Closed Bug 783896 Opened 7 years ago Closed 3 years ago

crash in js::gc::IsMarked

Categories: Core :: JavaScript Engine, defect, critical
Platform: x86, Windows 7
Priority: Not set
Status: RESOLVED WORKSFORME
People: Reporter: wsmwk, Unassigned
Keywords: crash, regression
Whiteboard: [tbird crash][js:inv]

#9 crash in TB15 beta. Potentially a topcrash, so need to check ranking after TB15 releases.

Doesn't rank in top 300 for Firefox 15.

This bug was filed from the Socorro interface and is report bp-773d64d6-4cc9-4768-8329-337642120819.
============================================================= 

0	mozjs.dll	js::gc::IsMarked<js::gc::Cell>	js/src/gc/Marking.cpp:184
1	mozjs.dll	JSCompartment::sweepInitialShapeTable	js/src/jsscope.cpp:1379
2	mozjs.dll	JSCompartment::sweep	js/src/jscompartment.cpp:468
3	mozjs.dll	SweepPhase	js/src/jsgc.cpp:3273
4	mozjs.dll	GCCycle	js/src/jsgc.cpp:3719
5	mozjs.dll	Collect	js/src/jsgc.cpp:3822
6	mozjs.dll	js::GC	js/src/jsgc.cpp:3846
7	mozjs.dll	js::GCForReason	js/src/jsfriendapi.cpp:137
8	xul.dll	nsXPCComponents_Utils::ForceGC	js/xpconnect/src/XPCComponents.cpp:3922 

184    if (!(*thingp)->compartment()->isCollecting())

Firefox stacks are different, and even they are not all the same. Example crashes:
bp-75d29183-8454-4f53-aa11-f5e7d2120819
bp-293f9378-fba0-4f35-a5a8-3141f2120807

Assignee: nobody → general
Component: General → JavaScript Engine
Product: Thunderbird → Core
Whiteboard: [tbird crash]

Assignee: general → terrence
Whiteboard: [tbird crash] → [tbird crash][js:inv]

There's a spike in crashes from IonMonkey.

Crash Signature: [@ js::gc::IsMarked<js::gc::Cell>] → [@ js::gc::IsMarked<js::gc::Cell>] [@ js::gc::IsMarked<js::DebugScopeObject>] [@ js::gc::IsMarked<JSScript>] [@ js::gc::IsMarked<js::GlobalObject>]

It's #23 top browser crasher in 16.0.1 and #35 in 17.0b1.

It's correlated to AdBlock Plus:
*16.0.1:
  js::gc::IsMarked<js::gc::Cell>|EXCEPTION_ACCESS_VIOLATION_READ (416 crashes)
     96% (400/416) vs.  11% (7032/65825) {d10d0bf8-f5b5-c8b4-a8b2-2b9879e08c5d} (Adblock Plus, https://addons.mozilla.org/addon/1865)
*17.0b1:
  js::gc::IsMarked<js::gc::Cell>|EXCEPTION_ACCESS_VIOLATION_READ (86 crashes)
     90% (77/86) vs.  10% (1860/18965) {d10d0bf8-f5b5-c8b4-a8b2-2b9879e08c5d} (Adblock Plus, https://addons.mozilla.org/addon/1865)

OS: Windows NT → Windows 7
Blocks: abp

Without STR there's nothing we can do about this.

Assignee: terrence → nobody

Crash Signature: [@ js::gc::IsMarked<js::gc::Cell>] [@ js::gc::IsMarked<js::DebugScopeObject>] [@ js::gc::IsMarked<JSScript>] [@ js::gc::IsMarked<js::GlobalObject>] → [@ js::gc::IsMarked<js::gc::Cell>] [@ js::gc::IsMarked<js::DebugScopeObject>] [@ js::gc::IsMarked<JSScript>] [@ js::gc::IsMarked<js::GlobalObject>] [@ js::gc::IsMarked<T>]

For Thunderbird there's nothing newer than version 17 - https://crash-stats.mozilla.com/signature/?signature=js%3A%3Agc%3A%3AIsMarked%3CT%3E&_columns=date&_columns=product&_columns=version&_columns=build_id&_columns=platform&_columns=reason&_columns=address&_sort=-date&page=1#reports

So this is either WFM or the signature has morphed. And FWIW, it's still unclear that this was a bug with "core".

Status: NEW → RESOLVED
Closed: 3 years ago
Resolution: --- → WORKSFORME