Closed
Bug 661366
Opened 14 years ago
Closed 11 years ago
Firefox 7.0a1 Crash [@ js::gc::ScanObject ]
Categories
(Core :: JavaScript: GC, defect)
People
(Reporter: marcia, Unassigned)
Details
(Keywords: crash, sec-moderate, Whiteboard: [sg:moderate])
Description
Seen while reviewing trunk crash stats. https://crash-stats.mozilla.com/report/list?signature=js::gc::ScanObject lists the crashes, which are all Windows and low volume. Crashes started showing up in crash stats using 2011052700
https://crash-stats.mozilla.com/report/index/75f48738-6fea-4ac1-96c5-dec9f2110601
Possible pushlog regression range: http://hg.mozilla.org/mozilla-central/pushloghtml?fromchange=831f8e040f38&tochange=0cf4fa02c0f2
Frame Module Signature Source
0 @0x650064
1 mozjs.dll js::gc::ScanObject js/src/jsgcmark.cpp:560
2 mozjs.dll js::GCMarker::drainMarkStack js/src/jsgcmark.cpp:725
3 xul.dll XPCJSRuntime::TraceJS js/src/xpconnect/src/xpcjsruntime.cpp:380
4 mozjs.dll js::MarkRuntime js/src/jsgc.cpp:1882
5 mozjs.dll MarkAndSweep js/src/jsgc.cpp:2318
6 mozjs.dll GCCycle js/src/jsgc.cpp:2673
7 mozjs.dll js_GC js/src/jsgc.cpp:2736
8 mozjs.dll JS_FreeArenaPool js/src/jsarena.cpp:347
9 xul.dll nsXPConnect::Collect js/src/xpconnect/src/nsXPConnect.cpp:406
10 xul.dll nsXPConnect::GarbageCollect js/src/xpconnect/src/nsXPConnect.cpp:414
11 xul.dll GCTimerFired dom/base/nsJSEnvironment.cpp:3302
12 xul.dll nsTimerImpl::Fire xpcom/threads/nsTimerImpl.cpp:424
13 xul.dll nsTimerEvent::Run xpcom/threads/nsTimerImpl.cpp:520
14 xul.dll nsThread::ProcessNextEvent xpcom/threads/nsThread.cpp:618
15 xul.dll mozilla::ipc::MessagePump::Run ipc/glue/MessagePump.cpp:134
16 xul.dll xul.dll@0xb6561f
17 xul.dll MessageLoop::RunHandler ipc/chromium/src/base/message_loop.cc:202
18 xul.dll xul.dll@0x37092f
19 xul.dll MessageLoop::Run ipc/chromium/src/base/message_loop.cc:176
20 xul.dll imgLoader::LoadImage modules/libpr0n/src/imgLoader.cpp:1718
Reporter
Updated•14 years ago
Summary: Firefox 7.0a1 Crash [@ js::gc::ScanObject ] Search Mozilla Support for Help → Firefox 7.0a1 Crash [@ js::gc::ScanObject ]
Comment 1•14 years ago
This range includes this one as the only change to JS itself that I spot right away:
http://hg.mozilla.org/mozilla-central/rev/7d2a3d61a377 "Bug 605033 diagnostic: disable PGO for JS"
That one was supposed to fix crashes, but maybe (wild guess) it just shifted the signatures to something else. Of course, it's entirely possible that something else is responsible here.
Comment 2•14 years ago
I looked at a few of these crashes. At a glance, they appear to be the same JS GC crashes that we've been getting forever. The signature just keeps changing due to code churn and different inlining strategies.
Comment 3•14 years ago
Bill, "different inlining strategies" sounds to me like it very potentially was the "turn off PGO" patch that might have caused that to come up; is that a valid interpretation? We shouldn't shoot too fast and should first see what 5.0b3 with the same patch will show us, but if it might have only shifted crashes to different signatures and not fixed them, it might not have been worth doing, so we need to keep an eye on those.
Comment 4•14 years ago
Yes, I meant to agree that turning off PGO is probably what caused the signature change. However, that doesn't mean that turning off PGO wasn't a real fix for bug 605033. In that bug, Dave found very clear evidence that turning off PGO fixes a crash.
Comment 5•14 years ago
(In reply to comment #4)
> In that bug, Dave found very clear evidence that
> turning off PGO fixes a crash.
Yes, that's why I said we first need to see what 5.0b3 will show us. As turning off PGO has a significant speed cost, we'll be weighing stability vs. performance there, so every piece of info playing into this needs to be kept in mind.
Assignee
Updated•14 years ago
Crash Signature: [@ js::gc::ScanObject ]
Comment 6•14 years ago
similar to bug 661873; variant, dupe, unrelated?
Comment 7•14 years ago
We are going to track this from a stability point of view for FF6 but not a security point of view. Once we have 6.0b2, we can verify this signature disappears or is reduced.
tracking-firefox6: --- → +
Updated•14 years ago
Whiteboard: [sg:critical?] → [sg:critical?] [waiting on 6b2 numbers]
Updated•14 years ago
status-firefox5: --- → wontfix
status-firefox6: --- → wontfix
status-firefox7: --- → affected
status-firefox8: --- → affected
tracking-firefox5: --- → -
tracking-firefox7: --- → +
tracking-firefox8: --- → +
Reporter
Comment 8•14 years ago
321 crashes in the last week with the B2 build ID.
Comment 9•14 years ago
My brother saw this crash today on his updated 6 beta build:
http://crash-stats.mozilla.com/report/index/bp-65892512-9e4f-47d3-9356-f9fdd2110727
Reporter
Updated•14 years ago
Whiteboard: [sg:critical?] [waiting on 6b2 numbers] → [sg:critical?]
Comment 10•14 years ago
This specific bug is not something that's directly being worked on, but it's part of a larger set of GC problems that *is* being worked on by Bill, so assigning this to him to have an owner here. But given the nature of this problem and the lack of ease of exploitability we won't be tracking this for 7.
Comment 11•14 years ago
I'm taking this off the tracking list because these GC bugs just clutter things up.
Updated•14 years ago
status-firefox10: --- → affected
status-firefox11: --- → affected
tracking-firefox10: --- → -
tracking-firefox11: --- → -
Updated•14 years ago
status1.9.2: --- → unaffected
Whiteboard: [sg:critical?] → [sg:moderate]
Assignee: wmccloskey → general
Updated•13 years ago
Keywords: sec-moderate
Updated•12 years ago
Group: javascript-core-security
Updated•11 years ago
Group: javascript-core-security
Assignee
Updated•11 years ago
Assignee: general → nobody
Comment 12•11 years ago
Hiding a random GC crash and marking it sec-moderate isn't too useful. Also, from crash stats, the most recent crash I see with this signature is Firefox 10, though that's likely due to functions being renamed.
Group: core-security
Status: NEW → RESOLVED
Closed: 11 years ago
Resolution: --- → WORKSFORME
Updated•11 years ago
Component: JavaScript Engine → JavaScript: GC
Updated•10 years ago
Keywords: testcase-wanted