Closed Bug 1874574 Opened 5 months ago Closed 5 months ago

Crash in [@ js::GlobalObject::hasConstructor]

Categories

(Core :: JavaScript Engine, defect)

Product:
Core
Component:
JavaScript Engine
Platform:
x86
Windows
Type:
defect

Tracking

()

Status:
RESOLVED WONTFIX
Tracking Flags:
Tracking Status
firefox123 --- affected

People

(Reporter: release-mgmt-account-bot, Unassigned)

References

(Blocks 1 open bug)

Details

(Keywords: crash)

Crash Data

Crash report: https://crash-stats.mozilla.org/report/index/56338671-55f9-4f59-b3da-25a370231227

Reason: EXCEPTION_BREAKPOINT

Top 10 frames of crashing thread:

0  xul.dll  js::GlobalObject::hasConstructor const  js/src/vm/GlobalObject.h:322
0  xul.dll  js::GlobalObject::isStandardClassResolved const  js/src/vm/GlobalObject.h:426
0  xul.dll  js::GlobalObject::ensureConstructor  js/src/vm/GlobalObject.h:340
0  xul.dll  js::GlobalObject::getOrCreateStringPrototype  js/src/vm/GlobalObject.h:551
0  xul.dll  js::GetProperty  js/src/vm/Interpreter.cpp:4413
0  xul.dll  GetPropertyOperation  js/src/vm/Interpreter.cpp:245
0  xul.dll  js::Interpret  js/src/vm/Interpreter.cpp:2715
1  xul.dll  MaybeEnterInterpreterTrampoline  js/src/vm/Interpreter.cpp:393
1  xul.dll  js::RunScript  js/src/vm/Interpreter.cpp:451
1  xul.dll  js::InternalCallOrConstruct  js/src/vm/Interpreter.cpp:605

By querying Nightly crashes reported within the last 2 months, here are some insights about the signature:

  • First crash report: 2023-12-05
  • Process type: Content
  • Is startup crash: No
  • Has user comments: No
  • Is null crash: No

The Bugbug bot thinks this bug should belong to the 'Core::JavaScript Engine' component, and is moving the bug to that component. Please correct in case you think the bot is wrong.

Component: General → JavaScript Engine
Crash Signature: [@ IPCError-browser | RecvLoadValueAndMoreItems mLoadedAllItems already set!] → [@ js::GlobalObject::hasConstructor]

I'm not sure why we assigned the previous signature. The actual crash is in GlobalObject::hasConstructor, in the following assembly sequence:

mov    0xb0(%rax),%rbx // Load the realm from the context
mov    0x60(%rbx),%rax // Load the global from the realm
mov    0x40(%rax),%rax // Load the global object data from the global
cmpq   $0x0,0xc0(%rax) // Check whether data->builtinConstructors[JSProto_String].constructor is null

We crash on the last instruction. This all seems pretty bogus; if we're running in the interpreter, those should all be valid pointers. We should always have a context/realm/global available, and we only free the global data when the global is no longer reachable.

Sorting the crashes over the last six months by install time, I see a lot of repeated installs, which I generally associate with bad hardware / a corrupted binary, rather than an actual bug.

I don't think this is actionable.

Status: NEW → RESOLVED
Closed: 5 months ago
Resolution: --- → WONTFIX
Summary: Crash in [@ IPCError-browser | RecvLoadValueAndMoreItems mLoadedAllItems already set!] → Crash in [@ js::GlobalObject::hasConstructor]
You need to log in before you can comment on or make changes to this bug.