Open Bug 1797656 Opened 2 years ago Updated 2 years ago

Crash in [@ js::NativeObject::getElementsHeader]

Categories

(Core :: JavaScript Engine, defect, P5)

Other Branch
Desktop
Windows
defect

People

(Reporter: ash153311, Unassigned)

References

(Blocks 1 open bug)

Details

(Keywords: crash)

Crash Data

Crash report: https://crash-stats.mozilla.org/report/index/80128f89-58ab-4d44-9bf1-f564f0221027

Reason: EXCEPTION_ACCESS_VIOLATION_READ

Top 10 frames of crashing thread:

0  xul.dll  js::NativeObject::getElementsHeader const  js/src/vm/NativeObject.h:1287
0  xul.dll  js::NativeObject::setDenseInitializedLengthInternal  js/src/vm/NativeObject.h:1346
0  xul.dll  js::NativeObject::setDenseInitializedLength  js/src/vm/NativeObject.h:1354
0  xul.dll  InitElemArrayOperation  js/src/vm/Interpreter.cpp:1879
0  xul.dll  Interpret  js/src/vm/Interpreter.cpp:4044
1  xul.dll  js::RunScript  js/src/vm/Interpreter.cpp:431
2  xul.dll  js::ExecuteKernel  js/src/vm/Interpreter.cpp:825
3  xul.dll  js::Execute  js/src/vm/Interpreter.cpp:857
4  xul.dll  js::ModuleObject::execute  js/src/builtin/ModuleObject.cpp:1257
5  xul.dll  InnerModuleEvaluation  js/src/vm/Modules.cpp:1510

The Bugbug bot thinks this bug should belong to the 'Core::JavaScript Engine' component, and is moving the bug to that component. Please correct in case you think the bot is wrong.

Component: General → JavaScript Engine

Crashing in getElementsHeader implies that the elements_ pointer is bogus, which seems likely to be memory corruption rather than a real bug.

Looking at the crash report, this would have been categorized as a failure in Interpret before precise inlining stacks.

Duplicate of this bug: 1797658

Iain, does your comment in comment 2 indicate this is not an actionable bug? Or does this need more analysis?

Flags: needinfo?(iireland)

I don't think this bug is actionable. Unless we see a significant spike in crashes with this signature, more analysis is unnecessary.

Flags: needinfo?(iireland)
Severity: -- → S4
Priority: -- → P5