Open Bug 1875956 Opened 4 months ago Updated 4 months ago

Crash in [@ JS::shadow::Object::numFixedSlots]

Categories

(Core :: JavaScript: GC, defect, P5)

x86
Windows
defect

Tracking

Tracking Status
firefox124 --- affected

People

(Reporter: release-mgmt-account-bot, Unassigned)

References

(Blocks 2 open bugs)

Details

(Keywords: crash)

Crash Data

Crash report: https://crash-stats.mozilla.org/report/index/6a195579-0797-4e9a-9326-a878d0240121

Reason: EXCEPTION_ACCESS_VIOLATION_READ

Top 10 frames of crashing thread:

0  xul.dll  JS::shadow::Object::numFixedSlots const  js/public/shadow/Object.h:45
0  xul.dll  js::NativeObject::numFixedSlots const  js/src/vm/NativeObject.h:904
0  xul.dll  js::NativeObject::getSlotAddressUnchecked  js/src/vm/NativeObject.h:1144
0  xul.dll  js::NativeObject::getSlotAddress  js/src/vm/NativeObject.h:1160
0  xul.dll  js::NativeObject::getSlotRef  js/src/vm/NativeObject.h:1175
0  xul.dll  JSObject::traceChildren  js/src/vm/JSObject.cpp:3417
1  ?  @0x0afaf3ff  
2  xul.dll  <unknown in xul.pdb>  
3  mozglue.dll  Mutex::Unlock  memory/build/Mutex.h:102
3  mozglue.dll  MaybeMutex::Unlock  memory/build/Mutex.h:206

By querying Nightly crashes reported within the last 2 months, here are some insights about the signature:

  • First crash report: 2024-01-21
  • Process type: Content
  • Is startup crash: No
  • Has user comments: No
  • Is null crash: Yes - 1 out of 2 crashes happened on null or near null memory address

The Bugbug bot thinks this bug should belong to the 'Core::JavaScript Engine' component, and is moving the bug to that component. Please correct in case you think the bot is wrong.

Component: General → JavaScript Engine

I do not think this bug is actionable without any additional information, such as when it was allocated and freed/cleared in the past.
These crashes are only saying something wrong happened before, and we just crash while trying to manipulate the leftover data.

Severity: -- → S4
Component: JavaScript Engine → JavaScript: GC
Priority: -- → P5