With combined signatures, it's the #5 top crasher in today's build. It first appeared in 16.0a1/20120606.

The regression range is:
http://hg.mozilla.org/mozilla-central/pushloghtml?fromchange=a7a905fd70d5&tochange=6338a8988917

Signature: JSObject::getGeneric(JSContext*, JS::Handle<int>, JS::Value*)
UUID: 6f6984e3-1ca2-4dec-9a85-c48932120606
Date Processed: 2012-06-06 18:45:30
Uptime: 156
Last Crash: more than 3 months before submission
Install Age: 19.1 minutes since version was first installed.
Install Time: 2012-06-06 18:25:56
Product: Firefox
Version: 16.0a1
Build ID: 20120606030528
Release Channel: nightly
OS: Windows NT
OS Version: 6.1.7601 Service Pack 1
Build Architecture: x86
Build Architecture Info: GenuineIntel family 6 model 37 stepping 5
Crash Reason: EXCEPTION_ACCESS_VIOLATION_READ
Crash Address: 0x69727453
App Notes: AdapterVendorID: 0x8086, AdapterDeviceID: 0x0046, AdapterSubsysID: 043f1028, AdapterDriverVersion: 126.96.36.19922 D2D? D2D+ DWrite? DWrite+ D3D10 Layers? D3D10 Layers+
EMCheckCompatibility: True
Adapter Device ID:
Total Virtual Memory: 2147352576
Available Virtual Memory: 1530040320
System Memory Use Percentage: 40
Available Page File: 4256292864
Available Physical Memory: 1836113920

Frame  Module     Signature                        Source
0                 @0x69727453
1      mozjs.dll  JSObject::getGeneric             js/src/jsobjinlines.h:177
2      mozjs.dll  JSObject::getProperty            js/src/jsobjinlines.h:183
3      mozjs.dll  js::Interpret                    js/src/jsinterp.cpp:1489
4      mozjs.dll  js::types::TypeSet::addType      js/src/jsinferinlines.h:1116
5      mozjs.dll  js::types::TypeScript::SetThis   js/src/jsinferinlines.h:690
6      mozjs.dll  js::Execute                      js/src/jsinterp.cpp:493

More reports at:
https://crash-stats.mozilla.com/report/list?signature=JSObject%3A%3AgetGeneric%28JSContext*%2C+JS%3A%3AHandle%3Cint%3E%2C+JS%3A%3AValue*%29
https://crash-stats.mozilla.com/report/list?signature=JSObject%3A%3AgetGeneric%28JSContext*%2C+JS%3A%3AHandle%3CJSObject*%3E%2C+JS%3A%3AHandle%3Cint%3E%2C+JS%3A%3AValue*%29
https://crash-stats.mozilla.com/report/list?signature=JSObject%3A%3AgetProperty%28JSContext*%2C+js%3A%3APropertyName*%2C+JS%3A%3AValue*%29
This shows as highly exploitable on Windows in crash automation. I'll see about reproducing.

Debug pseudo-stack:
JSObject::getGeneric(JSContext*, JS::Handle<jsid>, JS::Value*)
JSObject::getProperty(JSContext*, js::PropertyName*, JS::Value*)
js::GetObjectElementOperation
js::GetElementOperation
js::Interpret(JSContext*, js::StackFrame*, js::InterpMode)
The URL is:
http://www.google.com.vn/imgres?q=TravelMate%2B4750&hl=vi&biw=1366&bih=567&tbm=isch&tbnid=crk98WCtEsQ8IM:&imgrefurl=http://www.dienmay.com/laptop/acer-travelmate-4750-2332g50-%28039%29&docid=RyoM3kcMDg0D9M&imgurl=http://cdn.thegioididong.com/Products/Images/44/

I haven't been able to reproduce locally, however.

Note that Mac has a different stack/assertion:
Assertion failure: (ptrBits & 0x7) == 0
JSVAL_TO_OBJECT_IMPL
JS::Value::toObject
js::CompartmentChecker::check
js::assertSameCompartment<JS::Value>
js::Interpret

Windows XP once gave the following stack:
js::EncapsulatedPtr<js::types::TypeObject, unsigned int>::operator->()
js::ObjectImpl::hasSingletonType()
js::types::Type::ObjectType(JSObject*)
js::types::GetValueType(JSContext*, JS::Value const&)
js::types::TypeMonitorResult(JSContext*, JSScript*, unsigned char*, JS::Value const&)

Note the crash reason for the exploitable Windows crashes was EXCEPTION_ACCESS_VIOLATION_EXEC.
I was able to repro the crash with one of the URLs (http://www.factorydirect.ca/), but I get a slightly different stack: https://crash-stats.mozilla.com/report/index/bp-8ca67003-fb21-4766-914e-b6ca12120607
I wasn't able to reproduce this crash; it is too random. I've tried to keep my attention on the Error Console without luck. Anyway, this crash happens for me on one very popular Polish IT forum, only during navigation between sub-forums and Forum -> Portal page, never on the Portal. The forum is based on phpBB with their own mods. Since I'm completely new on Bugzilla I will not post the link now; if someone needs it, please let me know in a comment.
This is odd: almost a whole day without a single crash, now I got 3 in 15 minutes, the last two at almost the same time:
https://crash-stats.mozilla.com/report/index/bp-4381c12e-b49a-4948-b881-f9d662120609
https://crash-stats.mozilla.com/report/index/bp-c0375f18-0388-49da-ba55-d42d32120609

Some steps to reproduce:
1. Go to this forum: http://forum.dobreprogramy.pl/
2. Navigate a bit on the site, sub-forums etc.
3. At the top of the page you can find a header with "Forum Dobreprogramy".
4. "Dobreprogramy" leads to the Portal page; use it. 99% of the time the crash happens for me on this link.

This is very irregular: you can browse there for a few hours without a single crash, and suddenly when you use this link the browser crashes. Hope this can help a bit.
Given the regression range, could this be bug 659577?
Yes, there was definitely a big spike in this crash caused by bug 659577. However, the fix landed a few days later and the crashes practically all went away. If I look at crash-stats now, this is #42 and dropping; there is only one crash after 20120608, so I think we can resolve fixed here?
(In reply to Luke Wagner [:luke] from comment #8)
> If I look at crash-stats now, this is #42 and dropping; there is
> only one crash after 20120608, so I think we can resolve fixed here?

There are still crashes in 15.0a2 and 16.0a1 at a very low volume.
Can we make the bug public?
OK news is this appears fixed on 16 via bug 659577! Thanks Naveed, Luke, and Brian for checking :)