Open Bug 1919929 Opened 1 year ago Updated 3 months ago

Crash in [@ js::NativeShape::propMapLength]

Categories

(Core :: JavaScript Engine, defect, P5)

Other
All
defect

Tracking

Tracking Status
firefox132 --- affected

People

(Reporter: release-mgmt-account-bot, Unassigned)

References

(Blocks 2 open bugs)

Details

(Keywords: crash)

Crash Data

Crash report: https://crash-stats.mozilla.org/report/index/449fd8fa-fd6f-47ff-ad9c-f86070240826

Reason: EXCEPTION_ACCESS_VIOLATION_READ

Top 10 frames of crashing thread:

0  xul.dll  js::NativeShape::propMapLength const  js/src/vm/Shape.h:506
0  xul.dll  js::SharedShape::lastPropertyMatchesForAdd const  js/src/vm/Shape.h:561
0  xul.dll  LookupShapeForAdd  js/src/vm/Shape.cpp:264
0  xul.dll  js::NativeObject::addProperty  js/src/vm/Shape.cpp:324
1  xul.dll  js::AddDataPropertyToPlainObject  js/src/vm/NativeObject-inl.h:902
1  xul.dll  NewPlainObjectWithProperties  js/src/vm/PlainObject.cpp:307
1  xul.dll  js::NewPlainObjectWithMaybeDuplicateKeys  js/src/vm/PlainObject.cpp:330
1  xul.dll  js::JSONFullParseHandlerAnyChar::finishObject  js/src/vm/JSONParser.cpp:692
1  xul.dll  js::JSONPerHandlerParser<unsigned char, js::JSONFullParseHandler<unsigned char> >::parseImpl<JS::Rooted<JS::Value>, `lambda at /builds/worker/checkouts/gecko/js/src/vm/JSONParser.cpp:1066:26'>  js/src/vm/JSONParser.cpp:871
2  xul.dll  js::JSONParser<unsigned char>::parse  js/src/vm/JSONParser.cpp:1065

By querying Nightly crashes reported within the last 2 months, here are some insights about the signature:

  • First crash report: 2024-07-30
  • Process type: Content
  • Is startup crash: No
  • Has user comments: No
  • Is null crash: Yes - 2 out of 9 crashes happened on null or near null memory address

The Bugbug bot thinks this bug should belong to the 'Core::JavaScript Engine' component, and is moving the bug to that component. Please correct in case you think the bot is wrong.

Component: General → JavaScript Engine
Severity: -- → S4
Depends on: sm-defects-crashes
Priority: -- → P5
No longer depends on: sm-defects-crashes