Open Bug 1869676 Opened 9 months ago Updated 6 months ago

Crash in [@ JS::Realm::unsafeUnbarrieredMaybeGlobal]

Categories

(Core :: JavaScript: GC, defect, P5)

Other
Windows
defect

Tracking Status
firefox122 --- affected

People

(Reporter: release-mgmt-account-bot, Unassigned)

References

(Blocks 3 open bugs)

Details

(Keywords: crash, stalled)

Crash Data

Crash report: https://crash-stats.mozilla.org/report/index/5607d92b-c519-472c-bb52-a38880231212

Reason: EXCEPTION_ACCESS_VIOLATION_READ

Top 10 frames of crashing thread:

0  xul.dll  JS::Realm::unsafeUnbarrieredMaybeGlobal const  js/src/vm/Realm.h:495
0  xul.dll  js::BaseShape::traceChildren  js/src/gc/TraceMethods-inl.h:304
0  xul.dll  js::gc::TraceCycleCollectorChildren  js/src/gc/Tracer.cpp:99
0  xul.dll  JS_TraceShapeCycleCollectorChildren  js/src/jsfriendapi.cpp:188
0  xul.dll  TraversalTracer::onChild  xpcom/base/CycleCollectedJSRuntime.cpp:439
1  xul.dll  JS::CallbackTracer::onEdge  js/public/TracingAPI.h:245
1  xul.dll  js::GenericTracerImpl<JS::CallbackTracer>::onObjectEdge  js/public/TracingAPI.h:219
1  xul.dll  js::gc::TraceEdgeInternal  js/src/gc/Tracer.h:109
1  xul.dll  TraceTaggedPtrEdge<JS::Value>::<lambda_1>::operator const  js/src/gc/Marking.cpp:666
1  xul.dll  js::MapGCThingTyped  js/public/Value.h:1458

By querying Nightly crashes reported within the last 2 months, here are some insights about the signature:

  • First crash report: 2023-12-06
  • Process type: Content
  • Is startup crash: No
  • Has user comments: No
  • Is null crash: No
  • Is use after free crash: Yes - 1 out of 2 crashes happened on or near an allocator poison value

Group: core-security
Component: General → JavaScript: GC

A fair amount of potential bit-flips and plenty of old machines in the reports; this is likely caused by flaky hardware.

Severity: -- → S4
Priority: -- → P5
Blocks: GCCrashes
Keywords: stalled