Closed Bug 661873 Opened 15 years ago Closed 14 years ago

Firefox 5.0 Crash Report [@ js::gc::TypedMarker(JSTracer*, JSString*) ]

Categories

(Core :: JavaScript Engine, defect)

5 Branch
x86
Windows 7
defect
Not set
critical

Tracking


RESOLVED WORKSFORME
Tracking Status
firefox5 - wontfix

People

(Reporter: marcia, Assigned: billm)

Details

(Keywords: crash, Whiteboard: [sg:critical?])

Crash Data

Seen while reviewing crash data for Firefox 5 Beta 3. Link to the reports, which all happen with build ID 20110527093235: https://crash-stats.mozilla.com/report/list?signature=js::gc::TypedMarker%28JSTracer*,%20JSString*%29

https://crash-stats.mozilla.com/report/index/4d865001-9389-45e9-a7e4-045942110603

Frame  Module        Signature                        Source
0      mozjs.dll     js::gc::TypedMarker              js/src/jsstr.cpp:194
1      mozjs.dll     js::gc::MarkAtomRange            js/src/jsgcinlines.h:542
2      mozjs.dll     js_TraceScript                   js/src/jsscript.cpp:1516
3      mozjs.dll     fun_trace                        js/src/jsfun.cpp:1979
4      mozjs.dll     js::gc::MarkChildren             js/src/jsgcinlines.h:406
5      mozjs.dll     js::gc::MarkObject               js/src/jsgcinlines.h:336
6      mozjs.dll     fun_trace                        js/src/jsfun.cpp:1965
7      mozjs.dll     js::gc::MarkChildren             js/src/jsgcinlines.h:406
8      mozjs.dll     js::gc::MarkKind                 js/src/jsgcinlines.h:599
9      mozjs.dll     js::gc::MarkObjectSlots          js/src/jsgc.cpp:2653
10     mozjs.dll     js::gc::MarkChildren             js/src/jsgcinlines.h:416
11     mozjs.dll     js::gc::MarkKind                 js/src/jsgcinlines.h:599
12     mozjs.dll     js::gc::MarkObjectSlots          js/src/jsgc.cpp:2653
13     mozjs.dll     js::gc::MarkChildren             js/src/jsgcinlines.h:416
14     mozjs.dll     js::gc::MarkKind                 js/src/jsgcinlines.h:599
15     mozjs.dll     js::gc::MarkObjectSlots          js/src/jsgc.cpp:2653
16     mozjs.dll     js::gc::MarkChildren             js/src/jsgcinlines.h:416
17     mozjs.dll     js::gc::MarkObject               js/src/jsgcinlines.h:336
18     mozjs.dll     js::gc::MarkChildren             js/src/jsgcinlines.h:394
19     mozjs.dll     js::gc::MarkObject               js/src/jsgcinlines.h:336
20     mozjs.dll     js::gc::MarkChildren             js/src/jsgcinlines.h:392
21     mozjs.dll     js::gc::MarkObject               js/src/jsgcinlines.h:336
22     mozjs.dll     js::gc::MarkChildren             js/src/jsgcinlines.h:392
23     mozjs.dll     js::gc::MarkKind                 js/src/jsgcinlines.h:599
24     mozjs.dll     js::gc::MarkObjectSlots          js/src/jsgc.cpp:2653
25     mozjs.dll     js::gc::MarkChildren             js/src/jsgcinlines.h:416
26     mozjs.dll     js::gc::MarkObject               js/src/jsgcinlines.h:336
27     mozjs.dll     js::gc::MarkChildren             js/src/jsgcinlines.h:394
28     mozjs.dll     js::gc::MarkObject               js/src/jsgcinlines.h:336
29     mozjs.dll     JSWrapper::trace                 js/src/jswrapper.cpp:313
30     mozjs.dll     js::proxy_TraceObject            js/src/jsproxy.cpp:965
31     mozjs.dll     js::gc::MarkChildren             js/src/jsgcinlines.h:406
32     mozjs.dll     js::gc::MarkObject               js/src/jsgcinlines.h:336
33     mozjs.dll     js::gc::MarkChildren             js/src/jsgcinlines.h:392
34     mozjs.dll     js::gc::MarkObject               js/src/jsgcinlines.h:336
35     mozjs.dll     js::gc::MarkChildren             js/src/jsgcinlines.h:392
36     mozjs.dll     js::gc::MarkKind                 js/src/jsgcinlines.h:599
37     mozjs.dll     js::gc::MarkObjectSlots          js/src/jsgc.cpp:2653
38     mozjs.dll     js::gc::MarkChildren             js/src/jsgcinlines.h:416
39     mozjs.dll     js::gc::MarkKind                 js/src/jsgcinlines.h:599
40     mozjs.dll     js::gc::MarkObjectSlots          js/src/jsgc.cpp:2653
41     mozjs.dll     js::gc::MarkChildren             js/src/jsgcinlines.h:416
42     mozjs.dll     js::gc::MarkKind                 js/src/jsgcinlines.h:599
43     mozjs.dll     js::gc::MarkObjectSlots          js/src/jsgc.cpp:2653
44     mozjs.dll     js::gc::MarkChildren             js/src/jsgcinlines.h:416
45     mozjs.dll     js::gc::MarkKind                 js/src/jsgcinlines.h:599
46     mozjs.dll     js::gc::MarkObjectSlots          js/src/jsgc.cpp:2653
47     mozjs.dll     js::gc::MarkChildren             js/src/jsgcinlines.h:416
48     mozjs.dll     js::gc::MarkObject               js/src/jsgcinlines.h:336
49     mozjs.dll     js::gc::MarkChildren             js/src/jsgcinlines.h:394
50     mozjs.dll     js::gc::MarkObject               js/src/jsgcinlines.h:336
51     mozjs.dll     js::gc::MarkChildren             js/src/jsgcinlines.h:392
52     mozjs.dll     js::gc::MarkKind                 js/src/jsgcinlines.h:599
53     mozjs.dll     js::gc::MarkValueRange           js/src/jsgcinlines.h:639
54     mozjs.dll     array_trace                      js/src/jsarray.cpp:948
55     mozjs.dll     js::gc::MarkChildren             js/src/jsgcinlines.h:406
56     mozjs.dll     js::gc::MarkKind                 js/src/jsgcinlines.h:599
57     mozjs.dll     js::gc::MarkObjectSlots          js/src/jsgc.cpp:2653
58     mozjs.dll     js::gc::MarkChildren             js/src/jsgcinlines.h:416
59     mozjs.dll     js::gc::MarkKind                 js/src/jsgcinlines.h:599
60     mozjs.dll     js::gc::MarkObjectSlots          js/src/jsgc.cpp:2653
61     mozjs.dll     js::gc::MarkChildren             js/src/jsgcinlines.h:416
62     mozjs.dll     js::gc::MarkObject               js/src/jsgcinlines.h:336
63     mozjs.dll     js::gc::MarkChildren             js/src/jsgcinlines.h:394
64     mozjs.dll     js::gc::MarkObject               js/src/jsgcinlines.h:336
65     mozjs.dll     js::gc::MarkChildren             js/src/jsgcinlines.h:392
66     mozjs.dll     js::gc::MarkKind                 js/src/jsgcinlines.h:599
67     mozjs.dll     js::gc::MarkObjectSlots          js/src/jsgc.cpp:2653
68     mozjs.dll     js::gc::MarkChildren             js/src/jsgcinlines.h:416
69     mozjs.dll     js::gc::MarkKind                 js/src/jsgcinlines.h:599
70     mozjs.dll     js::MarkRuntime                  js/src/jsgc.cpp:1652
71     mozjs.dll     MarkAndSweep                     js/src/jsgc.cpp:2195
72     mozjs.dll     GCUntilDone                      js/src/jsgc.cpp:2555
73     mozjs.dll     js_GC                            js/src/jsgc.cpp:2624
74     mozjs.dll     JS_GC                            js/src/jsapi.cpp:2665
75     xul.dll       nsXPConnect::Collect             js/src/xpconnect/src/nsXPConnect.cpp:405
76     xul.dll       nsXPConnect::GarbageCollect      js/src/xpconnect/src/nsXPConnect.cpp:413
77     xul.dll       GCTimerFired                     dom/base/nsJSEnvironment.cpp:3300
78     xul.dll       nsTimerImpl::Fire                xpcom/threads/nsTimerImpl.cpp:424
79     xul.dll       nsTimerEvent::Run                xpcom/threads/nsTimerImpl.cpp:520
80     xul.dll       nsThread::ProcessNextEvent       xpcom/threads/nsThread.cpp:618
81     xul.dll       TimerThread::RemoveTimer         xpcom/threads/TimerThread.cpp:417
82     xul.dll       MessageLoop::RunInternal         ipc/chromium/src/base/message_loop.cc:219
83     xul.dll       MessageLoop::RunHandler          ipc/chromium/src/base/message_loop.cc:202
84     mozcrt19.dll  _VEC_memzero
85     xul.dll       xul.dll@0x36f37f
86     firefox.exe   firefox.exe@0x1bb7
87     ntdll.dll     WinSqmStartSession
88     ntdll.dll     _RtlUserThreadStart
89     firefox.exe   firefox.exe@0x186f
90     firefox.exe   firefox.exe@0x186f
This is a new crash signature appearing in b3. Not super high volume, but we don't have many users. We probably need to have someone look into it since it's a new regression.
Bill, can you please look into this? Looks like a regression in 5 with high crash volume.
Assignee: general → wmccloskey
Whiteboard: [blocks-fx5b5]
Many of these crashes have the following frames at the top of the stack:

0 mozjs.dll js::gc::TypedMarker js/src/jsstr.cpp:194
1 mozjs.dll js::gc::MarkAtomRange js/src/jsgcinlines.h:542
2 mozjs.dll js_TraceScript js/src/jsscript.cpp:1516
3 mozjs.dll fun_trace js/src/jsfun.cpp:1979

This sort of suggests that we have a function object that points to a script whose memory has been freed. While trying to trace the script's child pointers, we end up crashing on invalid data. This isn't so unlikely, since the invariants for script lifetimes are more complicated than for other objects. However, I've looked over all the code that deals with script creation and destruction. Nothing really jumps out at me as being wrong. We could try to land some diagnostic patches to see if an invalid script is really the problem. However, I'm not optimistic that it would yield useful information, and I suspect that it's too late in the game for that anyway.
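The comment above describes the suspected failure mode (a function object still pointing at a script whose memory was freed, so the mark phase dereferences garbage) and the kind of diagnostic patch that could confirm it. The following is an added illustration, not SpiderMonkey code and not anything from this bug: a toy mark phase over function objects and scripts, where freeing a script writes a poison value into its header and the tracer checks for a magic value before following child pointers. A dangling script is then counted and reported rather than traced. All names (Script, FunObject, Tracer, fun_trace, trace_script, mark_functions, SCRIPT_MAGIC, SCRIPT_POISON) are hypothetical and the scenarios are constructed.

```c
/* Added example (hypothetical names, not SpiderMonkey code): a minimal mark
 * phase with a poison-on-free diagnostic for dangling script pointers. */
#include <stdint.h>
#include <stdio.h>
#include <stdlib.h>

#define SCRIPT_MAGIC  0x5c717074u  /* constructed sentinel: script is alive */
#define SCRIPT_POISON 0xdeadbeefu  /* constructed sentinel: script was freed */
#define MAX_ATOMS 4

typedef struct Script {
    uint32_t magic;               /* SCRIPT_MAGIC while alive, SCRIPT_POISON after release */
    unsigned marked;
    unsigned natoms;
    const char *atoms[MAX_ATOMS]; /* child pointers the mark phase would trace */
} Script;

typedef struct FunObject {
    unsigned marked;
    Script *script;               /* may dangle if the script is released first */
} FunObject;

typedef struct Tracer {
    unsigned atoms_marked;        /* children successfully traced */
    unsigned bad_scripts;         /* function objects whose script failed the check */
} Tracer;

/* Release a script. The storage itself is left in place (arena-style), which
 * is what makes the poisoned header detectable on a later trace. */
static void script_release(Script *s)
{
    s->magic = SCRIPT_POISON;
    s->natoms = 0;
}

static int script_is_valid(const Script *s)
{
    return s != NULL && s->magic == SCRIPT_MAGIC;
}

/* Stand-in for tracing a script's atoms; on freed memory this is the step
 * that would read garbage. */
static void trace_script(Tracer *trc, Script *s)
{
    s->marked = 1;
    for (unsigned i = 0; i < s->natoms; i++)
        if (s->atoms[i] != NULL)
            trc->atoms_marked++;
}

/* Stand-in for the function object's trace hook: validate the child pointer
 * before dereferencing it, and record a diagnostic instead of crashing. */
static void fun_trace(Tracer *trc, FunObject *fun)
{
    fun->marked = 1;
    if (!script_is_valid(fun->script)) {
        trc->bad_scripts++;
        return;
    }
    trace_script(trc, fun->script);
}

/* Mark every root; returns how many dangling scripts were reported. */
unsigned mark_functions(Tracer *trc, FunObject **roots, size_t n)
{
    for (size_t i = 0; i < n; i++)
        fun_trace(trc, roots[i]);
    return trc->bad_scripts;
}

/* Constructed scenario: the script is released while two function objects
 * still reference it. Returns the number of dangling references detected. */
unsigned scenario_dangling_script(void)
{
    Script s = { SCRIPT_MAGIC, 0, 2, { "foo", "bar", NULL, NULL } };
    FunObject f1 = { 0, &s }, f2 = { 0, &s };
    FunObject *roots[] = { &f1, &f2 };
    Tracer trc = { 0, 0 };
    script_release(&s);
    return mark_functions(&trc, roots, 2);
}

/* Constructed scenario: script alive, two atoms traced. Returns atoms marked. */
unsigned scenario_healthy(void)
{
    Script s = { SCRIPT_MAGIC, 0, 2, { "foo", "bar", NULL, NULL } };
    FunObject f1 = { 0, &s };
    FunObject *roots[] = { &f1 };
    Tracer trc = { 0, 0 };
    mark_functions(&trc, roots, 1);
    return trc.atoms_marked;
}

int main(void)
{
    printf("dangling scripts reported: %u\n", scenario_dangling_script());
    printf("atoms marked (healthy):    %u\n", scenario_healthy());
    return 0;
}
```

The check only works while the poisoned memory has not been reused, which is the caveat in the comment above: in a real allocator the freed script's storage may be handed out again before the next GC, so a sentinel check can miss the case or misattribute it, and a diagnostic like this mainly helps when paired with delayed reuse of freed cells.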
Marcia, can we get URLs to try to reproduce?
I asked chofmann to run the report, but in the meantime I manually checked some of the URLs and was not able to reproduce. My guess is this will not be easy to reproduce since some of the sites were behind logins.
Group: core-security
(In reply to comment #3)
> This sort of suggests that we have a function object that points to a script
> whose memory has been freed. While trying to trace the script's child
> pointers, we end up crashing on invalid data.

Assuming the worst from a security PoV.
Whiteboard: [blocks-fx5b5] → [sg:critical?][blocks-fx5b5]
Whiteboard: [sg:critical?][blocks-fx5b5] → [sg:critical?]
No real pattern or consistency in the URLs:

2 https://www.facebook.com/login.php?login_attempt=1
2 http://www.facebook.com/
many http://www.facebook.com/ajax/profile/navigation.php?id=....
http://www.facebook.com/ajax/pagelet/generic.php/pagelet/home/morestories.php?__a=3&ajaxpipe=1&data=...
http://0.214.channel.facebook.com/iframe/11?r=http%3A%2F%2Fstatic.ak.fbcdn.net%2Frsrc.php
and a variety of Facebook-related URLs
2 http://www.orkut.com.br/Home?rl=t
1 http://x.oanda.com/delivery/afr.php?zoneid=641&cb=83742075118
1 http://www.youtube.com/watch?v=w9wynNrvOBo
1 http://www.yessy.com/GlassArt/index.html?i=13492
1 http://www.xanga.com/cms/quickviewer.aspx?user=hkblog&viewscheduler=88418
1 http://www.weather.com.cn/html/weather/101280101.shtml
1 http://www.videoniz.com/myindex1.php
1 http://www.studioodjgordinho.blogspot.com/
1 http://www.stanki-korvet.ru/katalog/Makita/akshurupovert-makita
1 http://www.sodicas.org/como-colocar-musica-no-perfil-do-orkut-que-tocam-automaticas
1 http://www.rtiindia.org/forum/24751-mobile-number-address-locator.html
1 http://www.planujemywesele.pl/katalog/7/kategoria/zespol-weselny
1 http://www.onlinefootballmanager.co.uk/specialists.asp
1 http://www.nva-korenevo.ru/images/tables/vnk_gab.htm
1 http://www.musiqbuzz.com/
1 http://www.motesplatsen.se/pages/new_members.aspx
1 http://www.minecraftforum.net/viewtopic.php?t=15921
1 http://www.maidmarian.com/sherwood.htm
1 http://www.indiaonapage.com/mobilenumbertrace
1 http://www.impressum-generator.de/generator/forms/5_behoerdlichezulassung.html
1 http://www.google.fr/
1 http://schuelervz.net/
1 http://registration.sifyitest.com/sbipomay11/reg_photo.php?regno_success=MzQyMjYwMA==
1 http://rd.hirkereso.hu/rd/11300974?url=http://nol.hu/kulfold/elrabolt_gyerekeket_nevelt_a_mediamagnas__
1 http://radioaopotencia.com/
Crash Signature: [@ js::gc::TypedMarker(JSTracer*, JSString*) ]
270 crashes in the last week on 5.0. Haven't had any luck with any of the URLs in Comment 7.
Now that we have more volume on 5.0, this has 1194 crashes in the last week on 5.0. No correlations that are helpful.
Crash Signature: [@ js::gc::TypedMarker(JSTracer*, JSString*) ] → [@ js::gc::TypedMarker(JSTracer*, JSString*) ] [@ js::gc::TypedMarker ]
Bill, seems like this is *not* showing up on 6 and 7 (trunk), do you think that's because this got fixed, or because of a signature change that would mean this crash is still happening, but shows up under a different signature in crash-stats?
This code is no longer present, so that's why it's not showing up on crash-stats. It's been subsumed by other code, mostly js::gc::ScanShape (which I believe we do still crash on). So I'm pretty sure that nothing got fixed.
Since we have other bugs covering the GC crash issues and this stack no longer shows up we don't really need this bug anymore.
Status: NEW → RESOLVED
Closed: 14 years ago
Resolution: --- → WORKSFORME
Group: core-security → core-security-release
Group: core-security-release