crash in js::ObjectImpl::getPrivate

VERIFIED FIXED in Firefox 20

Status

()

--
critical
VERIFIED FIXED
6 years ago
6 years ago

People

(Reporter: scoobidiver, Assigned: dvander)

Tracking

(4 keywords)

20 Branch
mozilla21
All
Windows 7
crash, regression, steps-wanted, topcrash
Points:
---

Firefox Tracking Flags

(firefox19 unaffected, firefox20+ verified, firefox21+ verified)

Details

(crash signature)

(Reporter)

Description

6 years ago
It's #12 top browser crasher in 20.0a2 and #28 in 21.0a1. It first showed up in 20.0a1/20121228. The regression range is:
http://hg.mozilla.org/mozilla-central/pushloghtml?fromchange=d29b182e169e&tochange=f2a500997116

Although it has a stack trace similar to the one of bug 806820, their regression ranges are different so I don't think it's a duplicate.

Signature 	js::ObjectImpl::getPrivate() More Reports Search
UUID	f4dab735-bc2e-45ee-95f1-67d6e2130114
Date Processed	2013-01-14 21:21:11
Uptime	1949
Last Crash	2.0 days before submission
Install Age	1.1 days since version was first installed.
Install Time	2013-01-13 18:15:29
Product	Firefox
Version	21.0a1
Build ID	20130113031019
Release Channel	nightly
OS	Windows NT
OS Version	6.1.7601 Service Pack 1
Build Architecture	x86
Build Architecture Info	GenuineIntel family 6 model 37 stepping 5
Crash Reason	EXCEPTION_ACCESS_VIOLATION_READ
Crash Address	0xffffffffdadadae2
App Notes 	
AdapterVendorID: 0x8086, AdapterDeviceID: 0x0046, AdapterSubsysID: 08461854, AdapterDriverVersion: 8.15.10.2509
D2D? D2D+ DWrite? DWrite+ D3D10 Layers? D3D10 Layers+ 
EMCheckCompatibility	True
Adapter Vendor ID	0x8086
Adapter Device ID	0x0046
Total Virtual Memory	2147352576
Available Virtual Memory	909783040
System Memory Use Percentage	51
Available Page File	4572995584
Available Physical Memory	1539563520

Frame 	Module 	Signature 	Source
0 	mozjs.dll 	js::ObjectImpl::getPrivate 	js/src/vm/ObjectImpl-inl.h:459
1 	mozjs.dll 	SuppressDeletedPropertyHelper<IndexRangePredicate> 	js/src/jsiter.cpp:1080
2 	mozjs.dll 	js_SuppressDeletedElements 	js/src/jsiter.cpp:1199
3 	mozjs.dll 	array_splice 	js/src/jsarray.cpp:1881
4 	mozjs.dll 	js::InvokeKernel 	js/src/jsinterp.cpp:391
5 	mozjs.dll 	js::Interpret 	js/src/jsinterp.cpp:2385
6 	mozjs.dll 	js::ion::CanEnter 	js/src/ion/Ion.cpp:1511
7 	mozjs.dll 	js::RunScript 	js/src/jsinterp.cpp:348
8 	mozjs.dll 	js::InvokeKernel 	js/src/jsinterp.cpp:406
9 	mozjs.dll 	js::Invoke 	js/src/jsinterp.h:112
10 	mozjs.dll 	js_fun_call 	js/src/jsfun.cpp:855
11 	mozjs.dll 	js::InvokeKernel 	js/src/jsinterp.cpp:391
12 	mozjs.dll 	js::Interpret 	js/src/jsinterp.cpp:2385
13 	mozjs.dll 	js::RunScript 	js/src/jsinterp.cpp:340
14 	mozjs.dll 	js::InvokeKernel 	js/src/jsinterp.cpp:406
15 	mozjs.dll 	js::Invoke 	js/src/jsinterp.h:112
16 	mozjs.dll 	js_fun_apply 	js/src/jsfun.cpp:967
17 	mozjs.dll 	js::InvokeKernel 	js/src/jsinterp.cpp:391
18 	mozjs.dll 	js::Interpret 	js/src/jsinterp.cpp:2385
19 	mozjs.dll 	js::RunScript 	js/src/jsinterp.cpp:340
20 	xul.dll 	nsScriptSecurityManager::LookupPolicy 	caps/src/nsScriptSecurityManager.cpp:1192
21 	xul.dll 	nsJSContext::ConvertSupportsTojsvals 	dom/base/nsJSEnvironment.cpp:2179

More reports at:
https://crash-stats.mozilla.com/report/list?signature=js%3A%3AObjectImpl%3A%3AgetPrivate%28%29

Updated

6 years ago
Keywords: needURLs, steps-wanted

Comment 1

6 years ago
It has mostly the Facebook main page and a few YouTube URLs, not posting a list because the front pages of those services will not be what we can use for reproduction anyhow, unfortunately.
Keywords: needURLs

Comment 2

6 years ago
Naveed/David - any recent changes in this code?
tracking-firefox20: ? → +
tracking-firefox21: --- → +
Depends on: 831626
No crashes on trunk like this since bug 831626 landed (the 1/25 build).
(Reporter)

Updated

6 years ago
Status: NEW → RESOLVED
Last Resolved: 6 years ago
status-firefox21: affected → fixed
Resolution: --- → FIXED
Target Milestone: --- → mozilla21
Yeah, looking at the crash stack this is definitely the same thing.
(Reporter)

Updated

6 years ago
status-firefox20: affected → fixed
This may be related to cx->enumerator fragility that David is working on. Assigning to him so he can weigh in.
Assignee: general → dvander
There are no crashes in Soccoro in last 14days.

Comment 7

6 years ago
There are only one Firefox 20a1 and one Firefox 20a2 crashes in Socorro for the last 4 weeks.
Status: RESOLVED → VERIFIED
status-firefox20: fixed → verified
status-firefox21: fixed → verified
You need to log in before you can comment on or make changes to this bug.