760039 - crash in CCGraphBuilder::NoteChild (NoteXPCOMChild/NoteScriptChild)

Status: RESOLVED WORKSFORME

(Core :: XPCOM, defect)

Description

[Carsten Book [:Tomcat]]

This bug was filed from the Socorro interface and is 
report bp-e0a25119-40f3-4823-bb40-370802120530 .
============================================================= 
Found in the Crashstats list for Firefox 13.0 and seems this mostly a Windows XP Crash 

no comments so far in the reports:

Crashing Thread
Frame 	Module 	Signature 	Source
0 	xul.dll 	GCGraphBuilder::NoteChild 	xpcom/base/nsCycleCollector.cpp:1844
1 	xul.dll 	NoteJSChild 	js/xpconnect/src/nsXPConnect.cpp:837
2 	mozjs.dll 	js::gc::MarkInternal<JSScript> 	js/src/jsgcmark.cpp:110
3 	mozjs.dll 	js::gc::MarkScript 	js/src/jsgcmark.cpp:210
4 	mozjs.dll 	JSFunction::trace 	js/src/jsfun.cpp:1104
5 	mozjs.dll 	fun_trace 	js/src/jsfun.cpp:1113
6 	mozjs.dll 	js::ObjectImpl::markChildren 	js/src/vm/ObjectImpl.cpp:52
7 	mozjs.dll 	js::TraceChildren 	js/src/jsgcmark.cpp:1142
8 	xul.dll 	nsXPConnect::Traverse 	js/xpconnect/src/nsXPConnect.cpp:995
9 	xul.dll 	GCGraphBuilder::Traverse 	xpcom/base/nsCycleCollector.cpp:1932
10 	xul.dll 	nsCycleCollector::MarkRoots 	xpcom/base/nsCycleCollector.cpp:2297
11 	xul.dll 	nsCycleCollector::BeginCollection 	xpcom/base/nsCycleCollector.cpp:3278
12 	xul.dll 	nsThread::ProcessNextEvent 	xpcom/threads/nsThread.cpp:657
13 	xul.dll 	nsThread::ThreadFunc 	xpcom/threads/nsThread.cpp:289
14 	nspr4.dll 	_PR_NativeRunThread 	nsprpub/pr/src/threads/combined/pruthr.c:426
15 	nspr4.dll 	pr_root 	nsprpub/pr/src/md/windows/w95thred.c:122
16 	msvcr100.dll 	_callthreadstartex 	f:\dd\vctools\crt_bld\self_x86\crt\src\threadex.c:314
17 	msvcr100.dll 	_threadstartex 	f:\dd\vctools\crt_bld\self_x86\crt\src\threadex.c:292
18 	kernel32.dll 	BaseThreadInitThunk 	
19 	ntdll.dll 	__RtlUserThreadStart 	
20 	ntdll.dll 	_RtlUserThreadStart

Comment 1

[Scoobidiver (away)]

It's #97 top crasher in 13.0b5.

Comment 2

[Andrew McCreight [:mccr8]]

In some sense, this is signature just the newest incarnation of NoteXPCOMChild/NoteScriptChild, which I factored out in bug 730357.

However, most of the crashes I looked at in 13/14 are on this line:
  ++childPi->mInternalRefs;

This loads the field of a CC data structure and increments it.  So this could be an actual problem with the cycle collector.

Comment 3

[Wayne Mery (:wsmwk)]

(In reply to Andrew McCreight [:mccr8] from comment #2)
> In some sense, this is signature just the newest incarnation of
> NoteXPCOMChild/NoteScriptChild, which I factored out in bug 730357.

so also related to bug 752325?
bp-389175f3-6048-4dda-86b3-fb5e82130729
bp-660191b3-6179-4a20-ac2c-b98bd2130727

> However, most of the crashes I looked at in 13/14 are on this line:
>   ++childPi->mInternalRefs;
> 
> This loads the field of a CC data structure and increments it.  So this
> could be an actual problem with the cycle collector.

#127 crash for firefox 22

Comment 4

[Andrew McCreight [:mccr8]]

NoteXPCOMChild and NoteScriptChild call into NoteChild, so it could be the same  crash, depending on how things get inlined and reported.

Comment 6

[Wayne Mery (:wsmwk)]

There are no crashes with CCGraphBuilder::NoteXPCOMChild newer than version 38.

But there are come current version crashes for CCGraphBuilder::NoteXPCOMChild whose Bug 1261541 was duped to this