1514280 - Crash in mozilla::detail::HashTable<T>::Iterator::Iterator | js::jit::JitActivation::~JitActivation

Status: RESOLVED INVALID

(Core :: JavaScript Engine: JIT, defect)

Description

[Calixte Denizet (:calixte)]

This bug was filed from the Socorro interface and is
report bp-5430065f-914d-4b18-98c8-6e1440181214.
=============================================================

Top 10 frames of crashing thread:

0 libxul.so mozilla::detail::HashTable<mozilla::HashMapEntry<unsigned char*, JS::GCVector<js::jit::RematerializedFrame*, 0ul, js::TempAllocPolicy> >, mozilla::HashMap<unsigned char*, JS::GCVector<js::jit::RematerializedFrame*, 0ul, js::TempAllocPolicy>, mozilla::DefaultHasher<unsigned char*>, js::TempAllocPolicy>::MapHashPolicy, js::TempAllocPolicy>::Iterator::Iterator mfbt/HashTable.h:1694
1 libxul.so js::jit::JitActivation::~JitActivation mfbt/HashTable.h:1402
2 libxul.so js::jit::MaybeEnterJit js/src/jit/Jit.cpp:106
3 libxul.so js::RunScript js/src/vm/Interpreter.cpp:408
4 libxul.so js::InternalCallOrConstruct js/src/vm/Interpreter.cpp:563
5 libxul.so InternalConstruct js/src/vm/Interpreter.cpp:636
6 libxul.so js::jit::DoCallFallback js/src/vm/Interpreter.cpp:679
7  @0x98be4dd2cf7 
8  @0x7fe05f5baf2f 
9  @0x98be4dce4de 

=============================================================

There is 1 crash in nightly 66 with buildid 20181214054322. In analyzing the backtrace, the regression may have been introduced by patch [1] to fix bug 1508873.

[1] https://hg.mozilla.org/mozilla-central/rev?node=95e3de1d6643

Comment 1

[Nathan Froyd [:froydnj]]

I think this is just a signature change; we have a number of pre-existing crashes under JitActivation::~JitActivation.  But it does look like somebody is accessing a null pointer that they shouldn't be...?

Comment 2

[Marcia Knous [:marcia]]

Last crash was in 2018121405432.