Last Comment Bug 762197 - crash in JSObject::getGeneric
: crash in JSObject::getGeneric
: crash, regression, sec-critical
Product: Core
Classification: Components
Component: JavaScript Engine (show other bugs)
: 16 Branch
: All All
-- critical (vote)
: mozilla16
Assigned To: general
: Jason Orendorff [:jorendorff]
: 763073 (view as bug list)
Depends on: 659577
  Show dependency treegraph
Reported: 2012-06-06 12:37 PDT by Scoobidiver (away)
Modified: 2015-10-16 11:49 PDT (History)
9 users (show)
choller: in‑testsuite-
See Also:
Crash Signature:
QA Whiteboard:
Iteration: ---
Points: ---
Has Regression Range: ---
Has STR: ---


Description User image Scoobidiver (away) 2012-06-06 12:37:46 PDT
With combined signatures, it's #5 top crasher in today's build.
It first appeared in 16.0a1/20120606. The regression range is:

Signature 	JSObject::getGeneric(JSContext*, JS::Handle<int>, JS::Value*) More Reports Search
UUID	6f6984e3-1ca2-4dec-9a85-c48932120606
Date Processed	2012-06-06 18:45:30
Uptime	156
Last Crash	more than 3 months before submission
Install Age	19.1 minutes since version was first installed.
Install Time	2012-06-06 18:25:56
Product	Firefox
Version	16.0a1
Build ID	20120606030528
Release Channel	nightly
OS	Windows NT
OS Version	6.1.7601 Service Pack 1
Build Architecture	x86
Build Architecture Info	GenuineIntel family 6 model 37 stepping 5
Crash Address	0x69727453
App Notes 	
AdapterVendorID: 0x8086, AdapterDeviceID: 0x0046, AdapterSubsysID: 043f1028, AdapterDriverVersion:
D2D? D2D+ DWrite? DWrite+ D3D10 Layers? D3D10 Layers+ 
EMCheckCompatibility	True
Adapter Device ID	
Total Virtual Memory	2147352576
Available Virtual Memory	1530040320
System Memory Use Percentage	40
Available Page File	4256292864
Available Physical Memory	1836113920

Frame 	Module 	Signature 	Source
0 		@0x69727453 	
1 	mozjs.dll 	JSObject::getGeneric 	js/src/jsobjinlines.h:177
2 	mozjs.dll 	JSObject::getProperty 	js/src/jsobjinlines.h:183
3 	mozjs.dll 	js::Interpret 	js/src/jsinterp.cpp:1489
4 	mozjs.dll 	js::types::TypeSet::addType 	js/src/jsinferinlines.h:1116
5 	mozjs.dll 	js::types::TypeScript::SetThis 	js/src/jsinferinlines.h:690
6 	mozjs.dll 	js::Execute 	js/src/jsinterp.cpp:493

More reports at:*%2C+JS%3A%3AHandle%3Cint%3E%2C+JS%3A%3AValue*%29*%2C+JS%3A%3AHandle%3CJSObject*%3E%2C+JS%3A%3AHandle%3Cint%3E%2C+JS%3A%3AValue*%29*%2C+js%3A%3APropertyName*%2C+JS%3A%3AValue*%29
Comment 1 User image Bob Clary [:bc:] 2012-06-06 12:44:59 PDT
This shows as highly exploitable on Windows in crash automation. I'll see about reproducing.
Debug pseudo-stack:

JSObject::getGeneric(JSContext*, JS::Handle<jsid>, JS::Value*) JSObject::getProperty(JSContext*, js::PropertyName*, JS::Value*) js::GetObjectElementOperation js::GetElementOperation js::Interpret(JSContext*, js::StackFrame*, js::InterpMode)
Comment 2 User image Bob Clary [:bc:] 2012-06-06 12:55:16 PDT
The url is:

I haven't been able to reproduce locally however. Note that Mac has a different stack/assertion:

Assertion failure: (ptrBits & 0x7) == 0
JSVAL_TO_OBJECT_IMPL JS::Value::toObject js::CompartmentChecker::check
js::assertSameCompartment<JS::Value> js::Interpret

Windows XP once gave the following stack:
js::EncapsulatedPtr<js::types::TypeObject, unsigned int>::operator->() js::ObjectImpl::hasSingletonType() js::types::Type::ObjectType(JSObject*) js::types::GetValueType(JSContext*, JS::Value const&) js::types::TypeMonitorResult(JSContext*, JSScript*, unsigned char*, JS::Value const&)

Note the crash reason for the exploitable windows crashes was EXCEPTION_ACCESS_VIOLATION_EXEC
Comment 3 User image Marcia Knous [:marcia - use ni] 2012-06-07 13:50:31 PDT
I was able to repro the crash with one of the URLs (, but I get a slightly different stack:
Comment 4 User image Semtex 2012-06-08 06:17:44 PDT
I wasn't able to reproduce this crash, it is to randomly, I've try to keep my attention on Error Console without luck, any way this crash happen for me on one very popular Polish IT Forums, only during navigation between sub forums and Forum -> Portal page, never on Portal, forum is based on phpBB with their own Mods.

Since I'm completely new on Bugzilla I will not post link  now, if someone need it, please let me know in comment.
Comment 5 User image Scoobidiver (away) 2012-06-09 00:53:15 PDT
*** Bug 763073 has been marked as a duplicate of this bug. ***
Comment 6 User image Semtex 2012-06-09 13:38:57 PDT
This is odd, almost whole day without single crash, no I got 3 in 15 minutes, last two in almost same time:

Some steps to reproduce:
1. Go to this Forum:
2. navigate a bit on site, sub forums etc.
3. On top of Page You can find header with "Forum Dobreprogramy"
4. "Dobreprogramy" lead to Portal page, use it, 99% times crash happen form me on this link.

This is very not regular, You can browse there few hours without single crash and suddenly when You use this link browser crash.
Hope this can help a bit.
Comment 7 User image Brian Hackett (:bhackett) 2012-06-21 15:43:42 PDT
Given the regression range, could this be bug 659577?
Comment 8 User image Luke Wagner [:luke] 2012-06-21 16:23:24 PDT
Yes, there was definitely a big spike in this crash caused by bug 659577.  However, the fix landed a few days later and the crashes practically all went away.  If I look at crash-stats now, this is #42 and dropping; there is only one crash after 20120608, so I think we can resolve fixed here?
Comment 9 User image Scoobidiver (away) 2012-07-04 09:55:56 PDT
(In reply to Luke Wagner [:luke] from comment #8)
> If I look at crash-stats now, this is #42 and dropping; there is
> only one crash after 20120608, so I think we can resolve fixed here?
There are still crashes in 15.0a2 and 16.0a1 at a very low volume.
Comment 10 User image Luke Wagner [:luke] 2012-07-04 10:34:04 PDT
Can we make the bug public?
Comment 11 User image David Bolter [:davidb] 2012-07-19 13:55:40 PDT
OK news is this appears fixed on 16 via bug 659577! Thanks Naveed, Luke, and Brian for checking :)

Note You need to log in before you can comment on or make changes to this bug.