crash in SuppressDeletedPropertyHelper

VERIFIED FIXED in Firefox 18

Status

()

Core
JavaScript Engine
--
critical
VERIFIED FIXED
6 years ago
5 years ago

People

(Reporter: Scoobidiver (away), Assigned: dvander)

Tracking

({crash, regression, topcrash})

18 Branch
mozilla21
crash, regression, topcrash
Points:
---
Dependency tree / graph

Firefox Tracking Flags

(firefox17+ unaffected, firefox18+ fixed, firefox19+ fixed, firefox20+ verified, firefox21+ verified)

Details

(Whiteboard: [js:p1], crash signature)

(Reporter)

Description

6 years ago
It's #32 top browser crasher in 18.0a2 and #63 in 19.0a1.
It started spiking from 18.0a1/20120911140351 with IonMonkey.

Signature 	SuppressDeletedPropertyHelper<SingleStringPredicate> More Reports Search
UUID	1842a719-33a1-4744-aef1-2995e2121030
Date Processed	2012-10-30 09:39:41
Uptime	535
Last Crash	9.1 minutes before submission
Install Age	1.1 hours since version was first installed.
Install Time	2012-10-30 08:32:11
Product	Firefox
Version	19.0a1
Build ID	20121029030553
Release Channel	nightly
OS	Windows NT
OS Version	6.1.7601 Service Pack 1
Build Architecture	x86
Build Architecture Info	GenuineIntel family 6 model 37 stepping 5
Crash Reason	EXCEPTION_ACCESS_VIOLATION_READ
Crash Address	0xffffffffdadadae2
App Notes 	
Cisco VPN
AdapterVendorID: 0x8086, AdapterDeviceID: 0x0046, AdapterSubsysID: 040a1028, AdapterDriverVersion: 8.15.10.2182
D3D10 Layers? D3D10 Layers- D3D9 Layers? D3D9 Layers+ 
EMCheckCompatibility	False
Adapter Vendor ID	0x8086
Adapter Device ID	0x0046
Total Virtual Memory	2147352576
Available Virtual Memory	1542926336
System Memory Use Percentage	61
Available Page File	4442198016
Available Physical Memory	1420218368

Frame 	Module 	Signature 	Source
0 	mozjs.dll 	SuppressDeletedPropertyHelper<SingleStringPredicate> 	js/src/jsiter.cpp:1087
1 	mozjs.dll 	js::baseops::DeleteGeneric 	js/src/jsobj.cpp:4809
2 	mozjs.dll 	js::baseops::DeleteProperty 	js/src/jsobj.cpp:4817
3 	mozjs.dll 	JSObject::deleteProperty 	js/src/jsobjinlines.h:193
4 	mozjs.dll 	JSObject::deleteByValue 	js/src/jsobj.cpp:2551
5 	mozjs.dll 	js::Interpret 	js/src/jsinterp.cpp:2101
6 	mozjs.dll 	js::RunScript 	js/src/jsinterp.cpp:316
7 	mozjs.dll 	js::InvokeKernel 	js/src/jsinterp.cpp:379
8 	mozjs.dll 	js::Invoke 	js/src/jsinterp.h:109
9 	mozjs.dll 	js_fun_call 	js/src/jsfun.cpp:864
...

More reports at:
https://crash-stats.mozilla.com/report/list?signature=SuppressDeletedPropertyHelper%3CSingleStringPredicate%3E

Updated

6 years ago
tracking-firefox18: --- → ?
tracking-firefox19: --- → ?

Comment 1

6 years ago
Including David and Naveed to help get eyes on. Typically, this would fall outside our top crash range, but since it's a recent regression (IonMonkey?) and we've got a lot of Flash crashes taking up the top 10, we'll track for release.
status-firefox17: --- → affected
status-firefox18: --- → affected
tracking-firefox17: --- → +
tracking-firefox18: ? → +
tracking-firefox19: ? → ---
We've already gone to build with beta 5 so we're now past the point to take speculative fixes.  Will keep tracking for 18.
status-firefox17: affected → wontfix
It looks like cx->enumerators has a garbage object. I can believe that something in IonMonkey would cause this, but I'm not sure what, and we don't have STR. There's probably not a lot we can do. 

One idea is if we could explicitly fuzz for-in iterators. We have had bugs in this path before that fuzzers found. Probably some magic combination of property removal, for-in, and gcPreserveCode could reproduce this? Unless it is Windows-PGO only.
Indeed! Thanks to fuzzing, this is likely bug 812341, which I've posted a fix for. Let's see how this affects crash-stats after it lands.
Assignee: general → dvander
Status: NEW → ASSIGNED
Whiteboard: [js:p1]

Comment 5

6 years ago
(In reply to David Anderson [:dvander] from comment #4)
> Indeed! Thanks to fuzzing, this is likely bug 812341, which I've posted a
> fix for. Let's see how this affects crash-stats after it lands.

David, as this has landed on all channels up to beta, can we mark this fixed on those?
(Reporter)

Comment 6

6 years ago
(In reply to David Anderson [:dvander] from comment #4)
> Indeed! Thanks to fuzzing, this is likely bug 812341, which I've posted a
> fix for. Let's see how this affects crash-stats after it lands.
There are still crashes in the latest Nightly, in Aurora up to 19.0a2/20121206 and in 18.0b3.
It's #30 top browser crasher in 18.0b3 and #35 in 19.0a2.

Comment 7

6 years ago
David, according to comment #6, it looks like bug 812341 hasn't fixed this one, is there anything more we can do here?
Flags: needinfo?(dvander)
Not without STR.
Flags: needinfo?(dvander)
We could consider marking cx->enumerators during GC, but likely the issue is that we're not popping cx->enumerators correctly. That would maybe change this from a crash to a memory leak and weird JS behavior.

Updated

6 years ago
status-firefox18: affected → wontfix

Updated

6 years ago
status-firefox19: --- → affected
tracking-firefox19: --- → ?

Updated

6 years ago
tracking-firefox19: ? → -
(Reporter)

Comment 10

5 years ago
It has spiked across all channels since January 9, 0H UTC: #3 in 18.0 and 21.0a1.

There are no correlations to extensions or modules so it's likely caused by a website update. According to comments, it's Facebook.
status-firefox18: wontfix → affected
tracking-firefox19: - → ?
tracking-firefox20: --- → ?
tracking-firefox21: --- → ?
Keywords: needURLs
(Reporter)

Updated

5 years ago
Crash Signature: [@ SuppressDeletedPropertyHelper<SingleStringPredicate>] [@ SuppressDeletedPropertyHelper<IndexRangePredicate>] → [@ SuppressDeletedPropertyHelper<SingleStringPredicate>] [@ SuppressDeletedPropertyHelper<IndexRangePredicate>] [@ js_SuppressDeletedProperty]
Keywords: topcrash
OS: Windows 7 → All
Hardware: x86 → All
(Reporter)

Updated

5 years ago
Crash Signature: [@ SuppressDeletedPropertyHelper<SingleStringPredicate>] [@ SuppressDeletedPropertyHelper<IndexRangePredicate>] [@ js_SuppressDeletedProperty] → [@ SuppressDeletedPropertyHelper<SingleStringPredicate>] [@ SuppressDeletedPropertyHelper<IndexRangePredicate>] [@ js_SuppressDeletedProperty] [@ js::NativeIterator::isKeyIter()]

Comment 13

5 years ago
js::shadow::Object::numFixedSlots() is another fast-rising crash that has all Facebook URLs all over it.
Crash Signature: [@ SuppressDeletedPropertyHelper<SingleStringPredicate>] [@ SuppressDeletedPropertyHelper<IndexRangePredicate>] [@ js_SuppressDeletedProperty] [@ js::NativeIterator::isKeyIter()] → [@ SuppressDeletedPropertyHelper<SingleStringPredicate>] [@ SuppressDeletedPropertyHelper<IndexRangePredicate>] [@ js_SuppressDeletedProperty] [@ js::NativeIterator::isKeyIter()] [@ js::shadow::Object::numFixedSlots()]
It's unlikely that you'll be able to identify a particular javascript in Facebook or any other page that easily reproduces this. The testcases for this kind of error are usually very large and/or fragile. Unfortunately fuzzing hasn't hit it anymore since the last fix we made in bug 812341. Is the fix for this bug in the versions these topcrashes are coming from?

Comment 15

5 years ago
(In reply to Christian Holler (:decoder) from comment #14)
> Is the fix for this bug in the versions these topcrashes are coming from?

This is a topcrash issue in all current channels, from 18 Release to 21 Nightly - interestingly, it's not a top issue in 17, so it's a regression with 18!
We're going to be on the lookout for actionable leads (there were none during the beta cycle), and I'll reach out to peeps at FB about the possibility of a recent FB change tickling IonMonkey.
I looked at the crashes. It looks like cx->enumerators contains 0xdadadada. I talked to David, and he said that we rely on the iterator in cx->enumerators to be reachable in some other way. If it's not, it could be an IonMonkey bug or maybe something where the iterators aren't balanced correctly. Given that it happens in FF18 and up, it's likely to be an IM issue.

Could we maybe try to focus the fuzzers on generating more patterns involving iterators?
(Reporter)

Updated

5 years ago
status-firefox17: wontfix → unaffected

Comment 18

5 years ago
We're looking into this on Facebook's side. Any pointers to client code possibly triggering this would be helpful.
The JavaScript pattern triggering this bug is:  for (var x in y) ...

(Which is common, but triggering this bug also needs some random interaction like GC.)
Possible users affected by this, https://support.mozilla.org/en-US/questions/946537. I'll be monitoring this today and over the next few days. Please let me know if outreach is needed.

Comment 21

5 years ago
I didn't find any smoking guns, passed it on the the right people.
(Reporter)

Updated

5 years ago
Crash Signature: [@ SuppressDeletedPropertyHelper<SingleStringPredicate>] [@ SuppressDeletedPropertyHelper<IndexRangePredicate>] [@ js_SuppressDeletedProperty] [@ js::NativeIterator::isKeyIter()] [@ js::shadow::Object::numFixedSlots()] → [@ SuppressDeletedPropertyHelper<SingleStringPredicate>] [@ SuppressDeletedPropertyHelper<IndexRangePredicate>] [@ js_SuppressDeletedProperty(JSContext*, JS::Handle<JSObject*> long)] [@ js_SuppressDeletedProperty] [@ js::NativeIterator::isKeyIt&hellip;
(In reply to David Anderson [:dvander] from comment #19)
> The JavaScript pattern triggering this bug is:  for (var x in y) ...
> 
> (Which is common, but triggering this bug also needs some random interaction
> like GC.)

David, please provide an update tomorrow with any outreach we should perform to impacted users, or next steps for a low risk fix. We're trying to determine the changes we plan to take as part of an 18.0.1 release.
status-firefox20: --- → affected
status-firefox21: --- → affected
tracking-firefox19: ? → +
tracking-firefox20: ? → +
tracking-firefox21: ? → +
The only low risk, immediate fix I can think of is something to try and turn this crash into a memory leak. If that's acceptable I can throw a patch together. Bill, what do you think?
(In reply to David Anderson [:dvander] from comment #23)
> The only low risk, immediate fix I can think of is something to try and turn
> this crash into a memory leak. If that's acceptable I can throw a patch
> together. Bill, what do you think?

I'm not sure. Since we don't know what's going wrong, it's hard to decide on the right course. It seems like there are two general scenarios for what's going wrong. One scenario is that we're done with an iterator but we fail to pop it off the stack. The other scenario is that a live iterator isn't being marked correctly.

In the first scenario (failing to pop), we could add some code to the GC that automatically pops off any iterators that are about to be finalized. However, this won't fix the second scenario because it doesn't stop us from collecting a live iterator.

In the second scenario (failing to mark), we could strongly mark everything in the iterator stack. However, this won't fix the first scenario because it will leave the iterator stack unbalanced so we'll probably just crash later on.

In short, I don't think there's one fix that will solve both of these potential problems. However, I guess we could just pick one. It probably wouldn't make anything worse and we might make the problem go away.
If you have theories about what's going on, is it possible to add assertions to test them?

Comment 26

5 years ago
Bill, would it be possible to try both fixes for a possible 18.0.1 and try only one of them for the next beta (and Aurora) while possibly adding some instrumentation in addition on Nightly?

I'm not making the call if that's a good idea overall, esp. in terms of 18.0.1, just asking from the POV of providing maximum stability for users out in the wild (esp. given how wide-spread Facebook use is).

Also, the fact that 17 isn't affected by this crash spike (only 18+), is no help in determining which of the scenarios we might run into?

Comment 27

5 years ago
Oh, and does the fact that some of those crashes are in js::NativeIterator::isKeyIter() help to determine what is actually going on? See "Reports" tab of https://crash-stats.mozilla.com/report/list?signature=js%3A%3ANativeIterator%3A%3AisKeyIter%28%29
There's also the js::shadow::Object::numFixedSlots() signature that seems to be the same thing/cause.

Comment 28

5 years ago
Not helpful for investigation, but it looks like the empty dump signature significantly spiked on the same versions and the same days with a Facebook correlation as well, so unless fixes for this don't help that, I count that spike to be this bug as well.
Crash Signature: [@ SuppressDeletedPropertyHelper<SingleStringPredicate>] [@ SuppressDeletedPropertyHelper<IndexRangePredicate>] [@ js_SuppressDeletedProperty(JSContext*, JS::Handle<JSObject*> long)] [@ js_SuppressDeletedProperty] [@ js::NativeIterator::isKeyIt&hellip; → [@ SuppressDeletedPropertyHelper<SingleStringPredicate>] [@ SuppressDeletedPropertyHelper<IndexRangePredicate>] [@ js_SuppressDeletedProperty(JSContext*, JS::Handle<JSObject*> long)] [@ js_SuppressDeletedProperty] [@ js::NativeIterator::isKeyIt&hellip;

Comment 29

5 years ago
We still haven't found anything FWIW
We possibly might have found something here. I hit a bug in the fuzzer that involves the shell only "timeout" function. I didn't bother to investigate earlier because that function is usually disabled for fuzzing because it was at some time unsafe. But now I'm hitting the 

Assertion failure: enumerators == cx->enumerators, at js/src/jsinterp.cpp:312

assertion. The test does not reproduce because of the timeout, so I need to see if we can get anything usuable out of this.

However, I talked to dvander and we scanned the crash comments and people seem to indicate that they hit the slow script dialog. Hitting stop would interrupt the script and could lead to what we reproduced here in the shell with timeout. If that's the case, then we might be able to get a testcase for this bug out of the fuzzing result.
This might be bug 801721. It's some sort of iterator badness related to the slow script dialog.

Jim, the last time we talked about that bug, you said there was a quick fix we could do similar to something the debugger does. What was that?

Updated

5 years ago
Depends on: 801721

Comment 32

5 years ago
Based on the theory that this involves the slow script dialog, I filed bug 831046 to improve fuzzing of script termination on operation callbacks.
Okay, I filed + took bug 831626. This should completely remove the failure mode seen in this bug, no matter where it happens or what JIT causes it. Patch tomorrow.

Luke suggests we should try breaking the web by just removing SupressDeletedProperties entirely. We know this bombed in the original iterator cleanup back in 2009 or so, but it's possible things have changed now or other browsers have broken it as well. Worth looking into, but for now I'll just fix cx->enumerators which is the safest thing to backport to Firefox Release.
Crash Signature: [@ SuppressDeletedPropertyHelper<SingleStringPredicate>] [@ SuppressDeletedPropertyHelper<IndexRangePredicate>] [@ js_SuppressDeletedProperty(JSContext*, JS::Handle<JSObject*> long)] [@ js_SuppressDeletedProperty] [@ js::NativeIterator::isKeyIt&hellip; → [@ SuppressDeletedPropertyHelper<SingleStringPredicate>] [@ SuppressDeletedPropertyHelper<IndexRangePredicate>] [@ js_SuppressDeletedProperty(JSContext*, JS::Handle<JSObject*> long)] [@ js_SuppressDeletedProperty] [@ js::NativeIterator::isKeyIt&hellip;

Comment 34

5 years ago
I am not a programmer, but after looking into my recent crash (1-19-13, roughly 2345 hours), I ran into this log and found one poster here commenting on the fact that this bug was related to Facebook.  Have to agree, as I was clicking on a MSN article that led me to FB.  Once on MSN's FB page, some type of script warning popped up, so I cancelled the page and restarted Firefox, with option to report crash to Firefox, which I did, and this is how I ended up on this page.  Seems that FB needs a reboot or regroup on their activities.  Hope this helps to confirm somewhat of the origin, good luck Firefox users.

Comment 35

5 years ago
(In reply to colarguns from comment #34)
> Once on MSN's
> FB page, some type of script warning popped up, so I cancelled the page and
> restarted Firefox, with option to report crash to Firefox, which I did, and
> this is how I ended up on this page.

Thanks for your comment. We knew that it seems to be connected to Facebook, but the information of a warning popping up could possibly be helpful information. Do you remember if it was a "Slow script warning" that offered you to "Stop the script" or "Continue"?
Crash Signature: [@ SuppressDeletedPropertyHelper<SingleStringPredicate>] [@ SuppressDeletedPropertyHelper<IndexRangePredicate>] [@ js_SuppressDeletedProperty(JSContext*, JS::Handle<JSObject*> long)] [@ js_SuppressDeletedProperty] [@ js::NativeIterator::isKeyIt&hellip; → [@ SuppressDeletedPropertyHelper<SingleStringPredicate>] [@ SuppressDeletedPropertyHelper<IndexRangePredicate>] [@ js_SuppressDeletedProperty(JSContext*, JS::Handle<JSObject*> long)] [@ js_SuppressDeletedProperty] [@ js::NativeIterator::isKeyIt&hellip;
(Reporter)

Comment 36

5 years ago
It accounts for 17.7% of all crashes in 18.0.1.
The fix is in bug 831626.
(Reporter)

Updated

5 years ago
status-firefox21: affected → fixed
Crash Signature: [@ SuppressDeletedPropertyHelper<SingleStringPredicate>] [@ SuppressDeletedPropertyHelper<IndexRangePredicate>] [@ js_SuppressDeletedProperty(JSContext*, JS::Handle<JSObject*> long)] [@ js_SuppressDeletedProperty] [@ js::NativeIterator::isKeyIt&hellip; → [@ SuppressDeletedPropertyHelper<SingleStringPredicate>] [@ SuppressDeletedPropertyHelper<IndexRangePredicate>] [@ js_SuppressDeletedProperty(JSContext*, JS::Handle<JSObject*> long)] [@ js_SuppressDeletedProperty] [@ js::NativeIterator::isKeyIt&hellip;
(Reporter)

Updated

5 years ago
Status: ASSIGNED → RESOLVED
Last Resolved: 5 years ago
status-firefox19: affected → fixed
status-firefox20: affected → fixed
Resolution: --- → FIXED
Target Milestone: --- → mozilla21
(Reporter)

Updated

5 years ago
status-firefox18: affected → fixed
While checking in Socorro, I've found crashes on Firefox 19 beta 3 and a few on Firefox 19 beta 4, within last month, for 9 out of 10 signatures registered for this bug.

Here are the links to the reports:

http://bit.ly/VDhtKk

http://bit.ly/XnvcVd

http://bit.ly/Xiqry6

http://bit.ly/YSUT6H

http://bit.ly/VI1YWO

http://bit.ly/VDhEp1

http://bit.ly/YCCBmp

http://bit.ly/WO9WeU

http://bit.ly/WtM0Ok

Comment 38

5 years ago
We didn't have this fixed in Beta 3, only in Beta 4. And I will avoid to give my tracking information to bit.ly when I can, so I didn't look into those lists.
On Firefox 19 beta 4 the number of crashes is very low, only for 6 out of 10 signatures, within last month. Here are the Socorro reports:

https://crash-stats.mozilla.com/report/list?product=Firefox&query_search=signature&query_type=contains&query=SuppressDeletedPropertyHelper%26lt;SingleStringPredicate%26gt;&reason_type=contains&date=02/06/2013%2009:57:02&range_value=4&range_unit=weeks&hang_type=any&process_type=any&do_query=1&signature=SuppressDeletedPropertyHelper%3CSingleStringPredicate%3E


https://crash-stats.mozilla.com/report/list?product=Firefox&query_search=signature&query_type=contains&query=js_SuppressDeletedProperty(JSContext*,%20JS::Handle%26lt;JSObject*%26gt;,%20long)&reason_type=contains&date=02/06/2013%2009:57:03&range_value=4&range_unit=weeks&hang_type=any&process_type=any&do_query=1&signature=js_SuppressDeletedProperty(JSContext*,%20JS::Handle%3CJSObject*%3E,%20long)


https://crash-stats.mozilla.com/report/list?product=Firefox&query_search=signature&query_type=contains&query=js::NativeIterator::isKeyIter()&reason_type=contains&date=02/06/2013%2009:57:04&range_value=4&range_unit=weeks&hang_type=any&process_type=any&do_query=1&signature=js::NativeIterator::isKeyIter()


https://crash-stats.mozilla.com/report/list?product=Firefox&query_search=signature&query_type=contains&query=js::shadow::Object::numFixedSlots()&reason_type=contains&date=02/06/2013%2009:57:05&range_value=4&range_unit=weeks&hang_type=any&process_type=any&do_query=1&signature=js::shadow::Object::numFixedSlots()


https://crash-stats.mozilla.com/report/list?product=Firefox&query_search=signature&query_type=contains&query=EMPTY:%20no%20crashing%20thread%20identified;%20corrupt%20dump&reason_type=contains&date=02/06/2013%2009:57:05&range_value=4&range_unit=weeks&hang_type=any&process_type=any&do_query=1&signature=EMPTY:%20no%20crashing%20thread%20identified;%20corrupt%20dump


https://crash-stats.mozilla.com/report/list?product=Firefox&query_search=signature&query_type=contains&query=js_SuppressDeletedElements(JSContext*,%20JS::Handle%26lt;JSObject*%26gt;,%20unsigned%20int,%20unsigned%20int)&reason_type=contains&date=02/06/2013%2009:57:06&range_value=4&range_unit=weeks&hang_type=any&process_type=any&do_query=1&signature=js_SuppressDeletedElements(JSContext*,%20JS::Handle%3CJSObject*%3E,%20unsigned%20int,%20unsigned%20int)

Updated

5 years ago
QA Contact: manuela.muntean
Here are the Socorro reports within last month:

1) first signature: 1 crash on Firefox 20 beta 1, but also a few crashes in Firefox 19.0 and 19.0.2: https://crash-stats.mozilla.com/report/list?product=Firefox&query_search=signature&query_type=contains&query=SuppressDeletedPropertyHelper%26lt%3BSingleStringPredicate%26gt%3B&reason_type=contains&date=03%2F14%2F2013%2009%3A54%3A56&range_value=4&range_unit=weeks&hang_type=any&process_type=any&do_query=1&signature=SuppressDeletedPropertyHelper%3CSingleStringPredicate%3E

2) second signature: a few crashes in Firefox 19.0, 19.0.2, 20 beta 1 and 2: https://crash-stats.mozilla.com/report/list?product=Firefox&query_search=signature&query_type=contains&query=SuppressDeletedPropertyHelper%26lt%3BIndexRangePredicate%26gt%3B&reason_type=contains&date=03%2F14%2F2013%2009%3A55%3A01&range_value=4&range_unit=weeks&hang_type=any&process_type=any&do_query=1&signature=SuppressDeletedPropertyHelper%3CIndexRangePredicate%3E

3) third signature: no crashes on Firefox after Firefox 19 beta 4: https://crash-stats.mozilla.com/report/list?product=Firefox&query_search=signature&query_type=contains&query=js_SuppressDeletedProperty%28JSContext%2A%2C%20JS%3A%3AHandle%26lt%3BJSObject%2A%26gt%3B%2C%20long%29&reason_type=contains&date=03%2F14%2F2013%2009%3A55%3A01&range_value=4&range_unit=weeks&hang_type=any&process_type=any&do_query=1&signature=js_SuppressDeletedProperty%28JSContext%2A%2C%20JS%3A%3AHandle%3CJSObject%2A%3E%2C%20long%29

4) 4th signature: no crashes on Firefox after Firefox 19 beta 4: https://crash-stats.mozilla.com/report/list?product=Firefox&query_search=signature&query_type=contains&query=js_SuppressDeletedProperty&reason_type=contains&date=03%2F14%2F2013%2009%3A55%3A02&range_value=4&range_unit=weeks&hang_type=any&process_type=any&do_query=1&signature=js_SuppressDeletedProperty

5) 5th signature: crashes on Firefox 19, 19.0.2, 20 beta 1, 2, 3 and 4: https://crash-stats.mozilla.com/report/list?product=Firefox&query_search=signature&query_type=contains&query=js%3A%3ANativeIterator%3A%3AisKeyIter%28%29&reason_type=contains&date=03%2F14%2F2013%2009%3A55%3A03&range_value=4&range_unit=weeks&hang_type=any&process_type=any&do_query=1&signature=js%3A%3ANativeIterator%3A%3AisKeyIter%28%29

6) 6th signature: crashes on Firefox 19, 19.0.2, 19 beta 4 and 6, 20 beta 1, 2, and 4: https://crash-stats.mozilla.com/report/list?product=Firefox&query_search=signature&query_type=contains&query=js%3A%3Ashadow%3A%3AObject%3A%3AnumFixedSlots%28%29&reason_type=contains&date=03%2F14%2F2013%2009%3A55%3A03&range_value=4&range_unit=weeks&hang_type=any&process_type=any&do_query=1&signature=js%3A%3Ashadow%3A%3AObject%3A%3AnumFixedSlots%28%29

7) 7th signature: crashes on Firefox 19, 19.0.2, 19.0.1, 19 beta 4, 5 and 6, 20 beta 1, 3, and 4: https://crash-stats.mozilla.com/report/list?product=Firefox&query_search=signature&query_type=contains&query=EMPTY%3A%20no%20crashing%20thread%20identified%3B%20corrupt%20dump&reason_type=contains&date=03%2F14%2F2013%2009%3A55%3A04&range_value=4&range_unit=weeks&hang_type=any&process_type=any&do_query=1&signature=EMPTY%3A%20no%20crashing%20thread%20identified%3B%20corrupt%20dump

8) 8th signature: no crashes on Firefox after Firefox 19 beta 4: https://crash-stats.mozilla.com/report/list?product=Firefox&query_search=signature&query_type=contains&query=js_SuppressDeletedElements&reason_type=contains&date=03%2F14%2F2013%2009%3A55%3A05&range_value=4&range_unit=weeks&hang_type=any&process_type=any&do_query=1&signature=js_SuppressDeletedElements

9) 9th signature: a few crashes on Firefox 20 beta 1, 19 beta 4 and 19.0: https://crash-stats.mozilla.com/report/list?product=Firefox&query_search=signature&query_type=contains&query=js_SuppressDeletedElements%28JSContext%2A%2C%20JS%3A%3AHandle%26lt%3BJSObject%2A%26gt%3B%2C%20unsigned%20int%2C%20unsigned%20int%29&reason_type=contains&date=03%2F14%2F2013%2009%3A55%3A05&range_value=4&range_unit=weeks&hang_type=any&process_type=any&do_query=1&signature=js_SuppressDeletedElements%28JSContext%2A%2C%20JS%3A%3AHandle%3CJSObject%2A%3E%2C%20unsigned%20int%2C%20unsigned%20int%29

10) 10th signature: a few crashes on Firefox 19 and 19.0.2: https://crash-stats.mozilla.com/report/list?product=Firefox&query_search=signature&query_type=contains&query=js_SuppressDeletedProperty%28JSContext%2A%2C%20JS%3A%3AHandle%26lt%3BJSObject%2A%26gt%3B%2C%20int%29&reason_type=contains&date=03%2F14%2F2013%2009%3A57%3A11&range_value=4&range_unit=weeks&hang_type=any&process_type=any&do_query=1&signature=js_SuppressDeletedProperty%28JSContext%2A%2C%20JS%3A%3AHandle%3CJSObject%2A%3E%2C%20int%29

Comment 41

5 years ago
Those signatures still happening are probably different things than this, as AFAIK the place in the code where this crash happened is gone.
Verified fixed based on comments 40 and 41. (Firefox 21 (Aurora) and 22 (Nightly) aren't mentioned in the crash reports)
Status: RESOLVED → VERIFIED
status-firefox20: fixed → verified
status-firefox21: fixed → verified
You need to log in before you can comment on or make changes to this bug.