Closed Bug 777693 Opened 12 years ago Closed 12 years ago

crash in js::EncapsulatedValue::writeBarrierPre with {6dfff1b3-5c82-4a33-91e2-65f51c0d090e}

Categories

(Core :: JavaScript Engine, defect)

Product:
Core
Component:
JavaScript Engine
Version:
16 Branch
Platform:
x86
Windows 7
Type:
defect
Priority:
Not set
Severity:
critical

Tracking

()

Status:
RESOLVED FIXED
Milestone:
mozilla17
Tracking Flags:
Tracking Status
firefox16 + verified
firefox17 + verified

People

(Reporter: scoobidiver, Assigned: billm)

Details

(Keywords: crash, topcrash, Whiteboard: [js:p1:fx17])

Crash Data

Attachments

(1 file)

patch
1.68 KB, patch
terrence
: review+
akeybl
: approval-mozilla-aurora+
Details | Diff | Splinter Review 
It's #12 top browser crasher in 16.0a2.
A Google search for {6dfff1b3-5c82-4a33-91e2-65f51c0d090e} shows Firefox correlations and virus scan reports.

Signature 	js::EncapsulatedValue::writeBarrierPre(JS::Value const&) More Reports Search
UUID	d2f9d02f-eca5-412b-b322-0b7042120726
Date Processed	2012-07-26 12:43:11
Uptime	1097
Last Crash	5.5 hours before submission
Install Age	2.2 hours since version was first installed.
Install Time	2012-07-26 10:28:30
Product	Firefox
Version	16.0a2
Build ID	20120725042010
Release Channel	aurora
OS	Windows NT
OS Version	5.1.2600 Service Pack 3
Build Architecture	x86
Build Architecture Info	GenuineIntel family 6 model 23 stepping 10
Crash Reason	EXCEPTION_ACCESS_VIOLATION_READ
Crash Address	0x0
App Notes 	
AdapterVendorID: 0x8086, AdapterDeviceID: 0x29c2, AdapterSubsysID: 29c28086, AdapterDriverVersion: 6.14.10.4820
D3D10 Layers? D3D10 Layers- D3D9 Layers? D3D9 Layers- 
EMCheckCompatibility	True
Adapter Vendor ID	0x8086
Adapter Device ID	0x29c2
Total Virtual Memory	2147352576
Available Virtual Memory	1910702080
System Memory Use Percentage	58
Available Page File	2032545792
Available Physical Memory	443109376

Frame 	Module 	Signature 	Source
0 	mozjs.dll 	js::EncapsulatedValue::writeBarrierPre 	js/src/gc/Barrier-inl.h:25
1 	mozjs.dll 	js_AddRootRT 	js/src/jsgc.cpp:1258
2 	mozjs.dll 	js_AddRoot 	js/src/jsgc.cpp:1233
3 	mozjs.dll 	JS_GetPropertyDescArray 	js/src/jsdbgapi.cpp:880
4 	xul.dll 	_buildProps 	js/jsd/jsd_val.c:434
5 	xul.dll 	jsd_IterateProperties 	js/jsd/jsd_val.c:524
6 	xul.dll 	jsd_GetValueProperty 	js/jsd/jsd_val.c:559
7 	xul.dll 	jsdValue::GetProperty 	js/jsd/jsd_xpc.cpp:2376
8 	xul.dll 	NS_InvokeByIndex_P 	xpcom/reflect/xptcall/src/md/win32/xptcinvoke.cpp:70
9 	xul.dll 	XPCWrappedNative::CallMethod 	js/xpconnect/src/XPCWrappedNative.cpp:2382
10 	xul.dll 	XPC_WN_CallMethod 	js/xpconnect/src/XPCWrappedNativeJSOps.cpp:1474
11 	mozjs.dll 	js::InvokeKernel 	js/src/jsinterp.cpp:344
12 	mozjs.dll 	js::Interpret 	js/src/jsinterp.cpp:2442
13 	mozjs.dll 	js::InvokeKernel 	js/src/jsinterp.cpp:355
14 	mozjs.dll 	js::Invoke 	js/src/jsinterp.h:119
15 	mozjs.dll 	js_fun_apply 	js/src/jsfun.cpp:740
16 	mozjs.dll 	js::InvokeKernel 	js/src/jsinterp.cpp:344
17 	mozjs.dll 	js::Interpret 	js/src/jsinterp.cpp:2442
18 	mozjs.dll 	js::InvokeKernel 	js/src/jsinterp.cpp:355
19 	mozjs.dll 	js::Invoke 	js/src/jsinterp.cpp:387
20 	mozjs.dll 	JS_CallFunctionValue 	js/src/jsapi.cpp:5568
21 	xul.dll 	nsXPCWrappedJSClass::CallMethod 	js/xpconnect/src/XPCWrappedJSClass.cpp:1436
22 	xul.dll 	nsXPCWrappedJS::CallMethod 	js/xpconnect/src/XPCWrappedJS.cpp:580
23 	xul.dll 	PrepareAndDispatch 	xpcom/reflect/xptcall/src/md/win32/xptcstubs.cpp:85
24 	xul.dll 	SharedStub 	xpcom/reflect/xptcall/src/md/win32/xptcstubs.cpp:112
25 	xul.dll 	jsds_CallHookProc 	js/jsd/jsd_xpc.cpp:588

More reports at:
https://crash-stats.mozilla.com/report/list?signature=js%3A%3AEncapsulatedValue%3A%3AwriteBarrierPre%28JS%3A%3AValue+const%26%29
I looked at the code for JS_GetPropertyDescArray and it seems pretty broken. This is probably our fault. I'll put a patch together.
Assignee: general → wmccloskey
Whiteboard: [js:p1:fx17]
Attached patch patchSplinter Review 
We shouldn't be using AddRoot here without initializing the root first.
Attachment #649876 - Flags: review?(terrence)
Attachment #649876 - Flags: review?(terrence) → review+
https://hg.mozilla.org/mozilla-central/rev/cf8b707ee6df
Status: NEW → RESOLVED
Closed: 12 years ago
Resolution: --- → FIXED
Target Milestone: --- → mozilla17
status-firefox17: --- → fixed
Will there be an Aurora uplift nomination here?
status-firefox16: --- → affected
Comment on attachment 649876 [details] [diff] [review]
patch

[Approval Request Comment]
Bug caused by (feature/regressing bug #): Incremental GC
User impact if declined: Crashes related to debugger use.
Testing completed (on m-c, etc.): On m-c.
Risk to taking this patch (and alternatives if risky): Very low.
String or UUID changes made by this patch: None.
Attachment #649876 - Flags: approval-mozilla-aurora?
Comment on attachment 649876 [details] [diff] [review]
patch

[Triage Comment]
Low risk fix for a 16 top crasher, approved for Aurora.
Attachment #649876 - Flags: approval-mozilla-aurora? → approval-mozilla-aurora+
It should be pushed to Aurora before closing the channel.
Please verify by checking Socorro.
Keywords: verifyme
QA Contact: ioana.budnar
Thanks Ioana, can you please also verify for Firefox 16.0.1? Thanks.
(In reply to Anthony Hughes, Mozilla QA (:ashughes) from comment #12)
> Thanks Ioana, can you please also verify for Firefox 16.0.1? Thanks.

The situation is the same for Firefox 16.0.1 and 16.0.2. There are several crashes in mozjs.dll js/src/gc/Barrier-inl.h:25 and 23, but none of them have to do with JS_GetPropertyDescArray or js_AddRoot.
status-firefox16: fixedverified
mass remove verifyme requests greater than 4 months old
Keywords: verifyme
You need to log in before you can comment on or make changes to this bug.