Open Bug 1888797 Opened 2 months ago Updated 2 months ago

Crash in [@ JS::Realm::enter]

Categories

(Core :: JavaScript Engine, defect, P3)

Other
Windows 11
defect

Tracking


Tracking Status
firefox126 --- affected

People

(Reporter: release-mgmt-account-bot, Unassigned)

References

(Blocks 1 open bug)

Details

(Keywords: crash)

Crash Data

Crash report: https://crash-stats.mozilla.org/report/index/785192f0-a285-4910-9f33-f209e0240327

Reason: EXCEPTION_ACCESS_VIOLATION_WRITE

Top 10 frames of crashing thread:

0  xul.dll  JS::Realm::enter  js/src/vm/Realm.h:543
0  xul.dll  JSContext::enterRealm  js/src/vm/JSContext-inl.h:285
0  xul.dll  JSContext::enterRealmOf  js/src/vm/JSContext-inl.h:298
0  xul.dll  JSAutoRealm::JSAutoRealm  js/src/jsapi.cpp:519
0  xul.dll  xpc::XrayTraits::resolveOwnProperty  js/xpconnect/wrappers/XrayWrapper.cpp:1632
1  xul.dll  xpc::JSXrayTraits::resolveOwnProperty  js/xpconnect/wrappers/XrayWrapper.cpp:509
2  xul.dll  xpc::XrayWrapper<js::CrossCompartmentWrapper, xpc::JSXrayTraits>::getOwnPropertyDescriptor const  js/xpconnect/wrappers/XrayWrapper.cpp:1909
3  xul.dll  js::BaseProxyHandler::hasOwn const  js/src/proxy/BaseProxyHandler.cpp:71
4  xul.dll  js::Proxy::hasOwn  js/src/proxy/Proxy.cpp:460
4  xul.dll  js::HasOwnProperty  js/src/vm/JSObject.cpp:1707

By querying Nightly crashes reported within the last 2 months, here are some insights about the signature:

  • First crash report: 2024-02-21
  • Process type: Content
  • Is startup crash: No
  • Has user comments: No
  • Is null crash: Yes - 2 out of 4 crashes happened on null or near null memory address

The Bugbug bot thinks this bug should belong to the 'Core::JavaScript Engine' component, and is moving the bug to that component. Please correct in case you think the bot is wrong.

Component: General → JavaScript Engine

There's a whole diversity of proto signatures that make this perhaps a less useful signature for this bug.

The specific crash report does suggest one possible road. This could be the result of getTargetObject returning nullptr; while the holder object is null checked, the target is not.

Severity: -- → S3
Priority: -- → P3
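To make the hypothesis in the comment above concrete, here is an added illustration that is not SpiderMonkey code and not part of the bug report: a small C++ model of a resolver that null-checks its holder but hands an unchecked target to an RAII realm guard, next to a hardened version that refuses a null target before entering. All names (Realm, Object, AutoRealm, resolveOwnPropertyUnchecked, resolveOwnPropertyChecked, demoHardenedRejectsNullTarget) are hypothetical stand-ins for the frames in the stack, not the real XrayWrapper or JSAutoRealm types.

```cpp
// Added example (hypothetical names, not Firefox code): models the asymmetry
// the comment hypothesises, a holder that is null-checked while the target
// handed to the realm guard is not.
#include <cstdio>

struct Realm {
  int enterCount = 0;  // written on enter/leave, a write through a bad pointer
                       // is what an EXCEPTION_ACCESS_VIOLATION_WRITE looks like
};

struct Object {
  Realm* realm;
};

// RAII guard loosely modelled on a JSAutoRealm-style helper: enters the realm
// of the given object for the lifetime of the guard. It trusts its argument.
class AutoRealm {
 public:
  explicit AutoRealm(Object* obj) : realm_(obj->realm) { realm_->enterCount++; }
  ~AutoRealm() { realm_->enterCount--; }

 private:
  Realm* realm_;
};

// The suspected pattern: holder is checked, target goes straight into the
// guard. If the target lookup had returned nullptr, the guard constructor
// would dereference null and then write through the result.
bool resolveOwnPropertyUnchecked(Object* holder, Object* target) {
  if (!holder) return false;
  AutoRealm ar(target);  // no null check on target
  return true;
}

// Hardened form: check the target (and that it has a realm) before entering.
bool resolveOwnPropertyChecked(Object* holder, Object* target) {
  if (!holder) return false;
  if (!target || !target->realm) return false;
  AutoRealm ar(target);
  return target->realm->enterCount == 1;  // entered exactly once while inside
}

// Exercises the hardened resolver on a constructed realm: a valid call
// succeeds, null holder and null target are both rejected, and the guard
// leaves the realm's enter count balanced afterwards.
bool demoHardenedRejectsNullTarget() {
  Realm realm;
  Object holder{&realm};
  Object target{&realm};
  bool ok = resolveOwnPropertyChecked(&holder, &target);
  bool rejectedNullTarget = !resolveOwnPropertyChecked(&holder, nullptr);
  bool rejectedNullHolder = !resolveOwnPropertyChecked(nullptr, &target);
  return ok && rejectedNullTarget && rejectedNullHolder && realm.enterCount == 0;
}

int main() {
  std::printf("hardened resolver behaves: %s\n",
              demoHardenedRejectsNullTarget() ? "yes" : "no");
  return 0;
}
```

The unchecked variant is only ever called with a valid target here; the point of the pair is that the guard's constructor is the first place a null target is dereferenced, which matches a crash inside the realm-entering frame rather than in the caller.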