Open Bug 801516 Opened 7 years ago Updated 4 years ago

crash in js::gc::IsObjectMarked with AdBlock Plus


(Core :: JavaScript Engine, defect, critical)




Tracking Status
firefox16 - ---
firefox17 - ---


(Reporter: marcia, Unassigned)



(Keywords: crash, steps-wanted)

Crash Data

This bug was filed from the Socorro interface and is report bp-cf55f01d-4d7a-4023-b985-81bc22121014.

Seen while looking at Mac trunk crash stats. Low volume crash which started showing up in crash stats using the 2012101003 build. All the reports seem to have Version 2.1.2 of Adblock Plus.

More Mac and Linux reports:

Possible regression range based on crash stats:

Frame 	Module 	Signature 	Source
0 	XUL 	js::gc::IsObjectMarked 	Heap.h:1017
1 	XUL 	js::WeakMap<js::EncapsulatedPtr<JSObject, unsigned long>, js::RelocatableValue, 	Marking.h:276
2 	XUL 	js::WeakMapBase::markAllIteratively 	jsweakmap.cpp:32
3 	XUL 	IncrementalCollectSlice 	jsgc.cpp:3442
4 	XUL 	GCCycle 	jsgc.cpp:4533
5 	XUL 	Collect 	jsgc.cpp:4647
6 	XUL 	js::NotifyDidPaint 	jsfriendapi.cpp:809
7 	XUL 	nsXPConnect::NotifyDidPaint 	nsXPConnect.cpp:2729
8 	XUL 	PresShell::Paint 	nsPresShell.cpp:5212
9 	XUL 	nsViewManager::Refresh 	nsViewManager.cpp:370
10 	XUL 	nsViewManager::PaintWindow 	nsViewManager.cpp:704
11 	XUL 	non-virtual thunk to nsView::PaintWindow 	
12 	XUL 	XUL@0x6e4f0f 	
13 	XUL 	nsChildView::PaintWindow
14 	XUL 	-[ChildView drawRect:inContext:]
15 	XUL 	-[ChildView drawRect:]
16 	AppKit 	AppKit@0x542cd 	
17 	AppKit 	AppKit@0x501c9 	
18 	CoreFoundation 	CoreFoundation@0x12579 	
19 	AppKit 	AppKit@0x102f5 	
20 	Foundation 	Foundation@0x3d55e 	
21 	AppKit 	AppKit@0x8149a 	
22 	libobjc.A.dylib 	libobjc.A.dylib@0xd299 	
23 	libobjc.A.dylib 	libobjc.A.dylib@0xd254 	
24 	CoreFoundation 	CoreFoundation@0x309a8 	
25 	CoreFoundation 	CoreFoundation@0x4ca74 	
26 	CoreFoundation 	CoreFoundation@0x4f7bf 	
27 	CoreFoundation 	CoreFoundation@0x4f566 	
28 	AppKit 	AppKit@0x4de87 	
29 	AppKit 	AppKit@0x818c6 	
30 	AppKit 	AppKit@0x5053d 	
31 	AppKit 	AppKit@0x42e83 	
32 	AppKit 	AppKit@0x42d3d 	
33 	AppKit 	AppKit@0x42e83 	
34 	CoreFoundation 	CoreFoundation@0x167b97 	
35 	AppKit 	AppKit@0x5323c 	
36 	AppKit 	AppKit@0x42b79 	
37 	CoreFoundation 	CoreFoundation@0x8370b 	
38 	AppKit 	AppKit@0x9880ef 	
39 	AppKit 	AppKit@0x518a8 	
40 	AppKit 	AppKit@0x94f731 	
41 	libobjc.A.dylib 	libobjc.A.dylib@0xd2c5 	
42 	libobjc.A.dylib 	libobjc.A.dylib@0xd4f8 	
43 	AppKit 	AppKit@0x547e3 	
44 	libmozglue.dylib 	je_malloc 	jemalloc.c:4217
45 	AppKit 	AppKit@0x52b5d 	
46 	AppKit 	AppKit@0x94f731 	
47 	CarbonCore 	CarbonCore@0x2b380 	
48 	CarbonCore 	CarbonCore@0x2b29f 	
49 	HIToolbox 	HIToolbox@0x65516 	
50 	HIToolbox 	HIToolbox@0x18812 	
51 	libmozglue.dylib 	arena_malloc 	jemalloc.c:1694
52 	AppKit 	AppKit@0x50da2 	
53 	libobjc.A.dylib 	libobjc.A.dylib@0xd566 	
54 	libmozglue.dylib 	arena_dalloc 	jemalloc.c:1679
55 	AppKit 	AppKit@0x4c1ba 	
56 	CoreFoundation 	CoreFoundation@0x4d80d 	
57 	CoreFoundation 	CoreFoundation@0x167b97 	
58 	libmozglue.dylib 	arena_dalloc 	jemalloc.c:1679
59 	AppKit 	AppKit@0x44c34 	
60 	libsystem_c.dylib 	libsystem_c.dylib@0x4d46f 	
61 	libsystem_c.dylib 	libsystem_c.dylib@0x3e1ef 	
62 	CoreFoundation 	CoreFoundation@0x4fd92 	
63 	libnspr4.dylib 	dstParams 	
64 	AppKit 	AppKit@0x4162c 	
65 	AppKit 	AppKit@0x44374 	
66 	CoreFoundation 	CoreFoundation@0x638e6 	
67 	CoreFoundation 	CoreFoundation@0x63845 	
68 	CoreFoundation 	CoreFoundation@0x6372f 	
69 	CoreFoundation 	CoreFoundation@0x38af8 	
70 	XUL 	nsIHttpHeaderVisitor::COMTypeInfo<int>::kIID 	
71 	CarbonCore 	CarbonCore@0x18087 	
72 	libsystem_c.dylib 	libsystem_c.dylib@0x4d6aa 	
73 	AppKit 	AppKit@0x98f82f 	
74 	Foundation 	Foundation@0xa4b6 	
75 	Foundation 	Foundation@0xa1f2 	
76 	CoreFoundation 	CoreFoundation@0x8bb3 	
77 	XUL 	XUL@0xdb0a6f 	
78 	CoreFoundation 	CoreFoundation@0x2a04 	
79 	libobjc.A.dylib 	libobjc.A.dylib@0xea22 	
80 	CoreFoundation 	CoreFoundation@0xf0cf 	
81 	libmozglue.dylib 	arena_malloc 	jemalloc.c:1694
82 	CoreFoundation 	CoreFoundation@0x38485 	
83 	HIToolbox 	HIToolbox@0x22be 	
84 	HIToolbox 	HIToolbox@0x94be 	
85 	CoreFoundation 	CoreFoundation@0x12579 	
86 	HIToolbox 	HIToolbox@0x93f9 	
87 	AppKit 	AppKit@0x8778 	
88 	CoreFoundation 	CoreFoundation@0x218d 	
89 	libmozglue.dylib 	arena_dalloc 	jemalloc.c:4568
90 	AppKit 	AppKit@0x807c 	
91 	AppKit 	AppKit@0x94922b 	
92 	AppKit 	AppKit@0x732ca
From 19.0a1/20101009, Mac crash signatures have a Windows look, so it's not a new crash.
Closed: 7 years ago
Resolution: --- → DUPLICATE
Duplicate of bug: 774070
Oops! bug 774070 is Android only.

Previous reports at:
Crash Signature: [@ js::gc::IsObjectMarked(js::EncapsulatedPtr<JSObject, unsigned long>*)] → [@ js::gc::IsObjectMarked(js::EncapsulatedPtr<JSObject, unsigned long>*)] [@ js::gc::IsObjectMarked]
Keywords: regression
Resolution: DUPLICATE → ---
Version: 19 Branch → Trunk
Crash Signature: [@ js::gc::IsObjectMarked(js::EncapsulatedPtr<JSObject, unsigned long>*)] [@ js::gc::IsObjectMarked] → [@ js::gc::IsObjectMarked(js::EncapsulatedPtr<JSObject, unsigned long>*)] [@ js::gc::IsObjectMarked] [@ js::WeakMap<js::EncapsulatedPtr<JSObject, unsigned int>, js::RelocatableValue, js::DefaultHasher<js::EncapsulatedPtr<JSObject unsigned int> > >::mark…
It's #1 top browser crasher on Mac in 16.0.1, 17.0b1, 18.0a2 and 19.0a1.

It's correlated to ABP 2.1.2 in all channels:
    100% (83/83) vs.  29% (233/803) {d10d0bf8-f5b5-c8b4-a8b2-2b9879e08c5d} (Adblock Plus,
  js::gc::IsObjectMarked|EXC_BAD_ACCESS / KERN_INVALID_ADDRESS (22 crashes)
    100% (22/22) vs.  52% (50/97) {d10d0bf8-f5b5-c8b4-a8b2-2b9879e08c5d} (Adblock Plus,
Keywords: topcrash
Summary: crash in js::gc::IsObjectMarked → crash in js::gc::IsObjectMarked with AdBlock Plus
Blocks: abp
May be a spike caused by yesterday's live streaming event.

"Waiting for the near-orbital jump press conference, watching the YouTube stream via the official site. It was in the background (on desktop 3 of 4; I was working in another desktop) and I didn't even notice the crash."
"Just tried to go to Am running NoScript"
"i show the jump from space record !!"
"i watching flash video + javascript page."

The fact that 16.0b6 and 15.0.1 are unaffected, while 16.0.1 is, points at a new change. bholley - could this have been caused by your recent security change in 16.0.1?
QA Contact:
(In reply to Alex Keybl [:akeybl] from comment #4)
> The fact that 16.0b6 and 15.0.1 are unaffected, while 16.0.1 is points at a
> new change. bholley - could this have been caused by your recent security
> change in 16.0.1?

Nothing jumps out at me.
OK - our last plan of action then is to test on 10.8 with ABP 2.1.2, on YouTube (preferably streaming) and other streaming Flash content.
Juan, can you have a look at this? I don't have access to a Mac OSX 10.8 machine.
QA Contact: → jbecerra
Bug 798678 is weakmap-related and may be the fix for this. ABP switched over to weak maps recently-ish, so they are probably the heaviest user of them, and thus more prone to finding problems there.
Depends on: 798678
That said, I don't see anything in that range that seems related to weak maps, so I'm not sure how that could have caused problems here.
(In reply to Andrew McCreight [:mccr8] from comment #9)
> That said, I don't see anything in that range that seems related to weak
> maps, so I'm not sure how that could have caused problems here.
It can be related to a new filter added around October 15 in one of the locale lists.
I've been trying to reproduce this on Mac OS X 10.8 using Nightly, Aurora, and Beta with AdBlock Plus 2.1.2. I've added all the filters available in the ABP preferences, and I have several tabs open including one with a youtube video, one with a live stream on ustream, and some cat videos.

I've been trying on and off for a couple of days and I haven't been able to crash. During the streaming I remember having seen the player progress widget spin and spin while it was trying to get the stream, but other than that I don't remember anything out of the ordinary.

I'll leave the machine running for now with a live stream. I'll report back if and when it crashes.
Thanks for testing Juan.

In the one day view for Mac OS X, this is no longer a top crasher.
Removing QAwanted since QA can't reproduce this issue locally. Please re-add it if you have more details about how it can be reproduced.
Keywords: qawanted
Assignee: general → nobody
Crash Signature: , unsigned int> > >::markIteratively(JSTracer*)] → , unsigned int> > >::markIteratively(JSTracer*)] [@ js::WeakMap<T>::markIteratively]