVED
Closed: 6 years ago
Resolution: --- → WORKSFORME
You need to log in before you can comment on or make changes to this bug.