Closed Bug 661366 Opened 14 years ago Closed 11 years ago

Firefox 7.0a1 Crash [@ js::gc::ScanObject ]

Categories

(Core :: JavaScript: GC, defect)

x86
Windows XP
defect
Not set
critical

Tracking


RESOLVED WORKSFORME
Tracking Status
firefox5 - wontfix
firefox6 - wontfix
firefox7 - wontfix
firefox8 - wontfix
firefox9 - wontfix
firefox10 - wontfix
firefox11 - wontfix
status1.9.2 --- unaffected

People

(Reporter: marcia, Unassigned)

Details

(Keywords: crash, sec-moderate, Whiteboard: [sg:moderate])

Crash Data

Seen while reviewing trunk crash stats. https://crash-stats.mozilla.com/report/list?signature=js::gc::ScanObject links to the crashes so far, which are all Windows and low volume. Crashes started showing up in crash stats using 2011052700 https://crash-stats.mozilla.com/report/index/75f48738-6fea-4ac1-96c5-dec9f2110601

Possible pushlog regression range: http://hg.mozilla.org/mozilla-central/pushloghtml?fromchange=831f8e040f38&tochange=0cf4fa02c0f2

Frame  Module     Signature                          Source
0                 @0x650064
1      mozjs.dll  js::gc::ScanObject                 js/src/jsgcmark.cpp:560
2      mozjs.dll  js::GCMarker::drainMarkStack       js/src/jsgcmark.cpp:725
3      xul.dll    XPCJSRuntime::TraceJS              js/src/xpconnect/src/xpcjsruntime.cpp:380
4      mozjs.dll  js::MarkRuntime                    js/src/jsgc.cpp:1882
5      mozjs.dll  MarkAndSweep                       js/src/jsgc.cpp:2318
6      mozjs.dll  GCCycle                            js/src/jsgc.cpp:2673
7      mozjs.dll  js_GC                              js/src/jsgc.cpp:2736
8      mozjs.dll  JS_FreeArenaPool                   js/src/jsarena.cpp:347
9      xul.dll    nsXPConnect::Collect               js/src/xpconnect/src/nsXPConnect.cpp:406
10     xul.dll    nsXPConnect::GarbageCollect        js/src/xpconnect/src/nsXPConnect.cpp:414
11     xul.dll    GCTimerFired                       dom/base/nsJSEnvironment.cpp:3302
12     xul.dll    nsTimerImpl::Fire                  xpcom/threads/nsTimerImpl.cpp:424
13     xul.dll    nsTimerEvent::Run                  xpcom/threads/nsTimerImpl.cpp:520
14     xul.dll    nsThread::ProcessNextEvent         xpcom/threads/nsThread.cpp:618
15     xul.dll    mozilla::ipc::MessagePump::Run     ipc/glue/MessagePump.cpp:134
16     xul.dll    xul.dll@0xb6561f
17     xul.dll    MessageLoop::RunHandler            ipc/chromium/src/base/message_loop.cc:202
18     xul.dll    xul.dll@0x37092f
19     xul.dll    MessageLoop::Run                   ipc/chromium/src/base/message_loop.cc:176
20     xul.dll    imgLoader::LoadImage               modules/libpr0n/src/imgLoader.cpp:1718
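The frame list above is the raw material behind the later discussion about signatures drifting with inlining: crash-stats names a crash after the first frame that carries a real symbol, so when frame 0 is a bare address the signature falls to frame 1, and any change in which GC helper gets inlined moves it again. The following parser is an added example, not code from this bug or from Mozilla's crash-stats (Socorro); it uses the simplified rule "signature = first symbolized frame" (the real service also applies skip lists) and a constructed sample built from the frames quoted in the report.

```python
"""Parse a crash-stats style frame list and derive the crash signature.

Added example, not Mozilla/Socorro code. Assumes the simplified rule that the
signature is the first frame with a symbolic name.
"""
import re
from dataclasses import dataclass
from typing import List, Optional

# Constructed sample: the 21 frames quoted in the bug report, one per line.
SAMPLE_FRAMES = """\
0 @0x650064
1 mozjs.dll js::gc::ScanObject js/src/jsgcmark.cpp:560
2 mozjs.dll js::GCMarker::drainMarkStack js/src/jsgcmark.cpp:725
3 xul.dll XPCJSRuntime::TraceJS js/src/xpconnect/src/xpcjsruntime.cpp:380
4 mozjs.dll js::MarkRuntime js/src/jsgc.cpp:1882
5 mozjs.dll MarkAndSweep js/src/jsgc.cpp:2318
6 mozjs.dll GCCycle js/src/jsgc.cpp:2673
7 mozjs.dll js_GC js/src/jsgc.cpp:2736
8 mozjs.dll JS_FreeArenaPool js/src/jsarena.cpp:347
9 xul.dll nsXPConnect::Collect js/src/xpconnect/src/nsXPConnect.cpp:406
10 xul.dll nsXPConnect::GarbageCollect js/src/xpconnect/src/nsXPConnect.cpp:414
11 xul.dll GCTimerFired dom/base/nsJSEnvironment.cpp:3302
12 xul.dll nsTimerImpl::Fire xpcom/threads/nsTimerImpl.cpp:424
13 xul.dll nsTimerEvent::Run xpcom/threads/nsTimerImpl.cpp:520
14 xul.dll nsThread::ProcessNextEvent xpcom/threads/nsThread.cpp:618
15 xul.dll mozilla::ipc::MessagePump::Run ipc/glue/MessagePump.cpp:134
16 xul.dll xul.dll@0xb6561f
17 xul.dll MessageLoop::RunHandler ipc/chromium/src/base/message_loop.cc:202
18 xul.dll xul.dll@0x37092f
19 xul.dll MessageLoop::Run ipc/chromium/src/base/message_loop.cc:176
20 xul.dll imgLoader::LoadImage modules/libpr0n/src/imgLoader.cpp:1718
"""

# "path/file.cpp:123" style source locations.
SOURCE_RE = re.compile(r"^\S+\.(?:cpp|cc|c|h|hpp):\d+$")
# Raw addresses: either "@0x..." alone or "module@0x..." (no symbol resolved).
RAW_ADDR_RE = re.compile(r"^(?:\S+)?@0x[0-9a-fA-F]+$")


@dataclass
class Frame:
    index: int
    module: Optional[str]   # None when the PC was outside any known module
    symbol: str             # function name, or a raw address token
    source: Optional[str]   # "file:line" when debug info was available

    @property
    def symbolized(self) -> bool:
        """True when the frame names a function rather than a raw address."""
        return not RAW_ADDR_RE.match(self.symbol)


def parse_frame(line: str) -> Frame:
    """Parse one frame line: '<n> [module] <symbol> [file:line]'."""
    parts = line.split()
    index = int(parts[0])
    rest = parts[1:]
    source = rest.pop() if rest and SOURCE_RE.match(rest[-1]) else None
    # A lone "@0x..." token means the PC was not inside any loaded module.
    if len(rest) == 1 and rest[0].startswith("@"):
        return Frame(index, None, rest[0], source)
    module = rest[0]
    symbol = " ".join(rest[1:]) if len(rest) > 1 else ""
    return Frame(index, module, symbol, source)


def parse_frames(text: str) -> List[Frame]:
    return [parse_frame(ln) for ln in text.splitlines() if ln.strip()]


def crash_signature(frames: List[Frame]) -> Optional[str]:
    """Simplified crash-stats rule: the first symbolized frame names the crash."""
    for frame in frames:
        if frame.symbolized and frame.symbol:
            return frame.symbol
    return None


def unsymbolized_frames(frames: List[Frame]) -> List[int]:
    """Indices of frames that resolved to no symbol (useful triage flag)."""
    return [f.index for f in frames if not f.symbolized]


if __name__ == "__main__":
    frames = parse_frames(SAMPLE_FRAMES)
    print("signature:", crash_signature(frames))
    print("unsymbolized frames:", unsymbolized_frames(frames))
```

On the sample this reports `js::gc::ScanObject` as the signature and frames 0, 16 and 18 as unsymbolized; the unsymbolized frame 0 is why the signature sits one frame down the stack, and why a different inlining decision in the GC marking code would rename the bucket without changing the underlying crash.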
Summary: Firefox 7.0a1 Crash [@ js::gc::ScanObject ] → Firefox 7.0a1 Crash [@ js::gc::ScanObject ]
This range includes this one as the only change to JS itself that I spot right away: http://hg.mozilla.org/mozilla-central/rev/7d2a3d61a377 "Bug 605033 diagnostic: disable PGO for JS" That one was supposed to fix crashes, but maybe (wild guess) it just shifted the signatures to something else. Of course, it's entirely possible that something else is responsible here.
I looked at a few of these crashes. At a glance, they appear to be the same JS GC crashes that we've been getting forever. The signature just keeps changing due to code churn and different inlining strategies.
Bill, "different inlining strategies" sounds to me like it very potentially was the "turn off PGO" patch that might have caused that to come up, is that a valid interpretation? We shouldn't shoot too fast and first see what 5.0b3 with the same patch will show us, but if it might have only shifted crashes to different signatures and not fixed them, it might not have been worth doing, so we need to keep an eye on those.
Yes, I meant to agree that turning off PGO is probably what caused the signature change. However, that doesn't mean that turning off PGO wasn't a real fix for bug 605033. In that bug, Dave found very clear evidence that turning off PGO fixes a crash.
(In reply to comment #4)
> In that bug, Dave found very clear evidence that
> turning off PGO fixes a crash.

Yes, that's why I said we first need to see what 5.0b3 will show us. As turning off PGO has a significant speed cost, we'll be weighing stability vs. performance there, so every piece of info playing into this needs to be kept in mind.
Crash Signature: [@ js::gc::ScanObject ]
similar to bug 661873; variant, dupe, unrelated?
Group: core-security
Keywords: testcase-wanted
Whiteboard: [sg:critical?]
We are going to track this from a stability point of view for FF6 but not a security point of view. Once we have 6.0b2, we can verify this signature disappears or is reduced.
Whiteboard: [sg:critical?] → [sg:critical?] [waiting on 6b2 numbers]
321 crashes in the last week with the B2 build ID.
My brother saw this crash today on his updated 6 beta build: http://crash-stats.mozilla.com/report/index/bp-65892512-9e4f-47d3-9356-f9fdd2110727
Whiteboard: [sg:critical?] [waiting on 6b2 numbers] → [sg:critical?]
This specific bug is not something that's directly being worked on, but it's part of a larger set of GC problems that *is* being worked on by Bill, so assigning this to him to have an owner here. But given the nature of this problem and the lack of ease of exploitability we won't be tracking this for 7.
Assignee: general → wmccloskey
I'm taking this off the tracking list because these GC bugs just clutter things up.
Whiteboard: [sg:critical?] → [sg:moderate]
Assignee: wmccloskey → general
Group: javascript-core-security
Group: javascript-core-security
Assignee: general → nobody
Hiding a random GC crash and marking it sec-moderate isn't too useful. Also, from crash stats, the most recent crash I see with this signature is Firefox 10, though that's likely due to functions being renamed.
Group: core-security
Status: NEW → RESOLVED
Closed: 11 years ago
Resolution: --- → WORKSFORME
Component: JavaScript Engine → JavaScript: GC