Open
Bug 1875956
Opened 4 months ago
Updated 4 months ago
Crash in [@ JS::shadow::Object::numFixedSlots]
Categories
(Core :: JavaScript: GC, defect, P5)
Tracking
()
NEW
Tracking | Status | |
---|---|---|
firefox124 | --- | affected |
People
(Reporter: release-mgmt-account-bot, Unassigned)
References
(Blocks 2 open bugs)
Details
(Keywords: crash)
Crash Data
Crash report: https://crash-stats.mozilla.org/report/index/6a195579-0797-4e9a-9326-a878d0240121
Reason: EXCEPTION_ACCESS_VIOLATION_READ
Top 10 frames of crashing thread:
0 xul.dll JS::shadow::Object::numFixedSlots const js/public/shadow/Object.h:45
0 xul.dll js::NativeObject::numFixedSlots const js/src/vm/NativeObject.h:904
0 xul.dll js::NativeObject::getSlotAddressUnchecked js/src/vm/NativeObject.h:1144
0 xul.dll js::NativeObject::getSlotAddress js/src/vm/NativeObject.h:1160
0 xul.dll js::NativeObject::getSlotRef js/src/vm/NativeObject.h:1175
0 xul.dll JSObject::traceChildren js/src/vm/JSObject.cpp:3417
1 ? @0x0afaf3ff
2 xul.dll <unknown in xul.pdb>
3 mozglue.dll Mutex::Unlock memory/build/Mutex.h:102
3 mozglue.dll MaybeMutex::Unlock memory/build/Mutex.h:206
By querying Nightly crashes reported within the last 2 months, here are some insights about the signature:
- First crash report: 2024-01-21
- Process type: Content
- Is startup crash: No
- Has user comments: No
- Is null crash: Yes - 1 out of 2 crashes happened on null or near null memory address
Reporter | ||
Comment 1•4 months ago
|
||
The Bugbug bot thinks this bug should belong to the 'Core::JavaScript Engine' component, and is moving the bug to that component. Please correct in case you think the bot is wrong.
Component: General → JavaScript Engine
Comment 2•4 months ago
|
||
I do not think this bug is actionable without any additional information, such as when was it allocated and freed/cleared in the past.
These crashes are only saying something wrong happened before, and we just crash while trying to manipulate the leftover data.
Blocks: sm-defects-crashes
Severity: -- → S4
Component: JavaScript Engine → JavaScript: GC
Priority: -- → P5
You need to log in
before you can comment on or make changes to this bug.
Description
•