Closed Bug 657199 Opened 13 years ago Closed 8 years ago

Yandex Bar (http://bar.yandex.ru) triggers execution of JS code during the cycle collection on shutdown

Categories: Core :: General, defect
Priority: Not set
Severity: critical
Status: RESOLVED WONTFIX
Tracking Status: platform-rel --- -
Reporter: mdykun
Assignee: Unassigned
Keywords: crash, regression, reproducible
Whiteboard: [platform-rel-yandex]

User-Agent:       Mozilla/5.0 (Windows NT 6.1; rv:6.0a1) Gecko/20110514 Firefox/6.0a1
Build Identifier: Mozilla/5.0 (Windows NT 6.1; rv:6.0a1) Gecko/20110514 Firefox/6.0a1

Crashing when browser restarted

Crash-report https://crash-stats.mozilla.com/report/index/3f5b7b9a-bd8d-4df3-a3c9-5bb6c2110514

Reproducible: Couldn't Reproduce
0 	mozcrt19.dll 	arena_dalloc_small 	obj-firefox/memory/jemalloc/crtsrc/jemalloc.c:4045
1 	mozcrt19.dll 	arena_dalloc 	obj-firefox/memory/jemalloc/crtsrc/jemalloc.c:4173
2 	mozcrt19.dll 	free 	obj-firefox/memory/jemalloc/crtsrc/jemalloc.c:6037
3 	mozjs.dll 	js::gc::FinalizeArenas<JSString> 	js/src/jsgc.cpp:278
4 	mozjs.dll 	js::gc::ArenaList::backgroundFinalize 	js/src/jsgc.cpp:1281
5 	mozjs.dll 	js::GCHelperThread::doSweep 	js/src/jsgc.cpp:2142
6 	mozjs.dll 	js::GCHelperThread::threadLoop 	js/src/jsgc.cpp:2095
7 	mozjs.dll 	js::GCHelperThread::threadMain 	js/src/jsgc.cpp:2075
8 	nspr4.dll 	_PR_NativeRunThread 	nsprpub/pr/src/threads/combined/pruthr.c:426
9 	nspr4.dll 	pr_root 	nsprpub/pr/src/md/windows/w95thred.c:122
10 	mozcrt19.dll 	_callthreadstartex 	obj-firefox/memory/jemalloc/crtsrc/threadex.c:348
11 	mozcrt19.dll 	_threadstartex 	obj-firefox/memory/jemalloc/crtsrc/threadex.c:326
12 	kernel32.dll 	BaseThreadInitThunk 	
13 	ntdll.dll 	__RtlUserThreadStart 	
14 	ntdll.dll 	_RtlUserThreadStart
Version: unspecified → Trunk
Keywords: crash
Product: Firefox → Core
QA Contact: general → general
After some tests I realized that the error is caused by using Yandex Bar (bar.yandex.ru), and specifically by its "text only" function. When this function is turned off, there are no crashes during browser restart. When it is turned on, it crashes on every restart.
Summary: Crash [@ arena_dalloc_small | arena_dalloc | free | js::gc::FinalizeArenas<JSString> ] → Crash when using Yandex Bar (http://bar.yandex.ru) [@ arena_dalloc_small | arena_dalloc | free | js::gc::FinalizeArenas<JSString> ] [@ zzz_AsmCodeRange_Begin ]
0 	ntdll.dll 	zzz_AsmCodeRange_Begin 	
1 	ntdll.dll 	EtwEventEnabled 	
2 	mozcrt19.dll 	arena_dalloc 	obj-firefox/memory/jemalloc/crtsrc/jemalloc.c:4172
3 	mozjs.dll 	js::gc::FinalizeArenas<JSString> 	js/src/jsgc.cpp:278
4 	nspr4.dll 	PR_Unlock 	nsprpub/pr/src/threads/combined/prulock.c:347
5 	nspr4.dll 	nspr4.dll@0x1b54f 	
6 	mozjs.dll 	js::GCHelperThread::doSweep 	js/src/jsgc.cpp:2142
7 	nspr4.dll 	nspr4.dll@0x1b54f 	
8 	mozjs.dll 	js::GCHelperThread::threadMain 	js/src/jsgc.cpp:2075
9 	nspr4.dll 	_PR_NativeRunThread 	nsprpub/pr/src/threads/combined/pruthr.c:426
10 	nspr4.dll 	pr_root 	nsprpub/pr/src/md/windows/w95thred.c:122
11 	mozcrt19.dll 	_callthreadstartex 	obj-firefox/memory/jemalloc/crtsrc/threadex.c:348
12 	mozcrt19.dll 	_threadstartex 	obj-firefox/memory/jemalloc/crtsrc/threadex.c:326
13 	kernel32.dll 	BaseThreadInitThunk 	
14 	ntdll.dll 	__RtlUserThreadStart 	
15 	ntdll.dll 	_RtlUserThreadStart 	


0 	ntdll.dll 	zzz_AsmCodeRange_Begin 	
1 	ntdll.dll 	EtwEventEnabled 	
2 	mozcrt19.dll 	arena_dalloc 	obj-firefox/memory/jemalloc/crtsrc/jemalloc.c:4176
3 	mozjs.dll 	js::gc::FinalizeArenas<JSString> 	js/src/jsgc.cpp:278
4 	shell32.dll 	SdbInitDatabase 	
5 	nspr4.dll 	PR_Unlock 	nsprpub/pr/src/threads/combined/prulock.c:347
6 	mozjs.dll 	js::gc::ArenaList::backgroundFinalize 	js/src/jsgc.cpp:1281
7 	nspr4.dll 	nspr4.dll@0x1b54f 	
8 	mozjs.dll 	js::GCHelperThread::doSweep 	js/src/jsgc.cpp:2142
9 	nspr4.dll 	nspr4.dll@0x1b54f 	
10 	mozjs.dll 	js::GCHelperThread::threadMain 	js/src/jsgc.cpp:2075
11 	nspr4.dll 	_PR_NativeRunThread 	nsprpub/pr/src/threads/combined/pruthr.c:426
12 	nspr4.dll 	pr_root 	nsprpub/pr/src/md/windows/w95thred.c:122
13 	mozcrt19.dll 	_callthreadstartex 	obj-firefox/memory/jemalloc/crtsrc/threadex.c:348
14 	mozcrt19.dll 	_threadstartex 	obj-firefox/memory/jemalloc/crtsrc/threadex.c:326
15 	kernel32.dll 	BaseThreadInitThunk 	
16 	ntdll.dll 	__RtlUserThreadStart 	
17 	ntdll.dll 	_RtlUserThreadStart
Reproduced:
Mozilla/5.0 (X11; Linux x86_64; rv:6.0a1) Gecko/20110517 Firefox/6.0a1

Steps to Reproduce:
1. Start Firefox Nightly with a new, clean profile
2. Use about:config and add extensions.checkCompatibility.6.0a / false
3. Visit http://bar.yandex.ru/
4. Press the Установите Яндекс.Бар button and install the Yandex Bar add-on
5. Select Restart now and accept license
6. After restart keep just one tab open and visit https://www.mozilla.com/
7. Select text mode by left clicking "&" to the right of the address bar.
8. Select File/Quit

Actual Results:  
Crash

Expected Results:  
Firefox exits without crash

Crash IDs:
bp-2cefdcf8-44fc-44f9-aa8a-d0eda2110517
[@ js::Shape::hashify ] 

bp-74cd9d96-15ac-412f-9e44-c84e32110517
[@ free | js::gc::FinalizeArenas<JSString> ] 

bp-64bd83c7-16af-4d73-8a03-5d1512110517
[@ libpthread-2.13.so@0x9114 ] 

bp-f323825d-1e78-4ec7-b155-7e6062110517
[@ libpthread-2.13.so@0x9114 ] 

bp-38b6d981-e580-4b2b-8719-b71192110517
[@ free | js::gc::FinalizeArenas<JSString> ]
Regression range:

Last good nightly: 2011-05-13 First bad nightly: 2011-05-14

Pushlog: http://hg.mozilla.org/mozilla-central/pushloghtml?fromchange=ad1fa68dcaf5&tochange=8404426ef391
OS: Windows NT → All
Hardware: x86 → All
Regression range of Tracemonkey:

Last good nightly: 2011-05-13 First bad nightly: 2011-05-14

Pushlog: http://hg.mozilla.org/tracemonkey/pushloghtml?fromchange=5ff15fe83e16&tochange=599d1c6cba63

Apparently there is a merge of mozilla-central and tracemonkey in the regression range.
Keywords: reproducible
More Crash IDs:

bp-f164af04-5486-42fb-9ede-60b462110517
[@ js::Shape::hashify ] 

bp-60e8743a-412e-4212-9453-8ab952110517
[@ js::Shape::hashify ]

bp-127dd872-c78c-45c7-82f7-c17842110517
[@ js::Shape::hashify ] 

bp-dfef9127-483c-4d1c-b085-7e8b82110517
[@ libpthread-2.13.so@0xeeeb ] 

bp-37626da3-d7aa-445e-b0ba-435c22110517
[@ libpthread-2.13.so@0xeeeb ] 

bp-5cbb4c4a-a396-4cc2-a802-5e19a2110517
[@ libpthread-2.13.so@0xeeeb ] 

bp-08730185-439a-489b-97d5-cc2802110517
[@ libpthread-2.13.so@0xeeeb ]
Status: UNCONFIRMED → NEW
Ever confirmed: true
The first bad revision is:
changeset:   69498:d406a64628e3
user:        Igor Bukanov <igor@mir2.org>
date:        Fri Apr 22 00:20:12 2011 +0200
summary:     bug 601234 - avoiding extra indirection and branch on the fast path of GC allocation. r=wmccloskey
Keywords: regression
I see the crash on optimized builds on x64 Linux as well.
I managed to reproduce the crash in a debug build with optimizations on. The culprit is that the Yandex toolbar triggers the execution of JS code during the GC on shutdown. This should not happen and the code asserts about that. But prior to bug 601234 the code also had a protection against that in optimized builds via returning NULL from the GC thing allocator. I will restore that check in that bug. But we should do something about that JS running.

Here is the stack that clearly shows the issue:

#0  0x00007f9668ea639d in nanosleep () at ../sysdeps/unix/syscall-template.S:82
#1  0x00007f9668ea6210 in __sleep (seconds=<value optimized out>) at ../sysdeps/unix/sysv/linux/sleep.c:138
#2  0x00007f966ab7ac52 in ah_crap_handler (signum=6) at /scratch/igor/m/tm/toolkit/xre/nsSigHandlers.cpp:119
#3  0x00007f966ab7ea3b in nsProfileLock::FatalSignalHandler (signo=6, info=0x7fffc65438b0, context=0x7fffc6543780) at /scratch/igor/build/ff/tmopt/toolkit/profile/nsProfileLock.cpp:226
#4  <signal handler called>
#5  0x00007f966d7dc7bb in raise (sig=<value optimized out>) at ../nptl/sysdeps/unix/sysv/linux/pt-raise.c:42
#6  0x00007f966c9e2e58 in NewFinalizableGCThing<JSString> (cx=0x7f9647d09400, chars=0x7f9647e67040, length=6) at /scratch/igor/m/tm/js/src/jsgcinlines.h:184
#7  js_NewGCString (cx=0x7f9647d09400, chars=0x7f9647e67040, length=6) at /scratch/igor/m/tm/js/src/jsgcinlines.h:209
#8  JSFixedString::new_ (cx=0x7f9647d09400, chars=0x7f9647e67040, length=6) at /scratch/igor/m/tm/js/src/jsstrinlines.h:330
#9  js_NewString (cx=0x7f9647d09400, chars=0x7f9647e67040, length=6) at /scratch/igor/m/tm/js/src/jsstr.cpp:3608
#10 0x00007f966c865e0a in JS_NewStringCopyZ (cx=0x7f9647d09400, s=<value optimized out>) at /scratch/igor/m/tm/js/src/jsapi.cpp:5241
#11 0x00007f966bca3d2e in XPCConvert::NativeData2JS (lccx=..., d=0x7fffc6543fe0, s=0x7fffc65443b0, type=..., iid=0x7f966dbc8820, pErr=0x0) at /scratch/igor/m/tm/js/src/xpconnect/src/xpcconvert.cpp:377
#12 0x00007f966bccc0b3 in XPCConvert::NativeData2JS (this=<value optimized out>, wrapper=<value optimized out>, methodIndex=<value optimized out>, info=0x7f965cab4290, nativeParams=<value optimized out>) at /scratch/igor/m/tm/js/src/xpconnect/src/xpcprivate.h:3203
#13 nsXPCWrappedJSClass::CallMethod (this=<value optimized out>, wrapper=<value optimized out>, methodIndex=<value optimized out>, info=0x7f965cab4290, nativeParams=<value optimized out>) at /scratch/igor/m/tm/js/src/xpconnect/src/xpcwrappedjsclass.cpp:1555
#14 0x00007f966bcc1367 in nsXPCWrappedJS::CallMethod (this=0x7f964b22ac00, methodIndex=6, info=0x7f965cab4290, params=0x7fffc65443b0) at /scratch/igor/m/tm/js/src/xpconnect/src/xpcwrappedjs.cpp:586
#15 0x00007f966c591e00 in PrepareAndDispatch (self=<value optimized out>, methodIndex=<value optimized out>, args=0x7fffc6544530, gpregs=<value optimized out>, fpregs=<value optimized out>) at /scratch/igor/m/tm/xpcom/reflect/xptcall/src/md/unix/xptcstubs_x86_64_linux.cpp:153
#16 0x00007f966c59111b in SharedStub () from /home/igor/b/ff/tmopt/dist/lib/libxul.so
#17 0x00007f966adf619a in imgLoader::GetCacheQueue (key=0x7f964b5ab460, entry=0x7f964b2c1d90) at /scratch/igor/m/tm/modules/libpr0n/src/imgLoader.cpp:808
#18 imgLoader::SetHasNoProxies (key=0x7f964b5ab460, entry=0x7f964b2c1d90) at /scratch/igor/m/tm/modules/libpr0n/src/imgLoader.cpp:1069
#19 0x00007f966ae00eb7 in imgRequest::RemoveProxy (this=0x7f964b3a1830, proxy=0x7f964b2bf8d0, aStatus=0, aNotify=<value optimized out>) at /scratch/igor/m/tm/modules/libpr0n/src/imgRequest.cpp:333
#20 0x00007f966ae06319 in ~imgRequestProxy (this=0x7f964b2bf8d0, __in_chrg=<value optimized out>) at /scratch/igor/m/tm/modules/libpr0n/src/imgRequestProxy.cpp:113
#21 0x00007f966ae04f5e in imgRequestProxy::Release (this=0x7f964b2bf8d0) at /scratch/igor/m/tm/modules/libpr0n/src/imgRequestProxy.cpp:60
#22 0x00007f966b0a0a75 in ~nsCOMPtr (this=0x7f964b2e1060, __in_chrg=<value optimized out>) at ../../dist/include/nsCOMPtr.h:533
#23 ~Image (this=0x7f964b2e1060, __in_chrg=<value optimized out>) at /scratch/igor/m/tm/layout/style/nsCSSValue.cpp:1330
#24 0x00007f966b0a1bc4 in nsCSSValue::Image::Release (this=0x7f964b2c1238) at /scratch/igor/m/tm/layout/style/nsCSSValue.h:511
#25 nsCSSValue::DoReset (this=0x7f964b2c1238) at /scratch/igor/m/tm/layout/style/nsCSSValue.cpp:310
#26 0x00007f966b047326 in nsCSSValue::Reset (this=<value optimized out>, __in_chrg=<value optimized out>) at /scratch/igor/m/tm/layout/style/nsCSSValue.h:401
#27 ~nsCSSValue (this=<value optimized out>, __in_chrg=<value optimized out>) at /scratch/igor/m/tm/layout/style/nsCSSValue.h:230
#28 ~nsCSSCompressedDataBlock (this=<value optimized out>, __in_chrg=<value optimized out>) at /scratch/igor/m/tm/layout/style/nsCSSDataBlock.cpp:307
#29 0x00007f966b04ab64 in ~nsAutoPtr (this=0x7f964b2c11c0, __in_chrg=<value optimized out>) at ../../dist/include/nsAutoPtr.h:104
#30 ~Declaration (this=0x7f964b2c11c0, __in_chrg=<value optimized out>) at /scratch/igor/m/tm/layout/style/Declaration.cpp:76
#31 0x00007f966b13688d in ~StyleRule (this=0x7f964b585e70, __in_chrg=<value optimized out>) at /scratch/igor/m/tm/layout/style/StyleRule.cpp:1287
#32 0x00007f966b08234b in mozilla::css::Rule::Release (this=0x7f964b585e70) at /scratch/igor/m/tm/layout/style/nsCSSRules.cpp:87
#33 0x00007f966b131276 in mozilla::css::StyleRule::Release (this=0x60d8) at /scratch/igor/m/tm/layout/style/StyleRule.cpp:1308
#34 0x00007f966c4ddedf in ReleaseObjects (aElement=0x60d8) at /scratch/igor/build/ff/tmopt/xpcom/build/nsCOMArray.cpp:167
#35 0x00007f966c4e3afd in nsVoidArray::EnumerateForwards (this=0x7fffc6544940, aFunc=0x7f966c4dded0 <ReleaseObjects>, aData=0x0) at /scratch/igor/build/ff/tmopt/xpcom/build/nsVoidArray.cpp:724
#36 0x00007f966c4de845 in nsCOMArray_base::Clear (this=0x7f9650e8a9b0, __in_chrg=<value optimized out>) at /scratch/igor/build/ff/tmopt/xpcom/build/nsCOMArray.cpp:177
#37 ~nsCOMArray_base (this=0x7f9650e8a9b0, __in_chrg=<value optimized out>) at /scratch/igor/build/ff/tmopt/xpcom/build/nsCOMArray.cpp:58
#38 0x00007f966b09a690 in ~nsCOMArray (this=0x7f9650e8a940, __in_chrg=<value optimized out>) at ../../dist/include/nsCOMArray.h:160
#39 ~nsCSSStyleSheetInner (this=0x7f9650e8a940, __in_chrg=<value optimized out>) at /scratch/igor/m/tm/layout/style/nsCSSStyleSheet.cpp:910
#40 0x00007f966b09a883 in nsCSSStyleSheetInner::RemoveSheet (this=0x7f9650e8a940, aSheet=0x7f964b5ae350) at /scratch/igor/m/tm/layout/style/nsCSSStyleSheet.cpp:929
#41 0x00007f966b09ce97 in ~nsCSSStyleSheet (this=0x7f964b5ae350, __in_chrg=<value optimized out>) at /scratch/igor/m/tm/layout/style/nsCSSStyleSheet.cpp:1063
#42 0x00007f966b095f4e in nsCSSStyleSheet::Release (this=0x7f964b5ae350) at /scratch/igor/m/tm/layout/style/nsCSSStyleSheet.cpp:1091
#43 0x00007f966b5c6b2f in ~nsRefPtr (this=0x7f9654e243e0, __in_chrg=<value optimized out>) at ../../../dist/include/nsAutoPtr.h:969
#44 nsTArrayElementTraits<nsRefPtr<nsCSSStyleSheet> >::Destruct (this=0x7f9654e243e0, __in_chrg=<value optimized out>) at ../../../dist/include/nsTArray.h:279
#45 nsTArray<nsRefPtr<nsCSSStyleSheet>, nsTArrayDefaultAllocator>::DestructRange (this=0x7f9654e243e0, __in_chrg=<value optimized out>) at ../../../dist/include/nsTArray.h:1106
#46 nsTArray<nsRefPtr<nsCSSStyleSheet>, nsTArrayDefaultAllocator>::RemoveElementsAt (this=0x7f9654e243e0, __in_chrg=<value optimized out>) at ../../../dist/include/nsTArray.h:834
#47 nsTArray<nsRefPtr<nsCSSStyleSheet>, nsTArrayDefaultAllocator>::Clear (this=0x7f9654e243e0, __in_chrg=<value optimized out>) at ../../../dist/include/nsTArray.h:845
#48 ~nsTArray (this=0x7f9654e243e0, __in_chrg=<value optimized out>) at ../../../dist/include/nsTArray.h:373
#49 ~nsXBLPrototypeResources (this=0x7f9654e243e0, __in_chrg=<value optimized out>) at /scratch/igor/m/tm/content/xbl/src/nsXBLPrototypeResources.cpp:69
#50 0x00007f966b5c2998 in ~nsXBLPrototypeBinding (this=0x7f964b5a4680, __in_chrg=<value optimized out>) at /scratch/igor/m/tm/content/xbl/src/nsXBLPrototypeBinding.cpp:398
#51 0x00007f966b5caf01 in DeletePrototypeBinding (aKey=<value optimized out>, aData=0x7f964b5a4680, aClosure=0x6) at /scratch/igor/m/tm/content/xbl/src/nsXBLDocumentInfo.cpp:552
#52 0x00007f966c50a41a in hashEnumerateRemove (hdr=<value optimized out>, i=<value optimized out>, arg=0xffffffffffffffff) at /scratch/igor/m/tm/xpcom/ds/nsHashtable.cpp:330
#53 0x00007f966c4da248 in PL_DHashTableEnumerate (table=0x7f9650f42910, etor=<value optimized out>, arg=<value optimized out>) at /scratch/igor/build/ff/tmopt/xpcom/build/pldhash.c:754
#54 0x00007f966c50ca84 in nsHashtable::Reset (this=0x7f9650f42900, __in_chrg=<value optimized out>) at /scratch/igor/m/tm/xpcom/ds/nsHashtable.cpp:351
#55 nsObjectHashtable::Reset (this=0x7f9650f42900, __in_chrg=<value optimized out>) at /scratch/igor/m/tm/xpcom/ds/nsHashtable.cpp:775
#56 ~nsObjectHashtable (this=0x7f9650f42900, __in_chrg=<value optimized out>) at /scratch/igor/m/tm/xpcom/ds/nsHashtable.cpp:734
#57 0x00007f966b5cbe1e in ~nsXBLDocumentInfo (this=0x7f964b2e1a60, __in_chrg=<value optimized out>) at /scratch/igor/m/tm/content/xbl/src/nsXBLDocumentInfo.cpp:528
#58 0x00007f966b5cb956 in nsXBLDocumentInfo::Release (this=0x7f964b2e1a60) at /scratch/igor/m/tm/content/xbl/src/nsXBLDocumentInfo.cpp:495
#59 0x00007f966b5b95ea in XBLFinalize (cx=0x7f9647d09400, obj=0x7f964b4c1478) at /scratch/igor/m/tm/content/xbl/src/nsXBLBinding.cpp:119
#60 0x00007f966c90d497 in JSObject::finalize (cx=0x7f9647d09400, listHeadp=<value optimized out>) at /scratch/igor/m/tm/js/src/jsobjinlines.h:141
#61 js::gc::Arena<JSObject_Slots2>::finalize (cx=0x7f9647d09400, listHeadp=<value optimized out>) at /scratch/igor/m/tm/js/src/jsgc.cpp:231
#62 FinalizeArenas<JSObject_Slots2> (cx=0x7f9647d09400, listHeadp=<value optimized out>) at /scratch/igor/m/tm/js/src/jsgc.cpp:278
#63 0x00007f966c90f14f in finalizeNow<JSObject_Slots2> (this=<value optimized out>, cx=0x7f9647d09400) at /scratch/igor/m/tm/js/src/jsgc.cpp:1211
#64 JSCompartment::finalizeObjectArenaLists (this=<value optimized out>, cx=0x7f9647d09400) at /scratch/igor/m/tm/js/src/jsgc.cpp:1999
#65 0x00007f966c913468 in MarkAndSweep (cx=0x7f9647d09400, comp=<value optimized out>, gckind=<value optimized out>) at /scratch/igor/m/tm/js/src/jsgc.cpp:2387
#66 GCCycle (cx=0x7f9647d09400, comp=<value optimized out>, gckind=<value optimized out>) at /scratch/igor/m/tm/js/src/jsgc.cpp:2668
#67 0x00007f966c913e69 in js_GC (cx=0x7f9647d09400, comp=0x0, gckind=GC_NORMAL) at /scratch/igor/m/tm/js/src/jsgc.cpp:2743
#68 0x00007f966bc7ca70 in nsXPConnect::Collect (this=<value optimized out>) at /scratch/igor/m/tm/js/src/xpconnect/src/nsXPConnect.cpp:406
#69 0x00007f966c58aa3d in nsCycleCollector::BeginCollection (this=0x7f965ca2e000, aForceGC=24792, aListener=0x0) at /scratch/igor/m/tm/xpcom/base/nsCycleCollector.cpp:2570
#70 0x00007f966c58adc0 in nsCycleCollector::Collect (this=0x7f965ca2e000, aTryCollections=5, aListener=0x0) at /scratch/igor/m/tm/xpcom/base/nsCycleCollector.cpp:2537
#71 0x00007f966c58b305 in nsCycleCollector::Shutdown () at /scratch/igor/m/tm/xpcom/base/nsCycleCollector.cpp:2785
#72 nsCycleCollector_shutdown () at /scratch/igor/m/tm/xpcom/base/nsCycleCollector.cpp:3465
#73 0x00007f966c4efb04 in mozilla::ShutdownXPCOM (servMgr=0x7f965ca27168) at /scratch/igor/m/tm/xpcom/build/nsXPComInit.cpp:682
#74 0x00007f966ab67466 in ~ScopedXPCOMStartup (this=0x7fffc654d500, __in_chrg=<value optimized out>) at /scratch/igor/m/tm/toolkit/xre/nsAppRunner.cpp:1077
#75 0x00007f966ab6f5d8 in XRE_main (argc=<value optimized out>, argv=<value optimized out>, aAppData=<value optimized out>) at /scratch/igor/m/tm/toolkit/xre/nsAppRunner.cpp:3733
#76 0x0000000000401d2c in main (argc=2, argv=0x7fffc654d908) at /scratch/igor/m/tm/browser/app/nsBrowserApp.cpp:159
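
The guard described in the comment above (the GC thing allocator returning NULL while a collection is running), as an added C illustration that is not Mozilla's code; the toy heap, `heap_alloc`, `heap_sweep` and every other name are hypothetical. Without the guard, a finalizer that allocates leaves a caller holding a cell the sweeper has already freed.

```c
/* Added illustration, not Mozilla code; all names are hypothetical. */
#include <stddef.h>
#define NCELLS 4
typedef struct Cell {
    struct Cell *next_free;            /* free-list link */
    int live;                          /* 1 while allocated */
    void (*finalize)(struct Cell *);   /* run by the sweeper before reuse */
} Cell;
typedef struct Heap {
    Cell cells[NCELLS];
    Cell *free_list;
    int gc_running;    /* set while heap_sweep() is finalizing */
    int guard;         /* 1: allocator refuses during GC; 0: check removed */
    Cell *handed_out;  /* cell given to a caller in the middle of a sweep */
} Heap;
static Heap g_heap;    /* single heap, so the finalizer can reach it */

static void rebuild_free_list(Heap *h) {
    h->free_list = NULL;
    for (int i = NCELLS - 1; i >= 0; i--) {
        if (h->cells[i].live) continue;
        h->cells[i].next_free = h->free_list;
        h->free_list = &h->cells[i];
    }
}

Cell *heap_alloc(Heap *h, void (*fin)(Cell *)) {
    if (h->gc_running && h->guard) return NULL;   /* the release-build check */
    Cell *c = h->free_list;
    if (c == NULL) return NULL;
    h->free_list = c->next_free;
    c->live = 1; c->finalize = fin;
    if (h->gc_running) h->handed_out = c;   /* allocation slipped into the sweep */
    return c;
}

/* Stands in for a finalizer that ends up running script, which allocates. */
static void reentrant_finalizer(Cell *c) { (void)c; heap_alloc(&g_heap, NULL); }

void heap_sweep(Heap *h) {                  /* shutdown GC: nothing is reachable */
    h->gc_running = 1;
    for (int i = 0; i < NCELLS; i++) {
        Cell *c = &h->cells[i];
        if (!c->live) continue;
        if (c->finalize) c->finalize(c);
        c->live = 0;
    }
    rebuild_free_list(h);
    h->gc_running = 0;
}

/* Returns 1 if a caller is left holding a cell the sweeper has already freed. */
int dangling_after_sweep(int guard) {
    g_heap = (Heap){ .guard = guard };
    rebuild_free_list(&g_heap);
    heap_alloc(&g_heap, reentrant_finalizer);
    heap_sweep(&g_heap);
    return g_heap.handed_out != NULL && !g_heap.handed_out->live;
}
```

`dangling_after_sweep(0)` models the regressed fast path and `dangling_after_sweep(1)` the restored check; a debug build would additionally assert on `gc_running` inside the allocator.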
Summary: Crash when using Yandex Bar (http://bar.yandex.ru) [@ arena_dalloc_small | arena_dalloc | free | js::gc::FinalizeArenas<JSString> ] [@ zzz_AsmCodeRange_Begin ] → Yandex Bar (http://bar.yandex.ru) triggers execution of JS code during the cycle collection on shutdown
The cycle collector is invoking the JS GC because the JS GC hasn't run yet.  Waiting 10 to 15 seconds before shutting down should ensure that the shutdown CC won't be the first one, and thus it won't invoke the GC.  I don't know if that will help or not.
(In reply to comment #13)
> The cycle collector is invoking the JS GC because the JS GC hasn't run yet.

The problem is that we are allowing JS code to run when running JS_GC() from a finalizer. This should never happen. But I do not know who to blame here - the buggy extension that violates some rules or an implementation that does not detect and report the bug early. In any case, the CC is just an innocent messenger here.
I also sent a bug report to the yandex.bar developers with a link to this bug.
Just to get it documented, the version I've reproduced the bug with is:
Яндекс.Бар 5.2.3
platform-rel: --- → ?
Whiteboard: [platform-rel-yandex]
I'm gonna close this on the assumption that the current version (8.20.1) doesn't have the bug, given the original report's age and the fact the current version has reviews that don't mention crashes.

If someone is able to still reproduce, please let us know and we can re-open, thanks!
Status: NEW → RESOLVED
Closed: 8 years ago
platform-rel: ? → -
Resolution: --- → WONTFIX