Closed Bug 673925 Opened 14 years ago Closed 9 years ago

Firefox 5.0 Crash Report [@ js::Shape::finalize(JSContext*) ]

Categories: Core :: JavaScript Engine, defect
Version: 5 Branch
Hardware: x86, Windows XP
Type: defect
Priority: Not set
Severity: critical
Status: RESOLVED WORKSFORME
People: Reporter: cbook; Unassigned
Keywords: crash; Whiteboard: [tbird crash]

Found this crash while checking crash-stats: Firefox 5.0 Crash Report [@ js::Shape::finalize(JSContext*) ] -> https://crash-stats.mozilla.com/report/list?version=Firefox%3A5.0&query_search=signature&query_type=contains&reason_type=contains&range_value=28&range_unit=days&hang_type=any&process_type=any&signature=js%3A%3AShape%3A%3Afinalize%28JSContext%2A%29
Example crash report: https://crash-stats.mozilla.com/report/index/dd81a168-80c5-4724-8057-214782110725
One crash mentioned www.facebook.com/cafeworld.

Crashing Thread
Frame  Module     Signature                      Source
0      mozjs.dll  js::Shape::finalize            js/src/jspropertytree.cpp:339
1      mozjs.dll  FinalizeArenaList<js::Shape>   js/src/jsgc.cpp:1844
2      mozjs.dll  MarkAndSweep                   js/src/jsgc.cpp:2298
3      mozjs.dll  GCUntilDone                    js/src/jsgc.cpp:2555
4      mozjs.dll  js::MaybeGC                    js/src/jsgc.cpp:1764
This is the code:

Shape::finalize(JSContext *cx)
{
    if (!inDictionary()) {
        if (parent && parent->isMarked())    // crash here
            parent->removeChild(this);

Given bug 673760, I was worried that we might be freeing the chunk that parent lives in before we get here. However, it looks like we never free chunks until after MarkAndSweep finishes (since that's when background sweeping starts). So we should be okay accessing the mark bitmap, even if parent has already been swept. I'm cc'ing Gregor and Igor to make sure this makes sense, since I haven't dealt with the background sweeping code much.

Looking at the crash addresses, a lot of them look pretty bogus. 0xfb00 seems to be a really common one. This kinda suggests that the parent pointer is getting corrupted somewhere. If that's the case, we don't have much chance of fixing this without a reproducible test case.
Crash Signature: js::Shape::finalize(JSContext*) → [@ js::Shape::finalize(JSContext*) ]
Crash Signature: [@ js::Shape::finalize(JSContext*) ] → [@ js::Shape::finalize(JSContext*) ] [@ js::Shape::finalize ]
Assignee: general → nobody
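The ordering argument in the comment above (mark bits stay readable during the sweep because the chunk is only released after MarkAndSweep finishes, so a finalizer may safely test the mark bit of a parent that was already swept), modelled as an added C example; this is constructed here and is not SpiderMonkey code. The `points_into_chunk` range check on the parent pointer is an assumed sanity check, not something the real finalizer does; it only illustrates how a stray value like 0xfb00 would be caught before being dereferenced.

```c
#include <assert.h>
#include <stdbool.h>
#include <stdint.h>
#include <string.h>

#define CHUNK_SLOTS 8

/* Constructed model (not SpiderMonkey code): shapes live in a chunk that carries a
   mark bitmap; the sweep finalizes unmarked shapes in slot order, and the chunk
   (bitmap included) is released only after the whole sweep, so a finalizer can
   still read the mark bit of a parent that was swept earlier in the same pass. */
typedef struct Shape { struct Shape *parent; int children; bool live; } Shape;
typedef struct Chunk { Shape slots[CHUNK_SLOTS]; uint8_t markbits; bool released; } Chunk;

/* Assumed check: is p a slot of a chunk we still own?  A stray address such as
   0xfb00 fails here instead of being dereferenced. */
static bool points_into_chunk(const Chunk *c, const Shape *p) {
    uintptr_t a = (uintptr_t)p, lo = (uintptr_t)c->slots;
    uintptr_t hi = (uintptr_t)(c->slots + CHUNK_SLOTS);
    return !c->released && a >= lo && a < hi && (a - lo) % sizeof(Shape) == 0;
}

static bool is_marked(const Chunk *c, const Shape *s) {
    assert(!c->released);                 /* mark bits must outlive the sweep */
    return (c->markbits >> (s - c->slots)) & 1;
}

/* Sweep one chunk: the analogue of FinalizeArenaList<js::Shape> calling Shape::finalize. */
static int sweep_chunk(Chunk *c) {
    int finalized = 0;
    for (int i = 0; i < CHUNK_SLOTS; i++) {
        Shape *s = &c->slots[i];
        if (!s->live || is_marked(c, s)) continue;
        /* parent may already have been finalized this pass; its mark bit is still readable */
        if (points_into_chunk(c, s->parent) && is_marked(c, s->parent))
            s->parent->children--;        /* parent->removeChild(this) */
        s->live = false;
        finalized++;
    }
    c->released = true;                   /* chunk is freed only after the whole sweep */
    return finalized;
}

/* Constructed tree: slot0 root (marked) -> slot1 (unmarked) -> slot2 (unmarked);
   slot3 is a second, marked child of the root.  Returns the number finalized. */
static int build_and_sweep(Chunk *c) {
    memset(c, 0, sizeof *c);
    Shape *s = c->slots;
    s[0].live = true; s[0].children = 2;
    s[1].live = true; s[1].parent = &s[0]; s[1].children = 1;
    s[2].live = true; s[2].parent = &s[1];
    s[3].live = true; s[3].parent = &s[0];
    c->markbits = (1u << 0) | (1u << 3);
    return sweep_chunk(c);
}
```

Slot 2's parent (slot 1) has already been finalized when slot 2 is swept, yet its mark bit still reads as clear, so no removeChild happens and nothing dead is touched.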
In the past month, pretty much no Firefox crashes newer than version 13: https://crash-stats.mozilla.com/report/list?range_unit=days&range_value=28&signature=js%3A%3AShape%3A%3Afinalize#tab-reports
No Thunderbird crashes newer than version 17.
Status: NEW → RESOLVED
Closed: 9 years ago
Resolution: --- → WORKSFORME
Whiteboard: [tbird crash]