Closed Bug 883301 Opened 11 years ago Closed 11 years ago

ASAN use-after-free in JS_GetGlobalForScopeChain #2

Categories

(Core :: DOM: Core & HTML, defect)

x86_64
Linux
defect
Not set
normal

Tracking

RESOLVED DUPLICATE of bug 887334
Tracking Status
firefox24 --- affected

People

(Reporter: nils, Assigned: bholley)

Details

(Keywords: csectype-uaf, regression, sec-other, Whiteboard: [asan][sg:dupe 882897])

Attachments

(1 file)

Attached file testcase (crashes firefox) (deleted)
The attached testcase crashes Firefox nightly. A similar crash is triggered in bug #882897. I am filing this as well, as there is not too much commonality in the testcases and stack traces.

ASAN output:

READ of size 8 at 0x7fee68e43860 thread T0
    #0 0x7fee8869f2dc in JS_GetGlobalForScopeChain(JSContext*) /builds/slave/m-cen-l64-dbg-asan-ntly-000000/build/js/src/jsapi.cpp:2267:0
    #1 0x7fee85677e42 in xpc_UnmarkGrayContext(JSContext*) /builds/slave/m-cen-l64-dbg-asan-ntly-000000/build/js/xpconnect/src/xpcpublic.h:200:0
    #2 0x7fee85f77dec in nsCxPusher::DoPush(JSContext*) /builds/slave/m-cen-l64-dbg-asan-ntly-000000/build/js/xpconnect/src/nsCxPusher.cpp:138:0
    #3 0x7fee854da767 in nsXBLBinding::AllowScripts() /builds/slave/m-cen-l64-dbg-asan-ntly-000000/build/content/xbl/src/nsXBLBinding.cpp:1267:0
    #4 0x7fee854de192 in nsXBLBinding::ExecuteDetachedHandler() /builds/slave/m-cen-l64-dbg-asan-ntly-000000/build/content/xbl/src/nsXBLBinding.cpp:844:0
    #5 0x7fee854d3069 in nsBindingManager::ExecuteDetachedHandlers() /builds/slave/m-cen-l64-dbg-asan-ntly-000000/build/content/xbl/src/nsBindingManager.cpp:1016:0
    #6 0x7fee856043db in nsGlobalWindow::PostHandleEvent(nsEventChainPostVisitor&) /builds/slave/m-cen-l64-dbg-asan-ntly-000000/build/dom/base/nsGlobalWindow.cpp:3079:0
    #7 0x7fee850e01f1 in nsEventTargetChainItem::PostHandleEvent(nsEventChainPostVisitor&, nsCxPusher*) /builds/slave/m-cen-l64-dbg-asan-ntly-000000/build/content/events/src/nsEventDispatcher.cpp:276:0
    #8 0x7fee850e060f in nsEventTargetChainItem::HandleEventTargetChain(nsEventChainPostVisitor&, nsDispatchingCallback*, bool, nsCxPusher*) /builds/slave/m-cen-l64-dbg-asan-ntly-000000/build/content/events/src/nsEventDispatcher.cpp:332:0
    #9 0x7fee850e09ca in nsEventTargetChainItem::HandleEventTargetChain(nsEventChainPostVisitor&, nsDispatchingCallback*, bool, nsCxPusher*) /builds/slave/m-cen-l64-dbg-asan-ntly-000000/build/content/events/src/nsEventDispatcher.cpp:382:0
    #10 0x7fee850e2212 in nsEventDispatcher::Dispatch(nsISupports*, nsPresContext*, nsEvent*, nsIDOMEvent*, nsEventStatus*, nsDispatchingCallback*, nsCOMArray<mozilla::dom::EventTarget>*) /builds/slave/m-cen-l64-dbg-asan-ntly-000000/build/content/events/src/nsEventDispatcher.cpp:632:0
    #11 0x7fee8488f817 in nsDocumentViewer::PageHide(bool) /builds/slave/m-cen-l64-dbg-asan-ntly-000000/build/layout/base/nsDocumentViewer.cpp:1296:0
    #12 0x7fee85fe3b6f in nsDocShell::FirePageHideNotification(bool) /builds/slave/m-cen-l64-dbg-asan-ntly-000000/build/docshell/base/nsDocShell.cpp:1623:0
    #13 0x7fee85fe3ec3 in non-virtual thunk to nsDocShell::FirePageHideNotification(bool) /builds/slave/m-cen-l64-dbg-asan-ntly-000000/build/docshell/base/nsDocShell.cpp:1648:0
    #14 0x7fee85fe3ca3 in nsDocShell::FirePageHideNotification(bool) /builds/slave/m-cen-l64-dbg-asan-ntly-000000/build/docshell/base/nsDocShell.cpp:1639:0
    #15 0x7fee8600ebf6 in nsDocShell::CreateContentViewer(char const*, nsIRequest*, nsIStreamListener**) /builds/slave/m-cen-l64-dbg-asan-ntly-000000/build/docshell/base/nsDocShell.cpp:7942:0
    #16 0x7fee85fd2a8c in nsDSURIContentListener::DoContent(char const*, bool, nsIRequest*, nsIStreamListener**, bool*) /builds/slave/m-cen-l64-dbg-asan-ntly-000000/build/docshell/base/nsDSURIContentListener.cpp:123:0
    #17 0x7fee86047659 in nsDocumentOpenInfo::TryContentListener(nsIURIContentListener*, nsIChannel*) /builds/slave/m-cen-l64-dbg-asan-ntly-000000/build/uriloader/base/nsURILoader.cpp:658:0
    #18 0x7fee86045ad9 in nsDocumentOpenInfo::DispatchContent(nsIRequest*, nsISupports*) /builds/slave/m-cen-l64-dbg-asan-ntly-000000/build/uriloader/base/nsURILoader.cpp:360:0
    #19 0x7fee86045037 in nsDocumentOpenInfo::OnStartRequest(nsIRequest*, nsISupports*) /builds/slave/m-cen-l64-dbg-asan-ntly-000000/build/uriloader/base/nsURILoader.cpp:252:0
    #20 0x7fee841770f0 in nsBaseChannel::OnStartRequest(nsIRequest*, nsISupports*) /builds/slave/m-cen-l64-dbg-asan-ntly-000000/build/netwerk/base/src/nsBaseChannel.cpp:720:0
    #21 0x7fee841a71d1 in nsInputStreamPump::OnStateStart() /builds/slave/m-cen-l64-dbg-asan-ntly-000000/build/netwerk/base/src/nsInputStreamPump.cpp:418:0
    #22 0x7fee841a6d82 in nsInputStreamPump::OnInputStreamReady(nsIAsyncInputStream*) /builds/slave/m-cen-l64-dbg-asan-ntly-000000/build/netwerk/base/src/nsInputStreamPump.cpp:369:0
    #23 0x7fee8724eabd in nsInputStreamReadyEvent::Run() /builds/slave/m-cen-l64-dbg-asan-ntly-000000/build/xpcom/io/nsStreamUtils.cpp:82:0
    #24 0x7fee8727f28b in nsThread::ProcessNextEvent(bool, bool*) /builds/slave/m-cen-l64-dbg-asan-ntly-000000/build/xpcom/threads/nsThread.cpp:626:0
    #25 0x7fee871cb931 in NS_ProcessNextEvent(nsIThread*, bool) /builds/slave/m-cen-l64-dbg-asan-ntly-000000/build/obj-firefox/xpcom/build/nsThreadUtils.cpp:238:0
    #26 0x7fee8677b05b in mozilla::ipc::MessagePump::Run(base::MessagePump::Delegate*) /builds/slave/m-cen-l64-dbg-asan-ntly-000000/build/ipc/glue/MessagePump.cpp:82:0
    #27 0x7fee8732c051 in MessageLoop::RunInternal() /builds/slave/m-cen-l64-dbg-asan-ntly-000000/build/ipc/chromium/src/base/message_loop.cc:219:0
    #28 0x7fee8732bf4e in MessageLoop::Run() /builds/slave/m-cen-l64-dbg-asan-ntly-000000/build/ipc/chromium/src/base/message_loop.cc:186:0
    #29 0x7fee865ce851 in nsBaseAppShell::Run() /builds/slave/m-cen-l64-dbg-asan-ntly-000000/build/widget/xpwidgets/nsBaseAppShell.cpp:163:0
    #30 0x7fee8617367f in nsAppStartup::Run() /builds/slave/m-cen-l64-dbg-asan-ntly-000000/build/toolkit/components/startup/nsAppStartup.cpp:269:0
    #31 0x7fee83f4ca39 in XREMain::XRE_mainRun() /builds/slave/m-cen-l64-dbg-asan-ntly-000000/build/toolkit/xre/nsAppRunner.cpp:3851:0
    #32 0x7fee83f4dd77 in XREMain::XRE_main(int, char**, nsXREAppData const*) /builds/slave/m-cen-l64-dbg-asan-ntly-000000/build/toolkit/xre/nsAppRunner.cpp:3919:0
    #33 0x7fee83f4e701 in XRE_main /builds/slave/m-cen-l64-dbg-asan-ntly-000000/build/toolkit/xre/nsAppRunner.cpp:4121:0
    #34 0x40c7e6 in do_main(int, char**, nsIFile*) /builds/slave/m-cen-l64-dbg-asan-ntly-000000/build/browser/app/nsBrowserApp.cpp:272:0
    #35 0x40bd0f in main /builds/slave/m-cen-l64-dbg-asan-ntly-000000/build/browser/app/nsBrowserApp.cpp:632:0
    #36 0x7fee90d67ea4 in ?? ??:0
0x7fee68e43860 is located 32 bytes inside of 1112-byte region [0x7fee68e43840,0x7fee68e43c98)
freed by thread T0 here:
    #0 0x43b0e0 in __interceptor_free ??:?
    #1 0x7fee887a108e in SweepCompartments(js::FreeOp*, JS::Zone*, bool, bool) /builds/slave/m-cen-l64-dbg-asan-ntly-000000/build/js/src/jsgc.cpp:2524:0
    #2 0x7fee887a0a6a in SweepZones(js::FreeOp*, bool) /builds/slave/m-cen-l64-dbg-asan-ntly-000000/build/js/src/jsgc.cpp:2558:0
    #3 0x7fee8879fc79 in EndSweepPhase(JSRuntime*, js::JSGCInvocationKind, bool) /builds/slave/m-cen-l64-dbg-asan-ntly-000000/build/js/src/jsgc.cpp:3906:0
    #4 0x7fee8879db7e in IncrementalCollectSlice(JSRuntime*, long, JS::gcreason::Reason, js::JSGCInvocationKind) /builds/slave/m-cen-l64-dbg-asan-ntly-000000/build/js/src/jsgc.cpp:4308:0
    #5 0x7fee8879c993 in GCCycle(JSRuntime*, bool, long, js::JSGCInvocationKind, JS::gcreason::Reason) /builds/slave/m-cen-l64-dbg-asan-ntly-000000/build/js/src/jsgc.cpp:4422:0
    #6 0x7fee8878f10e in Collect(JSRuntime*, bool, long, js::JSGCInvocationKind, JS::gcreason::Reason) /builds/slave/m-cen-l64-dbg-asan-ntly-000000/build/js/src/jsgc.cpp:4581:0
    #7 0x7fee85e8d26a in nsXPCComponents_Utils::ForceGC() /builds/slave/m-cen-l64-dbg-asan-ntly-000000/build/js/xpconnect/src/XPCComponents.cpp:4012:0
    #8 0x7fee872b7b05 in NS_InvokeByIndex /builds/slave/m-cen-l64-dbg-asan-ntly-000000/build/xpcom/reflect/xptcall/src/md/unix/xptcinvoke_x86_64_unix.cpp:162:0
    #9 0x7fee85f0cc63 in CallMethodHelper::Call() /builds/slave/m-cen-l64-dbg-asan-ntly-000000/build/js/xpconnect/src/XPCWrappedNative.cpp:2267:0
    #10 0x7fee85f0c913 in XPCWrappedNative::CallMethod(XPCCallContext&, XPCWrappedNative::CallMode) /builds/slave/m-cen-l64-dbg-asan-ntly-000000/build/js/xpconnect/src/XPCWrappedNative.cpp:2233:0
    #11 0x7fee85f21be7 in XPC_WN_CallMethod(JSContext*, unsigned int, JS::Value*) /builds/slave/m-cen-l64-dbg-asan-ntly-000000/build/js/xpconnect/src/XPCWrappedNativeJSOps.cpp:1480:0
    #12 0x7fee8853cc48 in js::CallJSNative(JSContext*, int (*)(JSContext*, unsigned int, JS::Value*), JS::CallArgs const&) /builds/slave/m-cen-l64-dbg-asan-ntly-000000/build/js/src/jscntxtinlines.h:349:0
    #13 0x7fee8853c395 in js::Invoke(JSContext*, JS::CallArgs, js::MaybeConstruct) /builds/slave/m-cen-l64-dbg-asan-ntly-000000/build/js/src/vm/Interpreter.cpp:381:0
    #14 0x7fee885367fa in
previously allocated by thread T0 here:
    #0 0x43b1a0 in malloc ??:?
    #1 0x7fee884e3f59 in js::MallocProvider<JSContext>::malloc_(unsigned long) /builds/slave/m-cen-l64-dbg-asan-ntly-000000/build/js/src/jscntxt.h:558:0
    #2 0x7fee8878fd73 in JSCompartment* js::MallocProvider<JSContext>::new_<JSCompartment, JS::Zone*>(JS::Zone*) /builds/slave/m-cen-l64-dbg-asan-ntly-000000/build/js/src/jscntxt.h:623:0
    #3 0x7fee8878f99e in js::NewCompartment(JSContext*, JS::Zone*, JSPrincipals*) /builds/slave/m-cen-l64-dbg-asan-ntly-000000/build/js/src/jsgc.cpp:4724:0
    #4 0x7fee886a53fb in JS_NewGlobalObject(JSContext*, JSClass*, JSPrincipals*, unsigned long) /builds/slave/m-cen-l64-dbg-asan-ntly-000000/build/js/src/jsapi.cpp:3446:0
    #5 0x7fee85f7be60 in xpc::CreateGlobalObject(JSContext*, JSClass*, nsIPrincipal*, unsigned long) /builds/slave/m-cen-l64-dbg-asan-ntly-000000/build/js/xpconnect/src/nsXPConnect.cpp:994:0
    #6 0x7fee85f0180a in XPCWrappedNative::WrapNewGlobal(xpcObjectHelper&, nsIPrincipal*, bool, unsigned long, XPCWrappedNative**) /builds/slave/m-cen-l64-dbg-asan-ntly-000000/build/js/xpconnect/src/XPCWrappedNative.cpp:318:0
    #7 0x7fee85f7c72e in nsXPConnect::InitClassesWithNewWrappedGlobal(JSContext*, nsISupports*, nsIPrincipal*, unsigned int, unsigned long, nsIXPConnectJSObjectHolder**) /builds/slave/m-cen-l64-dbg-asan-ntly-000000/build/js/xpconnect/src/nsXPConnect.cpp:1050:0
    #8 0x7fee855ffffb in CreateNativeGlobalForInner(JSContext*, nsGlobalWindow*, nsIURI*, nsIPrincipal*, JSObject**, nsIXPConnectJSObjectHolder**) /builds/slave/m-cen-l64-dbg-asan-ntly-000000/build/dom/base/nsGlobalWindow.cpp:2142:0
Shadow byte and word:
  0x1ffdcd1c870c: fd
  0x1ffdcd1c8708: fd fd fd fd fd fd fd fd
More shadow bytes:
  0x1ffdcd1c86e8: fa fa fa fa fa fa fa fa
  0x1ffdcd1c86f0: fa fa fa fa fa fa fa fa
  0x1ffdcd1c86f8: fa fa fa fa fa fa fa fa
  0x1ffdcd1c8700: fa fa fa fa fa fa fa fa
=>0x1ffdcd1c8708: fd fd fd fd fd fd fd fd
  0x1ffdcd1c8710: fd fd fd fd fd fd fd fd
  0x1ffdcd1c8718: fd fd fd fd fd fd fd fd
  0x1ffdcd1c8720: fd fd fd fd fd fd fd fd
  0x1ffdcd1c8728: fd fd fd fd fd fd fd fd
Stats: 231M malloced (212M for red zones) by 284666 calls
Stats: 35M realloced by 16709 calls
Stats: 205M freed by 159343 calls
Stats: 169M really freed by 111083 calls
Stats: 229M (58691 full pages) mmaped in 432 calls
  mmaps   by size class: 7:110565; 8:45034; 9:15345; 10:8176; 11:7395; 12:1280; 13:1152; 14:512; 15:192; 16:656; 17:456; 18:26; 19:36; 20:21; 21:1;
  mallocs by size class: 7:160022; 8:59865; 9:24891; 10:17948; 11:13230; 12:2243; 13:2093; 14:1456; 15:345; 16:1108; 17:1364; 18:36; 19:41; 20:22; 21:2;
  frees   by size class: 7:80895; 8:27261; 9:17245; 10:15280; 11:11502; 12:1450; 13:1710; 14:1302; 15:241; 16:1018; 17:1350; 18:30; 19:37; 20:21; 21:1;
  rfrees  by size class: 7:56525; 8:16915; 9:10444; 10:12104; 11:9578; 12:1021; 13:993; 14:1136; 15:180; 16:801; 17:1323; 18:27; 19:34; 20:1; 21:1;
Stats: malloc large: 2918 small slow: 4471
==15667== ABORTING
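As an added example (not part of this bug report or of Mozilla's code), the following Python helper does the first triage step a reviewer performs on an ASan heap-use-after-free report of the shape shown above: it extracts what was accessed (size and offset inside the freed region), which non-allocator frame freed the object, and which non-allocator frame allocated it, and cross-checks that the region line is self-consistent. The report text embedded in the script is constructed to mirror the layout of the one above; its addresses, function names and file names are placeholders, not values from this bug. It also tolerates a truncated frame line like the "#14 ... in" frame in the report above.

```python
"""Summarise an AddressSanitizer heap-use-after-free report for triage.

Added example; not the bug's testcase and not Mozilla code. SAMPLE_REPORT is
CONSTRUCTED: addresses, functions and files are placeholders.
"""
import re
from dataclasses import dataclass, field

SAMPLE_REPORT = """\
==12345==ERROR: AddressSanitizer: heap-use-after-free on address 0x60b000000040
READ of size 8 at 0x60b000000040 thread T0
    #0 0x4f0a12 in use_global(Ctx*) example.cpp:42:0
    #1 0x4f0b33 in push_context(Ctx*) example.cpp:77:0
    #2 0x4f0c44 in main example.cpp:101:0
0x60b000000040 is located 32 bytes inside of 1112-byte region [0x60b000000020,0x60b000000478)
freed by thread T0 here:
    #0 0x43b0e0 in __interceptor_free ??:?
    #1 0x4e1111 in sweep_compartments(Zone*, bool) gc.cpp:2524:0
    #2 0x4e2222 in collect(Runtime*) gc.cpp:4581:0
previously allocated by thread T0 here:
    #0 0x43b1a0 in malloc ??:?
    #1 0x4d1111 in new_compartment(Zone*) gc.cpp:4724:0
    #2 0x4d2222 in new_global_object(Ctx*) api.cpp:3446:0
"""

ERROR_RE = re.compile(r"ERROR: AddressSanitizer: ([a-z-]+)")
ACCESS_RE = re.compile(r"^(READ|WRITE) of size (\d+) at (0x[0-9a-fA-F]+) thread (T\d+)")
REGION_RE = re.compile(
    r"^(0x[0-9a-fA-F]+) is located (\d+) bytes (inside of|to the left of|to the right of) "
    r"(\d+)-byte region \[(0x[0-9a-fA-F]+),(0x[0-9a-fA-F]+)\)")
# Function name may contain spaces (C++ signatures); the location is the last token.
FRAME_RE = re.compile(r"^\s*#(\d+)\s+(0x[0-9a-fA-F]+)\s+in\s+(.*?)\s+(\S+)$")
FRAME_TRUNCATED_RE = re.compile(r"^\s*#(\d+)\s+(0x[0-9a-fA-F]+)\s+in\b(.*)$")
ALLOCATOR_FRAMES = {"malloc", "free", "realloc", "calloc", "??"}


@dataclass
class Frame:
    index: int
    pc: int
    function: str
    location: str  # "" when the frame line was cut off


@dataclass
class UafReport:
    bug_type: str = ""
    access: str = ""
    size: int = 0
    address: int = 0
    thread: str = ""
    offset: int = 0
    region_size: int = 0
    region_start: int = 0
    region_end: int = 0
    stacks: dict = field(default_factory=lambda: {"access": [], "freed": [], "allocated": []})


def parse_frame(line):
    """Parse one '#N 0x... in func file:line:col' line; tolerate truncation."""
    m = FRAME_RE.match(line)
    if m:
        return Frame(int(m.group(1)), int(m.group(2), 16), m.group(3), m.group(4))
    m = FRAME_TRUNCATED_RE.match(line)
    if m:
        return Frame(int(m.group(1)), int(m.group(2), 16), m.group(3).strip(), "")
    return None


def parse_asan_report(text):
    """Walk the report line by line, routing frames to the current stack."""
    rep, current = UafReport(), None
    for line in text.splitlines():
        if m := ERROR_RE.search(line):
            rep.bug_type = m.group(1)
        elif m := ACCESS_RE.match(line):
            rep.access, rep.size = m.group(1), int(m.group(2))
            rep.address, rep.thread = int(m.group(3), 16), m.group(4)
            current = "access"
        elif m := REGION_RE.match(line):
            rep.offset, rep.region_size = int(m.group(2)), int(m.group(4))
            rep.region_start, rep.region_end = int(m.group(5), 16), int(m.group(6), 16)
        elif line.startswith("freed by"):
            current = "freed"
        elif line.startswith("previously allocated by"):
            current = "allocated"
        elif (fr := parse_frame(line)) and current:
            rep.stacks[current].append(fr)
    return rep


def first_user_frame(stack):
    """Skip sanitizer interceptors and allocator entry points; the frame that
    matters for triage is the first one in the program's own code."""
    for fr in stack:
        if fr.function.startswith("__interceptor_") or fr.function in ALLOCATOR_FRAMES:
            continue
        return fr
    return None


def region_is_consistent(rep):
    """[start, end) must span region_size bytes and the faulting address
    must sit at the stated offset from start; a mismatch means a mangled report."""
    return (rep.region_end - rep.region_start == rep.region_size
            and rep.address - rep.region_start == rep.offset)


def summarize(rep):
    def name(stack):
        fr = first_user_frame(stack)
        return fr.function if fr else "<unknown>"
    return {
        "bug": rep.bug_type,
        "access": f"{rep.access} {rep.size} bytes at +{rep.offset} of {rep.region_size}-byte object",
        "used_in": name(rep.stacks["access"]),
        "freed_in": name(rep.stacks["freed"]),
        "allocated_in": name(rep.stacks["allocated"]),
    }


if __name__ == "__main__":
    report = parse_asan_report(SAMPLE_REPORT)
    print("consistent:", region_is_consistent(report))
    for key, value in summarize(report).items():
        print(f"{key:13} {value}")
```

The offset-in-region figure is the useful part: on the report above it says the read touched byte 32 of a 1112-byte region, i.e. a fixed field of the freed object rather than a stray pointer, and the freed/allocated pair tells a reviewer which subsystem owns the object's lifetime before any source is opened.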
Whiteboard: [asan]
I'll assign this to Bobby as he's fixing the other similar bug. Probably this can wait until the other one is understood.
Assignee: nobody → bobbyholley+bmo
Depends on: CVE-2013-1738
This symptom became detectable due to bug 868130, but bholley says the underlying GC problem (which he's fixing in bug 887334) has been around for a while. I'm going to leave this open until bug 887334 is fixed to make sure it's the same issue, but changing sec keywords so we don't inflate our bug count.
Blocks: 868130
Whiteboard: [asan] → [asan][sg:dupe 882897]
(In reply to Daniel Veditz [:dveditz] from comment #2)
> This symptom became detectable due to bug 868130, but bholley says the
> underlying GC problem (which he's fixing in bug 887334) has been around for
> a while.

Well, "detectable" is a strong word. I'm sure it's detectable without that change too, I just think that made it _more_ detectable. Marking it as a dep is a bit questionable, IMO.
Matt, could you confirm that this is fixed? Thanks.
Flags: needinfo?(mwobensmith)
I was able to see this crash an ASan build from 2013-06-06, but not with an ASan build from today, 2013-08-22.
Flags: needinfo?(mwobensmith)
Thanks Matt!
Status: NEW → RESOLVED
Closed: 11 years ago
No longer depends on: CVE-2013-1738
Resolution: --- → DUPLICATE
Group: core-security → core-security-release
Group: core-security-release
Component: DOM → DOM: Core & HTML