Open Bug 1913655 Opened 4 months ago Updated 3 months ago

Crash in [@ js::gc::TenuredCellWithFlags::setHeaderFlagBits]

Categories

(Core :: JavaScript: GC, defect, P3)

Other
Windows 11
defect

Tracking Status
firefox131 --- affected

People

(Reporter: release-mgmt-account-bot, Unassigned)

References

(Blocks 2 open bugs)

Details

(Keywords: crash)

Crash Data

Crash report: https://crash-stats.mozilla.org/report/index/407167e8-5100-4616-9142-d95b40240816

Reason: EXCEPTION_ACCESS_VIOLATION_READ

Top 10 frames of crashing thread:

0  xul.dll  js::gc::TenuredCellWithFlags::setHeaderFlagBits  js/src/gc/Cell.h:727
0  xul.dll  js::SharedPropMap::setHadDictionaryConversion  js/src/vm/PropMap.h:613
0  xul.dll  js::SharedPropMap::toDictionaryMap  js/src/vm/PropMap.cpp:102
0  xul.dll  js::NativeObject::toDictionaryMode  js/src/vm/Shape.cpp:110
1  xul.dll  js::NativeObject::maybeConvertToDictionaryForAdd  js/src/vm/Shape.cpp:166
1  xul.dll  js::NativeObject::addProperty  js/src/vm/Shape.cpp:320
2  xul.dll  js::AddDataPropertyToPlainObject  js/src/vm/NativeObject-inl.h:902
2  xul.dll  NewPlainObjectWithProperties  js/src/vm/PlainObject.cpp:307
2  xul.dll  js::NewPlainObjectWithMaybeDuplicateKeys  js/src/vm/PlainObject.cpp:330
2  xul.dll  js::JSONFullParseHandlerAnyChar::finishObject  js/src/vm/JSONParser.cpp:692

By querying Nightly crashes reported within the last 2 months, here are some insights about the signature:

  • First crash report: 2024-07-27
  • Process type: Content
  • Is startup crash: No
  • Has user comments: No
  • Is null crash: Yes - 2 out of 3 crashes happened on null or near null memory address

The Bugbug bot thinks this bug should belong to the 'Core::JavaScript: GC' component, and is moving the bug to that component. Please correct in case you think the bot is wrong.

Component: General → JavaScript: GC
Blocks: GCCrashes
Severity: -- → S3
Priority: -- → P3