Closed Bug 786742 Opened 13 years ago Closed 4 years ago

Firefox EXCEPTION_INVALID_HANDLE crash in js::GCHelperThread::doSweep (Correlation to Yandex Bar)

Categories

(Core :: JavaScript Engine, defect)

Product:
Core
Component:
JavaScript Engine
Version:
16 Branch
Platform:
x86
Windows 7
Type:
defect
Priority:
Not set
Severity:
critical

Tracking

()

Status:
RESOLVED WORKSFORME

People

(Reporter: marcia, Unassigned)

References

Details

(Keywords: crash, Whiteboard: [platform-rel-yandex])

Crash Data

This bug was filed from the Socorro interface and is report bp-50ba3c22-00a3-4fae-b6b2-17c182120829 . ============================================================= Seen while looking at crash stats. This crash so far seems to only affect Firefox 15. https://crash-stats.mozilla.com/report/list?signature=RtlUlonglongByteSwap%20|%20RtlpDeCommitFreeBlock%20|%20je_free%20|%20js::GCHelperThread::doSweep%28%29 Correlation report points to Yandex Bar, and it seems different versions of the Yandex bar are implicated in this crash (6.9.1 and 7.1.1 ATM. Frame Module Signature Source 0 ntdll.dll RtlUlonglongByteSwap 1 ntdll.dll RtlpDeCommitFreeBlock 2 mozglue.dll je_free memory/jemalloc/jemalloc.c:6567 3 mozjs.dll js::GCHelperThread::doSweep js/src/jsgc.cpp:2854 4 mozjs.dll js::GCHelperThread::threadLoop js/src/jsgc.cpp:2715 5 mozjs.dll js::GCHelperThread::threadMain js/src/jsgc.cpp:2694 6 nspr4.dll _PR_NativeRunThread nsprpub/pr/src/threads/combined/pruthr.c:394 7 nspr4.dll pr_root nsprpub/pr/src/md/windows/w95thred.c:90 8 msvcr100.dll _callthreadstartex f:\dd\vctools\crt_bld\self_x86\crt\src\threadex.c:314 9 msvcr100.dll _threadstartex f:\dd\vctools\crt_bld\self_x86\crt\src\threadex.c:292 10 kernel32.dll BaseThreadInitThunk 11 ntdll.dll __RtlUserThreadStart 12 ntdll.dll _RtlUserThreadStart RtlUlonglongByteSwap | RtlpDeCommitFreeBlock | je_free | js::GCHelperThread::doSweep()|EXCEPTION_INVALID_HANDLE (20 crashes) 95% (19/20) vs. 2% (1242/72157) yasearch@yandex.ru (Yandex.Bar, https://addons.mozilla.org/addon/3495) 60% (12/20) vs. 0% (208/72157) vb@yandex.ru 25% (5/20) vs. 7% (4936/72157) {d10d0bf8-f5b5-c8b4-a8b2-2b9879e08c5d} (Adblock Plus, https://addons.mozilla.org/addon/1865) 10% (2/20) vs. 0% (261/72157) translator@zoli.bod
Assignee: nobody → general
Component: Extension Compatibility → JavaScript Engine
Product: Firefox → Core
Summary: [Win7] Firefox crash in RtlUlonglongByteSwap (Correlation to Yandex Bar) → [Win7] Firefox crash in js::GCHelperThread::doSweep (Correlation to Yandex Bar)
Version: unspecified → 15 Branch
[@ RtlRaiseStatus | SHATransformP3 ] seems to be the Win XP version of this crash based on the stack.
Crash Signature: [@ RtlUlonglongByteSwap | RtlpDeCommitFreeBlock | je_free | js::GCHelperThread::doSweep()] → [@ RtlUlonglongByteSwap | RtlpDeCommitFreeBlock | je_free | js::GCHelperThread::doSweep()] [@ RtlRaiseStatus | SHATransformP3]
Summary: [Win7] Firefox crash in js::GCHelperThread::doSweep (Correlation to Yandex Bar) → Firefox crash in js::GCHelperThread::doSweep (Correlation to Yandex Bar)
Whiteboard: [js:inv:p1]
Firefox 10.0.8ESR crashed on win XP while restarting the browser during crash-me add-on install: http://crash-stats.mozilla.com/report/index/bp-35a2f55c-de28-4b9a-8015-996dc2121008
It's #8 top browser crasher in 16.0.
Crash Signature: [@ RtlUlonglongByteSwap | RtlpDeCommitFreeBlock | je_free | js::GCHelperThread::doSweep()] [@ RtlRaiseStatus | SHATransformP3] → [@ RtlUlonglongByteSwap | RtlpDeCommitFreeBlock | je_free | js::GCHelperThread::doSweep()] [@ RtlRaiseStatus | SHATransformP3] [@ zzz_AsmCodeRange_Begin]
Depends on: 793430
Keywords: topcrash
Summary: Firefox crash in js::GCHelperThread::doSweep (Correlation to Yandex Bar) → Firefox EXCEPTION_INVALID_HANDLE crash in js::GCHelperThread::doSweep (Correlation to Yandex Bar)
Version: 15 Branch → 16 Branch
Crash Signature: [@ RtlUlonglongByteSwap | RtlpDeCommitFreeBlock | je_free | js::GCHelperThread::doSweep()] [@ RtlRaiseStatus | SHATransformP3] [@ zzz_AsmCodeRange_Begin] → [@ RtlUlonglongByteSwap | RtlpDeCommitFreeBlock | je_free | js::GCHelperThread::doSweep()] [@ RtlRaiseStatus | SHATransformP3] [@ zzz_AsmCodeRange_Begin] [@ zzz_AsmCodeRange_End]
It's #51 top browser crasher w/o hangs in 17.0, #41 in 18.0b1, and #45 in 19.0a2, so no longer a top crasher.
Keywords: topcrash
Crash Signature: [@ RtlUlonglongByteSwap | RtlpDeCommitFreeBlock | je_free | js::GCHelperThread::doSweep()] [@ RtlRaiseStatus | SHATransformP3] [@ zzz_AsmCodeRange_Begin] [@ zzz_AsmCodeRange_End] → [@ RtlUlonglongByteSwap | RtlpDeCommitFreeBlock | je_free | js::GCHelperThread::doSweep()] [@ RtlRaiseStatus | SHATransformP3] [@ zzz_AsmCodeRange_Begin] [@ zzz_AsmCodeRange_Begin | EtwEventEnabled | je_free | js::GCHelperThread::doSweep()] [@ zzz_Asm…
Is [@ RtlRaiseStatus | TransformMD5] related to this? https://crash-stats.mozilla.com/report/list?product=Firefox&range_value=7&range_unit=days&date=2013-09-06&signature=RtlRaiseStatus+%7C+TransformMD5&version=Firefox%3A25.0a2 Note that [@ RtlRaiseStatus | SHATransformP3] and [@ RtlRaiseStatus | TransformMD5] are sitting at #12 and #14 respectively. This could be bordering on a top crash...
Assignee: general → nobody
Crash Signature: RtlAddAccessAllowedAce | je_free | js::GCHelperThread::doSweep()] → RtlAddAccessAllowedAce | je_free | js::GCHelperThread::doSweep()] [@ RtlUlonglongByteSwap | RtlpDeCommitFreeBlock | je_free | js::GCHelperThread::doSweep] [@ zzz_AsmCodeRange_Begin | EtwEventEnabled | je_free | js::GCHelperThread::doSweep] [@ zzz_AsmC…
platform-rel: --- → ?
Whiteboard: [js:inv:p1] → [platform-rel-yandex]
platform-rel: ? → ---

Closing because no crashes reported for 12 weeks.

Status: NEW → RESOLVED
Closed: 4 years ago
Resolution: --- → WORKSFORME
You need to log in before you can comment on or make changes to this bug.