Closed Bug 937903 Opened 11 years ago Closed 7 years ago

crash in js::GCMarker::markBufferedGrayRoots(JS::Zone*)

Categories

(Core :: JavaScript Engine, defect)

x86
Windows NT
defect
Not set
critical

Tracking


RESOLVED WORKSFORME
Tracking Status
firefox25 --- affected
firefox26 + wontfix
firefox27 - affected
firefox28 - affected
firefox-esr45 --- unaffected

People

(Reporter: wsmwk, Unassigned)

Details

(Keywords: crash)


#17 crash for version 25. Windows only afaict

This bug was filed from the Socorro interface and is report bp-50bbfdaf-6687-4b2c-975f-23c462131108.
=============================================================
0	mozjs.dll	js::GCMarker::markBufferedGrayRoots(JS::Zone *)	js/src/jsgc.cpp
1	mozjs.dll	MarkGrayReferences<js::gc::GCZoneGroupIter,js::CompartmentsIterT<js::gc::GCZoneGroupIter> >	js/src/jsgc.cpp
2	mozjs.dll	EndMarkingZoneGroup	js/src/jsgc.cpp
3	mozjs.dll	BeginSweepPhase	js/src/jsgc.cpp
4	mozjs.dll	IncrementalCollectSlice	js/src/jsgc.cpp
5	mozjs.dll	GCCycle	js/src/jsgc.cpp
6	mozjs.dll	Collect	js/src/jsgc.cpp
7	mozjs.dll	js::GCSlice(JSRuntime *,js::JSGCInvocationKind,JS::gcreason::Reason,__int64)	js/src/jsgc.cpp
8	mozjs.dll	js_InvokeOperationCallback(JSContext *)	js/src/jscntxt.cpp
9	mozjs.dll	js_HandleExecutionInterrupt(JSContext *)	js/src/jscntxt.cpp
10	mozjs.dll	Interpret	js/src/vm/Interpreter.cpp 

I examined 3 crashes. All have the same source line: http://hg.mozilla.org/releases/mozilla-release/annotate/d86ad7db1de3/js/src/jsgc.cpp#l1853
This seems to be rising in the topcrash ranks, now #14 on 25 release; right now #37 on 26, but it might go higher there on release as well.

More crashes at https://crash-stats.mozilla.com/report/list?product=Firefox&signature=js%3A%3AGCMarker%3A%3AmarkBufferedGrayRoots%28JS%3A%3AZone%2A%29

I don't see any interesting correlations, and URLs are mostly https://www.facebook.com/ so also nothing interesting. :(
Naveed: anything landed in 25 timeframe that might be a culprit here given the code in comment #0?
Flags: needinfo?(nihsanullah)
Assignee: nobody → jcoppeard
Flags: needinfo?(nihsanullah)
Tracking since it's a topcrash - finding a backout would be ideal here given how late we are in the Beta cycle.
Too late for anything speculative - wontfixing for FF26.
I can't see anything in the JS engine that would cause this.  We don't do any checking of the gray roots passed in from the browser though, so my guess is that an invalid pointer is coming from there.

(I filed bug 943827 for broken OOM handling wrt gray root buffering, but I don't think that's related because the crash stats show this happens even when there is a lot of memory free).

Andrew, do you have any ideas?
Flags: needinfo?(continuation)
Unassigning myself as I'm not actively working on this at the moment.
Assignee: jcoppeard → nobody
Sorry for not getting to this more quickly.  As you said, this is probably somebody passing in a bad pointer.  The best path forward here is probably to immediately touch the object that is being saved away into the buffered gray roots, so we'd get the crash right away.  You'd want to do this in a way that the actual C++ callback is still on the stack, so we could see if there was a particular class that was doing it.  The cycle collector has had similar problems in the past, and it is nice to be able to see that one particular class is passing in junk.
Flags: needinfo?(continuation)
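The diagnostic approach Andrew describes, touching each gray root at the moment it is buffered so that the C++ callback supplying it is still on the stack, sketched as an added C++ example (not SpiderMonkey code); the cell arena, the CallbackScope marker and the callback names are assumptions made for the illustration.

```cpp
// Added example (not SpiderMonkey code): a gray-root buffer that validates
// each pointer while the C++ callback that supplied it is still on the
// stack, so a bad root is attributed to its source rather than surfacing
// later inside markBufferedGrayRoots().
#include <cstddef>
#include <cstdint>
#include <string>
#include <vector>
struct Cell { bool live; };                  // hypothetical GC cell header
static Cell g_arena[8];                      // hypothetical arena of cells
static std::string g_currentCallback = "<none>";  // callback now running
struct CallbackScope {                       // RAII marker for the callback
    explicit CallbackScope(const char* name) { g_currentCallback = name; }
    ~CallbackScope() { g_currentCallback = "<none>"; }
};
struct BadRoot { std::string callback; const void* ptr; };
static std::vector<const Cell*> g_grayRoots;  // buffered (validated) roots
static std::vector<BadRoot>     g_badRoots;   // rejected pointers + culprit

// Check bounds, alignment and liveness before storing the pointer, so the
// culprit callback is still on the stack when the problem is detected.
bool bufferGrayRoot(const void* thing) {
    const uintptr_t p  = reinterpret_cast<uintptr_t>(thing);
    const uintptr_t lo = reinterpret_cast<uintptr_t>(g_arena);
    const uintptr_t hi = reinterpret_cast<uintptr_t>(g_arena + 8);
    const bool inArena = p >= lo && p < hi;
    const bool aligned = inArena && ((p - lo) % sizeof(Cell)) == 0;
    const bool live    = aligned && static_cast<const Cell*>(thing)->live;
    if (!live) {
        g_badRoots.push_back({g_currentCallback, thing});
        return false;
    }
    g_grayRoots.push_back(static_cast<const Cell*>(thing));
    return true;
}

// The marking phase later only ever sees validated pointers.
size_t markBufferedGrayRoots() { return g_grayRoots.size(); }

// Constructed scenario: one well-behaved callback and one that hands over a
// freed cell and a pointer outside the arena; returns the rejected count.
size_t runScenario() {
    g_grayRoots.clear(); g_badRoots.clear();
    for (Cell& c : g_arena) c.live = true;
    g_arena[3].live = false;                 // "freed" cell
    { CallbackScope s("GoodTraceCallback"); bufferGrayRoot(&g_arena[1]); }
    { CallbackScope s("SuspectTraceCallback");
      bufferGrayRoot(&g_arena[3]); static int junk; bufferGrayRoot(&junk); }
    return g_badRoots.size();
}
```

In a real build the check in bufferGrayRoot would be a release assertion, so the crash report would carry the offending callback's frame instead of the later marking frame seen in comment 0.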
Removed topcrash keyword as this has fallen outside of the top 100 on both Aurora(27) and Nightly(28)
Keywords: topcrash-win
7 Day Ranking:
> Firefox 26: #67 @ 0.17% (+9 positions)
> Firefox 27: #73 @ 0.15% (+0 positions)
> Firefox 28: N/A
> Firefox 29: #291 @ 0.05% (+0 positions)

Given the volume I'm wondering if it's worth keeping this bug open any longer.
Given the ranking and volume, untracking this from release.
Crash Signature: [@ js::GCMarker::markBufferedGrayRoots(JS::Zone*)] → [@ js::GCMarker::markBufferedGrayRoots(JS::Zone*)] [@ js::GCMarker::markBufferedGrayRoots]
I'm marking this bug as WORKSFORME as the bug's crash log signature hasn't appeared for a long time (over half a year) [except some obsolete <39 versions; no crashes since version 39].
Status: NEW → RESOLVED
Closed: 7 years ago
Resolution: --- → WORKSFORME