Closed Bug 864033 Opened 9 years ago Closed 9 years ago

crash in js::ArgumentsObject::trace @ MarkInternal

Categories: Core :: JavaScript Engine, defect
Version: 23 Branch
Type: defect
Priority: Not set
Severity: critical
Status: RESOLVED DUPLICATE of bug 864002
Tracking Status: firefox22 --- unaffected; firefox23 --- affected
People: Reporter: scoobidiver, Assigned: djvj
Keywords: (5 keywords)
Whiteboard: [native-crash]

With the stack trace below, it first showed up in 23.0a1/20130420 where it's the #1 top crasher. The regression range is:
http://hg.mozilla.org/mozilla-central/pushloghtml?fromchange=64d6d002e888&tochange=dd03d42b01b1
It's likely a regression from bug 706885.

Signature 	MarkInternal<JSObject>
UUID	9366489d-eb6a-4b95-8848-3fbf32130420
Date Processed	2013-04-20 16:00:58
Uptime	219
Last Crash	more than 3 months before submission
Install Age	3.6 minutes since version was first installed.
Install Time	2013-04-20 15:56:55
Product	Firefox
Version	23.0a1
Build ID	20130420031010
Release Channel	nightly
OS	Windows NT
OS Version	6.1.7601 Service Pack 1
Build Architecture	x86
Build Architecture Info	GenuineIntel family 6 model 37 stepping 2
Crash Reason	EXCEPTION_ACCESS_VIOLATION_READ
Crash Address	0x542444c7
App Notes 	
AdapterVendorID: 0x1002, AdapterDeviceID: 0x68c1, AdapterSubsysID: 00000000, AdapterDriverVersion: 8.672.1.2000
D3D10 Layers? D3D10 Layers- D3D9 Layers? D3D9 Layers+ 
Processor Notes 	sp-processor08.phx1.mozilla.com_19982:2012; exploitability tool failed: 127
EMCheckCompatibility	True
Adapter Vendor ID	0x1002
Adapter Device ID	0x68c1
Total Virtual Memory	4294836224
Available Virtual Memory	3693658112
System Memory Use Percentage	22
Available Page File	14842105856
Available Physical Memory	6569525248

Frame 	Module 	Signature 	Source
0 	mozjs.dll 	MarkInternal<JSObject> 	js/src/gc/Marking.cpp:187
1 	mozjs.dll 	js::ArgumentsObject::trace 	js/src/vm/ArgumentsObject.cpp:566
2 	mozjs.dll 	js::GCMarker::processMarkStackTop 	js/src/gc/Marking.cpp:1412
3 	mozjs.dll 	js::GCMarker::drainMarkStack 	js/src/gc/Marking.cpp:1465
4 	mozjs.dll 	IncrementalCollectSlice 	js/src/jsgc.cpp:4289
5 	mozjs.dll 	GCCycle 	js/src/jsgc.cpp:4447
6 	mozjs.dll 	Collect 	js/src/jsgc.cpp:4606
7 	ntdll.dll 	KiUserApcDispatcher 	
8 	mozjs.dll 	js::GCSlice 	js/src/jsgc.cpp:4642
9 	mozjs.dll 	JS::IncrementalGC 	js/src/jsfriendapi.cpp:192
10 	xul.dll 	nsJSContext::GarbageCollectNow 	dom/base/nsJSEnvironment.cpp:2493
11 	xul.dll 	InterSliceGCTimerFired 	dom/base/nsJSEnvironment.cpp:2818
12 	xul.dll 	nsTimerImpl::Fire 	xpcom/threads/nsTimerImpl.cpp:543
13 	xul.dll 	nsTimerEvent::Run 	xpcom/threads/nsTimerImpl.cpp:630
14 	xul.dll 	nsThread::ProcessNextEvent 	xpcom/threads/nsThread.cpp:627
15 	xul.dll 	NS_ProcessNextEvent 	obj-firefox/xpcom/build/nsThreadUtils.cpp:238
16 	xul.dll 	mozilla::ipc::MessagePump::Run 	ipc/glue/MessagePump.cpp:82
17 	xul.dll 	MessageLoop::RunHandler 	ipc/chromium/src/base/message_loop.cc:212
18 	xul.dll 	MessageLoop::Run 	ipc/chromium/src/base/message_loop.cc:186
19 	xul.dll 	nsBaseAppShell::Run 	widget/xpwidgets/nsBaseAppShell.cpp:163
20 	xul.dll 	nsAppShell::Run 	widget/windows/nsAppShell.cpp:113
21 	xul.dll 	nsAppStartup::Run 	toolkit/components/startup/nsAppStartup.cpp:288
22 	xul.dll 	XREMain::XRE_mainRun 	toolkit/xre/nsAppRunner.cpp:3881
23 	xul.dll 	XREMain::XRE_main 	toolkit/xre/nsAppRunner.cpp:3948
24 	xul.dll 	XRE_main 	toolkit/xre/nsAppRunner.cpp:4160
25 	firefox.exe 	do_main 	browser/app/nsBrowserApp.cpp:271
26 	firefox.exe 	wmain 	toolkit/xre/nsWindowsWMain.cpp:105
27 	firefox.exe 	__tmainCRTStartup 	crtexe.c:552
28 	kernel32.dll 	BaseThreadInitThunk 	
29 	ntdll.dll 	__RtlUserThreadStart 	
30 	ntdll.dll 	_RtlUserThreadStart 	

More reports at:
https://crash-stats.mozilla.com/report/list?signature=MarkInternal%3CJSObject%3E
https://crash-stats.mozilla.com/report/list?signature=MarkInternal%3Cjs%3A%3AArgumentsObject%3E
Duplicate of this bug: 864030
I think bug 860145 or maybe bug 861841 are more likely, because they involve the arguments object.
Crash Signature: [@ MarkInternal<JSObject>] [@ MarkInternal<js::ArgumentsObject> ] → [@ MarkInternal<JSObject>] [@ MarkInternal<js::ArgumentsObject> ] [@ MarkInternal<JSString> ]
Whiteboard: [native-crash]
Me: bp-d83a9b62-5306-45ca-bcc6-8bef92130421. Just opened gmail from g-calendar. Hadn't yet clicked on the gmail page.
(In reply to Andrew McCreight [:mccr8] from comment #2)
> I think bug 860145 or maybe bug 861841 are more likely, because they involve
> the arguments object.

Quite crashy.

Shortly after restoring session. Closed a few tabs, including gmail, a couple of minutes before the crash. bp-31f5a569-0309-4028-bc63-005dd2130421 cites a URL. Will drop back to yesterday's build.
Keywords: dogfood
Crash Signature: [@ MarkInternal<JSObject>] [@ MarkInternal<js::ArgumentsObject> ] [@ MarkInternal<JSString> ] → [@ MarkInternal<JSObject>] [@ MarkInternal<js::ArgumentsObject> ] [@ MarkInternal<JSString> ] [@ MarkInternal<JSAtom> ]
Crash Signature: [@ MarkInternal<JSObject>] [@ MarkInternal<js::ArgumentsObject> ] [@ MarkInternal<JSString> ] [@ MarkInternal<JSAtom> ] → [@ MarkInternal<JSObject>] [@ MarkInternal<js::ArgumentsObject> ] [@ MarkInternal<JSString> ] [@ MarkInternal<JSAtom>]
Crashes on Nightly, when surfing gmail.com
bp-0a2c6676-33be-4035-a8b0-747452130422

Mozilla/5.0 (Windows NT 6.2; WOW64; rv:23.0) Gecko/20130421 Firefox/23.0
Crash Signature: [@ MarkInternal<JSObject>] [@ MarkInternal<js::ArgumentsObject> ] [@ MarkInternal<JSString> ] [@ MarkInternal<JSAtom>] → [@ MarkInternal<JSObject>] [@ MarkInternal<js::ArgumentsObject> ] [@ MarkInternal<JSString> ] [@ MarkInternal<JSAtom>] [@ js::gc::MarkKind(JSTracer*, void**, JSGCTraceKind) ]
Crash Signature: [@ MarkInternal<JSObject>] [@ MarkInternal<js::ArgumentsObject> ] [@ MarkInternal<JSString> ] [@ MarkInternal<JSAtom>] [@ js::gc::MarkKind(JSTracer*, void**, JSGCTraceKind) ] → [@ MarkInternal<JSObject>] [@ MarkInternal<js::ArgumentsObject> ] [@ MarkInternal<JSString> ] [@ MarkInternal<JSAtom>] [@ js::gc::MarkKind(JSTracer*, void**, JSGCTraceKind)]
> Can I get access to 861841?
Done.  Thanks for looking into this.
Assignee: general → kvijayan
Depends on: 864002
I'd advise making this bug secure, as well.
There's nothing here people can't see from going to crash-stats, so I think it doesn't matter.
Could it be related to bug 668583? I suddenly get a lot of crashes and the signatures correspond to either 668583 or 864033.
(In reply to Mathieu Marquer from comment #10)
> Could it be related to bug 668583? I suddenly get a lot of crashes and the
> signatures correspond to either 668583 or 864033.

Unlikely. I think the issue is known now and there is a patch for it on a related bug, which should be pushed soon.
Crash Signature: [@ MarkInternal<JSObject>] [@ MarkInternal<js::ArgumentsObject> ] [@ MarkInternal<JSString> ] [@ MarkInternal<JSAtom>] [@ js::gc::MarkKind(JSTracer*, void**, JSGCTraceKind)] → [@ MarkInternal<JSObject>] [@ MarkInternal<js::ArgumentsObject> ] [@ MarkInternal<JSString> ] [@ MarkInternal<JSAtom>] [@ MarkInternal<JSFunction>] [@ js::gc::MarkKind(JSTracer*, void**, JSGCTraceKind)]
Duplicate of this bug: 865941
Reproducible easily via the steps at bug 865941.

/be
Group: javascript-core-security
The new security groups aren't actually set up yet, despite their tempting presence on bugzilla.
Group: javascript-core-security → core-security
(In reply to Brendan Eich [:brendan] from comment #13)
> Reproducible easily via the steps at bug 865941.
> 
> /be

Is this using the latest nightly (Apr 25 build or later)? I'm trying to repro it as stated in bug 865941 on an OS X nightly as of today, and not having any luck.
April 22 build is the last build where I encountered this crash, it seems to be gone since April 23 (or April 24 in case I missed a release).
(In reply to Mathieu Marquer from comment #16)
> April 22 build is the last build where I encountered this crash, it seems to
> be gone since April 23 (or April 24 in case I missed a release).

Yeah, the ArgsObj patch got backed out on Apr 22, so the Apr 23 build would not have shown the problem. The issue with the patch was identified, and both the argsobj patch and the fix were pushed back in on Apr 24.

I was planning on marking this bug a dup of bug 864002, but if it's reproing on an Apr 25 nightly (or later), then it's a separate issue.
Taking silence as indication that this is not showing up anymore.
Status: NEW → RESOLVED
Closed: 9 years ago
Resolution: --- → DUPLICATE
Duplicate of bug: 864002
Removing sec-sensitive, as was done for bug 864002.
Group: core-security