Closed Bug 1028904 Opened 7 years ago Closed 5 years ago
crash in js::StringObject::setStringThis(JSString*)
This bug was filed from the Socorro interface and is report bp-3f38fecb-8d7d-41d7-9b48-0a6a62140623.
=============================================================
Top frames:
0 mozjs.dll js::StringObject::setStringThis(JSString *) js/src/vm/StringObject.h
1 mozjs.dll js::StringObject::init(JSContext *,JS::Handle<JSString *>) js/src/vm/StringObject-inl.h
2 mozjs.dll js::StringObject::create(JSContext *,JS::Handle<JSString *>,js::NewObjectKind) js/src/vm/StringObject-inl.h
3 mozjs.dll js::PrimitiveToObject(JSContext *,JS::Value const &) js/src/jsobj.cpp
4 mozjs.dll js::jit::DoGetPropFallback js/src/jit/BaselineIC.cpp

This started to happen on Nightly with the 6/20 build, across all Windows versions on 32bit builds. Based on this being the first nightly build it happens with, the regression range is http://hg.mozilla.org/mozilla-central/pushloghtml?fromchange=f78e532e8a10&tochange=bdac18bd6c74

More reports at https://crash-stats.mozilla.com/report/list?signature=js%3A%3AStringObject%3A%3AsetStringThis%28JSString%2A%29

This bug might have the same root cause as bug 1028902, which started at the same time.
Also note that https://crash-stats.mozilla.com/report/list?signature=EnterBaseline spiked at the same time as well.
Jan: could this crash be fallout from your Latin1 string changes? Could it be related to GetLengthProperty crash bug 1028902?
(In reply to Chris Peterson (:cpeterson) from comment #2)
> Jan: could this crash be fallout from your Latin1 string changes? Could it
> be related to GetLengthProperty crash bug 1028902?

This seems to be the same issue as bug 1028902, just a different signature. My string changes in this range are all pretty straight-forward; I double-checked them at least 5 times yesterday and nothing stands out. Also see bug 1028902 comment 5: these crashes only happen for users with a weird malware addon installed; I think it's more likely that addon is misbehaving somehow...
Crash Signature: [@ js::StringObject::setStringThis(JSString*)] → [@ js::StringObject::setStringThis(JSString*)] [@ js::StringObject::setStringThis]
Like bug 1028902, there are almost no crashes here for any current version (https://crash-stats.mozilla.com/signature/?signature=js%3A%3AStringObject%3A%3AsetStringThis), so I think this can be closed. Please reopen if you disagree.
Status: NEW → RESOLVED
Closed: 5 years ago
Resolution: --- → WORKSFORME