1348508 - Crash in js::AddTypePropertyId

Status: RESOLVED INVALID

(Core :: JavaScript Engine, defect, P3)

Description

[baffclan]

This bug was filed from the Socorro interface and is 
report bp-6ac64986-7dbb-4fd7-a35b-6614e2170318.
=============================================================


Crashing Thread (0)
Frame 	Module 	Signature 	Source
0 		@0x1b044bd5f00 	
1 	xul.dll 	js::AddTypePropertyId(JSContext*, JSObject*, jsid, JS::Value const&) 	js/src/vm/TypeInference-inl.h:444
2 	xul.dll 	UpdateShapeTypeAndValue 	js/src/vm/NativeObject.cpp:1143
3 	xul.dll 	AddOrChangeProperty 	js/src/vm/NativeObject.cpp:1264
4 	xul.dll 	js::NativeDefineProperty(JSContext*, JS::Handle<js::NativeObject*>, JS::Handle<jsid>, JS::Handle<JS::PropertyDescriptor>, JS::ObjectOpResult&) 	js/src/vm/NativeObject.cpp:1484
5 	xul.dll 	js::DefineProperty(JSContext*, JS::Handle<JSObject*>, JS::Handle<jsid>, JS::Handle<JS::Value>, bool (*)(JSContext*, JS::Handle<JSObject*>, JS::Handle<jsid>, JS::MutableHandle<JS::Value>), bool (*)(JSContext*, JS::Handle<JSObject*>, JS::Handle<jsid>, JS::MutableHandle<JS::Value>, JS::ObjectOpResult&), unsigned int, JS::ObjectOpResult&) 	js/src/jsobj.cpp:2754
6 	xul.dll 	JSStructuredCloneReader::read(JS::MutableHandle<JS::Value>) 	js/src/vm/StructuredClone.cpp:2464
7 	xul.dll 	ReadStructuredClone(JSContext*, JSStructuredCloneData&, JS::StructuredCloneScope, JS::MutableHandle<JS::Value>, JSStructuredCloneCallbacks const*, void*) 	js/src/vm/StructuredClone.cpp:556
8 	xul.dll 	JS_ReadStructuredClone(JSContext*, JSStructuredCloneData&, unsigned int, JS::StructuredCloneScope, JS::MutableHandle<JS::Value>, JSStructuredCloneCallbacks const*, void*) 	js/src/vm/StructuredClone.cpp:2491
9 	xul.dll 	JSAutoStructuredCloneBuffer::read(JSContext*, JS::MutableHandle<JS::Value>, JSStructuredCloneCallbacks const*, void*) 	js/src/vm/StructuredClone.cpp:2649
10 	xul.dll 	mozilla::dom::StructuredCloneHolderBase::Read(JSContext*, JS::MutableHandle<JS::Value>) 	dom/base/StructuredCloneHolder.cpp:207
11 	xul.dll 	xpc::StackScopedClone(JSContext*, xpc::StackScopedCloneOptions&, JS::MutableHandle<JS::Value>) 	js/xpconnect/src/ExportHelpers.cpp:233
12 	xul.dll 	xpc::CloneInto(JSContext*, JS::Handle<JS::Value>, JS::Handle<JS::Value>, JS::Handle<JS::Value>, JS::MutableHandle<JS::Value>) 	js/xpconnect/src/XPCComponents.cpp:3253
13 	xul.dll 	nsXPCComponents_Utils::CloneInto(JS::Handle<JS::Value>, JS::Handle<JS::Value>, JS::Handle<JS::Value>, JSContext*, JS::MutableHandle<JS::Value>) 	js/xpconnect/src/XPCComponents.cpp:3265
14 	xul.dll 	XPTC__InvokebyIndex 	xpcom/reflect/xptcall/md/win32/xptcinvoke_asm_x86_64.asm:97
15 		@0x34d93ee0df 	
16 	xul.dll 	XPCWrappedNative::CallMethod(XPCCallContext&, XPCWrappedNative::CallMode) 	js/xpconnect/src/XPCWrappedNative.cpp:1296
17 	xul.dll 	XPC_WN_CallMethod(JSContext*, unsigned int, JS::Value*) 	js/xpconnect/src/XPCWrappedNativeJSOps.cpp:983
18 	xul.dll 	js::InternalCallOrConstruct(JSContext*, JS::CallArgs const&, js::MaybeConstruct) 	js/src/vm/Interpreter.cpp:448
19 	xul.dll 	Interpret 	js/src/vm/Interpreter.cpp:2954
20 	xul.dll 	js::RunScript(JSContext*, js::RunState&) 	js/src/vm/Interpreter.cpp:394
21 	xul.dll 	js::InternalCallOrConstruct(JSContext*, JS::CallArgs const&, js::MaybeConstruct) 	js/src/vm/Interpreter.cpp:466
22 	xul.dll 	js::Wrapper::call(JSContext*, JS::Handle<JSObject*>, JS::CallArgs const&) 	js/src/proxy/Wrapper.cpp:165
23 	xul.dll 	js::InternalCallOrConstruct(JSContext*, JS::CallArgs const&, js::MaybeConstruct) 	js/src/vm/Interpreter.cpp:436
24 	xul.dll 	js::jit::DoCallFallback 	js/src/jit/BaselineIC.cpp:2347
25 		@0x2b5e4dbc8b6 	



Application Basics:
Name: Firefox
Version: 55.0a1
Build ID: 20170317111607
User Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:55.0) Gecko/20100101
Firefox/55.0

STR:
1. open a Options
2. disable e10s and restart
3. appear Firefox
4. open a Options
5. enable a e10s and restart
6. crash a Firefox
not always.

Comment 2

[Jan de Mooij [:jandem]]

Signature no longer exists.