This one is interesting because about 60% of the 300 crashes in the last 6 months are on the JS_SWEPT_TENURED_PATTERN, 0x4b. The crash in comment 0 has Xrays in the stack, but I don't think that's the most common thing. There are 186 crashes on poison values with this signature in the last 6 months. 107 of them have `Element_Binding::get_classList()` in the proto signature (example: bp-cc77b6cc-a8ce-49b6-bfde-36e200250410), with a stack something like: ``` 0 xul.dll js::GlobalObject::maybeWindowProxy() const js/src/vm/GlobalObject.h:1047 0 xul.dll js::detail::IsWindowSlow(JSObject*) js/src/vm/WindowProxy.cpp:69 0 xul.dll js::IsWindow(JSObject*) js/public/friend/WindowProxy.h:74 0 xul.dll JS::Compartment::getNonWrapperObjectForCurrentCompartment(JSContext*, JS::Han... js/src/vm/Compartment.cpp:248 0 xul.dll JS::Compartment::wrap(JSContext*, JS::MutableHandle<JSObject*>) js/src/vm/Compartment.cpp:360 1 xul.dll JS::Compartment::wrap(JSContext*, JS::MutableHandle<JS::Value>) js/src/vm/Compartment-inl.h:103 1 xul.dll JS_WrapValue(JSContext*, JS::MutableHandle<JS::Value>) js/src/jsapi.cpp:579 2 xul.dll mozilla::dom::binding_detail::DoGetOrCreateDOMReflector(JSContext*, nsDOMToke... dom/bindings/BindingUtils.h:1361 2 xul.dll mozilla::dom::GetOrCreateDOMReflector(JSContext*, nsDOMTokenList*, JS::Mutabl... dom/bindings/BindingUtils.h:1380 2 xul.dll mozilla::dom::Element_Binding::get_classList(JSContext*, JS::Handle<JSObject*... dom/bindings/ElementBinding.cpp:2071 ``` 51 of them have Element_Binding::get_attributes in the proto signature (example:bp-ea9c0db0-3e4a-434e-9078-069b60250525#tab-details), with a similar stack to `get_classlist`. I'm not sure if this is a SpiderMonkey issue or a DOM bindings issue.
Bug 1971222 Comment 1 Edit History
Note: The actual edited comment in the bug view page will always show the original commenter’s name and original timestamp.
This one is interesting because about 60% of the 300 crashes in the last 6 months are on the JS_SWEPT_TENURED_PATTERN, 0x4b. The crash in comment 0 has Xrays in the stack, but I don't think that's the most common thing. There are 186 crashes on poison values with this signature in the last 6 months. 107 of them have `Element_Binding::get_classList()` in the proto signature (example: bp-cc77b6cc-a8ce-49b6-bfde-36e200250410), with a stack something like: ``` 0 xul.dll js::GlobalObject::maybeWindowProxy() const js/src/vm/GlobalObject.h:1047 0 xul.dll js::detail::IsWindowSlow(JSObject*) js/src/vm/WindowProxy.cpp:69 0 xul.dll js::IsWindow(JSObject*) js/public/friend/WindowProxy.h:74 0 xul.dll JS::Compartment::getNonWrapperObjectForCurrentCompartment(JSContext*, JS::Han... js/src/vm/Compartment.cpp:248 0 xul.dll JS::Compartment::wrap(JSContext*, JS::MutableHandle<JSObject*>) js/src/vm/Compartment.cpp:360 1 xul.dll JS::Compartment::wrap(JSContext*, JS::MutableHandle<JS::Value>) js/src/vm/Compartment-inl.h:103 1 xul.dll JS_WrapValue(JSContext*, JS::MutableHandle<JS::Value>) js/src/jsapi.cpp:579 2 xul.dll mozilla::dom::binding_detail::DoGetOrCreateDOMReflector(JSContext*, nsDOMToke... dom/bindings/BindingUtils.h:1361 2 xul.dll mozilla::dom::GetOrCreateDOMReflector(JSContext*, nsDOMTokenList*, JS::Mutabl... dom/bindings/BindingUtils.h:1380 2 xul.dll mozilla::dom::Element_Binding::get_classList(JSContext*, JS::Handle<JSObject*... dom/bindings/ElementBinding.cpp:2071 ``` 51 of them have `Element_Binding::get_attributes` in the proto signature (example:bp-ea9c0db0-3e4a-434e-9078-069b60250525#tab-details), with a similar stack to `get_classlist`. I'm not sure if this is a SpiderMonkey issue or a DOM bindings issue.
This one is interesting because about 60% of the 300 crashes in the last 6 months are on the JS_SWEPT_TENURED_PATTERN, 0x4b. The crash in comment 0 has Xrays in the stack, but I don't think that's the most common thing. There are 186 crashes on poison values with this signature in the last 6 months. 107 of them have `Element_Binding::get_classList()` in the proto signature (example: bp-cc77b6cc-a8ce-49b6-bfde-36e200250410), with a stack something like: ``` 0 xul.dll js::GlobalObject::maybeWindowProxy() const js/src/vm/GlobalObject.h:1047 0 xul.dll js::detail::IsWindowSlow(JSObject*) js/src/vm/WindowProxy.cpp:69 0 xul.dll js::IsWindow(JSObject*) js/public/friend/WindowProxy.h:74 0 xul.dll JS::Compartment::getNonWrapperObjectForCurrentCompartment(JSContext*, JS::Han... js/src/vm/Compartment.cpp:248 0 xul.dll JS::Compartment::wrap(JSContext*, JS::MutableHandle<JSObject*>) js/src/vm/Compartment.cpp:360 1 xul.dll JS::Compartment::wrap(JSContext*, JS::MutableHandle<JS::Value>) js/src/vm/Compartment-inl.h:103 1 xul.dll JS_WrapValue(JSContext*, JS::MutableHandle<JS::Value>) js/src/jsapi.cpp:579 2 xul.dll mozilla::dom::binding_detail::DoGetOrCreateDOMReflector(JSContext*, nsDOMToke... dom/bindings/BindingUtils.h:1361 2 xul.dll mozilla::dom::GetOrCreateDOMReflector(JSContext*, nsDOMTokenList*, JS::Mutabl... dom/bindings/BindingUtils.h:1380 2 xul.dll mozilla::dom::Element_Binding::get_classList(JSContext*, JS::Handle<JSObject*... dom/bindings/ElementBinding.cpp:2071 ``` 51 of them have `Element_Binding::get_attributes` in the proto signature (example:bp-ea9c0db0-3e4a-434e-9078-069b60250525), with a similar stack to `get_classlist`. I'm not sure if this is a SpiderMonkey issue or a DOM bindings issue.