Closed Bug 1167244 Opened 8 years ago Closed 8 years ago

crash in js::UnboxedLayout::makeNativeGroup(JSContext*, js::ObjectGroup*)

Categories

(Core :: JavaScript Engine, defect)

Product:
Core
Component:
JavaScript Engine
Platform:
Unspecified
All
Type:
defect
Priority:
Not set
Severity:
critical

Tracking

()

Status:
RESOLVED FIXED
Milestone:
mozilla41
Tracking Flags:
Tracking Status
firefox41 --- fixed

People

(Reporter: snorp, Assigned: sstangl)

Details

(Keywords: crash)

Crash Data

Attachments

(1 file)

0001-Bug-1167244-Handle-nullptr-return-from-maybeGetPrope.patch
886 bytes, patch
bhackett1024
: review+
Details | Diff | Splinter Review 
This bug was filed from the Socorro interface and is 
report bp-f02a1255-4c46-4809-b823-7f3562150521.
=============================================================

Got this crash today under Nightly e10s. Not sure which tab caused the issue, but I opened Google Maps most recently.
Brian, this one might be different from bug 1166700?
Flags: needinfo?(bhackett1024)
Based on the fact that the STR involves Google Maps, this might be a dupe of bug 1166542.
I got this again just now without having Google Maps open.
Do you have any STR?  This looks like a NULL deref that should be easy to fix but it would be nice to know why the pointer involved is NULL (since it shouldn't be).
I don't, sorry. I'll try to come up with some if it happens again (so far no more instances).
Crashed an e10s tab with today's Nightly with a similar stack trace:

00c66232-f4dc-4a4c-8275-af6d02150527
OS: Mac OS X → All
Version: unspecified → Trunk
https://crash-stats.mozilla.com/report/index/70e9f401-753b-4d49-a0bf-8fddc2150603

crashed an e10s nightly tab with this. I think it was the slate.com homepage. It doesn't reproduce.
My Nightly is about a week out of date, but I just crashed on Amazon doing something in the shopping cart view:
https://crash-stats.mozilla.com/report/index/fdc1a179-ba77-41b4-ae48-dd0902150610
Saw this bug as the top JS crasher. maybeGetProperty() is missing a nullptr check.

There are a few other uses of maybeGetProperty() in the codebase that also don't have a check, but most of them look safe. Probably a 5-minute auditing job for bhackett just to make sure :)
Attachment #8620554 - Flags: review?(bhackett1024)
Attachment #8620554 - Flags: review?(bhackett1024) → review+
https://hg.mozilla.org/mozilla-central/rev/30e375742c0a
Assignee: nobody → sstangl
Status: NEW → RESOLVED
Closed: 8 years ago
status-firefox41: --- → fixed
Resolution: --- → FIXED
Target Milestone: --- → mozilla41
Flags: needinfo?(bhackett1024)
You need to log in before you can comment on or make changes to this bug.