| CARVIEW |
Select Language
HTTP/2 200
accept-ranges: bytes
content-type: text/html; charset=UTF-8
set-cookie: Bugzilla_login_request_cookie=fGkbjX8BmJhI; path=/; secure; HttpOnly; SameSite=Lax
set-cookie: github_token=83pXPDmtdM6MbTIAu9LQoZxf6mLHp5EQasuYUNCSaokGkXBfHCyx8J3VECbcWTLPTJHQTPNyL0hyOhlTNNtRWjThKJZbBZL9WDSedFpVLdhMsej4ijwATZWZSF5A44O3S7hX6yY982INRQTqXNFkrUbsutMhZ9VRxvcKCehGrG6mKVcsOoqnwq6273bAD8m5rL7L8eZ3tnlnskNMO2OyegzmQuSC5BA2pqg7YqT575mEoeC2yRz8ZqT47yBpdp8Y; path=/; secure; HttpOnly; SameSite=Lax
via: 1.1 google, 1.1 varnish, 1.1 varnish
x-content-type-options: nosniff
x-xss-protection: 1; mode=block
strict-transport-security: max-age=31536000; includeSubDomains
content-encoding: gzip
referrer-policy: same-origin
server: nginx
x-frame-options: SAMEORIGIN
content-security-policy: default-src 'self'; worker-src 'none'; connect-src 'self' https://product-details.mozilla.org https://treeherder.mozilla.org/api/failurecount/; font-src 'self' https://fonts.gstatic.com; img-src 'self' data: https://secure.gravatar.com https://bug1982134.bmoattachments.org/; media-src 'self' https://bug1982134.bmoattachments.org/; object-src 'none'; script-src 'self' 'nonce-D9SROACBsOKGYYTLiY7MvQ7opslsN8NEt6d8t4Y0ZHXMno5h' 'unsafe-inline' 'unsafe-eval'; style-src 'self' 'unsafe-inline'; frame-src 'self' https://crash-stop-addon.herokuapp.com; frame-ancestors 'self'; form-action 'self' https://www.google.com/search https://github.com/login/oauth/authorize https://github.com/login https://phabricator.services.mozilla.com/ https://people.mozilla.org
date: Fri, 03 Oct 2025 06:17:37 GMT
x-served-by: cache-bom-vanm7210097-BOM, cache-bom-vanm7210067-BOM
x-cache: MISS, MISS
x-cache-hits: 0, 0
x-timer: S1759472256.984192,VS0,VE1417
vary: Accept-Encoding
1982134 - JS_RemoveExtraGCRootsTracer removes incorrect tracer
JS
Closed
Bug 1982134
Opened 2 months ago
Closed 2 months ago
JS_RemoveExtraGCRootsTracer removes incorrect tracer
*
Summary:
JS_RemoveExtraGCRootsTracer removes incorrect tracer
Categories
(Core :: JavaScript: GC, defect)
Tracking
()
RESOLVED
FIXED
RESOLVED
FIXED
143 Branch
Iteration:
---
| Accessibility Severity | |
| Webcompat Priority | |
| Webcompat Score | |
| Size Estimate | |
| Performance Impact | |
| a11y-review |
| Tracking | Status | |
|---|---|---|
| firefox-esr115 | --- | unaffected |
| firefox-esr128 | --- | wontfix |
| firefox-esr140 | --- | fixed |
| firefox141 | --- | wontfix |
| firefox142 | --- | wontfix |
| firefox143 | --- | fixed |
| Tracking | Status | |
|---|---|---|
| relnote-firefox | ||
| thunderbird_esr115 | ||
| thunderbird_esr140 | ||
| firefox-esr115 | ||
| firefox-esr128 | ||
| firefox-esr140 | ||
| firefox141 | ||
| firefox142 | ||
| firefox143 | ||
| firefox144 | ||
| firefox145 |
People
(Reporter: Itms, Assigned: Itms)
References
(Regression)
Details
(Keywords: regression)
---
---
QA Whiteboard:
---
Has STR:
---
Change Request:
---
0
Bug Flags:
|
| ||||
Crash Data
Signature:
None
Security
(public)
This bug is publicly visible.
User Story
Attachments
(2 files)
|
48 bytes,
text/x-phabricator-request
|
Details | Review | |
|
48 bytes,
text/x-phabricator-request
|
phab-bot
:
approval-mozilla-esr140+
|
Details | Review |
Steps to reproduce:
We embed SpiderMonkey ESR, and we have multiple instances of a class that contains JS::Heap<JSObject*> references. We use JS_AddExtraGCRootsTracer and JS_RemoveExtraGCRootsTracer to trace these JS objects.
Actual results:
When upgrading from ESR 115 to ESR 128, SpiderMonkey creates segfaults in our code by calling the Trace method of objects that are no longer in memory.
#1 IGUIObject::Trace (trc=0x5555561bd630, data=0x555574d560c0) at ../../../source/gui/ObjectBases/IGUIObject.h:498
#2 0x00007ffff765cb6c in js::gc::GCRuntime::traceEmbeddingBlackRoots (this=0x5555561e4e98, trc=0x5555561bd630)
at libraries/source/spidermonkey/mozjs-128.13.0/js/src/gc/RootMarking.cpp:383
#3 js::gc::GCRuntime::traceRuntimeCommon (this=0x5555561e4e98, trc=0x5555561bd630, traceOrMark=js::gc::GCRuntime::MarkRuntime)
at libraries/source/spidermonkey/mozjs-128.13.0/js/src/gc/RootMarking.cpp:367
#4 0x00007ffff765c7c8 in js::gc::GCRuntime::traceRuntimeForMajorGC (this=0x5555561e4e98, trc=0x5555561bd630, session=...)
at libraries/source/spidermonkey/mozjs-128.13.0/js/src/gc/RootMarking.cpp:242
#5 0x00007ffff76299f9 in js::gc::GCRuntime::beginMarkPhase (this=0x5555561e4e98, session=...)
at libraries/source/spidermonkey/mozjs-128.13.0/js/src/gc/GC.cpp:3019
#6 0x00007ffff762b667 in js::gc::GCRuntime::incrementalSlice (this=0x5555561e4e98, budget=..., reason=JS::GCReason::API, budgetWasIncreased=<optimized out>)
at libraries/source/spidermonkey/mozjs-128.13.0/js/src/gc/GC.cpp:3802
#7 0x00007ffff762ca58 in js::gc::GCRuntime::gcCycle (this=0x5555561e4e98, nonincrementalByAPI=false, budgetArg=..., reason=1525896928)
at libraries/source/spidermonkey/mozjs-128.13.0/js/src/gc/GC.cpp:4389
#8 0x00007ffff762d087 in js::gc::GCRuntime::collect (this=0x5555561e4e98, nonincrementalByAPI=<optimized out>, budget=..., reason=JS::GCReason::API)
at libraries/source/spidermonkey/mozjs-128.13.0/js/src/gc/GC.cpp:4580
Expected results:
This issue is caused by GCRuntime::removeBlackRootsTracer which removes the callback for a wrong instance of our object. This is a regression introduced by Bug 1846835, in which the behavior of that method was modified during a refactoring.
Originally, the method compared the value of data in order to remove the callback for the correct object. Now, the method removes the first instance of the callback it finds.
|
Assignee | |
Comment 1•2 months ago
|
||
This fixes a regression introduced in the refactoring at Bug 1846835 / D185307
|
||
Updated•2 months ago
|
Assignee: nobody → na.itms76
Status: UNCONFIRMED → ASSIGNED
Ever confirmed: true
|
||
Updated•2 months ago
|
Keywords: regression
Regressed by: 1846835
|
||
Comment 2•2 months ago
|
||
Set release status flags based on info from the regressing bug 1846835
status-firefox141:
--- → affected
status-firefox142:
--- → affected
status-firefox143:
--- → affected
status-firefox-esr128:
--- → affected
status-firefox-esr140:
--- → affected
|
|
||
Comment 3•2 months ago
•
|
||
(This fix is landable and good, but I commented on the implied setup on the matrix channel)
|
||
Updated•2 months ago
|
|
|
||
Updated•2 months ago
|
Pushed by rvandermeulen@mozilla.com:
https://github.com/mozilla-firefox/firefox/commit/bf1994b05bae
https://hg.mozilla.org/integration/autoland/rev/2e6388013463
Choose specific callback in removeBlackRootsTracer. r=sfink
|
||
Comment 5•2 months ago
|
||
| bugherder | ||
Status: ASSIGNED → RESOLVED
Closed: 2 months ago
Resolution: --- → FIXED
Target Milestone: --- → 143 Branch
|
|
Assignee | |
Comment 6•2 months ago
|
||
This fixes a regression introduced in the refactoring at Bug 1846835 / D185307
Original Revision: https://phabricator.services.mozilla.com/D260541
|
|
||
Updated•2 months ago
|
Attachment #9506279 -
Flags: approval-mozilla-esr140?
|
|
||
Comment 7•2 months ago
|
||
firefox-esr140 Uplift Approval Request
- User impact if declined: Embedders of SpiderMonkey ESR need to apply this patch in order to use the ExtraGCRootsTracer API without segfaulting.
- Code covered by automated testing: no
- Fix verified in Nightly: no
- Needs manual QE test: no
- Steps to reproduce for manual QE testing: Not applicable
- Risk associated with taking this patch: None
- Explanation of risk level: This reverts the behavior of this code to the status of ESR115.
- String changes made/needed: No
- Is Android affected?: no
|
|
||
Updated•2 months ago
|
Attachment #9506279 -
Flags: approval-mozilla-esr140? → approval-mozilla-esr140+
|
||
Updated•2 months ago
|
You need to log in
before you can comment on or make changes to this bug.
Description
•