Closed Bug 1028904 Opened 7 years ago Closed 5 years ago

crash in js::StringObject::setStringThis(JSString*)

Categories

(Core :: JavaScript Engine, defect)

33 Branch
x86
Windows NT
defect
Not set
critical

RESOLVED WORKSFORME

People

(Reporter: kairo, Unassigned)

Details

(Keywords: crash, topcrash-win)

Crash Data

This bug was filed from the Socorro interface and is report bp-3f38fecb-8d7d-41d7-9b48-0a6a62140623.
=============================================================

Top frames:
0 	mozjs.dll 	js::StringObject::setStringThis(JSString *) 	js/src/vm/StringObject.h
1 	mozjs.dll 	js::StringObject::init(JSContext *,JS::Handle<JSString *>) 	js/src/vm/StringObject-inl.h
2 	mozjs.dll 	js::StringObject::create(JSContext *,JS::Handle<JSString *>,js::NewObjectKind) 	js/src/vm/StringObject-inl.h
3 	mozjs.dll 	js::PrimitiveToObject(JSContext *,JS::Value const &) 	js/src/jsobj.cpp
4 	mozjs.dll 	js::jit::DoGetPropFallback 	js/src/jit/BaselineIC.cpp

This started to happen on Nightly with the 6/20 build, across all Windows versions on 32-bit builds.
Based on this being the first nightly build it happens with, the regression range is http://hg.mozilla.org/mozilla-central/pushloghtml?fromchange=f78e532e8a10&tochange=bdac18bd6c74

More reports at https://crash-stats.mozilla.com/report/list?signature=js%3A%3AStringObject%3A%3AsetStringThis%28JSString%2A%29

This bug might have the same root cause as bug 1028902, which started at the same time.
Also note that https://crash-stats.mozilla.com/report/list?signature=EnterBaseline spiked at the same time as well.
Jan: could this crash be fallout from your Latin1 string changes? Could it be related to GetLengthProperty crash bug 1028902?
Flags: needinfo?(jdemooij)
(In reply to Chris Peterson (:cpeterson) from comment #2)
> Jan: could this crash be fallout from your Latin1 string changes? Could it
> be related to GetLengthProperty crash bug 1028902?

This seems to be the same issue as bug 1028902, just a different signature.

My string changes in this range are all pretty straightforward; I double-checked them at least 5 times yesterday and nothing stands out. Also see bug 1028902 comment 5: these crashes only happen for users with a weird malware addon installed; I think it's more likely that addon is misbehaving somehow...
Flags: needinfo?(jdemooij)
Crash Signature: [@ js::StringObject::setStringThis(JSString*)] → [@ js::StringObject::setStringThis(JSString*)] [@ js::StringObject::setStringThis]
Depends on: 1028902
Like bug 1028902, there are almost no crashes here for any current version (https://crash-stats.mozilla.com/signature/?signature=js%3A%3AStringObject%3A%3AsetStringThis), so I think this can be closed. Please reopen if you disagree.
Status: NEW → RESOLVED
Closed: 5 years ago
Resolution: --- → WORKSFORME