Open Bug 698296 Opened 13 years ago Updated 1 year ago

crash in js::SweepBackgroundThings @ js::gc::Arena::finalize

Categories

(Core :: JavaScript Engine, defect)

9 Branch
x86
Windows 7
defect

Tracking

Tracking Status
firefox18 + wontfix
firefox19 - affected
firefox20 --- affected
firefox21 + fixed
firefox22 --- affected
firefox23 --- affected

People

(Reporter: mdykun, Assigned: sfink)

References

(Blocks 1 open bug)

Details

(Keywords: crash, regression, Whiteboard: qa-not-actionable)

Crash Data

User Agent: Mozilla/5.0 (Windows NT 6.1; rv:9.0a2) Gecko/20111030 Firefox/9.0a2
Build ID: 20111030042025

Steps to reproduce:

Crashing when restarting the browser
Please provide a crash id -> https://developer.mozilla.org/en/How_to_get_a_stacktrace_for_a_bug_report
Crash Signature: [@ je_free | js::gc::Arena::finalize<JSString>(JSContext*, js::gc::AllocKind, unsigned int) ]
Keywords: crash
Do you have steps to reproduce? Any other crash ids?

Does the crash still occur if you start Firefox in Safe Mode? http://support.mozilla.com/en-US/kb/Safe+Mode
Confirming based on crash stats - crashes show up on the trunk as well:  https://crash-stats.mozilla.com/report/list?signature=je_free%20|%20js::gc::Arena::finalize%3CJSString%3E%28JSContext*,%20js::gc::AllocKind,%20unsigned%20int%29
Status: UNCONFIRMED → NEW
Ever confirmed: true
It first appeared in 9.0a1/20110904.
It might be a regression from bug 681884.
It's #61 top crasher in 9.0b3.
Assignee: nobody → general
Component: General → JavaScript Engine
Keywords: regression
Product: Firefox → Core
QA Contact: general → general
Severity: normal → critical
Crash Signature: [@ je_free | js::gc::Arena::finalize<JSString>(JSContext*, js::gc::AllocKind, unsigned int) ] → [@ je_free | js::gc::Arena::finalize<JSString>(JSContext*, js::gc::AllocKind, unsigned int)] [@ je_free | js::gc::Arena::finalize<JSString>(JSContext*, js::gc::AllocKind, unsigned int, bool)]
Crash Signature: [@ je_free | js::gc::Arena::finalize<JSString>(JSContext*, js::gc::AllocKind, unsigned int)] [@ je_free | js::gc::Arena::finalize<JSString>(JSContext*, js::gc::AllocKind, unsigned int, bool)] → [@ je_free | js::gc::Arena::finalize<JSString>(JSContext*, js::gc::AllocKind, unsigned int)] [@ je_free | js::gc::Arena::finalize<JSString>(JSContext*, js::gc::AllocKind, unsigned int, bool)] [@ je_free | js::gc::Arena::finalize<JSString>(js::FreeOp* js…
Summary: Firefox 9.0a2 Crash Report [@ je_free | js::gc::Arena::finalize<JSString>(JSContext*, js::gc::AllocKind, unsigned int) ] → Firefox 9.0a2 Crash Report @ je_free | js::gc::Arena::finalize
Version: 9 Branch → 16 Branch
Summary: Firefox 9.0a2 Crash Report @ je_free | js::gc::Arena::finalize → Firefox Crash Report @ je_free | js::gc::Arena::finalize
Version: 16 Branch → 9 Branch
It's #6 top browser crasher in 18.0a2 and #70 in 19.0a1.

It's correlated to old versions of Yandex Bar in Aurora:
  je_free | js::gc::Arena::finalize<JSString>(js::FreeOp*, js::gc::AllocKind, unsigned int)|EXCEPTION_ACCESS_VIOLATION_READ (56 crashes)
     93% (52/56) vs.   6% (131/2269) yasearch@yandex.ru (Yandex.Bar, https://addons.mozilla.org/addon/3495)
          4% (2/56) vs.   0% (2/2269) 6.6
         50% (28/56) vs.   3% (74/2269) 6.9.1
         14% (8/56) vs.   1% (21/2269) 7.1.1
         11% (6/56) vs.   0% (10/2269) 7.2
         14% (8/56) vs.   1% (16/2269) 7.2.1
          0% (0/56) vs.   0% (4/2269) 7.2.2
          0% (0/56) vs.   0% (3/2269) 7.2.3
Keywords: topcrash
Since this is correlated to old versions of Yandex bar, if we're not able to reproduce (and resolve a Firefox regression, if any) we may just consider blocklisting.
Keywords: qawanted
QA Contact: jbecerra
We may choose to track bug 770238 instead of this one.
While checking on Socorro, crashes from all 3 signatures of this bug can still be found within the last few days.

These crashes can be seen here:

https://crash-stats.mozilla.com/report/list?product=Firefox&query_search=signature&query_type=contains&query=je_free%20|%20js%3A%3Agc%3A%3AArena%3A%3Afinalize%26lt%3BJSString%26gt%3B%28JSContext*%2C%20js%3A%3Agc%3A%3AAllocKind%2C%20unsigned%20int%29&reason_type=contains&date=11%2F29%2F2012%2014%3A36%3A33&range_value=4&range_unit=weeks&hang_type=any&process_type=any&do_query=1&signature=je_free%20|%20js%3A%3Agc%3A%3AArena%3A%3Afinalize%3CJSString%3E%28JSContext*%2C%20js%3A%3Agc%3A%3AAllocKind%2C%20unsigned%20int%29


https://crash-stats.mozilla.com/report/list?product=Firefox&query_search=signature&query_type=contains&query=je_free%20|%20js%3A%3Agc%3A%3AArena%3A%3Afinalize%26lt%3BJSString%26gt%3B%28JSContext*%2C%20js%3A%3Agc%3A%3AAllocKind%2C%20unsigned%20int%2C%20bool%29&reason_type=contains&date=11%2F29%2F2012%2014%3A37%3A47&range_value=4&range_unit=weeks&hang_type=any&process_type=any&do_query=1&signature=je_free%20|%20js%3A%3Agc%3A%3AArena%3A%3Afinalize%3CJSString%3E%28JSContext*%2C%20js%3A%3Agc%3A%3AAllocKind%2C%20unsigned%20int%2C%20bool%29


https://crash-stats.mozilla.com/report/list?product=Firefox&query_search=signature&query_type=contains&query=je_free%20|%20js%3A%3Agc%3A%3AArena%3A%3Afinalize%26lt%3BJSString%26gt%3B%28js%3A%3AFreeOp*%2C%20js%3A%3Agc%3A%3AAllocKind%2C%20unsigned%20int%29&reason_type=contains&date=11%2F29%2F2012%2014%3A37%3A47&range_value=4&range_unit=weeks&hang_type=any&process_type=any&do_query=1&signature=je_free%20|%20js%3A%3Agc%3A%3AArena%3A%3Afinalize%3CJSString%3E%28js%3A%3AFreeOp*%2C%20js%3A%3Agc%3A%3AAllocKind%2C%20unsigned%20int%29


I've also tried to reproduce the crash by installing Yandex Elements 7.2.6 (as suggested in one of the comments of the crashes links written above), but wasn't successful.
Steve - do you expect bug 770238 to have an impact here as well? If not, do you have any suggestions for reproducing?
Assignee: general → sphink
This sounds a lot like bug 770238, and I would expect that to fix it. It happens during shutdown with an extension known to trigger a heap corruption bug, and the crash signature is totally consistent with heap corruption.

That said, I would not expect this to be correlated to old versions of the Yandex bar; I would expect the newer versions to crash with the same frequency (at least, it was my understanding that the new versions still use the scripted protocol handler.) Perhaps that's just statistical error, though, if the new versions are not heavily used yet.
Crash Signature: js::gc::AllocKind, unsigned int)] → js::gc::AllocKind, unsigned int)] [@ moz_abort | je_free | js::gc::Arena::finalize<JSString>(js::FreeOp*, js::gc::AllocKind, unsigned int)] [@ moz_abort | je_free | js::gc::Arena::finalize<JSShortString>(js::FreeOp*, js::gc::AllocKind, unsigned int)]
(In reply to Steve Fink [:sfink] from comment #16)
> This sounds a lot like bug 770238, and I would expect that to fix it. It
> happens during shutdown with an extension known to trigger a heap corruption
> bug, and the crash signature is totally consistent with heap corruption.
> 
> That said, I would not expect this to be correlated to old versions of the
> Yandex bar; I would expect the newer versions to crash with the same
> frequency (at least, it was my understanding that the new versions still use
> the scripted protocol handler.) Perhaps that's just statistical error,
> though, if the new versions are not heavily used yet.

Thank you Steve for your reply. As specified in comment 14, I tried to reproduce the crashes with the newer version, Yandex Elements 7.2.6, but with no success.
After the fix of bug 770238 and with combined signatures, it's still #17 top browser crasher w/o hangs in 18.0b4 and #60 in 19.0a2.

Here are correlations per extension in 18.0 Beta (mix of beta 3 and 4):
  moz_abort | je_free | js::gc::Arena::finalize<JSString>(js::FreeOp*, js::gc::AllocKind, unsigned int)|EXCEPTION_BREAKPOINT (152 crashes)
     42% (64/152) vs.   2% (732/47321) yasearch@yandex.ru (Yandex.Bar, https://addons.mozilla.org/addon/3495)
     34% (52/152) vs.   2% (715/47321) vb@yandex.ru 

  moz_abort | je_free | js::gc::Arena::finalize<JSShortString>(js::FreeOp*, js::gc::AllocKind, unsigned int)|EXCEPTION_BREAKPOINT (31 crashes)
     94% (29/31) vs.  82% (38868/47321) testpilot@labs.mozilla.com (Mozilla Labs - Test Pilot, https://addons.mozilla.org/addon/13661)
Depends on: 770238
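
Added example (not from the bug comments or from Socorro): the Python below reads the correlation rows above as "crashes with this signature vs. all crashes in that build", which is an assumption about the report format, and computes the lift and a hypergeometric tail probability per row. It shows why zero crashes for a rarely installed add-on version says little either way, which is the "statistical error" question raised above.

```python
import math
import re
from collections import namedtuple

# Rows copied from the two correlation listings in this bug (add-on URL trimmed).
ROWS = """\
93% (52/56) vs.   6% (131/2269) yasearch@yandex.ru
4% (2/56) vs.   0% (2/2269) 6.6
50% (28/56) vs.   3% (74/2269) 6.9.1
0% (0/56) vs.   0% (4/2269) 7.2.2
0% (0/56) vs.   0% (3/2269) 7.2.3
42% (64/152) vs.   2% (732/47321) yasearch@yandex.ru
94% (29/31) vs.  82% (38868/47321) testpilot@labs.mozilla.com
"""

# k/n: crashes with this signature that carry the item.
# K/N: all crashes in the build that carry the item (assumed to include k/n).
Row = namedtuple("Row", "label k n K N")
ROW_RE = re.compile(r"\d+% \((\d+)/(\d+)\) vs\.\s+\d+% \((\d+)/(\d+)\)\s+(\S+)")


def parse_rows(text):
    rows = []
    for line in text.splitlines():
        m = ROW_RE.search(line)
        if m:
            k, n, K, N = map(int, m.group(1, 2, 3, 4))
            rows.append(Row(m.group(5), k, n, K, N))
    return rows


def lift(r):
    """How over-represented the item is among this signature's crashes."""
    return (r.k / r.n) / (r.K / r.N)


def expected_hits(r):
    """Crashes we would expect to carry the item if it were unrelated."""
    return r.n * r.K / r.N


def pmf(i, r):
    """Hypergeometric P(X = i): n crashes drawn from N, K of which carry the item."""
    return math.comb(r.K, i) * math.comb(r.N - r.K, r.n - i) / math.comb(r.N, r.n)


def p_at_least_observed(r):
    """Chance of seeing k or more hits by luck alone."""
    return sum(pmf(i, r) for i in range(r.k, min(r.n, r.K) + 1))


def p_zero(r):
    """Chance of seeing no hits at all by luck alone."""
    return pmf(0, r)


if __name__ == "__main__":
    for r in parse_rows(ROWS):
        print(f"{r.label:28} lift={lift(r):6.2f} expected={expected_hits(r):6.2f} "
              f"p(>=k)={p_at_least_observed(r):.3g} p(0)={p_zero(r):.3g}")
```
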
Given we're past Firefox 18 b5 and don't have any actionable leads, we'll wontfix for FF18.
Taking QA Contact as Fx19 lead. So far we've been unable to reproduce this with the Yandex version called out in comments. Are there any other leads QA can follow?
QA Contact: jbecerra → anthony.s.hughes
Pinged Steven to check for next steps, since we don't have any good QA leads (or anything actionable right now).
Crash Signature: js::gc::AllocKind, unsigned int)] [@ moz_abort | je_free | js::gc::Arena::finalize<JSString>(js::FreeOp*, js::gc::AllocKind, unsigned int)] [@ moz_abort | je_free | js::gc::Arena::finalize<JSShortString>(js::FreeOp*, js::gc::AllocKind, unsigned int)] → js::gc::AllocKind, unsigned int)] [@ moz_abort | je_free | js::gc::Arena::finalize<JSString>(js::FreeOp*, js::gc::AllocKind, unsigned int)] [@ moz_abort | je_free | js::gc::Arena::finalize<JSShortString>(js::FreeOp*, js::gc::AllocKind unsigned int)] [@…
The stack trace looks like:
Frame 	Module 	Signature 	Source
0 	mozglue.dll 	arena_run_tree_insert 	memory/mozjemalloc/jemalloc.c:3137
1 	mozglue.dll 	je_free 	memory/mozjemalloc/jemalloc.c:6589
2 	mozjs.dll 	js::gc::Arena::finalize<JSString> 	js/src/jsgc.cpp:355
3 	mozjs.dll 	js::SweepBackgroundThings 	js/src/jsgc.cpp:2873
4 	mozjs.dll 	js::GCHelperThread::doSweep 	js/src/jsgc.cpp:3147
5 	mozjs.dll 	js::GCHelperThread::threadLoop 	js/src/jsgc.cpp:2999
6 	mozjs.dll 	js::GCHelperThread::threadMain 	js/src/jsgc.cpp:2978
7 	nspr4.dll 	_PR_NativeRunThread 	nsprpub/pr/src/threads/combined/pruthr.c:395
8 	nspr4.dll 	pr_root 	nsprpub/pr/src/md/windows/w95thred.c:90
9 	msvcr100.dll 	_callthreadstartex 	f:\dd\vctools\crt_bld\self_x86\crt\src\threadex.c:314
10 	msvcr100.dll 	_threadstartex 	f:\dd\vctools\crt_bld\self_x86\crt\src\threadex.c:292
11 	kernel32.dll 	BaseThreadInitThunk 	
12 	ntdll.dll 	__RtlUserThreadStart 	
13 	ntdll.dll 	_RtlUserThreadStart
Summary: Firefox Crash Report @ je_free | js::gc::Arena::finalize → crash in js::SweepBackgroundThings @ js::gc::Arena::finalize
This bug appears to have fallen outside of our typical topcrash range post-release. Can anybody confirm?
(In reply to Alex Keybl [:akeybl] from comment #23)
> This bug appears to have fallen outside of our typical topcrash range
> post-release. Can anybody confirm?
It's at the threshold: #31 in 18.0 and #20 in 19.0b1 with combined signatures.
Reports containing the last 4 signatures of this bug can be seen on Socorro within the last month, for Firefox 18, 18.0.1, 19 beta 1 and beta 2.

For the 3rd signature, [@ je_free | js::gc::Arena::finalize<JSString>(js::FreeOp*, js::gc::AllocKind, unsigned int) ], reports are available here: https://crash-stats.mozilla.com/report/list?product=Firefox&query_search=signature&query_type=contains&query=je_free%20%7C%20js%3A%3Agc%3A%3AArena%3A%3Afinalize%26lt%3BJSString%26gt%3B%28js%3A%3AFreeOp%2A%2C%20js%3A%3Agc%3A%3AAllocKind%2C%20unsigned%20int%29&reason_type=contains&date=01%2F21%2F2013%2012%3A28%3A32&range_value=4&range_unit=weeks&hang_type=any&process_type=any&do_query=1&signature=je_free%20%7C%20js%3A%3Agc%3A%3AArena%3A%3Afinalize%3CJSString%3E%28js%3A%3AFreeOp%2A%2C%20js%3A%3Agc%3A%3AAllocKind%2C%20unsigned%20int%29

For the 4th signature, [@ moz_abort | je_free | js::gc::Arena::finalize<JSString>(js::FreeOp*, js::gc::AllocKind, unsigned int) ], reports are available here: https://crash-stats.mozilla.com/report/list?product=Firefox&query_search=signature&query_type=contains&query=moz_abort%20%7C%20je_free%20%7C%20js%3A%3Agc%3A%3AArena%3A%3Afinalize%26lt%3BJSString%26gt%3B%28js%3A%3AFreeOp%2A%2C%20js%3A%3Agc%3A%3AAllocKind%2C%20unsigned%20int%29&reason_type=contains&date=01%2F21%2F2013%2012%3A28%3A32&range_value=4&range_unit=weeks&hang_type=any&process_type=any&do_query=1&signature=moz_abort%20%7C%20je_free%20%7C%20js%3A%3Agc%3A%3AArena%3A%3Afinalize%3CJSString%3E%28js%3A%3AFreeOp%2A%2C%20js%3A%3Agc%3A%3AAllocKind%2C%20unsigned%20int%29

For the 5th signature, [@ moz_abort | je_free | js::gc::Arena::finalize<JSShortString>(js::FreeOp*, js::gc::AllocKind, unsigned int) ], reports are available here: https://crash-stats.mozilla.com/report/list?product=Firefox&query_search=signature&query_type=contains&query=moz_abort%20%7C%20je_free%20%7C%20js%3A%3Agc%3A%3AArena%3A%3Afinalize%26lt%3BJSShortString%26gt%3B%28js%3A%3AFreeOp%2A%2C%20js%3A%3Agc%3A%3AAllocKind%2C%20unsigned%20int%29&reason_type=contains&date=01%2F21%2F2013%2012%3A28%3A33&range_value=4&range_unit=weeks&hang_type=any&process_type=any&do_query=1&signature=moz_abort%20%7C%20je_free%20%7C%20js%3A%3Agc%3A%3AArena%3A%3Afinalize%3CJSShortString%3E%28js%3A%3AFreeOp%2A%2C%20js%3A%3Agc%3A%3AAllocKind%2C%20unsigned%20int%29

For the 6th signature, [@ arena_run_tree_insert | je_free | js::gc::Arena::finalize<JSString>(js::FreeOp*, js::gc::AllocKind, unsigned int) ], reports are available here: https://crash-stats.mozilla.com/report/list?product=Firefox&query_search=signature&query_type=contains&query=arena_run_tree_insert%20%7C%20je_free%20%7C%20js%3A%3Agc%3A%3AArena%3A%3Afinalize%26lt%3BJSString%26gt%3B%28js%3A%3AFreeOp%2A%2C%20js%3A%3Agc%3A%3AAllocKind%2C%20unsigned%20int%29&reason_type=contains&date=01%2F21%2F2013%2012%3A28%3A35&range_value=4&range_unit=weeks&hang_type=any&process_type=any&do_query=1&signature=arena_run_tree_insert%20%7C%20je_free%20%7C%20js%3A%3Agc%3A%3AArena%3A%3Afinalize%3CJSString%3E%28js%3A%3AFreeOp%2A%2C%20js%3A%3Agc%3A%3AAllocKind%2C%20unsigned%20int%29
I couldn't find reports containing the first 2 signatures within the last month for Firefox 18, 18.0.1, 19 beta 1 or beta 2.
Thanks, for one thing we know this as well as its signatures is still around. Have you verified the stacks to call finalize from js::SweepBackgroundThings, though? This specific bug report is only tracking those stacks.
(In reply to Robert Kaiser (:kairo@mozilla.com) from comment #27)
> Thanks, for one thing we know this as well as its signatures is still
> around. Have you verified the stacks to call finalize from
> js::SweepBackgroundThings, though? This specific bug report is only
> tracking those stacks.

I've checked the stacktrace, and I think it's the same bug. Could you please take a look?

https://crash-stats.mozilla.com/report/index/f77fa048-6491-46c6-8f45-2f56a2130121

https://crash-stats.mozilla.com/report/index/c048e040-943e-427a-b5f1-65e332130121

https://crash-stats.mozilla.com/report/index/342cc452-f038-4324-969b-98bcc2130121

https://crash-stats.mozilla.com/report/index/7a8221fe-b90d-44a7-ae95-6ca282130120
(In reply to Manuela Muntean from comment #28)
> I've checked the stacktrace, and I think it's the same bug. Could you please
> take a look?

Thanks, those stacks all come from js::SweepBackgroundThings, right. Those, thanks for verifying that it's still around. Not that this is particularly surprising given that it's not marked fixed and Scoobidiver noted in comment #24 that it's just around the topcrash threshold in 18.0 and 19.0b1. ;-)
(In reply to Robert Kaiser (:kairo@mozilla.com) from comment #29)
> (In reply to Manuela Muntean from comment #28)
> > I've checked the stacktrace, and I think it's the same bug. Could you please
> > take a look?
> 
> Thanks, those stacks all come from js::SweepBackgroundThings, right. Those,
> thanks for verifying that it's still around. Not that this is particularly
> surprising given that it's not marked fixed and Scoobidiver noted in comment
> > #24 that it's just around the topcrash threshold in 18.0 and 19.0b1. ;-)

No problem Robert. Glad to help! :-) Hopefully this issue will go away soon.
(In reply to Manuela Muntean from comment #30)
> Hopefully this issue will go away soon.

I doubt it. For one thing, this is probably collecting multiple different problems in one signature (as it is so often with things in GC land), and for the other, without someone coding up a fix here it will stay around. It would be helpful if someone could find reproducible cases that produce those crashes, but those are probably quite difficult to find.
This is around #33 top crash on beta (probably a little higher in aggregate), and lower on release. We no longer plan to track for upcoming releases, unless this bug spikes significantly.
It has been a top crash since 21.0b6 likely related to bug 868369.
Crash Signature: , unsigned int)] [@ arena_run_tree_insert | je_free | js::gc::Arena::finalize<JSString>(js::FreeOp*, js::gc::AllocKind, unsigned int)] → , unsigned int)] [@ arena_run_tree_insert | je_free | js::gc::Arena::finalize<JSString>(js::FreeOp*, js::gc::AllocKind, unsigned int)] [@ arena_dalloc | je_free | JSObject::finish(js::FreeOp*) ] [@ moz_abort | arena_dalloc | je_free | JSObject::finish(…
Keywords: topcrash
(In reply to Scoobidiver from comment #33)
> It has been a top crash since 21.0b6 likely related to bug 868369.

CCing :Till here as it could be related to bug 868369
(In reply to bhavana bajaj [:bajaj] from comment #34)
> CCing :Till here as it could be related to bug 868369

If the theory I put forward in bug 868369, comment 14 is correct, the frequency of this crash signature could very likely have increased at some point before the self-hosted Array extras were backed out. It would be very interesting to find a regression window in that case, as the underlying issue would then be a different one.
The initial signatures and added ones don't recover in Beta but they do in Aurora and Nightly at least recently.
The Beta regression range for the signature morphing and spike is:
http://hg.mozilla.org/releases/mozilla-beta/pushloghtml?fromchange=dc33b3fb2fb0&tochange=c1453860aef9
I suspected the backout of bug 784294 in Beta.

In 21.0b6, the stack trace looks like:
Frame 	Module 	Signature 	Source
0 	mozglue.dll 	arena_dalloc 	memory/mozjemalloc/jemalloc.c:4658
1 	mozglue.dll 	je_free 	memory/mozjemalloc/jemalloc.c:6589
2 	mozjs.dll 	JSObject::finish 	js/src/jsobjinlines.h:1009
3 	mozjs.dll 	js::gc::Arena::finalize<JSObject> 	js/src/jsgc.cpp:341
4 	mozjs.dll 	FinalizeTypedArenas<JSObject> 	js/src/jsgc.cpp:405
5 	mozjs.dll 	FinalizeArenas 	js/src/jsgc.cpp:442
6 	mozjs.dll 	SweepBackgroundThings 	js/src/jsgc.cpp:2194
7 	nspr4.dll 	_MD_CURRENT_THREAD 	nsprpub/pr/src/threads/combined/prulock.c:372
8 	mozjs.dll 	js::GCHelperThread::threadLoop 	js/src/jsgc.cpp:2317
9 	nspr4.dll 	_PR_NativeRunThread 	nsprpub/pr/src/threads/combined/pruthr.c:395
10 	nspr4.dll 	pr_root 	nsprpub/pr/src/md/windows/w95thred.c:90
11 	msvcr100.dll 	_callthreadstartex 	f:\dd\vctools\crt_bld\self_x86\crt\src\threadex.c:314
12 	msvcr100.dll 	_threadstartex 	f:\dd\vctools\crt_bld\self_x86\crt\src\threadex.c:292
13 	kernel32.dll 	BaseThreadStart

Compared to previous stacks, JSObject::finish is added and <JSObject> has replaced <JS.*String>.

More reports at:
* Before 21.0b6 (#26 in 21.0b5):
https://crash-stats.mozilla.com/report/list?signature=moz_abort+|+je_free+|+js%3A%3Agc%3A%3AArena%3A%3Afinalize%3CJSString%3E%28js%3A%3AFreeOp*%2C+js%3A%3Agc%3A%3AAllocKind%2C+unsigned+int%29
https://crash-stats.mozilla.com/report/list?signature=moz_abort+|+je_free+|+js%3A%3Agc%3A%3AArena%3A%3Afinalize%3CJSShortString%3E%28js%3A%3AFreeOp*%2C+js%3A%3Agc%3A%3AAllocKind%2C+unsigned+int%29
https://crash-stats.mozilla.com/report/list?signature=je_free+|+js%3A%3Agc%3A%3AArena%3A%3Afinalize%3CJSString%3E%28js%3A%3AFreeOp*%2C+js%3A%3Agc%3A%3AAllocKind%2C+unsigned+int%29
https://crash-stats.mozilla.com/report/list?signature=je_free+|+js%3A%3Agc%3A%3AArena%3A%3Afinalize%3CJSShortString%3E%28js%3A%3AFreeOp*%2C+js%3A%3Agc%3A%3AAllocKind%2C+unsigned+int%29

* 21.0b6 (#10 in 21.0b6):
https://crash-stats.mozilla.com/report/list?signature=arena_dalloc+|+je_free+|+JSObject%3A%3Afinish%28js%3A%3AFreeOp*%29
https://crash-stats.mozilla.com/report/list?signature=moz_abort+|+arena_dalloc+|+je_free+|+JSObject%3A%3Afinish%28js%3A%3AFreeOp*%29
https://crash-stats.mozilla.com/report/list?signature=extent_tree_ad_remove+|+huge_dalloc+|+je_free+|+JSObject%3A%3Afinish%28js%3A%3AFreeOp*%29
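
Added example (not part of the bug comments or of Mozilla's tooling): a Python check for the question raised earlier in this bug, whether a stack reaches the allocator's free path through Arena::finalize called from SweepBackgroundThings. The first two stacks are the leading frames of the two stack tables in this bug, the third is constructed, and the signature join is a simplified stand-in for Socorro's real signature rules.

```python
import re
from collections import namedtuple

Frame = namedtuple("Frame", "index module function source")

# jemalloc frames live in this module in the stacks quoted in this bug.
ALLOCATOR_MODULES = {"mozglue.dll"}

STACK_18 = """\
Frame Module Signature Source
0 mozglue.dll arena_run_tree_insert memory/mozjemalloc/jemalloc.c:3137
1 mozglue.dll je_free memory/mozjemalloc/jemalloc.c:6589
2 mozjs.dll js::gc::Arena::finalize<JSString> js/src/jsgc.cpp:355
3 mozjs.dll js::SweepBackgroundThings js/src/jsgc.cpp:2873
4 mozjs.dll js::GCHelperThread::doSweep js/src/jsgc.cpp:3147
"""

STACK_21B6 = """\
Frame Module Signature Source
0 mozglue.dll arena_dalloc memory/mozjemalloc/jemalloc.c:4658
1 mozglue.dll je_free memory/mozjemalloc/jemalloc.c:6589
2 mozjs.dll JSObject::finish js/src/jsobjinlines.h:1009
3 mozjs.dll js::gc::Arena::finalize<JSObject> js/src/jsgc.cpp:341
4 mozjs.dll FinalizeTypedArenas<JSObject> js/src/jsgc.cpp:405
5 mozjs.dll FinalizeArenas js/src/jsgc.cpp:442
6 mozjs.dll SweepBackgroundThings js/src/jsgc.cpp:2194
"""

# Constructed: same top frames, but not reached from the background sweep.
STACK_CONSTRUCTED = """\
0 mozglue.dll arena_dalloc
1 mozglue.dll je_free
2 mozjs.dll js::gc::Arena::finalize<JSString>
3 mozjs.dll constructed_foreground_caller
"""


def parse_stack(text):
    """Parse 'Frame Module Signature Source' rows; the source column may be absent."""
    frames = []
    for line in text.strip().splitlines():
        parts = line.split()
        if len(parts) < 3 or not parts[0].isdigit():
            continue  # header row or malformed line
        source = parts[3] if len(parts) > 3 else ""
        frames.append(Frame(int(parts[0]), parts[1], parts[2], source))
    return frames


def short_signature(frames):
    """Join the allocator frames with the first frame outside the allocator."""
    names = []
    for f in frames:
        names.append(f.function)
        if f.module not in ALLOCATOR_MODULES:
            break
    return " | ".join(names)


def first_index(funcs, predicate):
    return next((i for i, name in enumerate(funcs) if predicate(name)), None)


def classify(frames):
    funcs = [f.function for f in frames]
    free_i = first_index(funcs, lambda n: n == "je_free")
    fin_i = first_index(funcs, lambda n: "Arena::finalize<" in n)
    sweep_i = first_index(funcs, lambda n: n.endswith("SweepBackgroundThings"))
    # In scope for this bug only if the order is free <- finalize <- background sweep.
    in_scope = None not in (free_i, fin_i, sweep_i) and free_i < fin_i < sweep_i
    kind = re.search(r"finalize<(\w+)>", funcs[fin_i]).group(1) if fin_i is not None else None
    return {"signature": short_signature(frames), "finalized": kind, "in_scope": in_scope}


if __name__ == "__main__":
    for name, text in [("18.x", STACK_18), ("21.0b6", STACK_21B6), ("constructed", STACK_CONSTRUCTED)]:
        print(name, classify(parse_stack(text)))
```
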
According to Socorro, only crashes with the last 3 signatures reproduce on Firefox 21 beta:
https://crash-stats.mozilla.com/report/list?product=Firefox&query_search=signature&query_type=contains&query=extent_tree_ad_remove%20%7C%20huge_dalloc%20%7C%20je_free%20%7C%20JSObject%3A%3Afinish%28js%3A%3AFreeOp%2A%29&reason_type=contains&date=05%2F08%2F2013%2012%3A54%3A05&range_value=4&range_unit=weeks&hang_type=any&process_type=any&do_query=1&signature=extent_tree_ad_remove%20%7C%20huge_dalloc%20%7C%20je_free%20%7C%20JSObject%3A%3Afinish%28js%3A%3AFreeOp%2A%29
https://crash-stats.mozilla.com/report/list?product=Firefox&query_search=signature&query_type=contains&query=moz_abort%20%7C%20arena_dalloc%20%7C%20je_free%20%7C%20JSObject%3A%3Afinish%28js%3A%3AFreeOp%2A%29&reason_type=contains&date=05%2F08%2F2013%2012%3A54%3A04&range_value=4&range_unit=weeks&hang_type=any&process_type=any&do_query=1&signature=moz_abort%20%7C%20arena_dalloc%20%7C%20je_free%20%7C%20JSObject%3A%3Afinish%28js%3A%3AFreeOp%2A%29
https://crash-stats.mozilla.com/report/list?product=Firefox&query_search=signature&query_type=contains&query=arena_dalloc%20%7C%20je_free%20%7C%20JSObject%3A%3Afinish%28js%3A%3AFreeOp%2A%29&reason_type=contains&date=05%2F08%2F2013%2012%3A54%3A04&range_value=4&range_unit=weeks&hang_type=any&process_type=any&do_query=1&signature=arena_dalloc%20%7C%20je_free%20%7C%20JSObject%3A%3Afinish%28js%3A%3AFreeOp%2A%29&page=1

Unfortunately, most of them have distinct extensions and no details about how to reproduce them (1 scrolling text, 1 waiting on answers.yahoo.com). I also went through tens of crashes without yandex, so I think this is no longer related to that.

I tried to reproduce this crash with clean and dirty profiles, taking into account all the clues from current and older crashes but I didn't even get a hang.

I don't think QA will be able to find steps here without any leads.
Thank you Ioana for the extensive testing.

Scoobidiver, are there any other leads you could point us to?

Note to Release Management, I think it's safe to call this WONTFIX for Firefox 19 and 20, continue to track for Firefox 21+.
Flags: needinfo?(scoobidiver)
(In reply to Anthony Hughes, Mozilla QA (:ashughes) from comment #38)
> Scoobidiver, are there any other leads you could point us to?
As long as bug 867342 is not fixed (prevent crash correlations), I can't be of much help. I hope the spike will be fixed in 21.0b7 by the fix of bug 868369.
Flags: needinfo?(scoobidiver)
In 21.0b7, the new signatures have disappeared and the old ones are back to their previous volumes.
Crash Signature: , unsigned int)] [@ arena_dalloc | je_free | JSObject::finish(js::FreeOp*) ] [@ moz_abort | arena_dalloc | je_free | JSObject::finish(js::FreeOp*) ] [@ extent_tree_ad_remove | huge_dalloc | je_free | JSObject::finish(js::FreeOp*) ] → , unsigned int)] [@ arena_dalloc | je_free | JSObject::finish(js::FreeOp*) ] [@ moz_abort | arena_dalloc | je_free | JSObject::finish(js::FreeOp*) ] [@ extent_tree_ad_remove | huge_dalloc | je_free | JSObject::finish(js::FreeOp*) ] [@ moz_abort | aren…
Removing the "qawanted" keyword since QA didn't reproduce the issue locally. Please add back the keyword if you have more details. Thanks!
Keywords: qawanted
Crash Signature: arena_run_reg_dalloc | arena_dalloc_small | arena_dalloc | je_free | js::gc::Arena::finalize<JSString>(js::FreeOp*, js::gc::AllocKind, unsigned int) ] → arena_run_reg_dalloc | arena_dalloc_small | arena_dalloc | je_free | js::gc::Arena::finalize<JSString>(js::FreeOp*, js::gc::AllocKind, unsigned int) ] [@ je_free | js::gc::Arena::finalize<T>] [@ moz_abort | je_free | js::gc::Arena::finalize<T>] [@ are…
Whiteboard: qa-not-actionable
Severity: critical → S2

Since the crash volume is low (less than 5 per week), the severity is downgraded to S3. Feel free to change it back if you think the bug is still critical.

For more information, please visit auto_nag documentation.

Severity: S2 → S3
Crash Signature: [@ je_free | js::gc::Arena::finalize<JSString>(JSContext*, js::gc::AllocKind, unsigned int)] [@ je_free | js::gc::Arena::finalize<JSString>(JSContext*, js::gc::AllocKind, unsigned int, bool)] [@ je_free | js::gc::Arena::finalize<JSString>(js::FreeOp*, j… → [@ je_free | js::gc::Arena::finalize<JSString>] [@ je_free | js::gc::Arena::finalize<JSString>] [@ je_free | js::gc::Arena::finalize<JSString>] [@ moz_abort | je_free | js::gc::Arena::finalize<JSString>] [@ moz_abort | je_free | js::gc::Arena::finaliz…