762581 - crash in ArgSetter

Status: RESOLVED DUPLICATE of bug 705423

(Core :: JavaScript Engine, defect)

Description

[Marcia Knous [:marcia]]

This bug was filed from the Socorro interface and is 
report bp-bc6670d5-d0d5-4f0a-9e49-bfb3d2120607 .
============================================================= 

Seen while looking at crash stats. Mac trunk crash which started showing up in crash stats using the 2012060603 build. https://crash-stats.mozilla.com/report/list?signature=ArgSetter. There are earlier crashes in low volume but the spike started using 2012060603.

STR:

1. Load http://dejure.org/gesetze/AEUV/328.html
2. Click on the "Titelseite" link on the right hand side of the page.
3. Crash

Possible regression range based on crash stats: http://hg.mozilla.org/mozilla-central/pushloghtml?fromchange=a7a905fd70d5&tochange=6338a8988917

Frame 	Module 	Signature 	Source
0 	XUL 	ArgSetter 	jsinfer.h:337
1 	XUL 	js_NativeSet 	jscntxtinlines.h:455
2 	XUL 	js::baseops::SetPropertyHelper 	jsobj.cpp:5379
3 	XUL 	js::Interpret 	jsobjinlines.h:96
4 	XUL 	js::RunScript 	jsinterp.cpp:267
5 	XUL 	js::InvokeKernel 	jsinterp.cpp:322
6 	XUL 	js::Invoke 	jsinterp.h:100
7 	XUL 	JS_CallFunctionValue 	jsapi.cpp:5481
8 	XUL 	nsXPCWrappedJSClass::CallMethod 	XPCWrappedJSClass.cpp:1474
9 	XUL 	nsXPCWrappedJS::CallMethod 	XPCWrappedJS.cpp:579
10 	XUL 	PrepareAndDispatch 	xptcstubs_x86_64_darwin.cpp:121
11 	XUL 	XUL@0x103f49a 	
12 	XUL 	nsEventListenerManager::HandleEventInternal 	nsEventListenerManager.cpp:812
13 	XUL 	nsEventTargetChainItem::HandleEventTargetChain 	nsEventListenerManager.h:137
14 	XUL 	nsEventDispatcher::Dispatch 	nsEventDispatcher.cpp:643
15 	XUL 	DocumentViewerImpl::PageHide 	nsDocumentViewer.cpp:1276
16 	XUL 	nsDocShell::FirePageHideNotification 	nsDocShell.cpp:1599
17 	XUL 	nsDocShell::CreateContentViewer 	nsDocShell.cpp:7478
18 	XUL 	nsDSURIContentListener::DoContent 	nsDSURIContentListener.cpp:132
19 	XUL 	nsDocumentOpenInfo::TryContentListener 	nsURILoader.cpp:677
20 	XUL 	nsDocumentOpenInfo::DispatchContent 	nsURILoader.cpp:374
21 	XUL 	nsDocumentOpenInfo::OnStartRequest 	nsURILoader.cpp:262
22 	XUL 	mozilla::net::nsHttpChannel::CallOnStartRequest 	nsHttpChannel.cpp:953
23 	XUL 	mozilla::net::nsHttpChannel::ContinueProcessNormal 	nsHttpChannel.cpp:1452
24 	XUL 	mozilla::net::nsHttpChannel::ProcessNormal 	nsHttpChannel.cpp:1387
25 	XUL 	mozilla::net::nsHttpChannel::ProcessResponse 	nsHttpChannel.cpp:1299
26 	XUL 	mozilla::net::nsHttpChannel::OnStartRequest 	nsHttpChannel.cpp:4762
27 	XUL 	nsInputStreamPump::OnStateStart 	nsInputStreamPump.cpp:416
28 	XUL 	nsInputStreamPump::OnInputStreamReady 	nsInputStreamPump.cpp:367
29 	XUL 	nsInputStreamReadyEvent::Run 	nsStreamUtils.cpp:81
30 	XUL 	nsThread::ProcessNextEvent 	nsThread.cpp:624
31 	XUL 	NS_ProcessPendingEvents_P 	nsThreadUtils.cpp:163
32 	XUL 	nsBaseAppShell::NativeEventCallback 	nsBaseAppShell.cpp:97
33 	XUL 	nsAppShell::ProcessGeckoEvents 	nsAppShell.mm:402
34 	CoreFoundation 	CoreFoundation@0x12e90 	
35 	CoreFoundation 	CoreFoundation@0x127b4 	
36 	CoreFoundation 	CoreFoundation@0x35a04

Comment 1

[Luke Wagner [:luke]]

I believe this was fixed by bug 761863 as I am not able to reproduce on trunk.  Do you see the same thing?  (This fix doesn't appear to be in nightly yet.)

Comment 2

[Marcia Knous [:marcia]]

Bug 761863 looks as if it landed on 6-6. Using today's nightly I can still crash in this stack on Mac and see other crashes in crash stats with today's build ID.  https://crash-stats.mozilla.com/report/index/bp-976406ea-b023-4265-8002-713e52120608

(In reply to Luke Wagner [:luke] from comment #1)
> I believe this was fixed by bug 761863 as I am not able to reproduce on
> trunk.  Do you see the same thing?  (This fix doesn't appear to be in
> nightly yet.)

Comment 3

[Luke Wagner [:luke]]

I just found what should be the same crash (offset-from-NULL crash under ArgSetter) in bug 705423.  I know I just said the same thing in comment 1, but I am fairly certain this time that these are the same bug.

Comment 4

[Luke Wagner [:luke]]

Yes, it does seem fixed (along with the top-crash).