Open Bug 2000124 Opened 22 days ago Updated 1 day ago

Crash in [@ mozilla::BitSet<T>::Reference::operator= | js::gc::AllocSpace<T>::setAllocated]

Categories

(Core :: JavaScript: GC, defect, P2)

Platform: ARM64 / All
Type: defect

Tracking Status
firefox147 --- affected

People

(Reporter: release-mgmt-account-bot, Unassigned)

References

(Blocks 2 open bugs)

Details

(Keywords: crash)

Crash Data

Crash report: https://crash-stats.mozilla.org/report/index/dea6eeff-8e41-490d-a903-66f5b0251030

Reason: SIGSEGV / SI_KERNEL

Top 10 frames of crashing thread:

0  libxul.so  mozilla::BitSet<  mfbt/BitSet.h
1  libxul.so  js::gc::AllocSpace<js::gc::SmallBufferRegion,   js/src/gc/BufferAllocator.cpp:311
2  libxul.so  js::gc::BufferAllocator::allocSmall  js/src/gc/BufferAllocator.cpp:1884
3  libxul.so  js::gc::BufferAllocator::allocInGC  js/src/gc/BufferAllocator.cpp:573
4  libxul.so  js::gc::AllocBufferInGC  js/src/gc/BufferAllocator-inl.h:95
5  libxul.so  js::Nursery::maybeMoveRawBufferOnPromotion  js/src/gc/Nursery.cpp:1870
6  libxul.so  js::Nursery::maybeMoveBufferOnPromotion<js::ObjectSlots>  js/src/gc/Nursery.h:236
7  libxul.so  js::gc::TenuringTracer::moveSlots  js/src/gc/Tenuring.cpp:1063
8  libxul.so  js::gc::TenuringTracer::promotePlainObject  js/src/gc/Tenuring.cpp:1040
9  libxul.so  js::gc::TenuringTracer::promoteObject  js/src/gc/Tenuring.cpp:142

By querying Nightly crashes reported within the last 2 months, here are some insights about the signature:

  • First crash report: 2025-10-30
  • Process type: Content
  • Is startup crash: No
  • Has user comments: No
  • Is null crash: Yes - 2 out of 3 crashes happened on a null or near-null memory address

The Bugbug bot thinks this bug should belong to the 'Core::JavaScript: GC' component, and is moving the bug to that component. Please correct in case you think the bot is wrong.

Component: General → JavaScript: GC

The severity field is not set for this bug.
:sdetar, could you have a look please?

For more information, please visit BugBot documentation.

Flags: needinfo?(sdetar)

Jon, when you have time, could you take a look at this bug?

Blocks: GC.stability
Severity: -- → S3
Flags: needinfo?(sdetar) → needinfo?(jcoppeard)
Priority: -- → P2

This is a low-volume null-pointer crash happening since 143.

The code where it crashes was added in bug 1973033 in version 143. There's no obvious issue in the code (the dereferenced pointer is checked for being null).

Probably a bad memory / heap corruption crash.

Flags: needinfo?(jcoppeard)
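The triage reasoning above (a null check on the pointer, yet a crash on a near-null address, hence a suspected corrupted pointer rather than a plain nullptr) can be made concrete. The following is an added illustration, not code from mfbt/BitSet.h or js/src/gc/BufferAllocator.cpp: the BitSet, the Region layout with two header words before the bitmap, and the 4 KiB "near null" threshold are all assumed for the example. It models where a BitSet store through a region pointer would land without dereferencing anything, so a nullptr and a small garbage value can be compared against the null check the comment mentions.

```cpp
#include <cstddef>
#include <cstdint>
#include <cstdio>

// Simplified stand-in for a mozilla::BitSet-style container (assumed layout,
// not mfbt/BitSet.h): N bits packed into 64-bit words.
template <size_t N>
class BitSet {
  static constexpr size_t kWordBits = 64;
  static constexpr size_t kWords = (N + kWordBits - 1) / kWordBits;
  uint64_t words_[kWords] = {};

 public:
  // Proxy returned by operator[]; its operator= performs the actual store
  // into words_, which is the frame at the top of the reported stack.
  class Reference {
    BitSet& set_;
    size_t pos_;

   public:
    Reference(BitSet& s, size_t p) : set_(s), pos_(p) {}
    Reference& operator=(bool v) {
      uint64_t mask = uint64_t(1) << (pos_ % kWordBits);
      uint64_t& w = set_.words_[pos_ / kWordBits];
      w = v ? (w | mask) : (w & ~mask);
      return *this;
    }
  };

  Reference operator[](size_t p) { return Reference(*this, p); }
  bool test(size_t p) const { return (words_[p / kWordBits] >> (p % kWordBits)) & 1; }
  // Address the store for bit p goes through (for matching against a crash address).
  uintptr_t wordAddress(size_t p) const {
    return reinterpret_cast<uintptr_t>(&words_[p / kWordBits]);
  }
};

// Hypothetical region: two header words, then the allocation bitmap. The real
// SmallBufferRegion layout is not on the bug page; this one is assumed.
struct Region {
  uintptr_t headerA = 0;
  uintptr_t headerB = 0;
  BitSet<4096> allocated;  // bit i set == cell i is allocated

  void setAllocated(size_t i) { allocated[i] = true; }
};

// Address that Region::setAllocated(i) would store through for a given pointer
// value, computed arithmetically so garbage pointers are never dereferenced.
uintptr_t faultAddressFor(uintptr_t regionPtr, size_t i) {
  return regionPtr + offsetof(Region, allocated) + (i / 64) * sizeof(uint64_t);
}

// crash-stats' "null or near null" bucket, assumed here to mean "inside the
// first (unmapped) 4 KiB page".
bool isNearNull(uintptr_t addr) { return addr < 4096; }

// The kind of check the comment describes: it only rejects exactly nullptr,
// so a small corrupted value sails through and still faults near address 0.
bool passesNullCheck(uintptr_t regionPtr) { return regionPtr != 0; }

// Check that the arithmetic model agrees with a real store on a live object.
bool modelMatchesRealLayout() {
  Region r;
  r.setAllocated(70);
  bool bitOk = r.allocated.test(70) && !r.allocated.test(69) && !r.allocated.test(6);
  uintptr_t base = reinterpret_cast<uintptr_t>(&r);
  return bitOk && r.allocated.wordAddress(70) == faultAddressFor(base, 70);
}

int main() {
  // Constructed samples: a genuine nullptr and a small garbage value. Only the
  // first is caught by the null check; both land in the near-null bucket.
  uintptr_t samples[] = {0, 0x28};
  for (uintptr_t p : samples) {
    uintptr_t fa = faultAddressFor(p, 100);
    std::printf("region=%#lx nullcheck=%s fault=%#lx nearNull=%s\n",
                (unsigned long)p, passesNullCheck(p) ? "pass" : "fail",
                (unsigned long)fa, isNearNull(fa) ? "yes" : "no");
  }
  return modelMatchesRealLayout() ? 0 : 1;
}
```

The useful takeaway for triage is the second sample: a region pointer of 0x28 passes `regionPtr != 0`, yet the bitmap store lands at 0x28 plus the bitmap offset, well inside the first page, which is exactly the signature crash-stats files as "near null". That pattern points at a corrupted pointer in the region or slots bookkeeping rather than at a missing null check, consistent with the heap-corruption suspicion in the comment.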