Closed Bug 1276554 Opened 9 years ago Closed 9 years ago

Crash in `anonymous namespace''::TypeAnalyzer::insertConversions

Categories

(Core :: JavaScript Engine: JIT, defect)

Product:
Core
Component:
JavaScript Engine: JIT
Platform:
Unspecified
Windows 8
Type:
defect
Priority:
Not set
Severity:
critical

Tracking

()

Status:
RESOLVED DUPLICATE of bug 1276558

People

(Reporter: dbaron, Unassigned)

Details

(Keywords: crash, topcrash)

Crash Data

This bug was filed from the Socorro interface and is report bp-e511ea20-bdd3-428e-8df0-1b6d42160529. ============================================================= There are a decent number of crashes with signature `anonymous namespace''::TypeAnalyzer::insertConversions across all channels, although they seem somewhat more prevalent in prerelease channels (proportional to user base). (Maybe it correlates with being a developer or advanced users for some reason?) They're probably at the borderline for whether I could bother with the "topcrash" keyword. I took a quick look at the minidump for this one, bp-e511ea20-bdd3-428e-8df0-1b6d42160529 . In this case the crash appears to be a null-dereference, though I didn't dig through the inlining to figure out what it's a null-dereference of.
Er, actually, the null-dereference is dereferencing a pointer in a vtable, in order to try to call the first virtual function on something. (The object is 0x00007FFE13093DE8, but its vtable is null, and the first parameter to the function call is taken from the 0x10 offset in the object, and is 0x000000DFBC21C020.)
i'm marking this a duplicate of bug 1276558 because that had some followup from the js team.
Status: NEW → RESOLVED
Closed: 9 years ago
Resolution: --- → DUPLICATE
You need to log in before you can comment on or make changes to this bug.