Bug 777693 - crash in js::EncapsulatedValue::writeBarrierPre with {6dfff1b3-5c82-4a33-91e2-65f51c0d090e}
Keywords: crash, topcrash
Product: Core
Classification: Components
Component: JavaScript Engine
Version: 16 Branch
Platform: x86 Windows 7
Importance: -- critical
Target Milestone: mozilla17
Assigned To: Bill McCloskey (:billm)
QA Contact: Ioana (away)
: Jason Orendorff [:jorendorff]
Reported: 2012-07-26 06:18 PDT by Scoobidiver (away)
Modified: 2014-01-10 10:39 PST

patch (1.68 KB, patch)
2012-08-07 16:41 PDT, Bill McCloskey (:billm)
terrence.d.cole: review+
akeybl: approval-mozilla-aurora+

Description Scoobidiver (away) 2012-07-26 06:18:09 PDT
It's #12 top browser crasher in 16.0a2.
A Google search for {6dfff1b3-5c82-4a33-91e2-65f51c0d090e} shows Firefox correlations and virus scan reports.

Signature 	js::EncapsulatedValue::writeBarrierPre(JS::Value const&)
UUID	d2f9d02f-eca5-412b-b322-0b7042120726
Date Processed	2012-07-26 12:43:11
Uptime	1097
Last Crash	5.5 hours before submission
Install Age	2.2 hours since version was first installed.
Install Time	2012-07-26 10:28:30
Product	Firefox
Version	16.0a2
Build ID	20120725042010
Release Channel	aurora
OS	Windows NT
OS Version	5.1.2600 Service Pack 3
Build Architecture	x86
Build Architecture Info	GenuineIntel family 6 model 23 stepping 10
Crash Address	0x0
App Notes 	
AdapterVendorID: 0x8086, AdapterDeviceID: 0x29c2, AdapterSubsysID: 29c28086, AdapterDriverVersion:
D3D10 Layers? D3D10 Layers- D3D9 Layers? D3D9 Layers- 
EMCheckCompatibility	True
Adapter Vendor ID	0x8086
Adapter Device ID	0x29c2
Total Virtual Memory	2147352576
Available Virtual Memory	1910702080
System Memory Use Percentage	58
Available Page File	2032545792
Available Physical Memory	443109376

Frame 	Module 	Signature 	Source
0 	mozjs.dll 	js::EncapsulatedValue::writeBarrierPre 	js/src/gc/Barrier-inl.h:25
1 	mozjs.dll 	js_AddRootRT 	js/src/jsgc.cpp:1258
2 	mozjs.dll 	js_AddRoot 	js/src/jsgc.cpp:1233
3 	mozjs.dll 	JS_GetPropertyDescArray 	js/src/jsdbgapi.cpp:880
4 	xul.dll 	_buildProps 	js/jsd/jsd_val.c:434
5 	xul.dll 	jsd_IterateProperties 	js/jsd/jsd_val.c:524
6 	xul.dll 	jsd_GetValueProperty 	js/jsd/jsd_val.c:559
7 	xul.dll 	jsdValue::GetProperty 	js/jsd/jsd_xpc.cpp:2376
8 	xul.dll 	NS_InvokeByIndex_P 	xpcom/reflect/xptcall/src/md/win32/xptcinvoke.cpp:70
9 	xul.dll 	XPCWrappedNative::CallMethod 	js/xpconnect/src/XPCWrappedNative.cpp:2382
10 	xul.dll 	XPC_WN_CallMethod 	js/xpconnect/src/XPCWrappedNativeJSOps.cpp:1474
11 	mozjs.dll 	js::InvokeKernel 	js/src/jsinterp.cpp:344
12 	mozjs.dll 	js::Interpret 	js/src/jsinterp.cpp:2442
13 	mozjs.dll 	js::InvokeKernel 	js/src/jsinterp.cpp:355
14 	mozjs.dll 	js::Invoke 	js/src/jsinterp.h:119
15 	mozjs.dll 	js_fun_apply 	js/src/jsfun.cpp:740
16 	mozjs.dll 	js::InvokeKernel 	js/src/jsinterp.cpp:344
17 	mozjs.dll 	js::Interpret 	js/src/jsinterp.cpp:2442
18 	mozjs.dll 	js::InvokeKernel 	js/src/jsinterp.cpp:355
19 	mozjs.dll 	js::Invoke 	js/src/jsinterp.cpp:387
20 	mozjs.dll 	JS_CallFunctionValue 	js/src/jsapi.cpp:5568
21 	xul.dll 	nsXPCWrappedJSClass::CallMethod 	js/xpconnect/src/XPCWrappedJSClass.cpp:1436
22 	xul.dll 	nsXPCWrappedJS::CallMethod 	js/xpconnect/src/XPCWrappedJS.cpp:580
23 	xul.dll 	PrepareAndDispatch 	xpcom/reflect/xptcall/src/md/win32/xptcstubs.cpp:85
24 	xul.dll 	SharedStub 	xpcom/reflect/xptcall/src/md/win32/xptcstubs.cpp:112
25 	xul.dll 	jsds_CallHookProc 	js/jsd/jsd_xpc.cpp:588

More reports at:
Comment 1 Bill McCloskey (:billm) 2012-07-26 10:00:11 PDT
I looked at the code for JS_GetPropertyDescArray and it seems pretty broken. This is probably our fault. I'll put a patch together.
Comment 2 Bill McCloskey (:billm) 2012-08-07 16:41:58 PDT
Created attachment 649876

We shouldn't be using AddRoot here without initializing the root first.
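
Added illustration, not code from the attached patch or from SpiderMonkey: a toy C model of the ordering problem named in comment 2, where registering a root runs a pre-barrier on the slot's current contents (frames 0 and 1 of the stack above). Every name here (`Value`, `add_root`, `write_barrier_pre`) and the stale bit pattern are constructed assumptions.

```c
#include <stdbool.h>
#include <stddef.h>
/* Toy model; every name here is hypothetical, not SpiderMonkey's API. */
typedef struct { bool marked; } Cell;
typedef enum { TAG_UNDEFINED, TAG_OBJECT } Tag;
typedef struct { Tag tag; Cell *cell; } Value;

static bool incremental_marking = true;   /* collector is mid-mark */
#define MAX_ROOTS 8
static Value *roots[MAX_ROOTS];
static size_t nroots;

/* Pre-barrier: mark what the slot holds now; false = real code would fault. */
static bool write_barrier_pre(const Value *slot) {
    if (!incremental_marking || slot->tag != TAG_OBJECT)
        return true;                      /* nothing to mark */
    if (slot->cell == NULL)
        return false;                     /* bad pointer dereference */
    slot->cell->marked = true;
    return true;
}

/* Register a root; the barrier reads the slot's current contents first. */
static bool add_root(Value *slot) {
    if (nroots == MAX_ROOTS || !write_barrier_pre(slot))
        return false;
    roots[nroots++] = slot;
    return true;
}

/* Buggy order: rooted while still holding stale bytes (constructed stand-in). */
bool root_before_init(void) {
    static Value slot = { TAG_OBJECT, NULL };
    return add_root(&slot);
}

/* Fixed order: give the slot a defined non-pointer value, then root it. */
bool root_after_init(void) {
    static Value slot = { TAG_UNDEFINED, NULL };
    return add_root(&slot);
}

/* What the barrier is for: a live cell rooted mid-mark gets marked. */
bool root_live_cell_marks_it(void) {
    static Cell cell;
    static Value slot = { TAG_OBJECT, &cell };
    return add_root(&slot) && cell.marked;
}
int main(void) {  /* exit 0 when all three behave as described */
    return (!root_before_init() && root_after_init() && root_live_cell_marks_it()) ? 0 : 1;
}
```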
Comment 4 Ryan VanderMeulen [:RyanVM] 2012-08-09 19:57:25 PDT
Comment 5 Lukas Blakk [:lsblakk] use ?needinfo 2012-08-20 19:29:05 PDT
Will there be an Aurora uplift nomination here?
Comment 6 Bill McCloskey (:billm) 2012-08-20 21:28:26 PDT
Comment on attachment 649876

[Approval Request Comment]
Bug caused by (feature/regressing bug #): Incremental GC
User impact if declined: Crashes related to debugger use.
Testing completed (on m-c, etc.): On m-c.
Risk to taking this patch (and alternatives if risky): Very low.
String or UUID changes made by this patch: None.
Comment 7 Alex Keybl [:akeybl] 2012-08-22 09:35:48 PDT
Comment on attachment 649876

[Triage Comment]
Low risk fix for a 16 top crasher, approved for Aurora.
Comment 8 Scoobidiver (away) 2012-08-26 11:03:19 PDT
It should be pushed to Aurora before closing the channel.
Comment 9 Andrew McCreight [:mccr8] 2012-08-26 11:10:10 PDT
Comment 10 Anthony Hughes (:ashughes) [GFX][QA][Mentor] 2012-10-16 15:45:18 PDT
Please verify by checking Socorro.
Comment 12 Anthony Hughes (:ashughes) [GFX][QA][Mentor] 2012-10-17 11:28:23 PDT
Thanks Ioana, can you please also verify for Firefox 16.0.1? Thanks.
Comment 13 Ioana (away) 2012-10-29 06:16:30 PDT
(In reply to Anthony Hughes, Mozilla QA (:ashughes) from comment #12)
> Thanks Ioana, can you please also verify for Firefox 16.0.1? Thanks.

The situation is the same for Firefox 16.0.1 and 16.0.2. There are several crashes in mozjs.dll js/src/gc/Barrier-inl.h:25 and 23, but none of them have to do with JS_GetPropertyDescArray or js_AddRoot.
Comment 14 Tracy Walker [:tracy] 2014-01-10 10:39:50 PST
mass remove verifyme requests greater than 4 months old
