761081 - crash in JSScript::markChildren

Status: RESOLVED WORKSFORME

(Core :: JavaScript Engine, defect)

Description

[Scoobidiver (away)]

It first appeared in 13.0a1/20120307. The regression range might be:
http://hg.mozilla.org/mozilla-central/pushloghtml?fromchange=7d0d1108a14e&tochange=78e56fd22f2a
It's #178 top crasher in 13.0b7, #200 in 14.0a2 over the last week.

There's a spike in crashes starting from 15.0a1/20120601. The regression range for the spike is:
http://hg.mozilla.org/mozilla-central/pushloghtml?fromchange=3aa566994890&tochange=73783bf75c4c
It's #36 top crasher in 15.0a1 over the last day.

Signature 	JSScript::markChildren(JSTracer*) More Reports Search
UUID	bcd2c732-f01a-49d4-a735-4aa082120604
Date Processed	2012-06-04 01:10:42
Uptime	36
Last Crash	38 seconds before submission
Install Age	9.9 hours since version was first installed.
Install Time	2012-06-03 15:17:00
Product	Firefox
Version	15.0a1
Build ID	20120603030523
Release Channel	nightly
OS	Windows NT
OS Version	6.1.7601 Service Pack 1
Build Architecture	x86
Build Architecture Info	GenuineIntel family 6 model 23 stepping 7
Crash Reason	EXCEPTION_ACCESS_VIOLATION_WRITE
Crash Address	0x1ff32f0
App Notes 	
AdapterVendorID: 0x10de, AdapterDeviceID: 0x1201, AdapterSubsysID: 14603842, AdapterDriverVersion: 8.17.13.142
D2D? D2D+ DWrite? DWrite+ D3D10 Layers? D3D10 Layers+ 
EMCheckCompatibility	True	
Total Virtual Memory	4294836224
Available Virtual Memory	3880792064
System Memory Use Percentage	21
Available Page File	32229367808
Available Physical Memory	6740520960

Frame 	Module 	Signature 	Source
0 	mozjs.dll 	JSScript::markChildren 	js/src/jsscript.cpp:2110
1 	mozjs.dll 	js::gc::MarkUnbarriered<JSScript> 	js/src/gc/Marking.cpp:135
2 	mozjs.dll 	fun_trace 	js/src/jsfun.cpp:499
3 	mozjs.dll 	js::GCMarker::processMarkStackTop 	js/src/gc/Marking.cpp:1180
4 	mozjs.dll 	js::GCMarker::drainMarkStack 	js/src/gc/Marking.cpp:1224
5 	mozjs.dll 	NonIncrementalMark 	js/src/jsgc.cpp:3345
6 	mozjs.dll 	GCCycle 	js/src/jsgc.cpp:3693
7 	mozjs.dll 	Collect 	js/src/jsgc.cpp:3802
8 	xul.dll 	mozilla::CalibratedPerformanceCounter 	xpcom/ds/TimeStamp_windows.cpp:521
9 	xul.dll 	nsJSContext::GarbageCollectNow 	dom/base/nsJSEnvironment.cpp:2978

More reports at:
https://crash-stats.mozilla.com/report/list?signature=JSScript%3A%3AmarkChildren%28JSTracer*%29
https://crash-stats.mozilla.com/report/list?signature=JSScript%3A%3AmarkChildren

Comment 1

[David Mandelin [:dmandelin]]

It subsided again.

Comment 2

[Scoobidiver (away)]

It's #18 top browser crasher in 15.0b2, #12 in 16.0a2, and #14 in 17.0a1.

Comment 3

[Alex Keybl [:akeybl]]

(In reply to Scoobidiver from comment #2)
> It's #18 top browser crasher in 15.0b2, #12 in 16.0a2, and #14 in 17.0a1.

Let's see if this is spiking before tracking for release.

Comment 4

[Scoobidiver (away)]

(In reply to Alex Keybl [:akeybl] from comment #3)
> Let's see if this is spiking before tracking for release.
It spiked in 15.0a1/20120601 as explained in comment 0.

Comment 5

[Lukas Blakk [:lsblakk] use ?needinfo]

This is highest on Win XP (70%) and much higher in 15 than it was in 14 but it's been around since 13 so while it's worth keeping an eye on, I wouldn't block a release on this with its present volume.

Comment 6

[Lukas Blakk [:lsblakk] use ?needinfo]

Also the volume on 16/17 is quite low which contributes to the decision on comment 5.

Comment 7

[Bill McCloskey [inactive unless it's an emergency] (:billm)]

We have compartment GC enabled in FF15 but not in 16 or 17. However, nothing related to compartment GC happened on 6/1.

Comment 8

[Scoobidiver (away)]

(In reply to Lukas Blakk [:lsblakk] from comment #6)
> Also the volume on 16/17 is quite low which contributes to the decision on
> comment 5.
Without counting Flash hangs where nothing can be done by Mozilla, it's #9 in 15.0b2, #10 in 16.0a2 and 17.0a1.

Comment 9

[Robert Kaiser]

This signature is topcrash #6 in Firefox desktop 18.0b3

Comment 11

[alex_mayorga]

FWIW Mozilla/5.0 (Windows NT 6.1; WOW64; rv:31.0) Gecko/20100101 Firefox/31.0 ID:20140415030203 CSet: 5b6e82e7bbbf crashed like this for me.

Report ID 	Date Submitted
bp-27ab81d3-d853-4022-8b3e-01bab2140415	15/04/2014	03:15 p.m.

Shall I file a new bug?

Comment 12

[alex_mayorga]

Robert,

Can you please advise on comment 11 above?

Comment 13

[Robert Kaiser]

Is this reproducible? If not, then there's not much sense in filing a separate bug for a crash that happens during garbage collection as there's no way to determine what's causing it from the report, the cause for something like this (like memory corruption) has usually happened long before the garbage collection stumbled over it and crashed.

Comment 14

[Ioana Chiorean]

https://crash-stats.mozilla.com/report/index/08dd165a-16de-4663-8451-e21672140424

Comment 15

[Tracy Walker [:tracy]]

crashes @ JSScript::markChildren(JSTracer*) have crept into the top 20 volume crashers on Fx30. (#19)

Comment 16

[Merike Sell (:merike)]

Firefox 32: https://crash-stats.mozilla.com/report/index/017e3d6d-0433-4977-8199-1df902140531

Comment 17

[Liu Xing]

https://crash-stats.mozilla.com/report/index/146cfb49-006c-41c3-ba40-4146c2140602

Comment 18

[u279076]

None of these signatures are in the topcrash range anymore. Regardless we still have no actionable information for this long-standing crash.

Comment 19

[BugBot [:suhaib / :marco/ :calixte]]

Closing because no crashes reported for 12 weeks.