Closed Bug 1800984 Opened 3 years ago Closed 2 years ago

Crash in [@ js::gc::HeaderWord::get]

Categories

(Core :: JavaScript: GC, defect)

Product:
Core
Component:
JavaScript: GC
Type:
defect

Tracking

()

Status:
RESOLVED DUPLICATE of bug 1799300

People

(Reporter: aryx, Unassigned)

Details

(4 keywords)

Crash Data

26 crashes from 23 installations. v108 and v109 affected

Crash report: https://crash-stats.mozilla.org/report/index/16e204f4-635b-4786-a98d-0cddf0221116

Reason: EXCEPTION_ACCESS_VIOLATION_READ

Top 10 frames of crashing thread:

0  xul.dll  js::gc::HeaderWord::get const  js/src/gc/Cell.h:145
0  xul.dll  js::gc::CellWithTenuredGCPointer<js::gc::Cell, js::Shape>::headerPtr const  js/src/gc/Cell.h:826
0  xul.dll  JSObject::shape const  js/src/vm/JSObject.h:91
0  xul.dll  JSObject::getClass const  js/src/vm/JSObject.h:112
0  xul.dll  JSObject::getOpsDefineProperty const  js/src/vm/JSObject.h:119
0  xul.dll  js::DefineAccessorProperty  js/src/vm/JSObject.cpp:2062
0  xul.dll  js::DefineAccessorProperty  js/src/vm/JSObject.cpp:2084
1  xul.dll  InitGetterSetterOperation  js/src/vm/Interpreter.cpp:5050
1  xul.dll  js::InitElemGetterSetterOperation  js/src/vm/Interpreter.cpp:5075
2  ?  @0x00000142e41f487b
Flags: qe-verify-
Flags: needinfo?(jdemooij)

This is likely a signature change from an existing bad memory crash caused by work in this area.

The bug is marked as tracked for firefox108 (beta). However, the bug still isn't assigned.

:sdetar, could you please find an assignee for this tracked bug? Given that it is a regression and we know the cause, we could also simply backout the regressor. If you disagree with the tracking decision, please talk with the release managers.

For more information, please visit auto_nag documentation.

Flags: needinfo?(sdetar)

(In reply to Jon Coppeard (:jonco) from comment #1)

This is likely a signature change from an existing bad memory crash caused by work in this area.

Yeah, bug 1798284 changed the signature for loading the header word. As far as we can tell, this isn't a new regression but just a signature change.

Flags: needinfo?(jdemooij)
Flags: needinfo?(sdetar)

The bug is linked to a topcrash signature, which matches the following criterion:

  • Top 10 content process crashes on beta

:sdetar, could you consider increasing the severity of this top-crash bug?

For more information, please visit auto_nag documentation.

Flags: needinfo?(sdetar)
Keywords: topcrash

The bug is linked to a topcrash signature, which matches the following criteria:

  • Top 20 desktop browser crashes on beta (startup)
  • Top 10 content process crashes on beta

:sdetar, could you consider increasing the severity of this top-crash bug?

For more information, please visit auto_nag documentation.

Flags: needinfo?(sdetar)
Keywords: topcrash-startup
Flags: needinfo?(sdetar)

Jan, I'd like to merge this with the bug with the previous crash signature, but I don't see any open bugs with similar signatures.

Can you help me find it?

Flags: needinfo?(jdemooij)
Status: NEW → RESOLVED
Closed: 2 years ago
Duplicate of bug: 1799300
Flags: needinfo?(jdemooij)
Resolution: --- → DUPLICATE
No longer regressed by: 1798284
You need to log in before you can comment on or make changes to this bug.