1491530 - Crash in js::TypeSet::addType

Status: RESOLVED FIXED

(Core :: JavaScript: GC, defect)

Description

[Calixte Denizet (:calixte)]

This bug was filed from the Socorro interface and is
report bp-4eb860a8-aad3-45ca-baf6-b0c190180914.
=============================================================

Top 10 frames of crashing thread:

0 xul.dll js::TypeSet::addType js/src/vm/TypeInference.cpp:720
1 xul.dll js::ConstraintTypeSet::addType js/src/vm/TypeInference.cpp:794
2 xul.dll js::AddTypePropertyId js/src/vm/TypeInference.cpp:3124
3 xul.dll js::UnboxedLayout::makeNativeGroup js/src/vm/UnboxedObject.cpp:692
4 xul.dll js::UnboxedPlainObject::convertToNative js/src/vm/UnboxedObject.cpp:734
5 xul.dll js::TypeNewScript::rollbackPartiallyInitializedObjects js/src/vm/TypeInference.cpp:4423
6 xul.dll js::ObjectGroup::clearNewScript js/src/vm/TypeInference.cpp:3388
7 xul.dll js::UnboxedLayout::makeNativeGroup js/src/vm/UnboxedObject.cpp:624
8 xul.dll js::UnboxedPlainObject::convertToNative js/src/vm/UnboxedObject.cpp:734
9 xul.dll js::UnboxedPlainObject::obj_setProperty js/src/vm/UnboxedObject.cpp:1070

=============================================================

There are 99 crashes (from 89 installations) in nightly 64 starting with buildid 20180913222046. In analyzing the backtrace, the regression may have been introduced by patch [1] to fix bug 1490042.

[1] https://hg.mozilla.org/mozilla-central/rev?node=aa3c5d257b1e

Comment 1

[Jon Coppeard (:jonco)]

I can confirm that bug 1490042 caused this.

Comment 2

[Ryan VanderMeulen [:RyanVM]]

Bug 1490042 has been backed out to stop the crashes while this bug is being investigated.
https://hg.mozilla.org/integration/autoland/rev/2b3acad1d831076f4936382ba4216c1c9d43ff63

Comment 3

[Ryan VanderMeulen [:RyanVM]]

Merge of backout:
https://hg.mozilla.org/mozilla-central/rev/2b3acad1d831076f4936382ba4216c1c9d43ff63