Closed
Bug 864033
Opened 9 years ago
Closed 9 years ago
crash in js::ArgumentsObject::trace @ MarkInternal
Categories
(Core :: JavaScript Engine, defect)
Tracking
RESOLVED
DUPLICATE
of bug 864002
Version | Tracking | Status |
---|---|---|
firefox22 | --- | unaffected |
firefox23 | --- | affected |
People
(Reporter: scoobidiver, Assigned: djvj)
References
Details
(5 keywords, Whiteboard: [native-crash])
Crash Data
With the stack trace below, it first showed up in 23.0a1/20130420 where it's #1 top crasher. The regression range is:
http://hg.mozilla.org/mozilla-central/pushloghtml?fromchange=64d6d002e888&tochange=dd03d42b01b1
It's likely a regression from bug 706885.

Signature: MarkInternal<JSObject>
UUID: 9366489d-eb6a-4b95-8848-3fbf32130420
Date Processed: 2013-04-20 16:00:58
Uptime: 219
Last Crash: more than 3 months before submission
Install Age: 3.6 minutes since version was first installed.
Install Time: 2013-04-20 15:56:55
Product: Firefox
Version: 23.0a1
Build ID: 20130420031010
Release Channel: nightly
OS: Windows NT
OS Version: 6.1.7601 Service Pack 1
Build Architecture: x86
Build Architecture Info: GenuineIntel family 6 model 37 stepping 2
Crash Reason: EXCEPTION_ACCESS_VIOLATION_READ
Crash Address: 0x542444c7
App Notes: AdapterVendorID: 0x1002, AdapterDeviceID: 0x68c1, AdapterSubsysID: 00000000, AdapterDriverVersion: 8.672.1.2000 D3D10 Layers? D3D10 Layers- D3D9 Layers? D3D9 Layers+
Processor Notes: sp-processor08.phx1.mozilla.com_19982:2012; exploitability tool failed: 127
EMCheckCompatibility: True
Adapter Vendor ID: 0x1002
Adapter Device ID: 0x68c1
Total Virtual Memory: 4294836224
Available Virtual Memory: 3693658112
System Memory Use Percentage: 22
Available Page File: 14842105856
Available Physical Memory: 6569525248

Frame | Module | Signature | Source |
---|---|---|---|
0 | mozjs.dll | MarkInternal<JSObject> | js/src/gc/Marking.cpp:187 |
1 | mozjs.dll | js::ArgumentsObject::trace | js/src/vm/ArgumentsObject.cpp:566 |
2 | mozjs.dll | js::GCMarker::processMarkStackTop | js/src/gc/Marking.cpp:1412 |
3 | mozjs.dll | js::GCMarker::drainMarkStack | js/src/gc/Marking.cpp:1465 |
4 | mozjs.dll | IncrementalCollectSlice | js/src/jsgc.cpp:4289 |
5 | mozjs.dll | GCCycle | js/src/jsgc.cpp:4447 |
6 | mozjs.dll | Collect | js/src/jsgc.cpp:4606 |
7 | ntdll.dll | KiUserApcDispatcher | |
8 | mozjs.dll | js::GCSlice | js/src/jsgc.cpp:4642 |
9 | mozjs.dll | JS::IncrementalGC | js/src/jsfriendapi.cpp:192 |
10 | xul.dll | nsJSContext::GarbageCollectNow | dom/base/nsJSEnvironment.cpp:2493 |
11 | xul.dll | InterSliceGCTimerFired | dom/base/nsJSEnvironment.cpp:2818 |
12 | xul.dll | nsTimerImpl::Fire | xpcom/threads/nsTimerImpl.cpp:543 |
13 | xul.dll | nsTimerEvent::Run | xpcom/threads/nsTimerImpl.cpp:630 |
14 | xul.dll | nsThread::ProcessNextEvent | xpcom/threads/nsThread.cpp:627 |
15 | xul.dll | NS_ProcessNextEvent | obj-firefox/xpcom/build/nsThreadUtils.cpp:238 |
16 | xul.dll | mozilla::ipc::MessagePump::Run | ipc/glue/MessagePump.cpp:82 |
17 | xul.dll | MessageLoop::RunHandler | ipc/chromium/src/base/message_loop.cc:212 |
18 | xul.dll | MessageLoop::Run | ipc/chromium/src/base/message_loop.cc:186 |
19 | xul.dll | nsBaseAppShell::Run | widget/xpwidgets/nsBaseAppShell.cpp:163 |
20 | xul.dll | nsAppShell::Run | widget/windows/nsAppShell.cpp:113 |
21 | xul.dll | nsAppStartup::Run | toolkit/components/startup/nsAppStartup.cpp:288 |
22 | xul.dll | XREMain::XRE_mainRun | toolkit/xre/nsAppRunner.cpp:3881 |
23 | xul.dll | XREMain::XRE_main | toolkit/xre/nsAppRunner.cpp:3948 |
24 | xul.dll | XRE_main | toolkit/xre/nsAppRunner.cpp:4160 |
25 | firefox.exe | do_main | browser/app/nsBrowserApp.cpp:271 |
26 | firefox.exe | wmain | toolkit/xre/nsWindowsWMain.cpp:105 |
27 | firefox.exe | __tmainCRTStartup | crtexe.c:552 |
28 | kernel32.dll | BaseThreadInitThunk | |
29 | ntdll.dll | __RtlUserThreadStart | |
30 | ntdll.dll | _RtlUserThreadStart | |

More reports at:
https://crash-stats.mozilla.com/report/list?signature=MarkInternal%3CJSObject%3E
https://crash-stats.mozilla.com/report/list?signature=MarkInternal%3Cjs%3A%3AArgumentsObject%3E
Comment 2•9 years ago
I think bug 860145 or maybe bug 861841 are more likely, because they involve the arguments object.
Reporter
Updated•9 years ago
Crash Signature: [@ MarkInternal<JSObject>]
[@ MarkInternal<js::ArgumentsObject> ] → [@ MarkInternal<JSObject>]
[@ MarkInternal<js::ArgumentsObject> ]
[@ MarkInternal<JSString> ]
Whiteboard: [native-crash]
Comment 3•9 years ago
me bp-d83a9b62-5306-45ca-bcc6-8bef92130421 just opened gmail from g-calendar. hadn't yet clicked on the gmail page.
Comment 4•9 years ago
(In reply to Andrew McCreight [:mccr8] from comment #2)
> I think bug 860145 or maybe bug 861841 are more likely, because they involve
> the arguments object.
quite crashy shortly after restoring session. closed a few tabs including gmail a couple minutes before crash. bp-31f5a569-0309-4028-bc63-005dd2130421 cites a URL. Will drop back to yesterday's build
Keywords: dogfood
Reporter
Updated•9 years ago
Crash Signature: [@ MarkInternal<JSObject>]
[@ MarkInternal<js::ArgumentsObject> ]
[@ MarkInternal<JSString> ] → [@ MarkInternal<JSObject>]
[@ MarkInternal<js::ArgumentsObject> ]
[@ MarkInternal<JSString> ]
[@ MarkInternal<JSAtom> ]
Reporter
Updated•9 years ago
Crash Signature: [@ MarkInternal<JSObject>]
[@ MarkInternal<js::ArgumentsObject> ]
[@ MarkInternal<JSString> ]
[@ MarkInternal<JSAtom> ] → [@ MarkInternal<JSObject>]
[@ MarkInternal<js::ArgumentsObject> ]
[@ MarkInternal<JSString> ]
[@ MarkInternal<JSAtom>]
Comment 5•9 years ago
Crashes on Nightly, when surfing gmail.com
bp-0a2c6676-33be-4035-a8b0-747452130422
Mozilla/5.0 (Windows NT 6.2; WOW64; rv:23.0) Gecko/20130421 Firefox/23.0
Reporter
Updated•9 years ago
Crash Signature: [@ MarkInternal<JSObject>]
[@ MarkInternal<js::ArgumentsObject> ]
[@ MarkInternal<JSString> ]
[@ MarkInternal<JSAtom>] → [@ MarkInternal<JSObject>]
[@ MarkInternal<js::ArgumentsObject> ]
[@ MarkInternal<JSString> ]
[@ MarkInternal<JSAtom>]
[@ js::gc::MarkKind(JSTracer*, void**, JSGCTraceKind) ]
Reporter
Updated•9 years ago
Crash Signature: [@ MarkInternal<JSObject>]
[@ MarkInternal<js::ArgumentsObject> ]
[@ MarkInternal<JSString> ]
[@ MarkInternal<JSAtom>]
[@ js::gc::MarkKind(JSTracer*, void**, JSGCTraceKind) ] → [@ MarkInternal<JSObject>]
[@ MarkInternal<js::ArgumentsObject> ]
[@ MarkInternal<JSString> ]
[@ MarkInternal<JSAtom>]
[@ js::gc::MarkKind(JSTracer*, void**, JSGCTraceKind)]
Comment 7•9 years ago
> Can I get access to 861841?
Done. Thanks for looking into this.
Assignee
Updated•9 years ago
Assignee: general → kvijayan
Assignee
Comment 8•9 years ago
I'd advise making this bug secure, as well.
Comment 9•9 years ago
There's nothing here people can't see from going to crash-stats, so I think it doesn't matter.
Comment 10•9 years ago
Could it be related to bug 668583? I suddenly get a lot of crashes and the signatures correspond to either 668583 or 864033.
Assignee
Comment 11•9 years ago
(In reply to Mathieu Marquer from comment #10)
> Could it be related to bug 668583? I suddenly get a lot of crashes and
> the signatures correspond to either 668583 or 864033.
Unlikely. I think the issue is known now and there is a patch for it on a related bug, which should be pushed soon.
Reporter
Updated•9 years ago
Crash Signature: [@ MarkInternal<JSObject>]
[@ MarkInternal<js::ArgumentsObject> ]
[@ MarkInternal<JSString> ]
[@ MarkInternal<JSAtom>]
[@ js::gc::MarkKind(JSTracer*, void**, JSGCTraceKind)] → [@ MarkInternal<JSObject>]
[@ MarkInternal<js::ArgumentsObject> ]
[@ MarkInternal<JSString> ]
[@ MarkInternal<JSAtom>]
[@ MarkInternal<JSFunction>]
[@ js::gc::MarkKind(JSTracer*, void**, JSGCTraceKind)]
Comment 13•9 years ago
Reproducible easily via the steps at bug 865941.

/be
Updated•9 years ago
Group: javascript-core-security
Comment 14•9 years ago
The new security groups aren't actually set up yet, despite their tempting presence on bugzilla.
Group: javascript-core-security → core-security
Updated•9 years ago
Keywords: reproducible
Assignee
Comment 15•9 years ago
(In reply to Brendan Eich [:brendan] from comment #13)
> Reproducible easily via the steps at bug 865941.
>
> /be
Is this using latest nightly (Apr 25 build or later)? I'm trying to repro it as stated in bug 865941 on an OSX nightly as of today, and not having any luck.
Comment 16•9 years ago
April 22 build is the last build where I encountered this crash, it seems to be gone since April 23 (or April 24 in case I missed a release).
Assignee
Comment 17•9 years ago
(In reply to Mathieu Marquer from comment #16)
> April 22 build is the last build where I encountered this crash, it seems to
> be gone since April 23 (or April 24 in case I missed a release).
Yeah, the ArgsObj patch got backed out on Apr 22, so the Apr 23 build would not have shown the problem. The issue with the patch was identified, and both the argsobj patch and fix were pushed back in on Apr 24. I was planning on marking this bug a dup of bug 864002, but if it's reproing on an April 25 nightly (or later), then it's a separate issue.
Assignee
Comment 18•9 years ago
Taking silence as indication that this is not showing up anymore.
Status: NEW → RESOLVED
Closed: 9 years ago
Resolution: --- → DUPLICATE
Duplicate of bug: 864002
Updated•9 years ago
tracking-firefox23: ? → ---