Closed Bug 786742 Opened 12 years ago Closed 4 years ago

Firefox EXCEPTION_INVALID_HANDLE crash in js::GCHelperThread::doSweep (Correlation to Yandex Bar)

Categories

(Core :: JavaScript Engine, defect)

Product:
Core
Component:
JavaScript Engine
Version:
16 Branch
Platform:
x86
Windows 7
Type:
defect
Priority:
Not set
Severity:
critical

Tracking

()

Status:
RESOLVED WORKSFORME

People

(Reporter: marcia, Unassigned)

References

Details

(Keywords: crash, Whiteboard: [platform-rel-yandex])

Crash Data

This bug was filed from the Socorro interface and is 
report bp-50ba3c22-00a3-4fae-b6b2-17c182120829 .
============================================================= 

Seen while looking at crash stats. This crash so far seems to only affect Firefox 15. https://crash-stats.mozilla.com/report/list?signature=RtlUlonglongByteSwap%20|%20RtlpDeCommitFreeBlock%20|%20je_free%20|%20js::GCHelperThread::doSweep%28%29

Correlation report points to Yandex Bar, and it seems different versions of the Yandex bar are implicated in this crash (6.9.1 and 7.1.1 ATM.

Frame 	Module 	Signature 	Source
0 	ntdll.dll 	RtlUlonglongByteSwap 	
1 	ntdll.dll 	RtlpDeCommitFreeBlock 	
2 	mozglue.dll 	je_free 	memory/jemalloc/jemalloc.c:6567
3 	mozjs.dll 	js::GCHelperThread::doSweep 	js/src/jsgc.cpp:2854
4 	mozjs.dll 	js::GCHelperThread::threadLoop 	js/src/jsgc.cpp:2715
5 	mozjs.dll 	js::GCHelperThread::threadMain 	js/src/jsgc.cpp:2694
6 	nspr4.dll 	_PR_NativeRunThread 	nsprpub/pr/src/threads/combined/pruthr.c:394
7 	nspr4.dll 	pr_root 	nsprpub/pr/src/md/windows/w95thred.c:90
8 	msvcr100.dll 	_callthreadstartex 	f:\dd\vctools\crt_bld\self_x86\crt\src\threadex.c:314
9 	msvcr100.dll 	_threadstartex 	f:\dd\vctools\crt_bld\self_x86\crt\src\threadex.c:292
10 	kernel32.dll 	BaseThreadInitThunk 	
11 	ntdll.dll 	__RtlUserThreadStart 	
12 	ntdll.dll 	_RtlUserThreadStart


RtlUlonglongByteSwap | RtlpDeCommitFreeBlock | je_free | js::GCHelperThread::doSweep()|EXCEPTION_INVALID_HANDLE (20 crashes)
     95% (19/20) vs.   2% (1242/72157) yasearch@yandex.ru (Yandex.Bar, https://addons.mozilla.org/addon/3495)
     60% (12/20) vs.   0% (208/72157) vb@yandex.ru
     25% (5/20) vs.   7% (4936/72157) {d10d0bf8-f5b5-c8b4-a8b2-2b9879e08c5d} (Adblock Plus, https://addons.mozilla.org/addon/1865)
     10% (2/20) vs.   0% (261/72157) translator@zoli.bod
Assignee: nobody → general
Component: Extension Compatibility → JavaScript Engine
Product: Firefox → Core
Summary: [Win7] Firefox crash in RtlUlonglongByteSwap (Correlation to Yandex Bar) → [Win7] Firefox crash in js::GCHelperThread::doSweep (Correlation to Yandex Bar)
Version: unspecified → 15 Branch
[@ RtlRaiseStatus | SHATransformP3 ] seems to be the Win XP version of this crash based on the stack.
Crash Signature: [@ RtlUlonglongByteSwap | RtlpDeCommitFreeBlock | je_free | js::GCHelperThread::doSweep()] → [@ RtlUlonglongByteSwap | RtlpDeCommitFreeBlock | je_free | js::GCHelperThread::doSweep()] [@ RtlRaiseStatus | SHATransformP3]
Summary: [Win7] Firefox crash in js::GCHelperThread::doSweep (Correlation to Yandex Bar) → Firefox crash in js::GCHelperThread::doSweep (Correlation to Yandex Bar)
Whiteboard: [js:inv:p1]
Firefox 10.0.8ESR crashed on win XP while restarting the browser during crash-me add-on install:
http://crash-stats.mozilla.com/report/index/bp-35a2f55c-de28-4b9a-8015-996dc2121008
It's #8 top browser crasher in 16.0.
Crash Signature: [@ RtlUlonglongByteSwap | RtlpDeCommitFreeBlock | je_free | js::GCHelperThread::doSweep()] [@ RtlRaiseStatus | SHATransformP3] → [@ RtlUlonglongByteSwap | RtlpDeCommitFreeBlock | je_free | js::GCHelperThread::doSweep()] [@ RtlRaiseStatus | SHATransformP3] [@ zzz_AsmCodeRange_Begin]
Depends on: 793430
Keywords: topcrash
Summary: Firefox crash in js::GCHelperThread::doSweep (Correlation to Yandex Bar) → Firefox EXCEPTION_INVALID_HANDLE crash in js::GCHelperThread::doSweep (Correlation to Yandex Bar)
Version: 15 Branch → 16 Branch
Crash Signature: [@ RtlUlonglongByteSwap | RtlpDeCommitFreeBlock | je_free | js::GCHelperThread::doSweep()] [@ RtlRaiseStatus | SHATransformP3] [@ zzz_AsmCodeRange_Begin] → [@ RtlUlonglongByteSwap | RtlpDeCommitFreeBlock | je_free | js::GCHelperThread::doSweep()] [@ RtlRaiseStatus | SHATransformP3] [@ zzz_AsmCodeRange_Begin] [@ zzz_AsmCodeRange_End]
It's #51 top browser crasher w/o hangs in 17.0, #41 in 18.0b1, and #45 in 19.0a2, so no longer a top crasher.
Keywords: topcrash
Crash Signature: [@ RtlUlonglongByteSwap | RtlpDeCommitFreeBlock | je_free | js::GCHelperThread::doSweep()] [@ RtlRaiseStatus | SHATransformP3] [@ zzz_AsmCodeRange_Begin] [@ zzz_AsmCodeRange_End] → [@ RtlUlonglongByteSwap | RtlpDeCommitFreeBlock | je_free | js::GCHelperThread::doSweep()] [@ RtlRaiseStatus | SHATransformP3] [@ zzz_AsmCodeRange_Begin] [@ zzz_AsmCodeRange_Begin | EtwEventEnabled | je_free | js::GCHelperThread::doSweep()] [@ zzz_Asm…
Is [@ RtlRaiseStatus | TransformMD5] related to this?
https://crash-stats.mozilla.com/report/list?product=Firefox&range_value=7&range_unit=days&date=2013-09-06&signature=RtlRaiseStatus+%7C+TransformMD5&version=Firefox%3A25.0a2

Note that [@ RtlRaiseStatus | SHATransformP3] and [@ RtlRaiseStatus | TransformMD5] are sitting at #12 and #14 respectively. This could be bordering on a top crash...
Assignee: general → nobody
Crash Signature: RtlAddAccessAllowedAce | je_free | js::GCHelperThread::doSweep()] → RtlAddAccessAllowedAce | je_free | js::GCHelperThread::doSweep()] [@ RtlUlonglongByteSwap | RtlpDeCommitFreeBlock | je_free | js::GCHelperThread::doSweep] [@ zzz_AsmCodeRange_Begin | EtwEventEnabled | je_free | js::GCHelperThread::doSweep] [@ zzz_AsmC…
platform-rel: --- → ?
Whiteboard: [js:inv:p1] → [platform-rel-yandex]
platform-rel: ? → ---

Closing because no crashes reported for 12 weeks.

Status: NEW → RESOLVED
Closed: 4 years ago
Resolution: --- → WORKSFORME
You need to log in before you can comment on or make changes to this bug.