Closed Bug 653561 Opened 13 years ago Closed 7 years ago

Firefox 6.0a1 Crash Report [@ JSObject::allocSlot ]

Categories

(Core :: JavaScript Engine, defect)

x86
macOS
defect
Not set
critical

Tracking

RESOLVED WORKSFORME

People

(Reporter: marcia, Unassigned)

Details

(Keywords: crash)

Seen while reviewing crash stats and chofmann's report. This is a Linux and Mac only crash that is present on the trunk. Crashes started showing up using the 2011042700 build. Crashes so far: http://tinyurl.com/6z5fkhp

https://crash-stats.mozilla.com/report/index/0a42fe59-6465-4879-8508-67c352110428

Frame 	Module 	Signature 	Source
0 	libxul.so 	JSObject::allocSlot 	js/src/jsvalue.h:711
1 	libxul.so 	JSObject::getChildProperty 	js/src/jsscope.cpp:476
2 	libxul.so 	JSObject::addPropertyInternal 	js/src/jsscope.cpp:750
3 	libxul.so 	JSObject::putProperty 	js/src/jsscope.cpp:835
4 	libxul.so 	js_DefineNativeProperty 	js/src/jsobj.cpp:4767
5 	libxul.so 	js_DefineProperty 	js/src/jsobj.cpp:4611
6 	libxul.so 	JS_DefineUCProperty 	js/src/jsobj.h:1230
7 	libxul.so 	nsDOMConstructor::Install 	dom/base/nsDOMClassInfo.cpp:5879
8 	libxul.so 	ResolvePrototype 	dom/base/nsDOMClassInfo.cpp:6276
9 	libxul.so 	nsDOMClassInfo::PostCreatePrototype 	dom/base/nsDOMClassInfo.cpp:4966
10 	libxul.so 	XPCWrappedNativeProto::Init 	js/src/xpconnect/src/xpcwrappednativeproto.cpp:143
11 	libxul.so 	XPCWrappedNativeProto::GetNewOrUsed 	js/src/xpconnect/src/xpcwrappednativeproto.cpp:264
12 	libxul.so 	XPCWrappedNative::GetNewOrUsed 	js/src/xpconnect/src/xpcwrappednative.cpp:579
13 	libxul.so 	XPCWrappedNative::GetNewOrUsed 	js/src/xpconnect/src/xpcwrappednative.cpp:498
14 	libxul.so 	XPCConvert::NativeInterface2JSObject 	js/src/xpconnect/src/xpcconvert.cpp:1283
15 	libxul.so 	XPCConvert::NativeData2JS 	js/src/xpconnect/src/xpcconvert.cpp:485
16 	libxul.so 	XPCWrappedNative::CallMethod 	js/src/xpconnect/src/xpcprivate.h:3203
17 	libxul.so 	XPC_WN_CallMethod 	js/src/xpconnect/src/xpcwrappednativejsops.cpp:1610
18 	libxul.so 	js::mjit::stubs::UncachedCallHelper 	js/src/jscntxtinlines.h:697
19 	libxul.so 	js::mjit::stubs::UncachedCall 	js/src/methodjit/InvokeHelpers.cpp:429
20 		@0x7f3d918d0185 	
21 	libxul.so 	js::mjit::JaegerShot 	js/src/methodjit/MethodJIT.cpp:684
22 	libxul.so 	js::RunScript 	js/src/jsinterp.cpp:630
23 	libxul.so 	js::Invoke 	js/src/jsinterp.cpp:713
24 	libxul.so 	js::ExternalInvoke 	js/src/jsinterp.cpp:836
25 	libxul.so 	JS_CallFunctionValue 	js/src/jsapi.cpp:5078
26 	libxul.so 	nsXPCWrappedJSClass::CallMethod 	js/src/xpconnect/src/xpcwrappedjsclass.cpp:1662
27 	libxul.so 	nsXPCWrappedJS::CallMethod 	js/src/xpconnect/src/xpcwrappedjs.cpp:586
28 	libxul.so 	PrepareAndDispatch 	xpcom/reflect/xptcall/src/md/unix/xptcstubs_x86_64_linux.cpp:153
29 	libxul.so 	libxul.so@0x108555a 	
30 	libxul.so 	nsTimerImpl::Fire 	xpcom/threads/nsTimerImpl.cpp:427
31 	libxul.so 	nsTimerEvent::Run 	xpcom/threads/nsTimerImpl.cpp:516
32 	libxul.so 	nsThread::ProcessNextEvent 	xpcom/threads/nsThread.cpp:618
33 	libxul.so 	NS_ProcessNextEvent_P 	obj-firefox/xpcom/build/nsThreadUtils.cpp:250
34 	libxul.so 	mozilla::ipc::MessagePump::Run 	ipc/glue/MessagePump.cpp:110
35 	libxul.so 	MessageLoop::Run 	ipc/chromium/src/base/message_loop.cc:202
36 	libxul.so 	nsBaseAppShell::Run 	widget/src/xpwidgets/nsBaseAppShell.cpp:189
37 	libxul.so 	nsAppStartup::Run 	toolkit/components/startup/nsAppStartup.cpp:224
38 	libxul.so 	XRE_main 	toolkit/xre/nsAppRunner.cpp:3765
39 	firefox-bin 	main 	browser/app/nsBrowserApp.cpp:158
40 	libc-2.13.so 	libc-2.13.so@0x1eefe 	
41 	firefox-bin 	Output 	browser/app/nsBrowserApp.cpp:77
42 		@0x7fffa74d66c5

Saw this a couple of times now. Today I had just opened a tab and started typing into the URL bar.

Actually, seen this 4 times so far this morning with a slightly different stack to that below, maybe this has changed or gotten worse?

https://crash-stats.mozilla.com/report/index/bp-dd62bc25-9198-46c4-8554-fec9b2110504

Crashes are pretty low volume so far - only a handful a day. Will keep an eye out for any spikes.

I have a testcase that triggers a crash [@ JSObject::allocSlot], but only under Valgrind. When I use a debug build, I get the assertion in bug 651030 before (instead of) the crash. I will retest my testcase after bug 651030 is fixed.
Depends on: 651030

Crash Signature: [@ JSObject::allocSlot ]

This seems to have dropped off the top 300 in Firefox 5+.

Assignee: general → nobody

I'm marking this bug as WORKSFORME as this bug's crash log signature hasn't appeared for a long time (over half a year) in Firefox (except some obsolete Fx <35).
Status: NEW → RESOLVED
Closed: 7 years ago
Resolution: --- → WORKSFORME