Closed Bug 730700 Opened 13 years ago Closed 10 years ago

crash in UnmarkGrayChildren during MarkXBLInCCGeneration

Categories: Core :: DOM: Core & HTML, defect

Hardware: x86
OS: Windows XP
Type: defect
Priority: Not set
Severity: critical

Tracking


RESOLVED WORKSFORME

People

(Reporter: mccr8, Unassigned)

References

Details

(Keywords: crash)

Crash Data

This is a pretty rare crash (#136 in Nightly), but the stacks are very regular. Every crash is a write to address 0xcfc0f4. No STR, but maybe there's something obvious we can fix just from seeing the crash stacks.

Of the half dozen crashes, most have stacks like this:
https://crash-stats.mozilla.com/report/index/a6e5951b-acc4-4bbc-9051-419692120219

UnmarkGrayChildren js/xpconnect/src/nsXPConnect.cpp:747
pkix_Build_BuildSelectorAndParams security/nss/lib/libpkix/pkix/top/pkix_build.c:1543
UnmarkProtos content/xbl/src/nsXBLDocumentInfo.cpp:502
hashEnumerate xpcom/ds/nsHashtable.cpp:130
PL_DHashTableEnumerate obj-firefox/xpcom/build/pldhash.cpp:754
MarkXBLInCCGeneration content/xul/document/src/nsXULPrototypeCache.cpp:705

but there's also one that looks like this:
https://crash-stats.mozilla.com/report/index/0d2fda20-eaff-4f06-91ca-5a1152120224

UnmarkGrayChildren js/xpconnect/src/nsXPConnect.cpp:747
pkix_Build_BuildSelectorAndParams security/nss/lib/libpkix/pkix/top/pkix_build.c:1543
nsEventListenerManager::UnmarkGrayJSListeners content/events/src/nsEventListenerManager.cpp:1031
MarkContentViewer content/base/src/nsCCUncollectableMarker.cpp:193
MarkDocShell content/base/src/nsCCUncollectableMarker.cpp:251
nsGlobalChromeWindow::QueryInterface dom/base/nsGlobalWindow.cpp:10333
nsCOMPtr_base::assign_from_qi obj-firefox/xpcom/build/nsCOMPtr.cpp:96
MarkWindowList content/base/src/nsCCUncollectableMarker.cpp:289
nsCCUncollectableMarker::Observe content/base/src/nsCCUncollectableMarker.cpp:340
Strange stack. Is the proto a deleted object?
Group: core-security
Yeah, good point. I guess it could be something akin to bug 724284. The pkix_Build_BuildSelectorAndParams looks like total garbage. Uptime for all of these crashes is around 6, which I guess means this is a startup crash?
Is the latter stack related to not marking things black when using it?
I'm not sure what you mean. It looks like the uncollectable marker observer is being triggered by a nsCycleCollector_forgetSkippable.
Sure, but I expect that just happens to make some existing badness visible.
Ah. Yeah, definitely. As you said, probably a freed proto in the list.
So, I think the XBL part of this is the same as bug 723455.
The first crash in comment 0 has uptime 36 and the URL was about:sessionrestore. The second crash in comment 0 has uptime 8 and the URL was (reported as) about:blank.

Something bad is going on, but more likely to get helped by being open rather than treated as a security bug.
Group: core-security
Component: DOM: Mozilla Extensions → DOM
I don't see any UnmarkGrayChildren on crash stats for Nightly.
Status: NEW → RESOLVED
Closed: 10 years ago
Resolution: --- → WORKSFORME
Component: DOM → DOM: Core & HTML