Mozilla/5.0 (Macintosh; U; Intel Mac OS X; en-US; rv:1.9a2pre) Gecko/20070114 Firefox/3.0a2pre ID:2007011416 Two crashes, over two days, with a Firefox self-build on Intel Mac. Both times, Google search results were loading in a background tab, once from a context menu search for selected text, once from a bookmark keyword typed in the addressbar, and then backgrounded. No idea whether the site, or the background/foreground is significant. Crashed thread, from Apple crash report: Exception: EXC_BAD_ACCESS (0x0001) Codes: KERN_PROTECTION_FAILURE (0x0002) at 0x00000000 Thread 0 Crashed: 0 org.mozilla.firefox 0x00479f09 nsJSContext::LoadEnd() + 41 1 org.mozilla.firefox 0x00178736 NS_NewDocumentViewer(nsIDocumentViewer**) + 752 2 org.mozilla.firefox 0x0051cfea nsDocShell::EndPageLoad(nsIWebProgress*, nsIChannel*, unsigned) + 82 3 org.mozilla.firefox 0x0024ec58 nsWebShell::EndPageLoad(nsIWebProgress*, nsIChannel*, unsigned) + 190 4 org.mozilla.firefox 0x00523f7a nsDocShell::CreateAboutBlankContentViewer(nsIPrincipal*) + 1706 5 org.mozilla.firefox 0x00250a69 nsDocLoader::FireOnStateChange(nsIWebProgress*, nsIRequest*, int, unsigned) + 287 6 org.mozilla.firefox 0x00250dc1 nsDocLoader::doStopDocumentLoad(nsIRequest*, unsigned) + 49 7 org.mozilla.firefox 0x00250ecd nsDocLoader::DocLoaderIsEmpty() + 229 8 org.mozilla.firefox 0x002512e2 nsDocLoader::doStartDocumentLoad() + 678 9 org.mozilla.firefox 0x0006a925 nsLoadGroup::~nsLoadGroup [in-charge]() + 719 10 org.mozilla.firefox 0x0026bc08 imgRequestProxy::RemoveFromLoadGroup(int) + 66 11 org.mozilla.firefox 0x0026bc7f imgRequestProxy::OnStopRequest(nsIRequest*, nsISupports*, unsigned, int) + 81 12 org.mozilla.firefox 0x005329f9 imgRequest::RemoveProxy(imgRequestProxy*, unsigned, int) + 111 13 org.mozilla.firefox 0x0026b846 imgRequestProxy::ChangeOwner(imgRequest*) + 218 14 org.mozilla.firefox 0x004a2bdb nsImageLoadingContent::DestroyImageLoadingContent() + 39 15 org.mozilla.firefox 0x00190010 nsHTMLImageElement::~nsHTMLImageElement [in-charge deleting]() + 56 16 org.mozilla.firefox 0x004559fe nsNodeUtils::LastRelease(nsINode*, int) + 424 17 org.mozilla.firefox 0x0044a8bc nsGenericElement::LeaveLink(nsPresContext*) + 286 18 org.mozilla.firefox 0x0019005f nsHTMLImageElement::~nsHTMLImageElement [in-charge deleting]() + 135 19 org.mozilla.firefox 0x0034ca4b XPCJSRuntime::GCCallback(JSContext*, JSGCStatus) + 1399 20 libjsd.dylib 0x018dccb8 NSGetModule + 11216 21 org.mozilla.firefox 0x00479f61 nsJSContext::LoadEnd() + 129 22 libmozjs.dylib 0x00d33ae5 js_GC + 2908 23 libmozjs.dylib 0x00d080a2 JS_GC + 66 24 org.mozilla.firefox 0x000abf8f nsXPConnect::BeginCycleCollection() + 201 25 libxpcom_core.dylib 0x00df253c nsCycleCollector::Collect() + 36 26 libxpcom_core.dylib 0x00df2d71 nsCycleCollector_collect() + 35 27 org.mozilla.firefox 0x0047a3f8 nsJSContext::FireGCTimer(int) + 224 28 libxpcom_core.dylib 0x00de8a4b nsTimerImpl::Fire() + 145 29 libxpcom_core.dylib 0x00de8c2a nsTimerImpl::InitCommon(unsigned, unsigned) + 296 30 libxpcom_core.dylib 0x00de66e2 nsThread::nsChainedEventQueue::PutEvent(nsIRunnable*) + 1024 31 libxpcom_core.dylib 0x00db1fd5 NS_ProcessNextEvent_P(nsIThread*, int) + 53 32 org.mozilla.firefox 0x0053383d nsBaseAppShell::DoProcessNextNativeEvent(int) + 103 33 org.mozilla.firefox 0x0026e91d nsAppShell::ProcessNextNativeEvent(int) + 525 34 org.mozilla.firefox 0x0026eb47 nsAppShell::ProcessNextNativeEvent(int) + 1079 35 com.apple.Foundation 0x9260b0c7 __NSFireDelayedPerform + 403 36 com.apple.CoreFoundation 0x90829bc9 CFRunLoopRunSpecific + 3341 37 com.apple.CoreFoundation 0x90828eb5 CFRunLoopRunInMode + 61 38 com.apple.HIToolbox 0x92dcdb90 RunCurrentEventLoopInMode + 285 39 com.apple.HIToolbox 0x92dcd297 ReceiveNextEventCommon + 385 40 com.apple.HIToolbox 0x92dcd0ee BlockUntilNextEventMatchingListInMode + 81 41 com.apple.AppKit 0x9326f465 _DPSNextEvent + 572 42 com.apple.AppKit 0x9326f056 -[NSApplication nextEventMatchingMask:untilDate:inMode:dequeue:] + 137 43 org.mozilla.firefox 0x0026e7ab nsAppShell::ProcessNextNativeEvent(int) + 155 44 org.mozilla.firefox 0x005337f8 nsBaseAppShell::DoProcessNextNativeEvent(int) + 34 45 org.mozilla.firefox 0x005339f0 nsBaseAppShell::Init() + 234 46 org.mozilla.firefox 0x0026e982 nsAppShell::ProcessNextNativeEvent(int) + 626 47 libxpcom_core.dylib 0x00de6681 nsThread::nsChainedEventQueue::PutEvent(nsIRunnable*) + 927 48 libxpcom_core.dylib 0x00db207a NS_ProcessPendingEvents_P(nsIThread*, unsigned) + 70 49 org.mozilla.firefox 0x005337b3 nsBaseAppShell::NativeEventCallback() + 71 50 org.mozilla.firefox 0x0026e5ce nsAppShell::ProcessGeckoEvents() + 176 51 org.mozilla.firefox 0x0026eb23 nsAppShell::ProcessNextNativeEvent(int) + 1043 52 com.apple.Foundation 0x92646a4c __NSFireMachPort + 307 53 com.apple.CoreFoundation 0x90839773 __CFMachPortPerform + 136 54 com.apple.CoreFoundation 0x90829a14 CFRunLoopRunSpecific + 2904 55 com.apple.CoreFoundation 0x90828eb5 CFRunLoopRunInMode + 61 56 com.apple.HIToolbox 0x92dcdb90 RunCurrentEventLoopInMode + 285 57 com.apple.HIToolbox 0x92dcd1ce ReceiveNextEventCommon + 184 58 com.apple.HIToolbox 0x92dcd0ee BlockUntilNextEventMatchingListInMode + 81 59 com.apple.AppKit 0x9326f465 _DPSNextEvent + 572 60 com.apple.AppKit 0x9326f056 -[NSApplication nextEventMatchingMask:untilDate:inMode:dequeue:] + 137 61 com.apple.AppKit 0x93268ddb -[NSApplication run] + 512 62 org.mozilla.firefox 0x0026e8ff nsAppShell::ProcessNextNativeEvent(int) + 495 63 org.mozilla.firefox 0x002dbb21 nsAppStartup::AttemptingQuit(int) + 245 64 org.mozilla.firefox 0x00006a9c XRE_main + 10478 65 org.mozilla.firefox 0x0000244c main + 32 66 org.mozilla.firefox 0x000023d2 start + 270 67 org.mozilla.firefox 0x000022ed start + 41

Apparently background isn't significant; same stack with Google loading in the foreground. /me looks for a new search engine

[@ nsJSContext::LoadEnd] is currently #5 topcrasher. TB stack traces aren't too useful in this case.

(In reply to comment #0) > Codes: KERN_PROTECTION_FAILURE (0x0002) at 0x00000000 > > Thread 0 Crashed: > 0 org.mozilla.firefox 0x00479f09 nsJSContext::LoadEnd() + 41 Hmm, must be sGCTimer that's null when sLoadInProgressGCTimer is true with no pending loads. Odd... > 26 libxpcom_core.dylib 0x00df2d71 nsCycleCollector_collect() + > 35 > 27 org.mozilla.firefox 0x0047a3f8 > nsJSContext::FireGCTimer(int) + 224 This however is even more odd. We're calling the cycle collector from nsJSContext::FireGCTimer(), but the only case when we do that is when we fail to create a timer! I can't imagine why that would fail, other than being out of memory which doesn't sound likely. I don't understand why we'd fail to create a timer, but I do see how that could cause crashes if the stack here reflects what's really going on here. I've got a patch that should fix that...

This makes sLoadInProgressGCTimer reflect reality even in error cases etc.

Comment on attachment 252707 [details] [diff] [review] Better book keeping of timer related state. Weird, but the patch is the right thing to do anyway. r/sr=sicking

Fix checked in, let's see if this crasher truly does go away.

No new crashes since 2007012504