Closed Bug 1664305 Opened 4 years ago Closed 2 years ago

Crash in [@ js::DebugAPI::destroyDebugScript]

Categories

(Core :: JavaScript Engine, defect, P3)

x86
Windows 7
defect

RESOLVED WORKSFORME

People

(Reporter: sefeng, Unassigned)

References

(Blocks 1 open bug)

Details

(Keywords: crash)

Crash Data

Crash report: https://crash-stats.mozilla.org/report/index/f13233f1-2424-4935-8332-dfea20200730

Top 10 frames of crashing thread:

0 xul.dll static js::DebugAPI::destroyDebugScript js/src/debugger/DebugScript.cpp:308
1 xul.dll js::BaseScript::finalize js/src/vm/JSScript.cpp:629
2 xul.dll FinalizeArenas js/src/gc/GC.cpp:561
3 xul.dll js::gc::GCRuntime::finalizeAllocKind js/src/gc/GC.cpp:5819
4 xul.dll sweepaction::SweepActionCall::run js/src/gc/GC.cpp:5940
5 xul.dll sweepaction::SweepActionForEach<ContainerIter<mozilla::EnumSet<js::gc::AllocKind, unsigned long long> >, mozilla::EnumSet<js::gc::AllocKind, unsigned long long> >::run js/src/gc/GC.cpp:6045
6 xul.dll sweepaction::SweepActionSequence::run js/src/gc/GC.cpp:6010
7 xul.dll sweepaction::SweepActionForEach<js::gc::SweepGroupZonesIter, JSRuntime*>::run js/src/gc/GC.cpp:6045
8 xul.dll sweepaction::SweepActionSequence::run js/src/gc/GC.cpp:6010
9 xul.dll sweepaction::SweepActionForEach<js::gc::SweepGroupsIter, JSRuntime*>::run js/src/gc/GC.cpp:6045

This is a low-frequency crash. I guess it could be just some bad memory bits. However, the majority of the crashes happened at address 0x0 and 0xc and the crash reason is EXCEPTION_ACCESS_VIOLATION_READ. Filing this bug just in case this is legit.

Looks valid to me. The crashes hitting address 0xc are actually NULL pointer dereferences (see the contents of eax in the raw data). 32-bit crashes reference 0xc while 64-bit ones reference 0x0 directly, probably an artifact of different code generation on different architectures.

I don't see how this can fail since the JSScript::hasDebugScript flag is only set if everything is set up correctly:

https://searchfox.org/mozilla-central/source/js/src/debugger/DebugScript.cpp#88

Moving this to the main engine component since this is more a script/debugger issue.

Component: JavaScript: GC → JavaScript Engine

Nothing obvious to me, either.

Severity: -- → S3
Priority: -- → P3

Closing because no crashes reported for 12 weeks.

Status: NEW → RESOLVED
Closed: 2 years ago
Resolution: --- → WORKSFORME