Crash in [@ js::ReportRuntimeLexicalError]
Categories
(Core :: JavaScript Engine, defect, P3)
Tracking
()
People
(Reporter: sefeng, Unassigned)
References
(Blocks 1 open bug)
Details
(Keywords: crash, Whiteboard: [not-a-fission-bug])
Crash Data
Maybe Fission related. (DOMFissionEnabled=1)
Crash report: https://crash-stats.mozilla.org/report/index/189e0003-025c-4edc-b590-1993b0210105
MOZ_CRASH Reason: MOZ_RELEASE_ASSERT(idx < storage_.size())
Top 10 frames of crashing thread:
0 XUL js::ReportRuntimeLexicalError js/src/vm/Interpreter.cpp:5224
1 XUL Interpret js/src/vm/Interpreter.cpp:3635
2 XUL js::InternalCallOrConstruct js/src/vm/Interpreter.cpp:619
3 XUL js::jit::InvokeFromInterpreterStub js/src/jit/VMFunctions.cpp:773
4 @0x2cfa3135dfa3
5 @0x177e90207
6 @0x2cfa3135d56e
7 XUL js::jit::MaybeEnterJit js/src/jit/Jit.cpp:197
8 XUL js::InternalCallOrConstruct js/src/vm/Interpreter.cpp:619
9 XUL JS_CallFunctionValue js/src/jsapi.cpp:2798
Filing because the reason is MOZ_RELEASE_ASSERT(idx < storage_.size()) which is invalid access for Span, however, I couldn't figure where we access the span.
|
||
Comment 1•3 years ago
|
||
Jan, do you have any input on the analysis of this bug?
|
||
Comment 2•3 years ago
|
||
(In reply to Sean Feng [:sefeng] from comment #0)
Filing because the reason is
MOZ_RELEASE_ASSERT(idx < storage_.size())which is invalid access forSpan, however, I couldn't figure where we access the span.
The Span is likely from PrivateScriptData::gcthings. I don't see how this could happen and it's the only crash I can find for the past few weeks so it could be memory corruption or so.
I don't think there's anything we can/should do here, unless we get more reports.
|
||
Updated•3 years ago
|
|
||
Updated•3 years ago
|
|
|
||
Updated•3 years ago
|
|
||
Comment 3•8 months ago
|
||
Closing because no crashes reported for 12 weeks.
Description
•