Crash in [@ js::GlobalObject::hasConstructor]
Categories
(Core :: JavaScript Engine, defect)
Tracking
()
Tracking | Status | |
---|---|---|
firefox123 | --- | affected |
People
(Reporter: release-mgmt-account-bot, Unassigned)
References
(Blocks 1 open bug)
Details
(Keywords: crash)
Crash Data
Crash report: https://crash-stats.mozilla.org/report/index/56338671-55f9-4f59-b3da-25a370231227
Reason: EXCEPTION_BREAKPOINT
Top 10 frames of crashing thread:
0 xul.dll js::GlobalObject::hasConstructor const js/src/vm/GlobalObject.h:322
0 xul.dll js::GlobalObject::isStandardClassResolved const js/src/vm/GlobalObject.h:426
0 xul.dll js::GlobalObject::ensureConstructor js/src/vm/GlobalObject.h:340
0 xul.dll js::GlobalObject::getOrCreateStringPrototype js/src/vm/GlobalObject.h:551
0 xul.dll js::GetProperty js/src/vm/Interpreter.cpp:4413
0 xul.dll GetPropertyOperation js/src/vm/Interpreter.cpp:245
0 xul.dll js::Interpret js/src/vm/Interpreter.cpp:2715
1 xul.dll MaybeEnterInterpreterTrampoline js/src/vm/Interpreter.cpp:393
1 xul.dll js::RunScript js/src/vm/Interpreter.cpp:451
1 xul.dll js::InternalCallOrConstruct js/src/vm/Interpreter.cpp:605
By querying Nightly crashes reported within the last 2 months, here are some insights about the signature:
- First crash report: 2023-12-05
- Process type: Content
- Is startup crash: No
- Has user comments: No
- Is null crash: No
Reporter | ||
Comment 1•5 months ago
|
||
The Bugbug bot thinks this bug should belong to the 'Core::JavaScript Engine' component, and is moving the bug to that component. Please correct in case you think the bot is wrong.
Updated•5 months ago
|
Comment 2•5 months ago
|
||
I'm not sure why we assigned the previous signature. The actual crash is in GlobalObject::hasConstructor, in the following assembly sequence:
mov 0xb0(%rax),%rbx // Load the realm from the context
mov 0x60(%rbx),%rax // Load the global from the realm
mov 0x40(%rax),%rax // Load the global object data from the global
cmpq $0x0,0xc0(%rax) // Check whether data->builtinConstructors[JSProto_String].constructor is null
We crash on the last instruction. This all seems pretty bogus; if we're running in the interpreter, those should all be valid pointers. We should always have a context/realm/global available, and we only free the global data when the global is no longer reachable.
Sorting the crashes over the last six months by install time, I see a lot of repeated installs, which I generally associate with bad hardware / a corrupted binary, rather than an actual bug.
I don't think this is actionable.
Description
•