1557283 - Crash in [@ js::UncheckedUnwrapWithoutExpose]

Status: RESOLVED FIXED

(Core :: JavaScript: GC, defect, P1)

Description

[Calixte Denizet (:calixte)]

This bug is for crash report bp-9dac9692-791a-4052-96cf-13df60190606.

Top 10 frames of crashing thread:

0 xul.dll js::UncheckedUnwrapWithoutExpose js/src/proxy/Wrapper.cpp:321
1 xul.dll void js::WeakMap<js::HeapPtr<JSObject*>, js::HeapPtr<JS::Value> >::markEntry js/src/gc/WeakMap-inl.h:128
2 xul.dll js::GCMarker::enterWeakMarkingMode js/src/gc/Marking.cpp:2600
3 xul.dll js::gc::GCRuntime::markWeakReferences<js::gc::SweepGroupZonesIter> js/src/gc/GC.cpp:4601
4 xul.dll js::gc::GCRuntime::endMarkingSweepGroup js/src/gc/GC.cpp:5503
5 xul.dll js::gc::IncrementalProgress sweepaction::SweepActionSequence<js::gc::GCRuntime*, js::FreeOp*, js::SliceBudget&>::run js/src/gc/GC.cpp:6501
6 xul.dll js::gc::IncrementalProgress sweepaction::SweepActionRepeatFor<js::gc::SweepGroupsIter, JSRuntime*, js::gc::GCRuntime*, js::FreeOp*, js::SliceBudget&>::run js/src/gc/GC.cpp:6561
7 xul.dll js::gc::GCRuntime::performSweepActions js/src/gc/GC.cpp:6733
8 xul.dll js::gc::GCRuntime::incrementalSlice js/src/gc/GC.cpp:7262
9 xul.dll js::gc::GCRuntime::gcCycle js/src/gc/GC.cpp:7628

This crash signature reappeared recently in nightly 69.
It could be related to bug 1167452 fix.
:sfink, could you investigate please?

Comment 1

[Daniel Veditz [:dveditz]]

All the new nightly crashes are at 0x0 -- doesn't look exploitable.

Comment 2

[Gary [:streetwolf52]]

My crash report https://crash-stats.mozilla.org/report/index/07f6ac8f-e67a-44e4-a477-a5be80190607

Comment 3

[Ryan VanderMeulen [:RyanVM]]

Looks like this spike was resolved by backing out bug 1167452.