1881870 - Crash in [@ JSClass::hasFinalize]

Status: NEW

(Core :: JavaScript: GC, defect, P3)

Description

[BugBot [:suhaib / :marco/ :calixte]]

Crash report: https://crash-stats.mozilla.org/report/index/ae5c3450-333e-44af-b576-eec5d0240128

Reason: EXCEPTION_ACCESS_VIOLATION_READ

Top 10 frames of crashing thread:

0  xul.dll  JSClass::hasFinalize const  js/public/Class.h:639
0  xul.dll  JSObject::finalize  js/src/vm/JSObject-inl.h:98
0  xul.dll  js::gc::Arena::finalize<JSObject>  js/src/gc/Sweeping.cpp:133
1  xul.dll  FinalizeTypedArenas  js/src/gc/Sweeping.cpp:200
1  xul.dll  FinalizeArenas  js/src/gc/Sweeping.cpp:231
2  xul.dll  js::gc::GCRuntime::foregroundFinalize  js/src/gc/Sweeping.cpp:1761
2  xul.dll  js::gc::GCRuntime::finalizeAllocKind  js/src/gc/Sweeping.cpp:1962
3  xul.dll  sweepaction::SweepActionForEach<ContainerIter<mozilla::EnumSet<js::gc::AllocKind, unsigned long long> >, mozilla::EnumSet<js::gc::AllocKind, unsigned long long> >::run  js/src/gc/Sweeping.cpp:2188
4  xul.dll  sweepaction::SweepActionSequence::run  js/src/gc/Sweeping.cpp:2153
5  xul.dll  sweepaction::SweepActionForEach<js::gc::SweepGroupZonesIter, JSRuntime*>::run  js/src/gc/Sweeping.cpp:2188

By querying Nightly crashes reported within the last 2 months, here are some insights about the signature:

• First crash report: 2024-01-10
• Process type: Content
• Is startup crash: No
• Has user comments: No
• Is null crash: Yes - 1 out of 5 crashes happened on null or near null memory address

Comment 1

[BugBot [:suhaib / :marco/ :calixte]]

The Bugbug bot thinks this bug should belong to the 'Core::JavaScript: GC' component, and is moving the bug to that component. Please correct in case you think the bot is wrong.

Comment 2

[Matthew Gaudet (he/him) [:mgaudet]]

Lots of different kinds of crashes, but I'd say the null hypothesis of bad hardware is a good fit here.