Closed Bug 682594 Opened 14 years ago Closed 7 years ago

Crash [@ CellCallback ], segfault sometimes at address 0x10000

Component: Core :: JavaScript Engine
Type: defect
Platform: x86_64, Linux
Priority: Not set
Severity: critical
Status: RESOLVED WONTFIX
Reporter: bjacob
Assignee: Unassigned
Keywords: crash

I was just looking at the list of top crashers on Linux for Firefox 9.0a1. This one is ranking 19th.

https://crash-stats.mozilla.com/report/list?product=Firefox&version=Firefox%3A9.0a1&platform=linux&query_search=signature&query_type=contains&reason_type=contains&date=&range_value=1&range_unit=weeks&hang_type=any&process_type=any&do_query=1&signature=CellCallback

Crash links:
https://crash-stats.mozilla.com/report/index/2cc025a5-2a3b-4af1-b4c6-4863e2110825
https://crash-stats.mozilla.com/report/index/f7732386-f89c-43d9-84a1-b7d432110821
https://crash-stats.mozilla.com/report/index/4e3040cc-ae21-42c5-b44e-282632110820

These 3 crashes are at addresses 0x7fb239f00040, 0x10000, 0x10006 respectively.

The first one is crashing at js/src/xpconnect/src/xpcjsruntime.cpp:1378
The second and third ones are crashing at js/src/jsscope.h:249

Do we have 2 separate bugs here?
Severity: normal → critical
Keywords: crash, topcrash
https://crash-stats.mozilla.com/report/list?range_value=4&range_unit=weeks&signature=CellCallback implies this signature is also present on Aurora and also on Mac.

(In reply to Benoit Jacob [:bjacob] from comment #0)
> Do we have 2 separate bugs here?

Possibly - do we have two functions named the same here? Same pattern or different?
I don't know, we need a JS engine developer to decide on that.
CellCallback is surely around but very low volume, so let's take it off the topcrash list.
Keywords: topcrash
> Do we have 2 separate bugs here?

Probably not. The code in question is the JS memory reporter, which crawls over the entire GC heap measuring pretty much every live thing on the GC heap and lots of stuff they point to. Any kind of GC heap corruption is quite likely to trigger a crash, but exactly where is highly unpredictable. So, any crash with a stack trace like this:

  CellCallback
  js::IterateCompartmentsArenasCells
  mozilla::xpconnect::memory::CollectCompartmentStatsForRuntime
  XPConnectJSCompartmentsMultiReporter::CollectReports

(and possibly one or two functions before the CellCallback) is likely to be indicative of GC heap corruption.
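Added example (not part of the bug thread and not Mozilla code): a triage sketch that applies the rule from the comment above, grouping crash stacks that pass through the memory reporter's heap walk into one bucket regardless of top frame or faulting address. The four frame names are the ones quoted in that comment; the crash ids, the other frame names and the bucket labels are constructed, and frames are assumed to be bare function names listed innermost first.

```python
# Frame names come from the stack quoted in the comment above (innermost first).
REPORTER_WALK = [
    "CellCallback",
    "js::IterateCompartmentsArenasCells",
    "mozilla::xpconnect::memory::CollectCompartmentStatsForRuntime",
    "XPConnectJSCompartmentsMultiReporter::CollectReports",
]
MAX_LEADING = 2  # "possibly one or two functions before the CellCallback"


def leading_frames(frames, max_leading=MAX_LEADING):
    """Return the frames above CellCallback if the stack is a memory-reporter
    heap walk, or None if it is not. frames is innermost-first."""
    for start in range(min(max_leading, len(frames)) + 1):
        if frames[start:start + len(REPORTER_WALK)] == REPORTER_WALK:
            return frames[:start]
    return None


def bucket(reports):
    """Group crash ids so every reporter-walk crash lands in one bucket,
    whatever its top frame or faulting address."""
    out = {"gc-heap-corruption-suspect": [], "other": []}
    for crash_id, frames in reports.items():
        hit = leading_frames(frames) is not None
        out["gc-heap-corruption-suspect" if hit else "other"].append(crash_id)
    return out


# Constructed sample reports; ids and the non-reporter frame names are made up.
SAMPLE = {
    "crash-A": REPORTER_WALK + ["constructed_caller"],
    "crash-B": ["inlined_accessor_1"] + REPORTER_WALK,
    "crash-C": ["helper_1", "helper_2", "helper_3"] + REPORTER_WALK,
    "crash-D": ["CellCallback", "some_other_heap_iterator"],
}

if __name__ == "__main__":
    for name, ids in bucket(SAMPLE).items():
        print(name, ids)
```
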
Assignee: general → nobody
Closing because no crashes have been reported in 12 weeks.
Status: NEW → RESOLVED
Closed: 7 years ago
Resolution: --- → WONTFIX