Closed
Bug 806820
Opened 11 years ago
Closed 11 years ago
crash in SuppressDeletedPropertyHelper
Categories
(Core :: JavaScript Engine, defect)
Tracking
()
VERIFIED
FIXED
mozilla21
People
(Reporter: scoobidiver, Assigned: dvander)
References
Details
(Keywords: crash, regression, topcrash, Whiteboard: [js:p1])
Crash Data
It's #32 top browser crasher in 18.0a2 and #63 in 19.0a1. It started spiking from 18.0a1/20120911140351 with IonMonkey. Signature SuppressDeletedPropertyHelper<SingleStringPredicate> More Reports Search UUID 1842a719-33a1-4744-aef1-2995e2121030 Date Processed 2012-10-30 09:39:41 Uptime 535 Last Crash 9.1 minutes before submission Install Age 1.1 hours since version was first installed. Install Time 2012-10-30 08:32:11 Product Firefox Version 19.0a1 Build ID 20121029030553 Release Channel nightly OS Windows NT OS Version 6.1.7601 Service Pack 1 Build Architecture x86 Build Architecture Info GenuineIntel family 6 model 37 stepping 5 Crash Reason EXCEPTION_ACCESS_VIOLATION_READ Crash Address 0xffffffffdadadae2 App Notes Cisco VPN AdapterVendorID: 0x8086, AdapterDeviceID: 0x0046, AdapterSubsysID: 040a1028, AdapterDriverVersion: 8.15.10.2182 D3D10 Layers? D3D10 Layers- D3D9 Layers? D3D9 Layers+ EMCheckCompatibility False Adapter Vendor ID 0x8086 Adapter Device ID 0x0046 Total Virtual Memory 2147352576 Available Virtual Memory 1542926336 System Memory Use Percentage 61 Available Page File 4442198016 Available Physical Memory 1420218368 Frame Module Signature Source 0 mozjs.dll SuppressDeletedPropertyHelper<SingleStringPredicate> js/src/jsiter.cpp:1087 1 mozjs.dll js::baseops::DeleteGeneric js/src/jsobj.cpp:4809 2 mozjs.dll js::baseops::DeleteProperty js/src/jsobj.cpp:4817 3 mozjs.dll JSObject::deleteProperty js/src/jsobjinlines.h:193 4 mozjs.dll JSObject::deleteByValue js/src/jsobj.cpp:2551 5 mozjs.dll js::Interpret js/src/jsinterp.cpp:2101 6 mozjs.dll js::RunScript js/src/jsinterp.cpp:316 7 mozjs.dll js::InvokeKernel js/src/jsinterp.cpp:379 8 mozjs.dll js::Invoke js/src/jsinterp.h:109 9 mozjs.dll js_fun_call js/src/jsfun.cpp:864 ... More reports at: https://crash-stats.mozilla.com/report/list?signature=SuppressDeletedPropertyHelper%3CSingleStringPredicate%3E
Updated•11 years ago
|
tracking-firefox18:
--- → ?
tracking-firefox19:
--- → ?
Comment 1•11 years ago
|
||
Including David and Naveed to help get eyes on. Typically, this would fall outside our top crash range, but since it's a recent regression (IonMonkey?) and we've got a lot of Flash crashes taking up the top 10, we'll track for release.
status-firefox17:
--- → affected
status-firefox18:
--- → affected
tracking-firefox17:
--- → +
tracking-firefox19:
? → ---
Comment 2•11 years ago
|
||
We've already gone to build with beta 5 so we're now past the point to take speculative fixes. Will keep tracking for 18.
![]() |
Assignee | |
Comment 3•11 years ago
|
||
It looks like cx->enumerators has a garbage object. I can believe that something in IonMonkey would cause this, but I'm not sure what, and we don't have STR. There's probably not a lot we can do. One idea is if we could explicitly fuzz for-in iterators. We have had bugs in this path before that fuzzers found. Probably some magic combination of property removal, for-in, and gcPreserveCode could reproduce this? Unless it is Windows-PGO only.
![]() |
Assignee | |
Comment 4•11 years ago
|
||
Indeed! Thanks to fuzzing, this is likely bug 812341, which I've posted a fix for. Let's see how this affects crash-stats after it lands.
Assignee: general → dvander
Status: NEW → ASSIGNED
Updated•11 years ago
|
Whiteboard: [js:p1]
![]() |
||
Comment 5•11 years ago
|
||
(In reply to David Anderson [:dvander] from comment #4) > Indeed! Thanks to fuzzing, this is likely bug 812341, which I've posted a > fix for. Let's see how this affects crash-stats after it lands. David, as this has landed on all channels up to beta, can we mark this fixed on those?
Reporter | ||
Comment 6•11 years ago
|
||
(In reply to David Anderson [:dvander] from comment #4) > Indeed! Thanks to fuzzing, this is likely bug 812341, which I've posted a > fix for. Let's see how this affects crash-stats after it lands. There are still crashes in the latest Nightly, in Aurora up to 19.0a2/20121206 and in 18.0b3. It's #30 top browser crasher in 18.0b3 and #35 in 19.0a2.
![]() |
||
Comment 7•11 years ago
|
||
David, according to comment #6, it looks like bug 812341 hasn't fixed this one, is there anything more we can do here?
Flags: needinfo?(dvander)
![]() |
Assignee | |
Comment 9•11 years ago
|
||
We could consider marking cx->enumerators during GC, but likely the issue is that we're not popping cx->enumerators correctly. That would maybe change this from a crash to a memory leak and weird JS behavior.
Updated•11 years ago
|
Updated•11 years ago
|
status-firefox19:
--- → affected
tracking-firefox19:
--- → ?
Updated•11 years ago
|
Reporter | ||
Comment 10•11 years ago
|
||
It has spiked across all channels since January 9, 0H UTC: #3 in 18.0 and 21.0a1. There are no correlations to extensions or modules so it's likely caused by a website update. According to comments, it's Facebook.
Reporter | ||
Updated•11 years ago
|
Crash Signature: [@ SuppressDeletedPropertyHelper<SingleStringPredicate>]
[@ SuppressDeletedPropertyHelper<IndexRangePredicate>] → [@ SuppressDeletedPropertyHelper<SingleStringPredicate>]
[@ SuppressDeletedPropertyHelper<IndexRangePredicate>]
[@ js_SuppressDeletedProperty]
Keywords: topcrash
OS: Windows 7 → All
Hardware: x86 → All
Reporter | ||
Updated•11 years ago
|
Crash Signature: [@ SuppressDeletedPropertyHelper<SingleStringPredicate>]
[@ SuppressDeletedPropertyHelper<IndexRangePredicate>]
[@ js_SuppressDeletedProperty] → [@ SuppressDeletedPropertyHelper<SingleStringPredicate>]
[@ SuppressDeletedPropertyHelper<IndexRangePredicate>]
[@ js_SuppressDeletedProperty]
[@ js::NativeIterator::isKeyIter()]
Comment 11•11 years ago
|
||
URLs are almost all Facebook for all three signatures - we should reach out to someone at Facebook regarding this. 1210 http://www.facebook.com/ 1137 https://www.facebook.com/ 112 http://www.facebook.com/?ref=tn_tnmn 73 https://www.facebook.com/?ref=tn_tnmn 38 about:blank 27 https://www.facebook.com/?sk=nf 24 http://www.facebook.com/home.php 21 https://www.facebook.com/home.php 19 http://www.facebook.com/?ref=logo 16 https://www.facebook.com/?ref=logo 16 http://www.facebook.com/?sk=h_chr 15 http://www.facebook.com/logout.php 14 https://www.facebook.com/logout.php 14 http://www.facebook.com/?sk=nf 13 https://www.facebook.com/?sk=h_chr 11 https://www.facebook.com/home.php?ref=tn_tnmn 11 https://twitter.com/ 8 http://www.facebook.com/pages/feed 8 about:newtab 7 http://www.facebook.com/home.php?ref=tn_tnmn 7 https://www.facebook.com/pages/feed 6 http://www.facebook.com/home.php?src=fftb 5 http://www.google.com.eg/ 4 https://twitter.com/i/connect 4 https://mail.google.com/mail/u/0/?shva=1#inbox 4 http://www.tumblr.com/dashboard 3 http://www.eluniversal.com.mx/noticias.html 3 http://ask.fm/account/wall 3 https://www.facebook.com/fredi.gjergji 3 http://khabar.ibnlive.in.com/astro/raashi/astro_home.php 3 http://khabar.ibnlive.in.com/photogallery/4152 3 http://www.profitclicking.com/traffic-exchange/?ViewAdsInit=true 3 http://www.facebook.com/home.php?ref=hp
Keywords: needURLs
![]() |
||
Comment 12•11 years ago
|
||
URLs for SuppressDeletedPropertyHelper<SingleStringPredicate>: 1210 http://www.facebook.com/ 1137 https://www.facebook.com/ 112 http://www.facebook.com/?ref=tn_tnmn 73 https://www.facebook.com/?ref=tn_tnmn 38 about:blank 27 https://www.facebook.com/?sk=nf 24 http://www.facebook.com/home.php 21 https://www.facebook.com/home.php 19 http://www.facebook.com/?ref=logo 16 https://www.facebook.com/?ref=logo 16 http://www.facebook.com/?sk=h_chr 15 http://www.facebook.com/logout.php 14 https://www.facebook.com/logout.php 14 http://www.facebook.com/?sk=nf 13 https://www.facebook.com/?sk=h_chr 11 https://www.facebook.com/home.php?ref=tn_tnmn 11 https://twitter.com/ URLs for js::NativeIterator::isKeyIter(): 185 https://www.facebook.com/ 167 http://www.facebook.com/ 16 https://www.facebook.com/?ref=tn_tnmn 15 http://www.facebook.com/?ref=tn_tnmn All other URLs have less than 10 hits in the last week. Both signatures are rising really fast in early Firefox 18 data.
![]() |
||
Comment 13•11 years ago
|
||
js::shadow::Object::numFixedSlots() is another fast-rising crash that has all Facebook URLs all over it.
Crash Signature: [@ SuppressDeletedPropertyHelper<SingleStringPredicate>]
[@ SuppressDeletedPropertyHelper<IndexRangePredicate>]
[@ js_SuppressDeletedProperty]
[@ js::NativeIterator::isKeyIter()] → [@ SuppressDeletedPropertyHelper<SingleStringPredicate>]
[@ SuppressDeletedPropertyHelper<IndexRangePredicate>]
[@ js_SuppressDeletedProperty]
[@ js::NativeIterator::isKeyIter()]
[@ js::shadow::Object::numFixedSlots()]
Comment 14•11 years ago
|
||
It's unlikely that you'll be able to identify a particular javascript in Facebook or any other page that easily reproduces this. The testcases for this kind of error are usually very large and/or fragile. Unfortunately fuzzing hasn't hit it anymore since the last fix we made in bug 812341. Is the fix for this bug in the versions these topcrashes are coming from?
![]() |
||
Comment 15•11 years ago
|
||
(In reply to Christian Holler (:decoder) from comment #14) > Is the fix for this bug in the versions these topcrashes are coming from? This is a topcrash issue in all current channels, from 18 Release to 21 Nightly - interestingly, it's not a top issue in 17, so it's a regression with 18!
Comment 16•11 years ago
|
||
We're going to be on the lookout for actionable leads (there were none during the beta cycle), and I'll reach out to peeps at FB about the possibility of a recent FB change tickling IonMonkey.
I looked at the crashes. It looks like cx->enumerators contains 0xdadadada. I talked to David, and he said that we rely on the iterator in cx->enumerators to be reachable in some other way. If it's not, it could be an IonMonkey bug or maybe something where the iterators aren't balanced correctly. Given that it happens in FF18 and up, it's likely to be an IM issue. Could we maybe try to focus the fuzzers on generating more patterns involving iterators?
Reporter | ||
Updated•11 years ago
|
Comment 18•11 years ago
|
||
We're looking into this on Facebook's side. Any pointers to client code possibly triggering this would be helpful.
![]() |
Assignee | |
Comment 19•11 years ago
|
||
The JavaScript pattern triggering this bug is: for (var x in y) ... (Which is common, but triggering this bug also needs some random interaction like GC.)
Comment 20•11 years ago
|
||
Possible users affected by this, https://support.mozilla.org/en-US/questions/946537. I'll be monitoring this today and over the next few days. Please let me know if outreach is needed.
Comment 21•11 years ago
|
||
I didn't find any smoking guns, passed it on the the right people.
Reporter | ||
Updated•11 years ago
|
Crash Signature: [@ SuppressDeletedPropertyHelper<SingleStringPredicate>]
[@ SuppressDeletedPropertyHelper<IndexRangePredicate>]
[@ js_SuppressDeletedProperty]
[@ js::NativeIterator::isKeyIter()]
[@ js::shadow::Object::numFixedSlots()] → [@ SuppressDeletedPropertyHelper<SingleStringPredicate>]
[@ SuppressDeletedPropertyHelper<IndexRangePredicate>]
[@ js_SuppressDeletedProperty(JSContext*, JS::Handle<JSObject*> long)]
[@ js_SuppressDeletedProperty]
[@ js::NativeIterator::isKeyIter()]
…
Comment 22•11 years ago
|
||
(In reply to David Anderson [:dvander] from comment #19) > The JavaScript pattern triggering this bug is: for (var x in y) ... > > (Which is common, but triggering this bug also needs some random interaction > like GC.) David, please provide an update tomorrow with any outreach we should perform to impacted users, or next steps for a low risk fix. We're trying to determine the changes we plan to take as part of an 18.0.1 release.
status-firefox20:
--- → affected
status-firefox21:
--- → affected
![]() |
Assignee | |
Comment 23•11 years ago
|
||
The only low risk, immediate fix I can think of is something to try and turn this crash into a memory leak. If that's acceptable I can throw a patch together. Bill, what do you think?
(In reply to David Anderson [:dvander] from comment #23) > The only low risk, immediate fix I can think of is something to try and turn > this crash into a memory leak. If that's acceptable I can throw a patch > together. Bill, what do you think? I'm not sure. Since we don't know what's going wrong, it's hard to decide on the right course. It seems like there are two general scenarios for what's going wrong. One scenario is that we're done with an iterator but we fail to pop it off the stack. The other scenario is that a live iterator isn't being marked correctly. In the first scenario (failing to pop), we could add some code to the GC that automatically pops off any iterators that are about to be finalized. However, this won't fix the second scenario because it doesn't stop us from collecting a live iterator. In the second scenario (failing to mark), we could strongly mark everything in the iterator stack. However, this won't fix the first scenario because it will leave the iterator stack unbalanced so we'll probably just crash later on. In short, I don't think there's one fix that will solve both of these potential problems. However, I guess we could just pick one. It probably wouldn't make anything worse and we might make the problem go away.
Comment 25•11 years ago
|
||
If you have theories about what's going on, is it possible to add assertions to test them?
![]() |
||
Comment 26•11 years ago
|
||
Bill, would it be possible to try both fixes for a possible 18.0.1 and try only one of them for the next beta (and Aurora) while possibly adding some instrumentation in addition on Nightly? I'm not making the call if that's a good idea overall, esp. in terms of 18.0.1, just asking from the POV of providing maximum stability for users out in the wild (esp. given how wide-spread Facebook use is). Also, the fact that 17 isn't affected by this crash spike (only 18+), is no help in determining which of the scenarios we might run into?
![]() |
||
Comment 27•11 years ago
|
||
Oh, and does the fact that some of those crashes are in js::NativeIterator::isKeyIter() help to determine what is actually going on? See "Reports" tab of https://crash-stats.mozilla.com/report/list?signature=js%3A%3ANativeIterator%3A%3AisKeyIter%28%29 There's also the js::shadow::Object::numFixedSlots() signature that seems to be the same thing/cause.
![]() |
||
Comment 28•11 years ago
|
||
Not helpful for investigation, but it looks like the empty dump signature significantly spiked on the same versions and the same days with a Facebook correlation as well, so unless fixes for this don't help that, I count that spike to be this bug as well.
Crash Signature: long)]
[@ js_SuppressDeletedProperty]
[@ js::NativeIterator::isKeyIter()]
[@ js::shadow::Object::numFixedSlots()] → long)]
[@ js_SuppressDeletedProperty]
[@ js::NativeIterator::isKeyIter()]
[@ js::shadow::Object::numFixedSlots()]
[@ EMPTY: no crashing thread identified; corrupt dump ]
Comment 29•11 years ago
|
||
We still haven't found anything FWIW
Comment 30•11 years ago
|
||
We possibly might have found something here. I hit a bug in the fuzzer that involves the shell only "timeout" function. I didn't bother to investigate earlier because that function is usually disabled for fuzzing because it was at some time unsafe. But now I'm hitting the Assertion failure: enumerators == cx->enumerators, at js/src/jsinterp.cpp:312 assertion. The test does not reproduce because of the timeout, so I need to see if we can get anything usuable out of this. However, I talked to dvander and we scanned the crash comments and people seem to indicate that they hit the slow script dialog. Hitting stop would interrupt the script and could lead to what we reproduced here in the shell with timeout. If that's the case, then we might be able to get a testcase for this bug out of the fuzzing result.
This might be bug 801721. It's some sort of iterator badness related to the slow script dialog. Jim, the last time we talked about that bug, you said there was a quick fix we could do similar to something the debugger does. What was that?
Comment 32•11 years ago
|
||
Based on the theory that this involves the slow script dialog, I filed bug 831046 to improve fuzzing of script termination on operation callbacks.
![]() |
Assignee | |
Comment 33•11 years ago
|
||
Okay, I filed + took bug 831626. This should completely remove the failure mode seen in this bug, no matter where it happens or what JIT causes it. Patch tomorrow. Luke suggests we should try breaking the web by just removing SupressDeletedProperties entirely. We know this bombed in the original iterator cleanup back in 2009 or so, but it's possible things have changed now or other browsers have broken it as well. Worth looking into, but for now I'll just fix cx->enumerators which is the safest thing to backport to Firefox Release.
Updated•11 years ago
|
Crash Signature: long)]
[@ js_SuppressDeletedProperty]
[@ js::NativeIterator::isKeyIter()]
[@ js::shadow::Object::numFixedSlots()]
[@ EMPTY: no crashing thread identified; corrupt dump ] → long)]
[@ js_SuppressDeletedProperty]
[@ js::NativeIterator::isKeyIter()]
[@ js::shadow::Object::numFixedSlots()]
[@ EMPTY: no crashing thread identified; corrupt dump ]
[@ js_SuppressDeletedElements]
Comment 34•11 years ago
|
||
I am not a programmer, but after looking into my recent crash (1-19-13, roughly 2345 hours), I ran into this log and found one poster here commenting on the fact that this bug was related to Facebook. Have to agree, as I was clicking on a MSN article that led me to FB. Once on MSN's FB page, some type of script warning popped up, so I cancelled the page and restarted Firefox, with option to report crash to Firefox, which I did, and this is how I ended up on this page. Seems that FB needs a reboot or regroup on their activities. Hope this helps to confirm somewhat of the origin, good luck Firefox users.
![]() |
||
Comment 35•11 years ago
|
||
(In reply to colarguns from comment #34) > Once on MSN's > FB page, some type of script warning popped up, so I cancelled the page and > restarted Firefox, with option to report crash to Firefox, which I did, and > this is how I ended up on this page. Thanks for your comment. We knew that it seems to be connected to Facebook, but the information of a warning popping up could possibly be helpful information. Do you remember if it was a "Slow script warning" that offered you to "Stop the script" or "Continue"?
Updated•11 years ago
|
Crash Signature: long)]
[@ js_SuppressDeletedProperty]
[@ js::NativeIterator::isKeyIter()]
[@ js::shadow::Object::numFixedSlots()]
[@ EMPTY: no crashing thread identified; corrupt dump ]
[@ js_SuppressDeletedElements] → long)]
[@ js_SuppressDeletedProperty]
[@ js::NativeIterator::isKeyIter()]
[@ js::shadow::Object::numFixedSlots()]
[@ EMPTY: no crashing thread identified; corrupt dump ]
[@ js_SuppressDeletedElements]
[@ js_SuppressDeletedElements(JSContext* JS::Han…
Reporter | ||
Comment 36•11 years ago
|
||
It accounts for 17.7% of all crashes in 18.0.1. The fix is in bug 831626.
Reporter | ||
Updated•11 years ago
|
Updated•11 years ago
|
Crash Signature: JS::Handle<JSObject*>, unsigned int, unsigned int)] → JS::Handle<JSObject*>, unsigned int, unsigned int)]
[@ js_SuppressDeletedProperty(JSContext*, JS::Handle<JSObject*>, int)]
Reporter | ||
Updated•11 years ago
|
Status: ASSIGNED → RESOLVED
Closed: 11 years ago
Resolution: --- → FIXED
Target Milestone: --- → mozilla21
Reporter | ||
Updated•11 years ago
|
Comment 37•11 years ago
|
||
While checking in Socorro, I've found crashes on Firefox 19 beta 3 and a few on Firefox 19 beta 4, within last month, for 9 out of 10 signatures registered for this bug. Here are the links to the reports: http://bit.ly/VDhtKk http://bit.ly/XnvcVd http://bit.ly/Xiqry6 http://bit.ly/YSUT6H http://bit.ly/VI1YWO http://bit.ly/VDhEp1 http://bit.ly/YCCBmp http://bit.ly/WO9WeU http://bit.ly/WtM0Ok
![]() |
||
Comment 38•11 years ago
|
||
We didn't have this fixed in Beta 3, only in Beta 4. And I will avoid to give my tracking information to bit.ly when I can, so I didn't look into those lists.
Comment 39•11 years ago
|
||
On Firefox 19 beta 4 the number of crashes is very low, only for 6 out of 10 signatures, within last month. Here are the Socorro reports: https://crash-stats.mozilla.com/report/list?product=Firefox&query_search=signature&query_type=contains&query=SuppressDeletedPropertyHelper%26lt;SingleStringPredicate%26gt;&reason_type=contains&date=02/06/2013%2009:57:02&range_value=4&range_unit=weeks&hang_type=any&process_type=any&do_query=1&signature=SuppressDeletedPropertyHelper%3CSingleStringPredicate%3E https://crash-stats.mozilla.com/report/list?product=Firefox&query_search=signature&query_type=contains&query=js_SuppressDeletedProperty(JSContext*,%20JS::Handle%26lt;JSObject*%26gt;,%20long)&reason_type=contains&date=02/06/2013%2009:57:03&range_value=4&range_unit=weeks&hang_type=any&process_type=any&do_query=1&signature=js_SuppressDeletedProperty(JSContext*,%20JS::Handle%3CJSObject*%3E,%20long) https://crash-stats.mozilla.com/report/list?product=Firefox&query_search=signature&query_type=contains&query=js::NativeIterator::isKeyIter()&reason_type=contains&date=02/06/2013%2009:57:04&range_value=4&range_unit=weeks&hang_type=any&process_type=any&do_query=1&signature=js::NativeIterator::isKeyIter() https://crash-stats.mozilla.com/report/list?product=Firefox&query_search=signature&query_type=contains&query=js::shadow::Object::numFixedSlots()&reason_type=contains&date=02/06/2013%2009:57:05&range_value=4&range_unit=weeks&hang_type=any&process_type=any&do_query=1&signature=js::shadow::Object::numFixedSlots() https://crash-stats.mozilla.com/report/list?product=Firefox&query_search=signature&query_type=contains&query=EMPTY:%20no%20crashing%20thread%20identified;%20corrupt%20dump&reason_type=contains&date=02/06/2013%2009:57:05&range_value=4&range_unit=weeks&hang_type=any&process_type=any&do_query=1&signature=EMPTY:%20no%20crashing%20thread%20identified;%20corrupt%20dump https://crash-stats.mozilla.com/report/list?product=Firefox&query_search=signature&query_type=contains&query=js_SuppressDeletedElements(JSContext*,%20JS::Handle%26lt;JSObject*%26gt;,%20unsigned%20int,%20unsigned%20int)&reason_type=contains&date=02/06/2013%2009:57:06&range_value=4&range_unit=weeks&hang_type=any&process_type=any&do_query=1&signature=js_SuppressDeletedElements(JSContext*,%20JS::Handle%3CJSObject*%3E,%20unsigned%20int,%20unsigned%20int)
Updated•10 years ago
|
QA Contact: manuela.muntean
Comment 40•10 years ago
|
||
Here are the Socorro reports within last month: 1) first signature: 1 crash on Firefox 20 beta 1, but also a few crashes in Firefox 19.0 and 19.0.2: https://crash-stats.mozilla.com/report/list?product=Firefox&query_search=signature&query_type=contains&query=SuppressDeletedPropertyHelper%26lt%3BSingleStringPredicate%26gt%3B&reason_type=contains&date=03%2F14%2F2013%2009%3A54%3A56&range_value=4&range_unit=weeks&hang_type=any&process_type=any&do_query=1&signature=SuppressDeletedPropertyHelper%3CSingleStringPredicate%3E 2) second signature: a few crashes in Firefox 19.0, 19.0.2, 20 beta 1 and 2: https://crash-stats.mozilla.com/report/list?product=Firefox&query_search=signature&query_type=contains&query=SuppressDeletedPropertyHelper%26lt%3BIndexRangePredicate%26gt%3B&reason_type=contains&date=03%2F14%2F2013%2009%3A55%3A01&range_value=4&range_unit=weeks&hang_type=any&process_type=any&do_query=1&signature=SuppressDeletedPropertyHelper%3CIndexRangePredicate%3E 3) third signature: no crashes on Firefox after Firefox 19 beta 4: https://crash-stats.mozilla.com/report/list?product=Firefox&query_search=signature&query_type=contains&query=js_SuppressDeletedProperty%28JSContext%2A%2C%20JS%3A%3AHandle%26lt%3BJSObject%2A%26gt%3B%2C%20long%29&reason_type=contains&date=03%2F14%2F2013%2009%3A55%3A01&range_value=4&range_unit=weeks&hang_type=any&process_type=any&do_query=1&signature=js_SuppressDeletedProperty%28JSContext%2A%2C%20JS%3A%3AHandle%3CJSObject%2A%3E%2C%20long%29 4) 4th signature: no crashes on Firefox after Firefox 19 beta 4: https://crash-stats.mozilla.com/report/list?product=Firefox&query_search=signature&query_type=contains&query=js_SuppressDeletedProperty&reason_type=contains&date=03%2F14%2F2013%2009%3A55%3A02&range_value=4&range_unit=weeks&hang_type=any&process_type=any&do_query=1&signature=js_SuppressDeletedProperty 5) 5th signature: crashes on Firefox 19, 19.0.2, 20 beta 1, 2, 3 and 4: https://crash-stats.mozilla.com/report/list?product=Firefox&query_search=signature&query_type=contains&query=js%3A%3ANativeIterator%3A%3AisKeyIter%28%29&reason_type=contains&date=03%2F14%2F2013%2009%3A55%3A03&range_value=4&range_unit=weeks&hang_type=any&process_type=any&do_query=1&signature=js%3A%3ANativeIterator%3A%3AisKeyIter%28%29 6) 6th signature: crashes on Firefox 19, 19.0.2, 19 beta 4 and 6, 20 beta 1, 2, and 4: https://crash-stats.mozilla.com/report/list?product=Firefox&query_search=signature&query_type=contains&query=js%3A%3Ashadow%3A%3AObject%3A%3AnumFixedSlots%28%29&reason_type=contains&date=03%2F14%2F2013%2009%3A55%3A03&range_value=4&range_unit=weeks&hang_type=any&process_type=any&do_query=1&signature=js%3A%3Ashadow%3A%3AObject%3A%3AnumFixedSlots%28%29 7) 7th signature: crashes on Firefox 19, 19.0.2, 19.0.1, 19 beta 4, 5 and 6, 20 beta 1, 3, and 4: https://crash-stats.mozilla.com/report/list?product=Firefox&query_search=signature&query_type=contains&query=EMPTY%3A%20no%20crashing%20thread%20identified%3B%20corrupt%20dump&reason_type=contains&date=03%2F14%2F2013%2009%3A55%3A04&range_value=4&range_unit=weeks&hang_type=any&process_type=any&do_query=1&signature=EMPTY%3A%20no%20crashing%20thread%20identified%3B%20corrupt%20dump 8) 8th signature: no crashes on Firefox after Firefox 19 beta 4: https://crash-stats.mozilla.com/report/list?product=Firefox&query_search=signature&query_type=contains&query=js_SuppressDeletedElements&reason_type=contains&date=03%2F14%2F2013%2009%3A55%3A05&range_value=4&range_unit=weeks&hang_type=any&process_type=any&do_query=1&signature=js_SuppressDeletedElements 9) 9th signature: a few crashes on Firefox 20 beta 1, 19 beta 4 and 19.0: https://crash-stats.mozilla.com/report/list?product=Firefox&query_search=signature&query_type=contains&query=js_SuppressDeletedElements%28JSContext%2A%2C%20JS%3A%3AHandle%26lt%3BJSObject%2A%26gt%3B%2C%20unsigned%20int%2C%20unsigned%20int%29&reason_type=contains&date=03%2F14%2F2013%2009%3A55%3A05&range_value=4&range_unit=weeks&hang_type=any&process_type=any&do_query=1&signature=js_SuppressDeletedElements%28JSContext%2A%2C%20JS%3A%3AHandle%3CJSObject%2A%3E%2C%20unsigned%20int%2C%20unsigned%20int%29 10) 10th signature: a few crashes on Firefox 19 and 19.0.2: https://crash-stats.mozilla.com/report/list?product=Firefox&query_search=signature&query_type=contains&query=js_SuppressDeletedProperty%28JSContext%2A%2C%20JS%3A%3AHandle%26lt%3BJSObject%2A%26gt%3B%2C%20int%29&reason_type=contains&date=03%2F14%2F2013%2009%3A57%3A11&range_value=4&range_unit=weeks&hang_type=any&process_type=any&do_query=1&signature=js_SuppressDeletedProperty%28JSContext%2A%2C%20JS%3A%3AHandle%3CJSObject%2A%3E%2C%20int%29
![]() |
||
Comment 41•10 years ago
|
||
Those signatures still happening are probably different things than this, as AFAIK the place in the code where this crash happened is gone.
Comment 42•10 years ago
|
||
Verified fixed based on comments 40 and 41. (Firefox 21 (Aurora) and 22 (Nightly) aren't mentioned in the crash reports)
You need to log in
before you can comment on or make changes to this bug.
Description
•