Bug 821733 (compartment-mismatch)

[meta] crash in js::CompartmentChecker::fail

NEW
Assigned to

Status

()

Core
JavaScript Engine
--
critical
4 years ago
a year ago

People

(Reporter: Scoobidiver (away), Assigned: mccr8)

Tracking

(Depends on: 1 bug, {crash, meta})

20 Branch
All
Windows 7
crash, meta
Points:
---
Dependency tree / graph

Firefox Tracking Flags

(Not tracked)

Details

(Whiteboard: [please file new bugs marked as security sensitive and blocking this one], crash signature)

(Reporter)

Description

4 years ago
It first showed up in 20.0a1/20121214 and is #1 top crasher in this build. The regression range is:
http://hg.mozilla.org/mozilla-central/pushloghtml?fromchange=edd45de440ba&tochange=b11065872128
It's likely a regression from bug 782818.
One comment says it happens when previewing print.

Signature 	js::CompartmentChecker::fail(JSCompartment*, JSCompartment*) More Reports Search
UUID	a862a6de-4ba8-475f-ab60-011742121214
Date Processed	2012-12-14 16:27:59
Uptime	2531
Last Crash	2.3 weeks before submission
Install Age	42.2 minutes since version was first installed.
Install Time	2012-12-14 15:45:38
Product	Firefox
Version	20.0a1
Build ID	20121214030827
Release Channel	nightly
OS	Windows NT
OS Version	6.1.7601 Service Pack 1
Build Architecture	x86
Build Architecture Info	GenuineIntel family 6 model 45 stepping 6
Crash Reason	EXCEPTION_BREAKPOINT
Crash Address	0x697c493c
App Notes 	
AdapterVendorID: 0x10de, AdapterDeviceID: 0x1180, AdapterSubsysID: 26823842, AdapterDriverVersion: 9.18.13.1070
D2D? D2D+ DWrite? DWrite+ D3D10 Layers? D3D10 Layers+ 
EMCheckCompatibility	True
Adapter Vendor ID	0x10de
Adapter Device ID	0x1180
Total Virtual Memory	4294836224
Available Virtual Memory	3091460096
System Memory Use Percentage	22
Available Page File	29547761664
Available Physical Memory	13258416128

Frame 	Module 	Signature 	Source
0 	mozjs.dll 	js::CompartmentChecker::fail 	js/src/jscntxtinlines.h:204
1 	mozjs.dll 	JS_GetGlobalForObject 	js/src/jsapi.cpp:2233
2 	xul.dll 	mozilla::dom::URLBinding::revokeObjectURL 	obj-firefox/dom/bindings/URLBinding.cpp:268
3 	mozjs.dll 	js::InvokeKernel 	js/src/jsinterp.cpp:389
4 	mozjs.dll 	js::Interpret 	js/src/jsinterp.cpp:2348
5 	mozjs.dll 	js::RunScript 	js/src/jsinterp.cpp:338
6 	mozjs.dll 	js::InvokeKernel 	js/src/jsinterp.cpp:404
7 	mozjs.dll 	js::Invoke 	js/src/jsinterp.cpp:437
8 	mozjs.dll 	js::CrossCompartmentWrapper::call 	js/src/jswrapper.cpp:633
9 	xul.dll 	XPCConvert::NativeInterface2JSObject 	js/xpconnect/src/XPCConvert.cpp:1002
10 	xul.dll 	XPCCallContext::`scalar deleting destructor' 	
11 	mozjs.dll 	js::Invoke 	js/src/jsinterp.cpp:437
12 	mozjs.dll 	JS_CallFunctionValue 	js/src/jsapi.cpp:5792
13 	xul.dll 	mozilla::dom::EventHandlerNonNull::Call 	obj-firefox/dom/bindings/EventHandlerBinding.cpp:46
14 	xul.dll 	mozilla::dom::EventHandlerNonNull::Call<nsISupports*> 	obj-firefox/dist/include/mozilla/dom/EventHandlerBinding.h:59
15 	xul.dll 	nsJSEventListener::HandleEvent 	dom/src/events/nsJSEventListener.cpp:249
16 	xul.dll 	nsEventListenerManager::HandleEventInternal 	content/events/src/nsEventListenerManager.cpp:994
...

More reports at;
https://crash-stats.mozilla.com/report/list?signature=js%3A%3ACompartmentChecker%3A%3Afail%28JSCompartment*%2C+JSCompartment*%29
Can we skiplist js::CompartmentChecker::* and assertSameCompartment? bug 782818 was basically just turning on extra assertions for release builds. The more interesting part is _where_ the compartment check fails, which should show up in the stacks as caller of those functions.

This particular stack looks interesting for bz.
I kind of like having all compartment mismatches show up in one bin. They're usually really easy to fix when we have a stack, so hopefully we can get them down to zero and then just watch this signature for any new ones.
(In reply to Bill McCloskey (:billm) from comment #2)
> I kind of like having all compartment mismatches show up in one bin. They're
> usually really easy to fix when we have a stack, so hopefully we can get
> them down to zero and then just watch this signature for any new ones.

Fair enough.
Depends on: 821760
Tracking the fix in bug 821760, leaving this open per Bill's request so people can find it while searching for dups.
(Assignee)

Updated

4 years ago
Depends on: 821842
(Assignee)

Comment 5

4 years ago
I've looked at every one of these crashes that have been reported so far, and bug 821760 should account for almost all of them, so once the patch for that is landed, this shouldn't be a top crash any more.
(Assignee)

Comment 6

4 years ago
The signatures from bug 821760 have gone away. Unfortunately, the signatures from bug 821842 appear to be fairly common. There are about 15 on the 12-16 build.
Tracking this since it's a topcrasher.
tracking-firefox20: ? → +
Depends on: 825380
(Assignee)

Updated

4 years ago
Depends on: 826392
(Assignee)

Updated

4 years ago
Depends on: 826471
(Assignee)

Comment 8

4 years ago
I've been categorizing and filing bugs for these crashes, so I'll just assign myself.
Assignee: general → continuation
(Assignee)

Comment 9

4 years ago
These crashes are intentional, and will only happen on Nightly and maybe Aurora. Though without them, they may turn into other crashes. Basically, the goal here is to turn random weird crashes into things we can identify and fix.
(Assignee)

Updated

4 years ago
Depends on: 827962

Comment 10

4 years ago
(In reply to Andrew McCreight [:mccr8] from comment #9)
> These crashes are intentional, and will only happen on Nightly and maybe
> Aurora. Though without them, they may turn into other crashes. Basically,
> the goal here is to turn random weird crashes into things we can identify
> and fix.

Ah, good. I hope this instrumentation works out in showing us the real problems, then. :)
(Assignee)

Updated

4 years ago
No longer depends on: 825380
(Assignee)

Updated

4 years ago
Depends on: 830389
(Assignee)

Updated

4 years ago
Depends on: 830399
(Assignee)

Updated

4 years ago
No longer depends on: 821842
(Assignee)

Updated

4 years ago
Depends on: 817342
(Assignee)

Updated

4 years ago
Depends on: 830595
(Reporter)

Comment 11

4 years ago
Crashes have almost completely stopped since 21.0a1/20130111:
https://crash-stats.mozilla.com/report/list?product=Firefox&version=Firefox%3A20.0a1&version=Firefox%3A21.0a1&query_search=signature&query_type=contains&reason_type=contains&range_value=4&range_unit=weeks&do_query=1&signature=js%3A%3ACompartmentChecker%3A%3Afail%28JSCompartment*%2C%20JSCompartment*%29

The working range is:
http://hg.mozilla.org/mozilla-central/pushloghtml?fromchange=0a6e5a67c4e8&tochange=8592c41069c2

It seems the fix of bug 817342 is the one that has drastically improved the situation.
Can you uplift it to Aurora and maybe Beta (if they were other crashes previously)?
(Assignee)

Comment 12

4 years ago
Yes, that's the plan, after some more testing is done.
(Assignee)

Updated

4 years ago
Depends on: 831742
(Assignee)

Updated

4 years ago
Depends on: 831846

Comment 13

4 years ago
I can reproduce the crash.

Steps to reproduce:
0. Start Aurora20.0a2 with Newly created profile
1. Install https://addons.mozilla.org/en-US/firefox/addon/custom-buttons/
2. Restart
3. Print Preview

Actual results:
Crash
bp-cfc29fb6-5094-4cb2-b32b-5cfb82130118
Keywords: reproducible
(Assignee)

Comment 14

4 years ago
That's fixed by the patch in bug 817342, which will land in Aurora when there's been enough testing, and when Aurora is open again for patch landing.
(Reporter)

Updated

4 years ago
Keywords: reproducible → meta
(Reporter)

Updated

4 years ago
Summary: crash in js::CompartmentChecker::fail → [meta] crash in js::CompartmentChecker::fail

Updated

4 years ago
Depends on: 832435
(Reporter)

Updated

4 years ago
Depends on: 832377
(Assignee)

Updated

4 years ago
No longer depends on: 832377
Duplicate of this bug: 832287
(Reporter)

Comment 16

4 years ago
It's only #41 top browser crasher in 20.0a2 and #68 in 21.0a1 over the last three days, because of the various fixes in dependent bugs, so no longer a top crasher.
tracking-firefox20: + → ?
Keywords: topcrash

Comment 17

4 years ago
Yes, there's no reason to track this anyhow as it's a meta bug, so I'm just unsetting this. Even the status flag doesn't make sense, as this is Nightly/Aurora-only tooling, so it won't live the whole train.
status-firefox20: affected → ---
tracking-firefox20: ? → ---
(Reporter)

Comment 18

4 years ago
(In reply to Robert Kaiser (:kairo@mozilla.com) from comment #17)
> this is Nightly/Aurora-only tooling, so it won't live the whole train.
It's no longer true.

Comment 19

4 years ago
(In reply to Scoobidiver from comment #18)
> (In reply to Robert Kaiser (:kairo@mozilla.com) from comment #17)
> > this is Nightly/Aurora-only tooling, so it won't live the whole train.
> It's no longer true.

From all I understand, if this signature leaks into beta or release, that's a bug.
(Assignee)

Comment 20

4 years ago
(In reply to Robert Kaiser (:kairo@mozilla.com) from comment #19)
> From all I understand, if this signature leaks into beta or release, that's
> a bug.

That's correct.  It might be worth tracking just to check that it doesn't happen at all in beta.  I'll also check if I remember a few weeks after 20 gets into beta.
(Assignee)

Updated

4 years ago
Depends on: 857238
(Reporter)

Updated

4 years ago
Crash Signature: [@ js::CompartmentChecker::fail(JSCompartment*, JSCompartment*)] → [@ js::CompartmentChecker::fail(JSCompartment*, JSCompartment*)] [@ js::CompartmentChecker::fail(JS::Zone*, JS::Zone*) ]
(Reporter)

Updated

4 years ago
OS: Windows 7 → All
(Reporter)

Updated

4 years ago
OS: All → Windows 7
(Reporter)

Updated

4 years ago
Crash Signature: [@ js::CompartmentChecker::fail(JSCompartment*, JSCompartment*)] [@ js::CompartmentChecker::fail(JS::Zone*, JS::Zone*) ] → [@ js::CompartmentChecker::fail(JSCompartment*, JSCompartment*)] [@ js::CompartmentChecker::fail(JS::Zone*, JS::Zone*)]

Comment 21

4 years ago
Got repeatable crash by visiting this page on the latest Nightly :

http://qt-project.org/downloads
(Assignee)

Comment 22

4 years ago
Can you please link to the crash report that shows up in about:crashes?  Thanks.
(Assignee)

Comment 23

4 years ago
I also got a crash on that page, but with the signature JSRope::flatten
  https://crash-stats.mozilla.com/report/index/bp-8eb0023b-c561-4bba-8414-f276c2130421
(Assignee)

Comment 24

4 years ago
(In reply to mayankleoboy1 from comment #21)
> http://qt-project.org/downloads

Look like this crash is already filed as bug 864037.  Thanks for the report!
(Reporter)

Updated

4 years ago
Depends on: 864495
Depends on: 868823
(Reporter)

Updated

4 years ago
Depends on: 869027
(Assignee)

Updated

4 years ago
Depends on: 867771
Depends on: 869567
Depends on: 880697
Depends on: 881291
(Reporter)

Updated

4 years ago
Depends on: 881854
(Reporter)

Updated

4 years ago
Depends on: 882164

Updated

4 years ago
Depends on: 893519

Updated

4 years ago
Alias: compartment-mismatch

Updated

4 years ago
Depends on: 893527
Depends on: 894912
(Reporter)

Updated

4 years ago
Depends on: 896900
Whiteboard: [firebug-p1]
(Reporter)

Comment 29

4 years ago
(In reply to Jan Honza Odvarko from comment #28)
> https://crash-stats.mozilla.com/report/index/01dbc791-168c-4d54-8e74-
> ea1fb2130723
It's bug 896900.
(Assignee)

Comment 30

4 years ago
(In reply to Jan Honza Odvarko from comment #28)
> Here is another STR I found yesterday:
This is a tracking bug for a large class of issues.  Please file new bugs blocking this one.
(Assignee)

Updated

4 years ago
Whiteboard: [firebug-p1] → [please file new bugs blocking this one]
(Assignee)

Updated

4 years ago
Depends on: 897043

Updated

4 years ago
Depends on: 897621
(Assignee)

Updated

4 years ago
No longer depends on: 897621
(Reporter)

Updated

4 years ago
Whiteboard: [please file new bugs blocking this one] → [please file new bugs marked as security sensitive and blocking this one]
(Assignee)

Updated

4 years ago
Depends on: 919118
(Assignee)

Updated

4 years ago
Depends on: 925019
(Assignee)

Updated

4 years ago
Depends on: 925029

Updated

4 years ago
Depends on: 937191
(Assignee)

Updated

4 years ago
Depends on: 936327

Updated

3 years ago
Depends on: 949940
(Assignee)

Updated

3 years ago
Depends on: 960768
(Assignee)

Updated

3 years ago
Depends on: 973629
(Assignee)

Updated

3 years ago
Depends on: 973683
(Assignee)

Comment 32

2 years ago
I don't see any of these crashes on Nightly or Aurora which is a little concerning.  I wonder if they got disabled somehow.
(Assignee)

Updated

2 years ago
Depends on: 1154923

Updated

2 years ago
Crash Signature: [@ js::CompartmentChecker::fail(JSCompartment*, JSCompartment*)] [@ js::CompartmentChecker::fail(JS::Zone*, JS::Zone*)] → [@ js::CompartmentChecker::fail(JSCompartment*, JSCompartment*)] [@ js::CompartmentChecker::fail(JS::Zone*, JS::Zone*)] [@ js::CompartmentChecker::fail]
This bug has been tagged for regression and or closure.

https://addons.mozilla.org/en-US/firefox/addon/custom-buttons/ [Print Preview]
http://www.qt.io/download/
Version 	46.0.1 - Good
Build ID 	20160502172042
Version 	48.0a2 - Good
Build ID 	20160513004028

Version 	49.0a1 - Oops
Build ID 	20160513030539
User Agent 	Mozilla/5.0 (Windows NT 5.1; rv:49.0) Gecko/20100101 Firefox/49.0
Produces: only when applying Print Preview while on about:addons 
[Exception... "Component returned failure code: 0x8000ffff (NS_ERROR_UNEXPECTED) [nsIWebBrowserPrint.printPreview]"  nsresult: "0x8000ffff (NS_ERROR_UNEXPECTED)"  location: "JS frame :: chrome://global/content/browser-content.js :: enterPrintPreview :: line 485"  data: no]

However no crash as reported earlier. Bug 1154921 is denied for me. Please let me know if can close, or if there are additional steps QA can assist with.
(Assignee)

Comment 34

a year ago
Thanks. This is just a meta bug. It doesn't really need the regression tag, so I'll remove that. There's nothing for QA to do here.
Keywords: regression
You need to log in before you can comment on or make changes to this bug.