Closed
Bug 730700
Opened 13 years ago
Closed 10 years ago
crash in UnmarkGrayChildren during MarkXBLInCCGeneration
Categories
(Core :: DOM: Core & HTML, defect)
RESOLVED
WORKSFORME
People
(Reporter: mccr8, Unassigned)
References
Details
(Keywords: crash)
Crash Data
This is a pretty rare crash (#136 in Nightly), but the stacks are very regular. Every crash is a write to address 0xcfc0f4. No STR, but maybe there's something obvious we can fix just from seeing the crash stacks.
Of the half dozen crashes, most have stacks like this:
https://crash-stats.mozilla.com/report/index/a6e5951b-acc4-4bbc-9051-419692120219
UnmarkGrayChildren js/xpconnect/src/nsXPConnect.cpp:747
pkix_Build_BuildSelectorAndParams security/nss/lib/libpkix/pkix/top/pkix_build.c:1543
UnmarkProtos content/xbl/src/nsXBLDocumentInfo.cpp:502
hashEnumerate xpcom/ds/nsHashtable.cpp:130
PL_DHashTableEnumerate obj-firefox/xpcom/build/pldhash.cpp:754
MarkXBLInCCGeneration content/xul/document/src/nsXULPrototypeCache.cpp:705
but there's also one that looks like this:
https://crash-stats.mozilla.com/report/index/0d2fda20-eaff-4f06-91ca-5a1152120224
UnmarkGrayChildren js/xpconnect/src/nsXPConnect.cpp:747
pkix_Build_BuildSelectorAndParams security/nss/lib/libpkix/pkix/top/pkix_build.c:1543
nsEventListenerManager::UnmarkGrayJSListeners content/events/src/nsEventListenerManager.cpp:1031
MarkContentViewer content/base/src/nsCCUncollectableMarker.cpp:193
MarkDocShell content/base/src/nsCCUncollectableMarker.cpp:251
nsGlobalChromeWindow::QueryInterface dom/base/nsGlobalWindow.cpp:10333
nsCOMPtr_base::assign_from_qi obj-firefox/xpcom/build/nsCOMPtr.cpp:96
MarkWindowList content/base/src/nsCCUncollectableMarker.cpp:289
nsCCUncollectableMarker::Observe content/base/src/nsCCUncollectableMarker.cpp:340
Reporter
Comment 2•13 years ago
Yeah, good point. I guess it could be something akin to bug 724284. The pkix_Build_BuildSelectorAndParams looks like total garbage. Uptime for all of these crashes is around 6, which I guess means this is a startup crash?
Comment 3•13 years ago
Is the latter stack related to the not-marking things black when using it?
Reporter
Comment 4•13 years ago
I'm not sure what you mean. It looks like the uncollectable marker observer is being triggered by a nsCycleCollector_forgetSkippable.
Comment 5•13 years ago
Sure, but I expect that just happens to make some existing badness visible.
Reporter
Comment 6•13 years ago
Ah. Yeah, definitely. As you said, probably a freed proto in the list.
Comment 7•13 years ago
So, I think the XBL part of this is the same as bug 723455.
Comment 8•13 years ago
Comment 9•13 years ago
The first crash in comment 0 has uptime 36 and the URL was about:sessionrestore
The second crash in comment 0 has uptime 8 and the URL was (reported as) about:blank
Something bad is going on, but more likely to get helped by being open rather than treated as a security bug.
Group: core-security
Assignee
Updated•12 years ago
Component: DOM: Mozilla Extensions → DOM
Reporter
Comment 10•10 years ago
I don't see any UnmarkGrayChildren on crash stats for Nightly.
Status: NEW → RESOLVED
Closed: 10 years ago
Resolution: --- → WORKSFORME
Assignee
Updated•6 years ago
Component: DOM → DOM: Core & HTML