1494938 - Crash in _security_check_cookie inside TenuringTracer::traceObject

Status: RESOLVED WORKSFORME

(Core :: JavaScript: GC, defect, P3)

Description

[baffclan]

This bug was filed from the Socorro interface and is
report bp-bee110ec-3772-408e-860c-f653a0180928.
=============================================================

Top 10 frames of crashing thread:

0 xul.dll _security_check_cookie 
1 xul.dll union JS::Value js::DispatchTyped<js::TenuringTraversalFunctor<JS::Value>, js::TenuringTracer*> js/public/Value.h:1470
2 xul.dll js::TenuringTracer::traceObject js/src/gc/Marking.cpp:3037
3 xul.dll js::Nursery::doCollection js/src/gc/Nursery.cpp:970
4 xul.dll js::Nursery::collect js/src/gc/Nursery.cpp:790
5 xul.dll js::gc::GCRuntime::minorGC js/src/gc/GC.cpp:8354
6 xul.dll js::gc::GCRuntime::gcCycle js/src/gc/GC.cpp:7888
7 xul.dll js::gc::GCRuntime::collect js/src/gc/GC.cpp:8121
8 xul.dll JS::IncrementalGCSlice js/src/gc/GC.cpp:9111
9 xul.dll nsJSContext::GarbageCollectNow dom/base/nsJSEnvironment.cpp:1214

=============================================================


Application Basics: 
Name: Firefox
Version: 64.0a1
Build ID: 20180927220034
Update Channel: nightly
User Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:64.0) Gecko/20100101 Firefox/64.0
OS: Windows_NT 10.0

Comment 1

[Jon Coppeard (:jonco)]

_security_check_cookie appears to be a stack overwrite protection mechanism on Windows.

I can't find any instances of this specific crash in the last three months and js::DispatchTyped has been removed from the codebase so I'm going to close this.

Comment 2

[Andrew McCreight [:mccr8]]

Bug 1608076 is another instance of _security_check_cookie. I wrote a patch in bug 1609247 so this won't be included as part of crash signatures, so I think it would show up as one of our other standard GC crash signatures.