Open Bug 1275185 Opened 6 years ago Updated 2 days ago

Crash in js::LookupOwnPropertyPure

Categories

(Core :: JavaScript Engine, defect)

x86
Windows 7
defect

Tracking

Tracking Status
firefox49 --- wontfix
firefox50 --- wontfix
firefox51 --- wontfix
firefox52 --- wontfix
firefox-esr52 --- wontfix
firefox60 --- wontfix
firefox61 --- fix-optional
firefox62 --- fix-optional

People

(Reporter: ting, Unassigned)

References

(Blocks 1 open bug)

Details

(Keywords: crash)

Crash Data

This bug was filed from the Socorro interface and is report bp-926caebf-7ad0-4c54-8ee7-057ee2160523.
=============================================================

#20 of Nightly 20160522030240, 3 crashes from 2 installations. No reports from previous builds.
So far this crash happens only with 0522030240 build, maybe not that important. But do you have any ideas?
Flags: needinfo?(arai.unmht)
In 2 cases, obj->as<NativeObject>()->shape_ is corrupted (==0xffffff8c)
and in 1 case, obj->as<NativeObject>()->shape_ or parent is corrupted (==0xcf0004)
https://hg.mozilla.org/mozilla-central/annotate/16663eb3dcfa/js/src/jsobj.cpp#l2336

1 other case is 64-bit, and currently I don't have an environment to debug Windows 64-bit :/

Anyway, possible cases are:
  * obj is not a JSObject
  * obj->flags contains a wrong value and it's not actually a NativeObject
  * obj->shape contains a wrong value

Also, it's inside js::LookupPropertyPure's loop, so it might be the case that `obj->staticPrototype()` returns a wrong value,
instead of `obj` itself being wrong in LookupPropertyPure.

But I'm not sure how to investigate from here without a testcase.
Flags: needinfo?(arai.unmht)
Crash volume for signature 'js::LookupOwnPropertyPure':
 - nightly (version 50): 6 crashes from 2016-06-06.
 - aurora  (version 49): 43 crashes from 2016-06-07.
 - beta    (version 48): 0 crashes from 2016-06-06.
 - release (version 47): 0 crashes from 2016-05-31.
 - esr     (version 45): 0 crashes from 2016-04-07.

Crash volume on the last weeks:
            W. N-1  W. N-2  W. N-3  W. N-4  W. N-5  W. N-6  W. N-7
 - nightly       0       5       0       0       1       0       0
 - aurora        3       4      11      12      10       1       2
 - beta          0       0       0       0       0       0       0
 - release       0       0       0       0       0       0       0
 - esr           0       0       0       0       0       0       0

Affected platforms: Windows, Mac OS X
Crash volume for signature 'js::LookupOwnPropertyPure':
 - nightly (version 52): 0 crashes from 2016-09-19.
 - aurora  (version 51): 2 crashes from 2016-09-19.
 - beta    (version 50): 98 crashes from 2016-09-20.
 - release (version 49): 237 crashes from 2016-09-05.
 - esr     (version 45): 0 crashes from 2016-06-01.

Crash volume on the last weeks (Week N is from 10-03 to 10-09):
            W. N-1  W. N-2
 - nightly       0       0
 - aurora        1       1
 - beta         78      20
 - release     197      40
 - esr           0       0

Affected platforms: Windows, Linux

Crash rank on the last 7 days:
           Browser   Content     Plugin
 - nightly
 - aurora  #1467
 - beta    #240      #193
 - release #363      #196
 - esr
Crash volume for signature 'js::LookupOwnPropertyPure':
 - nightly (version 52): 2 crashes from 2016-09-19.
 - aurora  (version 51): 7 crashes from 2016-09-19.
 - beta    (version 50): 259 crashes from 2016-09-20.
 - release (version 49): 782 crashes from 2016-09-05.
 - esr     (version 45): 0 crashes from 2016-07-25.

Crash volume on the last weeks (Week N is from 10-17 to 10-23):
            W. N-1  W. N-2  W. N-3  W. N-4
 - nightly       1       1       0       0
 - aurora        4       1       1       1
 - beta         84      58      78      20
 - release     239     223     197      40
 - esr           0       0       0       0

Affected platforms: Windows, Linux

Crash rank on the last 7 days:
           Browser   Content     Plugin
 - nightly
 - aurora  #443
 - beta    #358      #105
 - release #351      #144
 - esr
Too late for firefox 52, mass-wontfix.
QA Whiteboard: qa-not-actionable

Since the crash volume is low (less than 5 per week), the severity is downgraded to S3. Feel free to change it back if you think the bug is still critical.

For more information, please visit auto_nag documentation.

Severity: critical → S3