Open Bug 1994091 Opened 1 month ago Updated 1 month ago

Crash in [@ mozilla::BitSet<T>::Reference::operator=]

Categories

(Core :: JavaScript: GC, defect, P2)

ARM64
All
defect

Tracking

Tracking Status
firefox146 --- affected

People

(Reporter: release-mgmt-account-bot, Unassigned)

References

(Blocks 2 open bugs)

Details

(Keywords: crash)

Crash Data

Crash report: https://crash-stats.mozilla.org/report/index/587e23c7-7b45-4456-88d2-8a6020250929

Reason: EXC_BAD_ACCESS / KERN_INVALID_ADDRESS

Top 10 frames of crashing thread:

0  XUL  mozilla::BitSet<  mfbt/BitSet.h:79
0  XUL  js::gc::AllocSpace<js::gc::SmallBufferRegion,   js/src/gc/BufferAllocator.cpp:312
0  XUL  js::gc::BufferAllocator::allocSmall  js/src/gc/BufferAllocator.cpp:1885
0  XUL  js::gc::BufferAllocator::allocInGC  js/src/gc/BufferAllocator.cpp:574
0  XUL  js::gc::AllocBufferInGC  js/src/gc/BufferAllocator-inl.h:96
0  XUL  js::Nursery::maybeMoveRawBufferOnPromotion  js/src/gc/Nursery.cpp:2026
1  XUL  js::Nursery::maybeMoveBufferOnPromotion<js::ObjectSlots>  js/src/gc/Nursery.h:236
1  XUL  js::gc::TenuringTracer::moveSlots  js/src/gc/Tenuring.cpp:1063
1  XUL  js::gc::TenuringTracer::promotePlainObject  js/src/gc/Tenuring.cpp:1040
1  XUL  js::gc::TenuringTracer::promoteObject  js/src/gc/Tenuring.cpp:142

By querying Nightly crashes reported within the last 2 months, here are some insights about the signature:

  • First crash report: 2025-09-15
  • Process type: Content
  • Is startup crash: No
  • Has user comments: No
  • Is null crash: Yes - 2 out of 4 crashes happened on null or near null memory address

The Bugbug bot thinks this bug should belong to the 'Core::JavaScript: GC' component, and is moving the bug to that component. Please correct in case you think the bot is wrong.

Component: General → JavaScript: GC
Blocks: GCCrashes
Severity: -- → S3
Priority: -- → P2