Closed Bug 821733 (compartment-mismatch) Opened 7 years ago Closed 4 months ago

[meta] crash in js::CompartmentChecker::fail

Categories

(Core :: JavaScript Engine, defect, critical)

Version: 20 Branch
Platform: All, Windows 7
Type: defect
Priority: Not set
Severity: critical

RESOLVED WORKSFORME

People

(Reporter: scoobidiver, Assigned: mccr8)

References

(Depends on 2 open bugs)

Details

(Keywords: crash, meta, Whiteboard: [please file new bugs marked as security sensitive and blocking this one])

It first showed up in 20.0a1/20121214 and is the #1 top crasher in this build. The regression range is:
http://hg.mozilla.org/mozilla-central/pushloghtml?fromchange=edd45de440ba&tochange=b11065872128
It's likely a regression from bug 782818.
One comment says it happens when previewing print.

Signature 	js::CompartmentChecker::fail(JSCompartment*, JSCompartment*)
UUID	a862a6de-4ba8-475f-ab60-011742121214
Date Processed	2012-12-14 16:27:59
Uptime	2531
Last Crash	2.3 weeks before submission
Install Age	42.2 minutes since version was first installed.
Install Time	2012-12-14 15:45:38
Product	Firefox
Version	20.0a1
Build ID	20121214030827
Release Channel	nightly
OS	Windows NT
OS Version	6.1.7601 Service Pack 1
Build Architecture	x86
Build Architecture Info	GenuineIntel family 6 model 45 stepping 6
Crash Reason	EXCEPTION_BREAKPOINT
Crash Address	0x697c493c
App Notes 	
AdapterVendorID: 0x10de, AdapterDeviceID: 0x1180, AdapterSubsysID: 26823842, AdapterDriverVersion: 9.18.13.1070
D2D? D2D+ DWrite? DWrite+ D3D10 Layers? D3D10 Layers+ 
EMCheckCompatibility	True
Adapter Vendor ID	0x10de
Adapter Device ID	0x1180
Total Virtual Memory	4294836224
Available Virtual Memory	3091460096
System Memory Use Percentage	22
Available Page File	29547761664
Available Physical Memory	13258416128

Frame 	Module 	Signature 	Source
0 	mozjs.dll 	js::CompartmentChecker::fail 	js/src/jscntxtinlines.h:204
1 	mozjs.dll 	JS_GetGlobalForObject 	js/src/jsapi.cpp:2233
2 	xul.dll 	mozilla::dom::URLBinding::revokeObjectURL 	obj-firefox/dom/bindings/URLBinding.cpp:268
3 	mozjs.dll 	js::InvokeKernel 	js/src/jsinterp.cpp:389
4 	mozjs.dll 	js::Interpret 	js/src/jsinterp.cpp:2348
5 	mozjs.dll 	js::RunScript 	js/src/jsinterp.cpp:338
6 	mozjs.dll 	js::InvokeKernel 	js/src/jsinterp.cpp:404
7 	mozjs.dll 	js::Invoke 	js/src/jsinterp.cpp:437
8 	mozjs.dll 	js::CrossCompartmentWrapper::call 	js/src/jswrapper.cpp:633
9 	xul.dll 	XPCConvert::NativeInterface2JSObject 	js/xpconnect/src/XPCConvert.cpp:1002
10 	xul.dll 	XPCCallContext::`scalar deleting destructor' 	
11 	mozjs.dll 	js::Invoke 	js/src/jsinterp.cpp:437
12 	mozjs.dll 	JS_CallFunctionValue 	js/src/jsapi.cpp:5792
13 	xul.dll 	mozilla::dom::EventHandlerNonNull::Call 	obj-firefox/dom/bindings/EventHandlerBinding.cpp:46
14 	xul.dll 	mozilla::dom::EventHandlerNonNull::Call<nsISupports*> 	obj-firefox/dist/include/mozilla/dom/EventHandlerBinding.h:59
15 	xul.dll 	nsJSEventListener::HandleEvent 	dom/src/events/nsJSEventListener.cpp:249
16 	xul.dll 	nsEventListenerManager::HandleEventInternal 	content/events/src/nsEventListenerManager.cpp:994
...

More reports at:
https://crash-stats.mozilla.com/report/list?signature=js%3A%3ACompartmentChecker%3A%3Afail%28JSCompartment*%2C+JSCompartment*%29
Can we skiplist js::CompartmentChecker::* and assertSameCompartment? bug 782818 was basically just turning on extra assertions for release builds. The more interesting part is _where_ the compartment check fails, which should show up in the stacks as caller of those functions.

This particular stack looks interesting for bz.
I kind of like having all compartment mismatches show up in one bin. They're usually really easy to fix when we have a stack, so hopefully we can get them down to zero and then just watch this signature for any new ones.
(In reply to Bill McCloskey (:billm) from comment #2)
> I kind of like having all compartment mismatches show up in one bin. They're
> usually really easy to fix when we have a stack, so hopefully we can get
> them down to zero and then just watch this signature for any new ones.

Fair enough.
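Added example, not part of the bug thread and not Socorro's code: a simplified model of crash-signature binning that shows the trade-off discussed in the comments above. It assumes the signature is the first stack frame not matched by a skip pattern; the function names and the `example::` stacks are constructed for illustration.

```python
import fnmatch
from collections import Counter

# Frames the comment above proposes to skip-list.
SKIP_PATTERNS = ["js::CompartmentChecker::*", "*assertSameCompartment*"]

# Frames 0-2 of the crash report quoted on this page.
PAGE_STACK = [
    "js::CompartmentChecker::fail",
    "JS_GetGlobalForObject",
    "mozilla::dom::URLBinding::revokeObjectURL",
]

# Constructed stacks (not real reports) standing in for other mismatches.
CONSTRUCTED_STACKS = [
    ["js::CompartmentChecker::fail", "js::assertSameCompartment",
     "example::CallerA"],
    ["js::CompartmentChecker::fail", "js::assertSameCompartment",
     "example::CallerB"],
]

ALL_STACKS = [PAGE_STACK] + CONSTRUCTED_STACKS


def signature(stack, skip_patterns=()):
    """Return the first frame that matches no skip pattern."""
    for frame in stack:
        if not any(fnmatch.fnmatchcase(frame, p) for p in skip_patterns):
            return frame
    return "EMPTY: all frames skipped"


def bins(stacks, skip_patterns=()):
    """Count reports per signature, as a crash-stats listing would."""
    return Counter(signature(s, skip_patterns) for s in stacks)


if __name__ == "__main__":
    # No skip list: every mismatch lands in one bin that is easy to watch.
    print("one bin:  ", dict(bins(ALL_STACKS)))
    # With skip list: each report is binned by the caller of the check.
    print("per site: ", dict(bins(ALL_STACKS, SKIP_PATTERNS)))
```

Without the skip list all three reports share the `js::CompartmentChecker::fail` signature; with it, each report is filed under the function that called the check.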
Tracking the fix in bug 821760, leaving this open per Bill's request so people can find it while searching for dups.
Depends on: 821842
I've looked at every one of these crashes that have been reported so far, and bug 821760 should account for almost all of them, so once the patch for that is landed, this shouldn't be a top crash any more.
The signatures from bug 821760 have gone away. Unfortunately, the signatures from bug 821842 appear to be fairly common. There are about 15 on the 12-16 build.
Tracking this since it's a topcrasher.
Depends on: 826392
Depends on: 826471
I've been categorizing and filing bugs for these crashes, so I'll just assign myself.
Assignee: general → continuation
These crashes are intentional, and will only happen on Nightly and maybe Aurora. Though without them, they may turn into other crashes. Basically, the goal here is to turn random weird crashes into things we can identify and fix.
Depends on: 827962
(In reply to Andrew McCreight [:mccr8] from comment #9)
> These crashes are intentional, and will only happen on Nightly and maybe
> Aurora. Though without them, they may turn into other crashes. Basically,
> the goal here is to turn random weird crashes into things we can identify
> and fix.

Ah, good. I hope this instrumentation works out in showing us the real problems, then. :)
No longer depends on: 825380
Depends on: 830389
Depends on: 830399
No longer depends on: 821842
Depends on: 817342
Depends on: 830595
Yes, that's the plan, after some more testing is done.
Depends on: 831742
Depends on: 831846
I can reproduce the crash.

Steps to reproduce:
0. Start Aurora20.0a2 with Newly created profile
1. Install https://addons.mozilla.org/en-US/firefox/addon/custom-buttons/
2. Restart
3. Print Preview

Actual results:
Crash
bp-cfc29fb6-5094-4cb2-b32b-5cfb82130118
Keywords: reproducible
That's fixed by the patch in bug 817342, which will land in Aurora when there's been enough testing, and when Aurora is open again for patch landing.
Keywords: reproducible → meta
Summary: crash in js::CompartmentChecker::fail → [meta] crash in js::CompartmentChecker::fail
Depends on: 832435
Depends on: 832377
No longer depends on: 832377
Duplicate of this bug: 832287
It's only #41 top browser crasher in 20.0a2 and #68 in 21.0a1 over the last three days, because of the various fixes in dependent bugs, so no longer a top crasher.
Yes, there's no reason to track this anyhow as it's a meta bug, so I'm just unsetting this. Even the status flag doesn't make sense, as this is Nightly/Aurora-only tooling, so it won't live the whole train.
(In reply to Robert Kaiser (:kairo@mozilla.com) from comment #17)
> this is Nightly/Aurora-only tooling, so it won't live the whole train.
It's no longer true.
(In reply to Scoobidiver from comment #18)
> (In reply to Robert Kaiser (:kairo@mozilla.com) from comment #17)
> > this is Nightly/Aurora-only tooling, so it won't live the whole train.
> It's no longer true.

From all I understand, if this signature leaks into beta or release, that's a bug.
(In reply to Robert Kaiser (:kairo@mozilla.com) from comment #19)
> From all I understand, if this signature leaks into beta or release, that's
> a bug.

That's correct.  It might be worth tracking just to check that it doesn't happen at all in beta.  I'll also check if I remember a few weeks after 20 gets into beta.
Depends on: 857238
Crash Signature: [@ js::CompartmentChecker::fail(JSCompartment*, JSCompartment*)] → [@ js::CompartmentChecker::fail(JSCompartment*, JSCompartment*)] [@ js::CompartmentChecker::fail(JS::Zone*, JS::Zone*) ]
OS: Windows 7 → All
OS: All → Windows 7
Crash Signature: [@ js::CompartmentChecker::fail(JSCompartment*, JSCompartment*)] [@ js::CompartmentChecker::fail(JS::Zone*, JS::Zone*) ] → [@ js::CompartmentChecker::fail(JSCompartment*, JSCompartment*)] [@ js::CompartmentChecker::fail(JS::Zone*, JS::Zone*)]
Got repeatable crash by visiting this page on the latest Nightly:

http://qt-project.org/downloads
Can you please link to the crash report that shows up in about:crashes?  Thanks.
I also got a crash on that page, but with the signature JSRope::flatten
  https://crash-stats.mozilla.com/report/index/bp-8eb0023b-c561-4bba-8414-f276c2130421
(In reply to mayankleoboy1 from comment #21)
> http://qt-project.org/downloads

Looks like this crash is already filed as bug 864037.  Thanks for the report!
Depends on: 864495
Depends on: 868823
Depends on: 869027
Depends on: 867771
Depends on: 869567
Depends on: 880697
Depends on: 881291
Depends on: 881854
Depends on: 882164
Depends on: 893519
Alias: compartment-mismatch
Depends on: 893527
Depends on: 894912
Depends on: 896900
Whiteboard: [firebug-p1]
(In reply to Jan Honza Odvarko from comment #28)
> https://crash-stats.mozilla.com/report/index/01dbc791-168c-4d54-8e74-ea1fb2130723
It's bug 896900.
(In reply to Jan Honza Odvarko from comment #28)
> Here is another STR I found yesterday:
This is a tracking bug for a large class of issues.  Please file new bugs blocking this one.
Whiteboard: [firebug-p1] → [please file new bugs blocking this one]
Depends on: 897043
Depends on: 897621
No longer depends on: 897621
Whiteboard: [please file new bugs blocking this one] → [please file new bugs marked as security sensitive and blocking this one]
Depends on: 919118
Depends on: 925019
Depends on: 925029
Depends on: 937191
Depends on: 936327
Depends on: 949940
Depends on: 960768
Depends on: 973629
Depends on: 973683
I don't see any of these crashes on Nightly or Aurora which is a little concerning.  I wonder if they got disabled somehow.
Depends on: 1154923
Crash Signature: [@ js::CompartmentChecker::fail(JSCompartment*, JSCompartment*)] [@ js::CompartmentChecker::fail(JS::Zone*, JS::Zone*)] → [@ js::CompartmentChecker::fail(JSCompartment*, JSCompartment*)] [@ js::CompartmentChecker::fail(JS::Zone*, JS::Zone*)] [@ js::CompartmentChecker::fail]
This bug has been tagged for regression and/or closure.

https://addons.mozilla.org/en-US/firefox/addon/custom-buttons/ [Print Preview]
http://www.qt.io/download/
Version 	46.0.1 - Good
Build ID 	20160502172042
Version 	48.0a2 - Good
Build ID 	20160513004028

Version 	49.0a1 - Oops
Build ID 	20160513030539
User Agent 	Mozilla/5.0 (Windows NT 5.1; rv:49.0) Gecko/20100101 Firefox/49.0
Produces: only when applying Print Preview while on about:addons 
[Exception... "Component returned failure code: 0x8000ffff (NS_ERROR_UNEXPECTED) [nsIWebBrowserPrint.printPreview]"  nsresult: "0x8000ffff (NS_ERROR_UNEXPECTED)"  location: "JS frame :: chrome://global/content/browser-content.js :: enterPrintPreview :: line 485"  data: no]

However no crash as reported earlier. Bug 1154921 is denied for me. Please let me know if can close, or if there are additional steps QA can assist with.
Thanks. This is just a meta bug. It doesn't really need the regression tag, so I'll remove that. There's nothing for QA to do here.
Keywords: regression
Crash Signature: [@ js::CompartmentChecker::fail(JSCompartment*, JSCompartment*)] [@ js::CompartmentChecker::fail(JS::Zone*, JS::Zone*)] [@ js::CompartmentChecker::fail] → [@ js::CompartmentChecker::fail]
Depends on: 1372992
Depends on: 1412876

Closing because no crashes reported for 12 weeks.

Status: NEW → RESOLVED
Closed: 4 months ago
Resolution: --- → WORKSFORME

The signature changed for the compartment checker at some point, and I think it just hasn't been happening enough for anybody to bother updating the signature, so I think it is okay to close this.