Core
JavaScript Engine
--
critical
7 years ago
4 years ago

People

(Reporter: Robert Kaiser, Unassigned)

Tracking

({crash})

Firefox Tracking Flags

(Not tracked)

(Reporter)

Description

7 years ago
This bug was filed from the Socorro interface and is report bp-f405af85-c167-4170-a497-e35432110725.
============================================================= 

This is crashing in http://hg.mozilla.org/mozilla-central/annotate/19348341366b/js/src/jsscript.cpp#l1317 which is a line added for bug 671113.

More similar crashes are at https://crash-stats.mozilla.com/report/list?signature=DestroyScript - Bill, is this your instrumentation showing what's actually going on? Related to bug 670702?
(Reporter)

Comment 1

7 years ago
BTW, this bug is for the rise of such cases in 8.0a1 starting with the 20110722 build IDs - there is a residual crash in this function since Firefox 4, which probably is a different thing, I guess.

Yes, all the ones crashing with address 0x0 are intentional crashes. They're places where memory is getting corrupted somehow--usually when we try to free a script twice. I'm trying to get additional data in bug 673625 to track down the cause.
(Assignee)

Updated

4 years ago
Assignee: general → nobody