Closed Bug 1585264 Opened 5 years ago Closed 5 years ago

Crash in [@ js::ValueToId<T>]

Categories

(Core :: JavaScript Engine, defect, P1)

Product:
Core
Component:
JavaScript Engine
Platform:
Unspecified
Linux
Type:
defect

Tracking

()

Status:
RESOLVED FIXED
Milestone:
mozilla71
Tracking Flags:
Tracking Status
firefox-esr60 --- unaffected
firefox-esr68 --- unaffected
firefox67 --- unaffected
firefox68 --- unaffected
firefox69 --- unaffected
firefox70 --- unaffected
firefox71 --- fixed

People

(Reporter: pascalc, Assigned: iain)

References

(Regression)

Details

(Keywords: crash, regression)

Crash Data

This bug is for crash report bp-eb4ef511-d319-43dd-9f2c-f5b390190930.

Top 10 frames of crashing thread:

0 libxul.so bool js::ValueToId< js/src/vm/JSAtom-inl.h
1 libxul.so mozilla::Result<mozilla::Ok, JS::TranscodeResult> js::XDRObjectLiteral< js/src/vm/JSObject.cpp:1667
2 libxul.so mozilla::Result<mozilla::Ok, JS::TranscodeResult> js::PrivateScriptData::XDR< js/src/vm/JSScript.cpp:456
3 libxul.so mozilla::Result<mozilla::Ok, JS::TranscodeResult> js::XDRScript< js/src/vm/JSScript.cpp:1176
4 libxul.so js::XDRState< js/src/vm/Xdr.cpp:311
5 libxul.so JS::DecodeScript js/src/jsapi.cpp:5876
6 libxul.so nsJSUtils::ExecutionContext::Decode dom/base/nsJSUtils.cpp:294
7 libxul.so mozilla::dom::ScriptLoader::EvaluateScript dom/script/ScriptLoader.cpp:2783
8 libxul.so mozilla::dom::ScriptLoader::ProcessRequest dom/script/ScriptLoader.cpp:2315
9 libxul.so mozilla::dom::ScriptLoader::ProcessExternalScript dom/script/ScriptLoader.cpp:1745

Not all of the crashes are in XDR decoding, but some are. Could there be a bug in XDRScriptConst, such that it produces a bad Value on invalid input?

I don't see that any of this has been touched recently. Iain?

Flags: needinfo?(iireland)
Priority: -- → P1

This spike is consistent with being caused by the atom deduplication code we backed out. There's only been 1 nightly crash since the 1008 build when the backout landed.

Flags: needinfo?(iireland)
Crash Signature: [@ js::ValueToId<T>] → [@ js::ValueToId<T>] [@ js::irregexp::RegExpParser<T>::ParseDisjunction]

No crash on Nightly over the last 6 days so I'll mark 71 as fixed by the backout. We have crashes with these signatures on other channels in low volume probably for other reasons so I am not closing the bug.

Crash Signature: [@ js::ValueToId<T>] [@ js::irregexp::RegExpParser<T>::ParseDisjunction] → [@ js::ValueToId<T>] [@ js::irregexp::RegExpParser<T>::ParseDisjunction]
status-firefox71: affectedfixed

I opened this bug because of the spike in Nightly, let's mark the bug fixed now as the backout in bug 1584820 solved the issue. I'll file a separate bug for the recurring low-volume crashes across channels with this signature that do not depend on the recent atom deduplication code changes in Nightly.

Status: NEW → RESOLVED
Closed: 5 years ago
Resolution: --- → FIXED
Assignee: nobody → iireland
status-firefox67: --- → unaffected
status-firefox68: --- → unaffected
status-firefox69: affectedunaffected
status-firefox70: affectedunaffected
status-firefox-esr60: affectedunaffected
status-firefox-esr68: --- → unaffected
Depends on: 1584820
Keywords: regression
Regressed by: 1575370
Target Milestone: --- → mozilla71
See Also: → 1589091
Has Regression Range: --- → yes
You need to log in before you can comment on or make changes to this bug.