830654 - crash in js::ObjectImpl::getPrivate

Status: VERIFIED FIXED

(Core :: JavaScript Engine, defect)

Description

[Scoobidiver (away)]

It's #12 top browser crasher in 20.0a2 and #28 in 21.0a1. It first showed up in 20.0a1/20121228. The regression range is:
http://hg.mozilla.org/mozilla-central/pushloghtml?fromchange=d29b182e169e&tochange=f2a500997116

Although it has a stack trace similar to the one of bug 806820, their regression ranges are different so I don't think it's a duplicate.

Signature 	js::ObjectImpl::getPrivate() More Reports Search
UUID	f4dab735-bc2e-45ee-95f1-67d6e2130114
Date Processed	2013-01-14 21:21:11
Uptime	1949
Last Crash	2.0 days before submission
Install Age	1.1 days since version was first installed.
Install Time	2013-01-13 18:15:29
Product	Firefox
Version	21.0a1
Build ID	20130113031019
Release Channel	nightly
OS	Windows NT
OS Version	6.1.7601 Service Pack 1
Build Architecture	x86
Build Architecture Info	GenuineIntel family 6 model 37 stepping 5
Crash Reason	EXCEPTION_ACCESS_VIOLATION_READ
Crash Address	0xffffffffdadadae2
App Notes 	
AdapterVendorID: 0x8086, AdapterDeviceID: 0x0046, AdapterSubsysID: 08461854, AdapterDriverVersion: 8.15.10.2509
D2D? D2D+ DWrite? DWrite+ D3D10 Layers? D3D10 Layers+ 
EMCheckCompatibility	True
Adapter Vendor ID	0x8086
Adapter Device ID	0x0046
Total Virtual Memory	2147352576
Available Virtual Memory	909783040
System Memory Use Percentage	51
Available Page File	4572995584
Available Physical Memory	1539563520

Frame 	Module 	Signature 	Source
0 	mozjs.dll 	js::ObjectImpl::getPrivate 	js/src/vm/ObjectImpl-inl.h:459
1 	mozjs.dll 	SuppressDeletedPropertyHelper<IndexRangePredicate> 	js/src/jsiter.cpp:1080
2 	mozjs.dll 	js_SuppressDeletedElements 	js/src/jsiter.cpp:1199
3 	mozjs.dll 	array_splice 	js/src/jsarray.cpp:1881
4 	mozjs.dll 	js::InvokeKernel 	js/src/jsinterp.cpp:391
5 	mozjs.dll 	js::Interpret 	js/src/jsinterp.cpp:2385
6 	mozjs.dll 	js::ion::CanEnter 	js/src/ion/Ion.cpp:1511
7 	mozjs.dll 	js::RunScript 	js/src/jsinterp.cpp:348
8 	mozjs.dll 	js::InvokeKernel 	js/src/jsinterp.cpp:406
9 	mozjs.dll 	js::Invoke 	js/src/jsinterp.h:112
10 	mozjs.dll 	js_fun_call 	js/src/jsfun.cpp:855
11 	mozjs.dll 	js::InvokeKernel 	js/src/jsinterp.cpp:391
12 	mozjs.dll 	js::Interpret 	js/src/jsinterp.cpp:2385
13 	mozjs.dll 	js::RunScript 	js/src/jsinterp.cpp:340
14 	mozjs.dll 	js::InvokeKernel 	js/src/jsinterp.cpp:406
15 	mozjs.dll 	js::Invoke 	js/src/jsinterp.h:112
16 	mozjs.dll 	js_fun_apply 	js/src/jsfun.cpp:967
17 	mozjs.dll 	js::InvokeKernel 	js/src/jsinterp.cpp:391
18 	mozjs.dll 	js::Interpret 	js/src/jsinterp.cpp:2385
19 	mozjs.dll 	js::RunScript 	js/src/jsinterp.cpp:340
20 	xul.dll 	nsScriptSecurityManager::LookupPolicy 	caps/src/nsScriptSecurityManager.cpp:1192
21 	xul.dll 	nsJSContext::ConvertSupportsTojsvals 	dom/base/nsJSEnvironment.cpp:2179

More reports at:
https://crash-stats.mozilla.com/report/list?signature=js%3A%3AObjectImpl%3A%3AgetPrivate%28%29

Comment 1

[Robert Kaiser]

It has mostly the Facebook main page and a few YouTube URLs, not posting a list because the front pages of those services will not be what we can use for reproduction anyhow, unfortunately.

Comment 2

[Alex Keybl [:akeybl]]

Naveed/David - any recent changes in this code?

Comment 3

[Andrew McCreight [:mccr8]]

No crashes on trunk like this since bug 831626 landed (the 1/25 build).

Comment 4

[David Anderson [:dvander] - inactive, e-mail if emergency]

Yeah, looking at the crash stack this is definitely the same thing.

Comment 5

[Naveed Ihsanullah [:naveed]]

This may be related to cx->enumerator fragility that David is working on. Assigning to him so he can weigh in.

Comment 6

[Mihai Morar, (:MihaiMorar)]

There are no crashes in Soccoro in last 14days.

Comment 7

[Ioana (away)]

There are only one Firefox 20a1 and one Firefox 20a2 crashes in Socorro for the last 4 weeks.