Closed Bug 1191503 Opened 9 years ago Closed 6 years ago

Crash [@ DispatchToTracer<T>(JSTracer*, JSString**, char const*)]

Categories

(Core :: JavaScript: GC, defect)

40 Branch
defect
Not set
critical

Tracking

RESOLVED DUPLICATE
Tracking Status
firefox40 --- affected
firefox41 --- affected
firefox42 --- affected
firefox43 --- affected
firefox47 --- affected
firefox48 --- affected
firefox49 --- affected
firefox-esr45 --- affected
firefox50 --- affected
firefox51 --- affected
firefox52 --- wontfix
firefox53 --- affected
firefox61 --- affected

People

(Reporter: ehoogeveen, Unassigned)

References

(Blocks 1 open bug)

Details

(Keywords: crash)

Crash Data

This bug was filed from the Socorro interface and is report bp-a820fffd-0e04-41ee-9bf2-af82c2150805.
=============================================================
Got this crash today; I wasn't doing anything in particular - in fact it crashed while Firefox did not have focus. I don't know that I was necessarily idle, as I was reading some things and may have been moving my mouse.

Crash stats show over 1500 crashes with this signature in the past month, with Firefox 40 being the earliest affected version, and all crashing users are running some variant of Windows. Unfortunately mine is the only crash with a comment, and I don't know how to reproduce.
FWIW I don't usually crash (my last report was 2 months ago), so my crash might also be related to the spike in GC crashes on Nightly today (e.g. bug 1191465).
This signature spiked on the August 5 build and is very likely the same root cause as bug 1191465. If the volume goes back down in tomorrow's nightly (which is expected to have a fix) then I'll resolve this.
Status: NEW → RESOLVED
Closed: 9 years ago
Resolution: --- → DUPLICATE
https://crash-stats.mozilla.com/report/list?signature=DispatchToTracer%3CT%3E%28JSTracer*%2C+JSString**%2C+char+const*%29&range_value=7&range_unit=days&date=2015-10-03

Crash Reports for DispatchToTracer<T>(JSTracer*, JSString**, char const*) (Last 7 days)

Operating System   Percentage   Number Of Crashes
Windows 7          62.30%       1112
Windows 10         11.32%       202
Windows 8.1        10.87%       194
Windows XP         10.36%       185
Windows Vista      3.02%        54
Windows 8          2.07%        37
Windows Unknown    0.06%        1
Status: RESOLVED → REOPENED
Resolution: DUPLICATE → ---
Summary: crash in DispatchToTracer<T>(JSTracer*, JSString**, char const*) → Crash [@ DispatchToTracer<T>(JSTracer*, JSString**, char const*)]
Version: Trunk → 40 Branch
https://crash-stats.mozilla.com/report/index/6367ed22-5647-43df-92b4-656052151003

Crashing Thread

Frame Module Signature Source
0 xul.dll DispatchToTracer<JSString*>(JSTracer*, JSString**, char const*) js/src/gc/Marking.cpp
1 xul.dll TraceChildrenFunctor::operator()<JSScript>(JSTracer*, void*) js/src/gc/Tracer.cpp
2 xul.dll UnmarkGrayTracer::onChild(JS::GCCellPtr const&) js/src/gc/Marking.cpp
3 xul.dll DispatchToTracer<JSScript*>(JSTracer*, JSScript**, char const*) js/src/gc/Marking.cpp
4 xul.dll TraceChildrenFunctor::operator()<JSObject>(JSTracer*, void*) js/src/gc/Tracer.cpp
5 xul.dll UnmarkGrayTracer::onChild(JS::GCCellPtr const&) js/src/gc/Marking.cpp
6 xul.dll JS::CallbackTracer::onObjectEdge(JSObject**) js/public/TracingAPI.h
7 xul.dll DoCallback<JSObject*>(JS::CallbackTracer*, JSObject**, char const*) js/src/gc/Tracer.cpp
8 xul.dll TraceChildrenFunctor::operator()<js::ObjectGroup>(JSTracer*, void*) js/src/gc/Tracer.cpp
9 xul.dll UnmarkGrayTracer::onChild(JS::GCCellPtr const&) js/src/gc/Marking.cpp
10 xul.dll DispatchToTracer<js::ObjectGroup*>(JSTracer*, js::ObjectGroup**, char const*) js/src/gc/Marking.cpp
11 xul.dll UnmarkGrayCellRecursivelyFunctor::operator()<JSObject>(JSObject*) js/src/gc/Marking.cpp
12 xul.dll JS::UnmarkGrayGCThingRecursively(JS::GCCellPtr) js/src/gc/Marking.cpp
13 xul.dll CycleCollectorMarkListeners dom/base/nsFrameMessageManager.cpp
14 xul.dll nsBaseHashtable<nsStringHashKey, nsAutoPtr<nsAutoTObserverArray<nsMessageListenerInfo, 1> >, nsAutoTObserverArray<nsMessageListenerInfo, 1>*>::EnumerateRead(PLDHashOperator (*)(nsAString_internal const&, nsAutoTObserverArray<nsMessageListenerInfo, 1>*, void*), void*) xpcom/glue/nsBaseHashtable.h
15 xul.dll nsFrameMessageManager::MarkForCC() dom/base/nsFrameMessageManager.cpp
16 xul.dll mozilla::dom::TabChildGlobal::MarkForCC() dom/ipc/TabChild.cpp
17 xul.dll MarkWindowList(nsISimpleEnumerator*, bool, bool) dom/base/nsCCUncollectableMarker.cpp
18 xul.dll nsCCUncollectableMarker::Observe(nsISupports*, char const*, wchar_t const*) dom/base/nsCCUncollectableMarker.cpp
19 xul.dll nsObserverList::NotifyObservers(nsISupports*, char const*, wchar_t const*) xpcom/ds/nsObserverList.cpp
20 xul.dll nsObserverService::NotifyObservers(nsISupports*, char const*, wchar_t const*) xpcom/ds/nsObserverService.cpp
21 xul.dll XPCJSRuntime::PrepareForForgetSkippable() js/xpconnect/src/XPCJSRuntime.cpp
22 xul.dll nsCycleCollector::ForgetSkippable(bool, bool) xpcom/base/nsCycleCollector.cpp
23 xul.dll nsCycleCollector_forgetSkippable(bool, bool) xpcom/base/nsCycleCollector.cpp
24 xul.dll FireForgetSkippable dom/base/nsJSEnvironment.cpp
25 xul.dll CCTimerFired dom/base/nsJSEnvironment.cpp
26 xul.dll nsTimerImpl::Fire() xpcom/threads/nsTimerImpl.cpp
27 xul.dll nsTimerEvent::Run() xpcom/threads/TimerThread.cpp
28 xul.dll nsThread::ProcessNextEvent(bool, bool*) xpcom/threads/nsThread.cpp
29 xul.dll mozilla::ipc::MessagePump::Run(base::MessagePump::Delegate*) ipc/glue/MessagePump.cpp
30 xul.dll mozilla::ipc::MessagePumpForChildProcess::Run(base::MessagePump::Delegate*) ipc/glue/MessagePump.cpp
31 xul.dll MessageLoop::RunHandler() ipc/chromium/src/base/message_loop.cc
32 xul.dll MessageLoop::Run() ipc/chromium/src/base/message_loop.cc
33 xul.dll nsBaseAppShell::Run() widget/nsBaseAppShell.cpp
34 xul.dll nsAppShell::Run() widget/windows/nsAppShell.cpp
35 xul.dll XRE_RunAppShell toolkit/xre/nsEmbedFunctions.cpp
36 xul.dll mozilla::ipc::MessagePumpForChildProcess::Run(base::MessagePump::Delegate*) ipc/glue/MessagePump.cpp
37 xul.dll MessageLoop::RunHandler() ipc/chromium/src/base/message_loop.cc
38 xul.dll MessageLoop::Run() ipc/chromium/src/base/message_loop.cc
39 xul.dll XRE_InitChildProcess toolkit/xre/nsEmbedFunctions.cpp
40 plugin-container.exe wmain toolkit/xre/nsWindowsWMain.cpp
41 plugin-container.exe __tmainCRTStartup f:/dd/vctools/crt/crtw32/startup/crt0.c:255
Ø 42 kernel32.dll kernel32.dll@0x159dc
Ø 43 ntdll.dll ntdll.dll@0x2a630
https://crash-stats.mozilla.com/report/list?signature=DispatchToTracer%3CT%3E%28JSTracer*%2C+JSString**%2C+char+const*%29#tab-comments

Comments 49.

It just crashed while viewing Classmates.com page.
Submitted: 2015-09-28T14:51:07+00:00

This is the third time in the last hour and all I'm doing is listening to music on Youtube
Submitted: 2015-10-02T11:58:16+00:00

I just changed operating systems to WIN 10 09/28/2015 This morning I had a game, - Face Book Hidden Express. Other game sites have the same issue. My program says it is up to date. What do I do next? Help Mike @ (email removed) 09/29/15
Submitted: 2015-09-29T14:35:58+00:00

Always crashes on POGO>COM
Submitted: 2015-09-29T18:47:21+00:00

Shockwave Plugin is the issue
Submitted: 2015-09-28T16:23:46+00:00

Shockwave is not working since I have windows 10
Submitted: 2015-09-30T02:14:19+00:00
Crash Signature: [@ DispatchToTracer<T>(JSTracer*, JSString**, char const*)] → [@ DispatchToTracer<T>(JSTracer*, JSString**, char const*)] [@ DispatchToTracer<T>]
#60 crash for 44.0.2. So not a topcrash. But not a slouch either. Many users with this crash also have several other js crash sigs, like chandan
DispatchToTracer<T> bp-6eec3949-7d46-4276-a30b-31aa12160303
js::gc::StoreBuffer::MonoTypeBuffer<T>::trace bp-4d5c94b6-8971-4de0-9dfa-f38f12160302
js::GCMarker::eagerlyMarkChildren bp-70d38588-8cef-4f20-8f55-2d7192160303
PtrToNodeMatchEntry bp-54ff235f-6d22-49e7-9f13-1facf2160303
Do we need str for this crash, I'm able to crash constantly Nightly with this crash sig: https://crash-stats.mozilla.com/report/index/a3d93ec1-2958-4232-8d44-1b8fd2160325 More info here: https://bugzilla.mozilla.org/show_bug.cgi?id=1192988#c1 Ignore crash sigs from there, since it is already past.
#8 content process top crash on beta 47 build 1.
Blocks: e10s-crashes
semtex2@o2.pl, are you still able to reproduce this?
Flags: needinfo?(semtex2)
Nope, I don't see this crash anymore.
Flags: needinfo?(semtex2)
Crash volume for signature 'DispatchToTracer<T>':
 - nightly (version 50): 64 crashes from 2016-06-06.
 - aurora  (version 49): 117 crashes from 2016-06-07.
 - beta    (version 48): 4526 crashes from 2016-06-06.
 - release (version 47): 19072 crashes from 2016-05-31.
 - esr     (version 45): 468 crashes from 2016-04-07.

Crash volume on the last weeks:
             Week N-1   Week N-2   Week N-3   Week N-4   Week N-5   Week N-6   Week N-7
 - nightly   6          16         8          11         9          4          9
 - aurora    19         16         24         23         20         10         4
 - beta      893        824        861        753        583        383        122
 - release   3058       3077       2988       2936       3069       2700       944
 - esr       65         73         59         45         70         62         19

Affected platforms: Windows, Linux
Crash volume for signature 'DispatchToTracer<T>':
 - nightly (version 51): 38 crashes from 2016-08-01.
 - aurora  (version 50): 55 crashes from 2016-08-01.
 - beta    (version 49): 977 crashes from 2016-08-02.
 - release (version 48): 1872 crashes from 2016-07-25.
 - esr     (version 45): 770 crashes from 2016-05-02.

Crash volume on the last weeks (Week N is from 08-22 to 08-28):
             W. N-1   W. N-2   W. N-3
 - nightly   8        13       14
 - aurora    19       18       8
 - beta      321      317      107
 - release   631      532      308
 - esr       66       73       66

Affected platforms: Windows, Linux

Crash rank on the last 7 days:
             Browser   Content   Plugin
 - nightly   #265      #138
 - aurora    #144      #44
 - beta      #49       #25
 - release   #31       #17
 - esr       #125
Crash volume for signature 'DispatchToTracer<T>':
 - nightly (version 52): 13 crashes from 2016-09-19.
 - aurora  (version 51): 9 crashes from 2016-09-19.
 - beta    (version 50): 256 crashes from 2016-09-20.
 - release (version 49): 1284 crashes from 2016-09-05.
 - esr     (version 45): 1256 crashes from 2016-06-01.

Crash volume on the last weeks (Week N is from 10-03 to 10-09):
             W. N-1   W. N-2
 - nightly   6        7
 - aurora    8        1
 - beta      211      45
 - release   1043     240
 - esr       117      122

Affected platforms: Windows, Linux

Crash rank on the last 7 days:
             Browser   Content   Plugin
 - nightly   #253      #220
 - aurora    #371      #175
 - beta      #95       #64
 - release   #68       #25
 - esr       #101
Crash volume for signature 'DispatchToTracer<T>':
 - nightly (version 53): 41 crashes from 2016-11-14.
 - aurora  (version 52): 65 crashes from 2016-11-14.
 - beta    (version 51): 1860 crashes from 2016-11-14.
 - release (version 50): 5190 crashes from 2016-11-01.
 - esr     (version 45): 2811 crashes from 2016-07-06.

Crash volume on the last weeks (Week N is from 01-02 to 01-08):
             W. N-1   W. N-2   W. N-3   W. N-4   W. N-5   W. N-6   W. N-7
 - nightly   6        1        9        7        3        7        8
 - aurora    7        17       12       6        8        14       0
 - beta      264      266      336      316      261      224      102
 - release   787      916      804      793      684      698      242
 - esr       145      175      156      135      126      124      133

Affected platforms: Windows, Linux

Crash rank on the last 7 days:
             Browser   Content   Plugin
 - nightly   #239      #130
 - aurora    #350      #107
 - beta      #70       #32
 - release   #103      #63
 - esr       #114
Too late for firefox 52, mass-wontfix.
This just happened to me while remote debugging a website and trying to inspect a style sheet on the page using the DevTools within the WebIDE: https://crash-stats.mozilla.com/report/index/79273a87-eebe-4d47-8139-d8e5d0170505 Sebastian
Weirdly enough this crash has generated two crash reports simultaneously. https://crash-stats.mozilla.com/report/index/2f380373-7716-4326-8db8-15e5e0171117 Is it normal? Why two, not one crash report? Can anyone look, please?
Crash Signature: [@ DispatchToTracer<T>(JSTracer*, JSString**, char const*)] [@ DispatchToTracer<T>] → [@ DispatchToTracer<T>]
Crash Signature: [@ DispatchToTracer<T>] → [@ DispatchToTracer<T>] [@ DispatchToTracer<T>(JSTracer*, JSString**, char const*)]
OS: Windows → All
It looks like it's a MacOS only crash those days. There are no results on crash-stats for `[@ DispatchToTracer<T>(JSTracer*, JSString**, char const*)]`.

0 XUL void DispatchToTracer<js::BaseShape*>(JSTracer*, js::BaseShape**, char const*) js/src/gc/Cell.h:225
1 XUL js::BaseShape::traceChildren(JSTracer*) js/src/vm/Shape.cpp:1471
2 XUL js::GCMarker::eagerlyMarkChildren(js::Shape*) js/src/gc/Marking.cpp:1106
3 XUL js::GCMarker::processMarkStackTop(js::SliceBudget&) js/src/gc/Marking.cpp:909
4 XUL js::GCMarker::drainMarkStack(js::SliceBudget&) js/src/gc/Marking.cpp:1631
5 XUL js::gc::GCRuntime::incrementalCollectSlice(js::SliceBudget&, JS::gcreason::Reason, js::gc::AutoTraceSession&) js/src/gc/GC.cpp:5836
6 XUL js::gc::GCRuntime::gcCycle(bool, js::SliceBudget&, JS::gcreason::Reason) js/src/gc/GC.cpp:7392
7 XUL js::gc::GCRuntime::collect(bool, js::SliceBudget, JS::gcreason::Reason) js/src/gc/GC.cpp:7535
8 XUL js::gc::GCRuntime::startGC(JSGCInvocationKind, JS::gcreason::Reason, long long) js/src/gc/GC.cpp:0
9 XUL nsJSContext::GarbageCollectNow(JS::gcreason::Reason, nsJSContext::IsIncremental, nsJSContext::IsShrinking, long long) dom/base/nsJSEnvironment.cpp:1240

Since December crash rate is 20-30% less for Firefox perhaps because the crash rate appears to be much lower in v60 - https://crash-stats.mozilla.com/signature/?product=Firefox&signature=DispatchToTracer%3CT%3E&date=%3E%3D2018-10-29T14%3A20%3A00.000Z&date=%3C2019-04-29T14%3A20%3A00.000Z#graphs

None of the few crashes I sampled have (js::Shape) on the stack, including Mac crashes.

And currently not Mac-only as noted in comment 22.

I suggest the current signatures are unrelated to the original report and so perhaps this bug should be closed

Flags: needinfo?(jcoppeard)

This function has been replaced so I'll dupe this to bug 1474623.

Status: REOPENED → RESOLVED
Closed: 9 years ago → 6 years ago
Flags: needinfo?(jcoppeard)
Resolution: --- → DUPLICATE

(In reply to Jon Coppeard (:jonco) from comment #24)

This function has been replaced so I'll dupe this to bug 1474623.

*** This bug has been marked as a duplicate of bug 1474623 ***

We use Spidermonkey 45 embedded in a server process. We can easily trigger a crash in DispatchToTracer<JSString*> and a stack:

#0  0x00007f18c6d979d8 in DispatchToTracer<JSObject*> (trc=0x7f188c4c9390, thingp=0x0, name=0x7f18c6fb5f30 "parser.object") at ../../dist/include/js/TracingAPI.h:281
#1  0x00007f18c6d98cc5 in js::TraceRoot<JSObject*> (trc=<optimized out>, thingp=<optimized out>, name=<optimized out>)
#2  0x00007f18c6d7220c in js::frontend::ObjectBox::trace (this=<optimized out>, trc=trc@entry=0x7f188c4c9390)
#3  0x00007f18c685a19c in js::frontend::Parser<js::frontend::FullParseHandler>::trace (this=this@entry=0x7f18a5ff92e8, trc=trc@entry=0x7f188c4c9390)
#4  0x00007f18c684d879 in js::frontend::MarkParser (trc=trc@entry=0x7f188c4c9390, parser=parser@entry=0x7f18a5ff92f0)
#5  0x00007f18c6d8bfbb in trace (trc=0x7f188c4c9390, this=0x7f18a5ff92f0)
#6  traceAllInContext<JSContext> (cx=0x7f188db2c930, trc=0x7f188c4c9390)
#7  JS::AutoGCRooter::traceAll (trc=trc@entry=0x7f188c4c9390)
#8  0x00007f18c6d8dd26 in js::gc::GCRuntime::markRuntime (this=this@entry=0x7f188c4c7548, trc=trc@entry=0x7f188c4c9390, traceOrMark=traceO
#9  0x00007f18c6b7d0d0 in js::gc::GCRuntime::beginMarkPhase (this=this@entry=0x7f188c4c7548, reason=reason@entry=JS::gcreason::LAST_DITCH)
#10 0x00007f18c6b83ab7 in js::gc::GCRuntime::incrementalCollectSlice (this=this@entry=0x7f188c4c7548, budget=..., reason=reason@entry=JS::
#11 0x00007f18c6b84a61 in js::gc::GCRuntime::gcCycle (this=this@entry=0x7f188c4c7548, nonincrementalByAPI=nonincrementalByAPI@entry=true,
#12 0x00007f18c6b84e57 in js::gc::GCRuntime::collect (this=this@entry=0x7f188c4c7548, nonincrementalByAPI=nonincrementalByAPI@entry=true,
#13 0x00007f18c6b85148 in js::gc::GCRuntime::gc (this=this@entry=0x7f188c4c7548, gckind=gckind@entry=GC_SHRINK, reason=reason@entry=JS::gc
#14 0x00007f18c6d7c89e in tryNewTenuredThing<js::LazyScript, (js::AllowGC)1> (kind=js::gc::LAZY_SCRIPT, thingSize=64, cx=0x7f188db2c930)
#15 js::Allocate<js::LazyScript, (js::AllowGC)1> (cx=cx@entry=0x7f188db2c930)
#16 0x00007f18c6bd4887 in js::LazyScript::CreateRaw (cx=0x7f188db2c930, fun=..., packedFields=<optimized out>, begin=21, end=51, lineno=li
#17 0x00007f18c6bd4ba3 in js::LazyScript::CreateRaw (cx=<optimized out>, fun=..., fun@entry=..., numFreeVariables=<optimized out>, numInne
#18 0x00007f18c68528be in js::frontend::Parser<js::frontend::SyntaxParseHandler>::finishFunctionDefinition (this=this@entry=0x7f18a5ff92e8
#19 0x00007f18c686ee4b in finishFunctionDefinition (body=<optimized out>, funbox=0x7f188c402840, pn=js::frontend::SyntaxParseHandler::Node
#20 js::frontend::Parser<js::frontend::SyntaxParseHandler>::functionArgsAndBodyGeneric (this=this@entry=0x7f18a5ff92e8, inHandling=inHandl
#21 0x00007f18c68542c4 in js::frontend::Parser<js::frontend::FullParseHandler>::functionArgsAndBody (this=this@entry=0x7f18a5ff97d8, inHan

Is that something described in bug: 1474623? (I don't have permissions to open it.)
When we disabled compiler optimization the problem went away. Our compiler is gcc version 8.3.1 20190311 (Red Hat 8.3.1-3).

Flags: needinfo?(jcoppeard)

That bug is a general signature so I don't think there's anything related to this there.

The thing that sticks out is thingp=0x0 in the first line. This shouldn't be a null pointer. Can you catch the crash in rr (https://rr-project.org/)? That might help see where this is coming from.

Also that code has changed quite a bit since the version you're using, and although I couldn't find any specific bugs we've fixed that might cause this it's possible that using a more recent version might help.

Flags: needinfo?(jcoppeard)
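
A small triage helper for gdb backtraces like the one posted above, added here as an example (it is not Mozilla's or the commenter's code): it lists frames called with a null pointer argument, the GC reason recorded in the stack, and whether the collection started inside an allocation. The five sample frames are copied from that backtrace; the names `parse_frames` and `triage` are this example's own.

```python
import re

# Five frames copied from the gdb backtrace in the comment above (abridged input).
SAMPLE_BT = """\
#0  0x00007f18c6d979d8 in DispatchToTracer<JSObject*> (trc=0x7f188c4c9390, thingp=0x0, name=0x7f18c6fb5f30 "parser.object") at ../../dist/include/js/TracingAPI.h:281
#1  0x00007f18c6d98cc5 in js::TraceRoot<JSObject*> (trc=<optimized out>, thingp=<optimized out>, name=<optimized out>)
#2  0x00007f18c6d7220c in js::frontend::ObjectBox::trace (this=<optimized out>, trc=trc@entry=0x7f188c4c9390)
#9  0x00007f18c6b7d0d0 in js::gc::GCRuntime::beginMarkPhase (this=this@entry=0x7f188c4c7548, reason=reason@entry=JS::gcreason::LAST_DITCH)
#15 js::Allocate<js::LazyScript, (js::AllowGC)1> (cx=cx@entry=0x7f188db2c930)
"""

# "#N  [0xADDR in ]function (args": the argument list starts at the first " ("
# followed by "name=", so "(js::AllowGC)1" inside a template name is skipped.
FRAME = re.compile(r"^#(\d+)\s+(?:0x[0-9a-f]+ in )?(.+?) \((?=\w+=|\))(.*)$")
# "name=value" or "name=name@entry=value"; gdb may print <optimized out>.
ARG = re.compile(r"(\w+)=(?:\w+@entry=)?(<optimized out>|[^,)\s]+)")


def parse_frames(backtrace):
    """Return [(frame_no, function, {arg: value})] for each gdb frame line."""
    frames = []
    for line in backtrace.splitlines():
        m = FRAME.match(line)
        if m:
            args = {a.group(1): a.group(2) for a in ARG.finditer(m.group(3))}
            frames.append((int(m.group(1)), m.group(2), args))
    return frames


def triage(backtrace):
    """Summarise the facts a GC-crash triager looks for first."""
    frames = parse_frames(backtrace)
    null_args = [(no, fn, name) for no, fn, args in frames
                 for name, val in args.items() if re.fullmatch(r"0x0+", val)]
    reasons = [args["reason"] for _, _, args in frames
               if args.get("reason", "").startswith("JS::gcreason::")]
    gc = [no for no, fn, _ in frames if "GCRuntime::" in fn]
    alloc = [no for no, fn, _ in frames if "Allocate<" in fn]
    return {
        "null_args": null_args,
        "gc_reason": reasons[0] if reasons else None,
        # A collection nested inside an allocation: GC frames sit above it.
        "gc_inside_allocation": bool(gc and alloc and min(gc) < max(alloc)),
    }


if __name__ == "__main__":
    print(triage(SAMPLE_BT))
```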