Closed Bug 1689497 Opened 3 years ago Closed 3 years ago

Release assert crash in [@ JSScript::innermostScope]

Categories

(Core :: JavaScript Engine, defect)

Product:
Core
Component:
JavaScript Engine
Platform:
Unspecified
macOS
Type:
defect

Tracking

()

Status:
RESOLVED FIXED
Milestone:
87 Branch
Tracking Flags:
Tracking Status
firefox-esr78 --- unaffected
firefox85 --- unaffected
firefox86 --- unaffected
firefox87 --- fixed

People

(Reporter: mccr8, Unassigned)

References

(Regression)

Details

(Keywords: crash, regression)

Crash Data

Maybe Fission related. (DOMFissionEnabled=1)

Crash report: https://crash-stats.mozilla.org/report/index/cbf1e24b-7607-4a02-bfcb-ce5df0210128

MOZ_CRASH Reason: MOZ_RELEASE_ASSERT(idx < storage_.size())

Top 10 frames of crashing thread:

0 XUL JSScript::innermostScope const js/src/vm/JSScript.cpp:4829
1 XUL js::EnvironmentIter::EnvironmentIter js/src/vm/EnvironmentObject.cpp:1284
2 XUL js::InterpreterFrame::epilogue js/src/vm/Stack.cpp:220
3 XUL Interpret js/src/vm/Interpreter.cpp:4561
4 XUL js::InternalCallOrConstruct js/src/vm/Interpreter.cpp:619
5 XUL JS_CallFunctionValue js/src/jsapi.cpp:2798
6 XUL nsXPCWrappedJS::CallMethod js/xpconnect/src/XPCWrappedJSClass.cpp:970
7 XUL PrepareAndDispatch xpcom/reflect/xptcall/md/unix/xptcstubs_x86_64_darwin.cpp:117
8 XUL SharedStub 
9 XUL mozilla::dom:: dom/base/Document.cpp:16034

The crash volume is low, but there's a release assert so I'd figured I'd file it. Only about a third of the crashes with this signature have the assert.

The new crashes look related to the crash in Bug 1689505.

Regressed by: 1627111
Has Regression Range: --- → yes

Fixed by backout:
https://hg.mozilla.org/mozilla-central/rev/751ecfca72b1fd7e210cfa845e008e6e5d9ca107

Status: NEW → RESOLVED
Closed: 3 years ago
Resolution: --- → FIXED
Target Milestone: --- → 87 Branch
You need to log in before you can comment on or make changes to this bug.