Closed Bug 864033 Opened 12 years ago Closed 12 years ago

crash in js::ArgumentsObject::trace @ MarkInternal

Categories

(Core :: JavaScript Engine, defect)

23 Branch
defect
Not set
critical

Tracking

RESOLVED DUPLICATE of bug 864002
Tracking Status
firefox22 --- unaffected
firefox23 --- affected

People

(Reporter: scoobidiver, Assigned: djvj)

References

Details

(5 keywords, Whiteboard: [native-crash])

Crash Data

With the stack trace below, it first showed up in 23.0a1/20130420 where it's #1 top crasher. The regression range is: http://hg.mozilla.org/mozilla-central/pushloghtml?fromchange=64d6d002e888&tochange=dd03d42b01b1 It's likely a regression from bug 706885.

Signature MarkInternal<JSObject>
UUID 9366489d-eb6a-4b95-8848-3fbf32130420
Date Processed 2013-04-20 16:00:58
Uptime 219
Last Crash more than 3 months before submission
Install Age 3.6 minutes since version was first installed.
Install Time 2013-04-20 15:56:55
Product Firefox
Version 23.0a1
Build ID 20130420031010
Release Channel nightly
OS Windows NT
OS Version 6.1.7601 Service Pack 1
Build Architecture x86
Build Architecture Info GenuineIntel family 6 model 37 stepping 2
Crash Reason EXCEPTION_ACCESS_VIOLATION_READ
Crash Address 0x542444c7
App Notes AdapterVendorID: 0x1002, AdapterDeviceID: 0x68c1, AdapterSubsysID: 00000000, AdapterDriverVersion: 8.672.1.2000 D3D10 Layers? D3D10 Layers- D3D9 Layers? D3D9 Layers+
Processor Notes sp-processor08.phx1.mozilla.com_19982:2012; exploitability tool failed: 127
EMCheckCompatibility True
Adapter Vendor ID 0x1002
Adapter Device ID 0x68c1
Total Virtual Memory 4294836224
Available Virtual Memory 3693658112
System Memory Use Percentage 22
Available Page File 14842105856
Available Physical Memory 6569525248

Frame Module Signature Source
0 mozjs.dll MarkInternal<JSObject> js/src/gc/Marking.cpp:187
1 mozjs.dll js::ArgumentsObject::trace js/src/vm/ArgumentsObject.cpp:566
2 mozjs.dll js::GCMarker::processMarkStackTop js/src/gc/Marking.cpp:1412
3 mozjs.dll js::GCMarker::drainMarkStack js/src/gc/Marking.cpp:1465
4 mozjs.dll IncrementalCollectSlice js/src/jsgc.cpp:4289
5 mozjs.dll GCCycle js/src/jsgc.cpp:4447
6 mozjs.dll Collect js/src/jsgc.cpp:4606
7 ntdll.dll KiUserApcDispatcher
8 mozjs.dll js::GCSlice js/src/jsgc.cpp:4642
9 mozjs.dll JS::IncrementalGC js/src/jsfriendapi.cpp:192
10 xul.dll nsJSContext::GarbageCollectNow dom/base/nsJSEnvironment.cpp:2493
11 xul.dll InterSliceGCTimerFired dom/base/nsJSEnvironment.cpp:2818
12 xul.dll nsTimerImpl::Fire xpcom/threads/nsTimerImpl.cpp:543
13 xul.dll nsTimerEvent::Run xpcom/threads/nsTimerImpl.cpp:630
14 xul.dll nsThread::ProcessNextEvent xpcom/threads/nsThread.cpp:627
15 xul.dll NS_ProcessNextEvent obj-firefox/xpcom/build/nsThreadUtils.cpp:238
16 xul.dll mozilla::ipc::MessagePump::Run ipc/glue/MessagePump.cpp:82
17 xul.dll MessageLoop::RunHandler ipc/chromium/src/base/message_loop.cc:212
18 xul.dll MessageLoop::Run ipc/chromium/src/base/message_loop.cc:186
19 xul.dll nsBaseAppShell::Run widget/xpwidgets/nsBaseAppShell.cpp:163
20 xul.dll nsAppShell::Run widget/windows/nsAppShell.cpp:113
21 xul.dll nsAppStartup::Run toolkit/components/startup/nsAppStartup.cpp:288
22 xul.dll XREMain::XRE_mainRun toolkit/xre/nsAppRunner.cpp:3881
23 xul.dll XREMain::XRE_main toolkit/xre/nsAppRunner.cpp:3948
24 xul.dll XRE_main toolkit/xre/nsAppRunner.cpp:4160
25 firefox.exe do_main browser/app/nsBrowserApp.cpp:271
26 firefox.exe wmain toolkit/xre/nsWindowsWMain.cpp:105
27 firefox.exe __tmainCRTStartup crtexe.c:552
28 kernel32.dll BaseThreadInitThunk
29 ntdll.dll __RtlUserThreadStart
30 ntdll.dll _RtlUserThreadStart

More reports at:
https://crash-stats.mozilla.com/report/list?signature=MarkInternal%3CJSObject%3E
https://crash-stats.mozilla.com/report/list?signature=MarkInternal%3Cjs%3A%3AArgumentsObject%3E
I think bug 860145 or maybe bug 861841 are more likely, because they involve the arguments object.
Crash Signature: [@ MarkInternal<JSObject>] [@ MarkInternal<js::ArgumentsObject> ] → [@ MarkInternal<JSObject>] [@ MarkInternal<js::ArgumentsObject> ] [@ MarkInternal<JSString> ]
Whiteboard: [native-crash]
me bp-d83a9b62-5306-45ca-bcc6-8bef92130421 just opened gmail from g-calendar. hadn't yet clicked on the gmail page.
(In reply to Andrew McCreight [:mccr8] from comment #2)
> I think bug 860145 or maybe bug 861841 are more likely, because they involve
> the arguments object.

quite crashy shortly after restoring session. closed a few tabs including gmail a couple minutes before crash. bp-31f5a569-0309-4028-bc63-005dd2130421 cites a URL. Will drop back to yesterday's build
Keywords: dogfood
Crash Signature: [@ MarkInternal<JSObject>] [@ MarkInternal<js::ArgumentsObject> ] [@ MarkInternal<JSString> ] → [@ MarkInternal<JSObject>] [@ MarkInternal<js::ArgumentsObject> ] [@ MarkInternal<JSString> ] [@ MarkInternal<JSAtom> ]
Crash Signature: [@ MarkInternal<JSObject>] [@ MarkInternal<js::ArgumentsObject> ] [@ MarkInternal<JSString> ] [@ MarkInternal<JSAtom> ] → [@ MarkInternal<JSObject>] [@ MarkInternal<js::ArgumentsObject> ] [@ MarkInternal<JSString> ] [@ MarkInternal<JSAtom>]
Crashes on Nightly, when surfing gmail.com bp-0a2c6676-33be-4035-a8b0-747452130422 Mozilla/5.0 (Windows NT 6.2; WOW64; rv:23.0) Gecko/20130421 Firefox/23.0
Crash Signature: [@ MarkInternal<JSObject>] [@ MarkInternal<js::ArgumentsObject> ] [@ MarkInternal<JSString> ] [@ MarkInternal<JSAtom>] → [@ MarkInternal<JSObject>] [@ MarkInternal<js::ArgumentsObject> ] [@ MarkInternal<JSString> ] [@ MarkInternal<JSAtom>] [@ js::gc::MarkKind(JSTracer*, void**, JSGCTraceKind) ]
Crash Signature: [@ MarkInternal<JSObject>] [@ MarkInternal<js::ArgumentsObject> ] [@ MarkInternal<JSString> ] [@ MarkInternal<JSAtom>] [@ js::gc::MarkKind(JSTracer*, void**, JSGCTraceKind) ] → [@ MarkInternal<JSObject>] [@ MarkInternal<js::ArgumentsObject> ] [@ MarkInternal<JSString> ] [@ MarkInternal<JSAtom>] [@ js::gc::MarkKind(JSTracer*, void**, JSGCTraceKind)]
> Can I get access to 861841?

Done. Thanks for looking into this.
Assignee: general → kvijayan
Depends on: 864002
I'd advise making this bug secure, as well.
There's nothing here people can't see from going to crash-stats, so I think it doesn't matter.
Could it be related to bug 668583? I suddenly get a lot of crashes and the signature corresponds to either 668583 or 864033.
(In reply to Mathieu Marquer from comment #10)
> Could it be related to bug 668583? I suddenly get a lot of crashes and the
> signature corresponds to either 668583 or 864033.

Unlikely. I think the issue is known now and there is a patch for it on a related bug, which should be pushed soon.
Crash Signature: [@ MarkInternal<JSObject>] [@ MarkInternal<js::ArgumentsObject> ] [@ MarkInternal<JSString> ] [@ MarkInternal<JSAtom>] [@ js::gc::MarkKind(JSTracer*, void**, JSGCTraceKind)] → [@ MarkInternal<JSObject>] [@ MarkInternal<js::ArgumentsObject> ] [@ MarkInternal<JSString> ] [@ MarkInternal<JSAtom>] [@ MarkInternal<JSFunction>] [@ js::gc::MarkKind(JSTracer*, void**, JSGCTraceKind)]
Reproducible easily via the steps at bug 865941. /be
Group: javascript-core-security
The new security groups aren't actually set up yet, despite their tempting presence on bugzilla.
Group: javascript-core-security → core-security
(In reply to Brendan Eich [:brendan] from comment #13)
> Reproducible easily via the steps at bug 865941.
>
> /be

Is this using latest nightly (Apr 25 build or later)? I'm trying to repro it as stated in bug 865941 on an OSX nightly as of today, and not having any luck.
April 22 build is the last build where I encountered this crash, it seems to be gone since April 23 (or April 24 in case I missed a release).
(In reply to Mathieu Marquer from comment #16)
> April 22 build is the last build where I encountered this crash, it seems to
> be gone since April 23 (or April 24 in case I missed a release).

Yeah, the ArgsObj patch got backed out on Apr 22, so the Apr 23 build would not have shown the problem. The issue with the patch was identified, and both the argsobj patch and fix were pushed back in on Apr 24. I was planning on marking this bug a dup of bug 864002, but if it's reproing on an April 25 nightly (or later), then it's a separate issue.
Taking silence as indication that this is not showing up anymore.
Status: NEW → RESOLVED
Closed: 12 years ago
Resolution: --- → DUPLICATE
removing sec-sensitive as was done for bug 864002
Group: core-security