Closed Bug 1585264 Opened 1 year ago Closed 1 year ago

Crash in [@ js::ValueToId<T>]


(Core :: JavaScript Engine, defect, P1)
Tracking Status
firefox-esr60 --- unaffected
firefox-esr68 --- unaffected
firefox67 --- unaffected
firefox68 --- unaffected
firefox69 --- unaffected
firefox70 --- unaffected
firefox71 --- fixed


(Reporter: pascalc, Assigned: iain)
(Keywords: crash, regression)

Crash Data

This bug is for crash report bp-eb4ef511-d319-43dd-9f2c-f5b390190930.

Top 10 frames of crashing thread:

0 bool js::ValueToId< js/src/vm/JSAtom-inl.h
1 mozilla::Result<mozilla::Ok, JS::TranscodeResult> js::XDRObjectLiteral< js/src/vm/JSObject.cpp:1667
2 mozilla::Result<mozilla::Ok, JS::TranscodeResult> js::PrivateScriptData::XDR< js/src/vm/JSScript.cpp:456
3 mozilla::Result<mozilla::Ok, JS::TranscodeResult> js::XDRScript< js/src/vm/JSScript.cpp:1176
4 js::XDRState< js/src/vm/Xdr.cpp:311
5 JS::DecodeScript js/src/jsapi.cpp:5876
6 nsJSUtils::ExecutionContext::Decode dom/base/nsJSUtils.cpp:294
7 mozilla::dom::ScriptLoader::EvaluateScript dom/script/ScriptLoader.cpp:2783
8 mozilla::dom::ScriptLoader::ProcessRequest dom/script/ScriptLoader.cpp:2315
9 mozilla::dom::ScriptLoader::ProcessExternalScript dom/script/ScriptLoader.cpp:1745

Not all of the crashes are in XDR decoding, but some are. Could there be a bug in XDRScriptConst, such that it produces a bad Value on invalid input?

I don't see that any of this has been touched recently. Iain?

Flags: needinfo?(iireland)
Priority: -- → P1

This spike is consistent with being caused by the atom deduplication code we backed out. There's only been 1 nightly crash since the 1008 build when the backout landed.

Flags: needinfo?(iireland)
Duplicate of this bug: 1585275
Crash Signature: [@ js::ValueToId<T>] → [@ js::ValueToId<T>] [@ js::irregexp::RegExpParser<T>::ParseDisjunction]

No crash on Nightly over the last 6 days so I'll mark 71 as fixed by the backout. We have crashes with these signatures on other channels in low volume probably for other reasons so I am not closing the bug.

Crash Signature: [@ js::ValueToId<T>] [@ js::irregexp::RegExpParser<T>::ParseDisjunction] → [@ js::ValueToId<T>] [@ js::irregexp::RegExpParser<T>::ParseDisjunction]
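The two comments above reason from crash volume per Nightly build: the spike tracks the regressing change, and near-zero crashes on builds after the backout justify marking 71 fixed while leaving the low-volume crashes on other channels to a separate bug. The script below is an added example of that triage check and is not part of the bug or of Socorro's tooling. The crash records are constructed sample data, not real reports; the backout build date 20191008 comes from the comment above, and the function names and the `max_after` threshold are assumptions. The `crash_id_date` helper relies on the Socorro convention that the last six characters of a crash ID are the crash date as YYMMDD.

```python
"""Correlate per-build crash counts for a signature with a backout build.

Added example for bug triage; not code from the bug or from Socorro.
"""
from collections import Counter
from datetime import date

SIG_VALUETOID = "js::ValueToId<T>"
SIG_REGEXP = "js::irregexp::RegExpParser<T>::ParseDisjunction"

# Backout build date taken from the comment: "the 1008 build when the backout landed".
BACKOUT_BUILD = "20191008"

# Constructed sample crash reports: (build_id, channel, signature).
# Build IDs use the Firefox YYYYMMDDhhmmss layout. These are not real reports.
SAMPLE_CRASHES = [
    ("20191001094514", "nightly", SIG_VALUETOID),
    ("20191001094514", "nightly", SIG_VALUETOID),
    ("20191003215802", "nightly", SIG_VALUETOID),
    ("20191005093011", "nightly", SIG_VALUETOID),
    ("20191005093011", "nightly", SIG_REGEXP),
    ("20191007095224", "nightly", SIG_VALUETOID),
    ("20191009215303", "nightly", SIG_VALUETOID),   # the lone post-backout Nightly crash
    ("20190918164529", "beta", SIG_VALUETOID),      # low-volume crash on another channel
    ("20191012093245", "release", SIG_VALUETOID),   # same, release
]


def build_date(build_id):
    """Reduce a YYYYMMDDhhmmss build ID to its YYYYMMDD day (one Nightly per day here)."""
    return build_id[:8]


def crash_id_date(crash_id):
    """Socorro crash IDs end in YYMMDD (the crash date). Returns a datetime.date."""
    yymmdd = crash_id.replace("bp-", "")[-6:]
    return date(2000 + int(yymmdd[:2]), int(yymmdd[2:4]), int(yymmdd[4:]))


def crashes_by_build(crashes, signature, channel="nightly"):
    """Count crashes for one signature on one channel, keyed by build day."""
    return Counter(
        build_date(build_id)
        for build_id, chan, sig in crashes
        if chan == channel and sig == signature
    )


def split_at_build(crashes, signature, cutoff_build, channel="nightly"):
    """Return (crashes on builds before cutoff, crashes on builds at or after cutoff)."""
    per_build = crashes_by_build(crashes, signature, channel)
    before = sum(n for day, n in per_build.items() if day < cutoff_build)
    after = sum(n for day, n in per_build.items() if day >= cutoff_build)
    return before, after


def looks_fixed_by_backout(crashes, signature, backout_build, channel="nightly", max_after=1):
    """True when the signature spiked before the backout build and is (near) silent after it.

    max_after is an assumed tolerance: a stray report from a user still on an
    affected build should not keep the regression open.
    """
    before, after = split_at_build(crashes, signature, backout_build, channel)
    return before > 0 and after <= max_after


if __name__ == "__main__":
    for sig in (SIG_VALUETOID, SIG_REGEXP):
        before, after = split_at_build(SAMPLE_CRASHES, sig, BACKOUT_BUILD)
        verdict = "fixed by backout" if looks_fixed_by_backout(SAMPLE_CRASHES, sig, BACKOUT_BUILD) else "still crashing"
        print(f"{sig}: nightly before={before} after={after} -> {verdict}")
    print("report date:", crash_id_date("bp-eb4ef511-d319-43dd-9f2c-f5b390190930"))
```

The per-channel split matters: the release and beta reports above are not on Nightly builds that ever carried the regressing change, so they are excluded from the backout verdict, which mirrors the decision in the comment to leave those crashes to a separate bug rather than count them against the fix.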

I opened this bug because of the spike in Nightly, let's mark the bug fixed now as the backout in bug 1584820 solved the issue. I'll file a separate bug for the recurring low-volume crashes across channels with this signature that do not depend on the recent atom deduplication code changes in Nightly.

Closed: 1 year ago
Resolution: --- → FIXED
Assignee: nobody → iireland
Depends on: 1584820
Keywords: regression
Regressed by: 1575370
Target Milestone: --- → mozilla71
See Also: → 1589091