Closed Bug 1038220 Opened 10 years ago Closed 10 years ago

crash in mozilla::jsipc::JavaScriptParent::IsCPOW(JSObject*)

Categories

(Core :: JavaScript Engine, defect)

Version: 31 Branch
Platform: x86
OS: Windows NT
Type: defect
Priority: Not set
Severity: critical

Tracking
RESOLVED INCOMPLETE
Tracking Status
firefox31 - affected

People

(Reporter: u279076, Unassigned)

Details

(Keywords: crash)

Crash Data

This bug was filed from the Socorro interface and is report bp-89d60b9a-95d8-4482-b7d5-eec072140710.
=============================================================
0 	xul.dll 	mozilla::jsipc::JavaScriptParent::IsCPOW(JSObject *) 	js/ipc/JavaScriptParent.cpp
1 	xul.dll 	XPCConvert::NativeInterface2JSObject(JS::MutableHandle<JS::Value>,nsIXPConnectJSObjectHolder * *,xpcObjectHelper &,nsID const *,XPCNativeInterface * *,bool,tag_nsresult *) 	js/xpconnect/src/XPCConvert.cpp
2 	xul.dll 	nsXPConnect::WrapNativeToJSVal(JSContext *,JSObject *,nsISupports *,nsWrapperCache *,nsID const *,bool,JS::MutableHandle<JS::Value>) 	js/xpconnect/src/nsXPConnect.cpp
3 	xul.dll 	xpc::WrapperFactory::PrepareForWrapping(JSContext *,JS::Handle<JSObject *>,JS::Handle<JSObject *>,unsigned int) 	js/xpconnect/wrappers/WrapperFactory.cpp
4 	mozjs.dll 	JSCompartment::wrap(JSContext *,JS::MutableHandle<JSObject *>,JS::Handle<JSObject *>) 	js/src/jscompartment.cpp
5 	mozjs.dll 	JSCompartment::wrap(JSContext *,JS::MutableHandle<JS::Value>,JS::Handle<JSObject *>) 	js/src/jscompartmentinlines.h
6 	mozjs.dll 	js::CrossCompartmentWrapper::get(JSContext *,JS::Handle<JSObject *>,JS::Handle<JSObject *>,JS::Handle<jsid>,JS::MutableHandle<JS::Value>) 	js/src/jswrapper.cpp
7 	mozjs.dll 	js::proxy_GetGeneric(JSContext *,JS::Handle<JSObject *>,JS::Handle<JSObject *>,JS::Handle<jsid>,JS::MutableHandle<JS::Value>) 	js/src/jsproxy.cpp
8 	mozjs.dll 	js::jit::DoGetPropFallback 	js/src/jit/BaselineIC.cpp
9 	mozjs.dll 	JSObject::defineGeneric(js::ExclusiveContext *,JS::Handle<JSObject *>,JS::Handle<jsid>,JS::Handle<JS::Value>,bool (*)(JSContext *,JS::Handle<JSObject *>,JS::Handle<jsid>,JS::MutableHandle<JS::Value>),bool (*)(JSContext *,JS::Handle<JSObject *>,JS::Handle<jsid>,bool,JS::MutableHandle<JS::Value>),unsigned int) 	js/src/jsobj.cpp
10 	mozjs.dll 	js::jit::CanEnter(JSContext *,js::RunState &) 	js/src/jit/Ion.cpp
11 	mozjs.dll 	js::RunScript(JSContext *,js::RunState &) 	js/src/vm/Interpreter.cpp
12 		@0x11a56480 	
=============================================================
More reports:
https://crash-stats.mozilla.com/report/list?product=Firefox&signature=mozilla%3A%3Ajsipc%3A%3AJavaScriptParent%3A%3AIsCPOW%28JSObject%2A%29

This seems to be a relatively new crash which is spiking with Firefox 31.0b8. There's one report with Firefox 30, one report with Firefox 31.0b6, and 18 reports with Firefox 31.0b8. It's still very low volume so maybe it's not a huge concern but I thought it curious to be spiking in a specific Beta.
I assume we are ignoring 31.0b7 because all 291 reports are from a single user with serious memory corruption:

xul!mozilla::jsipc::JavaScriptParent::IsCPOW:
67a6b7e2 11af11af11af    adc     dword ptr [edi-50EE50EFh],ebp
67a6b7e8 11af11af11af    adc     dword ptr [edi-50EE50EFh],ebp
67a6b7ee 11af11af11af    adc     dword ptr [edi-50EE50EFh],ebp
67a6b7f4 11af11af11af    adc     dword ptr [edi-50EE50EFh],ebp
67a6b7fa 11af11af11af    adc     dword ptr [edi-50EE50EFh],ebp

That's got to take the prize for most persistent crash reporter though.
So aside from comment 1, the newer crashes are all dereferencing JS-looking pointers of the form: 0x4, 0xffffff81, 0xffffff87, etc.

efaust, we debugged something like this a long time ago, do you recall what came of it? (Or this could be totally unrelated)
Flags: needinfo?(efaustbmo)
Small volume. Not tracking for now but please resubmit if it starts to spike.
There are no hits after build 20140710141843.
Flags: needinfo?(efaustbmo)
There are three crashes with Firefox 31.0 2014-07-16 but I see nothing following. Since volume here is extremely low I'm going to resolve this as INCOMPLETE.
Status: NEW → RESOLVED
Closed: 10 years ago
Resolution: --- → INCOMPLETE