Closed Bug 777693 Opened 13 years ago Closed 13 years ago

crash in js::EncapsulatedValue::writeBarrierPre with {6dfff1b3-5c82-4a33-91e2-65f51c0d090e}

Categories

(Core :: JavaScript Engine, defect)

Product:
Core
Component:
JavaScript Engine
Version:
16 Branch
Platform:
x86
Windows 7
Type:
defect
Priority:
Not set
Severity:
critical

Tracking

()

Status:
RESOLVED FIXED
Milestone:
mozilla17
Tracking Flags:
Tracking Status
firefox16 + verified
firefox17 + verified

People

(Reporter: scoobidiver, Assigned: billm)

Details

(Keywords: crash, topcrash, Whiteboard: [js:p1:fx17])

Crash Data

Attachments

(1 file)

patch
1.68 KB, patch
terrence
: review+
akeybl
: approval-mozilla-aurora+
Details | Diff | Splinter Review
It's #12 top browser crasher in 16.0a2. A Google search for {6dfff1b3-5c82-4a33-91e2-65f51c0d090e} shows Firefox correlations and virus scan reports. Signature js::EncapsulatedValue::writeBarrierPre(JS::Value const&) More Reports Search UUID d2f9d02f-eca5-412b-b322-0b7042120726 Date Processed 2012-07-26 12:43:11 Uptime 1097 Last Crash 5.5 hours before submission Install Age 2.2 hours since version was first installed. Install Time 2012-07-26 10:28:30 Product Firefox Version 16.0a2 Build ID 20120725042010 Release Channel aurora OS Windows NT OS Version 5.1.2600 Service Pack 3 Build Architecture x86 Build Architecture Info GenuineIntel family 6 model 23 stepping 10 Crash Reason EXCEPTION_ACCESS_VIOLATION_READ Crash Address 0x0 App Notes AdapterVendorID: 0x8086, AdapterDeviceID: 0x29c2, AdapterSubsysID: 29c28086, AdapterDriverVersion: 6.14.10.4820 D3D10 Layers? D3D10 Layers- D3D9 Layers? D3D9 Layers- EMCheckCompatibility True Adapter Vendor ID 0x8086 Adapter Device ID 0x29c2 Total Virtual Memory 2147352576 Available Virtual Memory 1910702080 System Memory Use Percentage 58 Available Page File 2032545792 Available Physical Memory 443109376 Frame Module Signature Source 0 mozjs.dll js::EncapsulatedValue::writeBarrierPre js/src/gc/Barrier-inl.h:25 1 mozjs.dll js_AddRootRT js/src/jsgc.cpp:1258 2 mozjs.dll js_AddRoot js/src/jsgc.cpp:1233 3 mozjs.dll JS_GetPropertyDescArray js/src/jsdbgapi.cpp:880 4 xul.dll _buildProps js/jsd/jsd_val.c:434 5 xul.dll jsd_IterateProperties js/jsd/jsd_val.c:524 6 xul.dll jsd_GetValueProperty js/jsd/jsd_val.c:559 7 xul.dll jsdValue::GetProperty js/jsd/jsd_xpc.cpp:2376 8 xul.dll NS_InvokeByIndex_P xpcom/reflect/xptcall/src/md/win32/xptcinvoke.cpp:70 9 xul.dll XPCWrappedNative::CallMethod js/xpconnect/src/XPCWrappedNative.cpp:2382 10 xul.dll XPC_WN_CallMethod js/xpconnect/src/XPCWrappedNativeJSOps.cpp:1474 11 mozjs.dll js::InvokeKernel js/src/jsinterp.cpp:344 12 mozjs.dll js::Interpret js/src/jsinterp.cpp:2442 13 mozjs.dll js::InvokeKernel js/src/jsinterp.cpp:355 14 mozjs.dll js::Invoke js/src/jsinterp.h:119 15 mozjs.dll js_fun_apply js/src/jsfun.cpp:740 16 mozjs.dll js::InvokeKernel js/src/jsinterp.cpp:344 17 mozjs.dll js::Interpret js/src/jsinterp.cpp:2442 18 mozjs.dll js::InvokeKernel js/src/jsinterp.cpp:355 19 mozjs.dll js::Invoke js/src/jsinterp.cpp:387 20 mozjs.dll JS_CallFunctionValue js/src/jsapi.cpp:5568 21 xul.dll nsXPCWrappedJSClass::CallMethod js/xpconnect/src/XPCWrappedJSClass.cpp:1436 22 xul.dll nsXPCWrappedJS::CallMethod js/xpconnect/src/XPCWrappedJS.cpp:580 23 xul.dll PrepareAndDispatch xpcom/reflect/xptcall/src/md/win32/xptcstubs.cpp:85 24 xul.dll SharedStub xpcom/reflect/xptcall/src/md/win32/xptcstubs.cpp:112 25 xul.dll jsds_CallHookProc js/jsd/jsd_xpc.cpp:588 More reports at: https://crash-stats.mozilla.com/report/list?signature=js%3A%3AEncapsulatedValue%3A%3AwriteBarrierPre%28JS%3A%3AValue+const%26%29
I looked at the code for JS_GetPropertyDescArray and it seems pretty broken. This is probably our fault. I'll put a patch together.
Assignee: general → wmccloskey
Whiteboard: [js:p1:fx17]
Attached patch patchSplinter Review
We shouldn't be using AddRoot here without initializing the root first.
Attachment #649876 - Flags: review?(terrence)
Attachment #649876 - Flags: review?(terrence) → review+
https://hg.mozilla.org/mozilla-central/rev/cf8b707ee6df
Status: NEW → RESOLVED
Closed: 13 years ago
Resolution: --- → FIXED
Target Milestone: --- → mozilla17
status-firefox17: --- → fixed
Will there be an Aurora uplift nomination here?
status-firefox16: --- → affected
Comment on attachment 649876 [details] [diff] [review] patch [Approval Request Comment] Bug caused by (feature/regressing bug #): Incremental GC User impact if declined: Crashes related to debugger use. Testing completed (on m-c, etc.): On m-c. Risk to taking this patch (and alternatives if risky): Very low. String or UUID changes made by this patch: None.
Attachment #649876 - Flags: approval-mozilla-aurora?
Comment on attachment 649876 [details] [diff] [review] patch [Triage Comment] Low risk fix for a 16 top crasher, approved for Aurora.
Attachment #649876 - Flags: approval-mozilla-aurora? → approval-mozilla-aurora+
It should be pushed to Aurora before closing the channel.
Please verify by checking Socorro.
Keywords: verifyme
QA Contact: ioana.budnar
Thanks Ioana, can you please also verify for Firefox 16.0.1? Thanks.
(In reply to Anthony Hughes, Mozilla QA (:ashughes) from comment #12) > Thanks Ioana, can you please also verify for Firefox 16.0.1? Thanks. The situation is the same for Firefox 16.0.1 and 16.0.2. There are several crashes in mozjs.dll js/src/gc/Barrier-inl.h:25 and 23, but none of them have to do with JS_GetPropertyDescArray or js_AddRoot.
status-firefox16: fixedverified
mass remove verifyme requests greater than 4 months old
Keywords: verifyme
You need to log in before you can comment on or make changes to this bug.

Attachment

General

Creator:
Created:
Updated:
Size: