Closed Bug 837076 Opened 12 years ago Closed 12 years ago

crash in js::TypedArray::length

Categories

(Core :: JavaScript Engine, defect)

Product:
Core
Component:
JavaScript Engine
Type:
defect
Priority:
Not set
Severity:
critical

Tracking

()

Status:
RESOLVED DUPLICATE of bug 842025
Tracking Flags:
Tracking Status
firefox21 --- affected

People

(Reporter: scoobidiver, Unassigned)

References

Details

(Keywords: crash, regression)

Crash Data

It first showed up in 21.0a1/20130124162801 and has slightly spiked since 21.0a1/20120128. One comment says: "Loading the new Indie space game "Epic Space Game" it uses HTML5" This game was released on January 26. Signature js::TypedArray::lengthValue(JSObject*) More Reports Search UUID 0008e923-f640-427f-a6d7-6d1d62130201 Date Processed 2013-02-01 03:24:45 Uptime 321 Install Age 25.1 minutes since version was first installed. Install Time 2013-02-01 02:59:34 Product Firefox Version 21.0a1 Build ID 20130131031009 Release Channel nightly OS Windows NT OS Version 6.2.9200 Build Architecture x86 Build Architecture Info GenuineIntel family 6 model 58 stepping 9 Crash Reason EXCEPTION_ACCESS_VIOLATION_READ Crash Address 0x38 App Notes AdapterVendorID: 0x10de, AdapterDeviceID: 0x0dc4, AdapterSubsysID: 085a10de, AdapterDriverVersion: 9.18.13.1090 Has dual GPUs. GPU #2: AdapterVendorID2: 0x8086, AdapterDeviceID2: 0x0162, AdapterSubsysID2: 0000000c, AdapterDriverVersion2: 9.17.10.2867D2D? D2D+ DWrite? DWrite+ D3D10 Layers? D3D10 Layers+ WebGL? EGL? EGL+ GL Context? GL Context+ WebGL+ Processor Notes sp-processor04.phx1.mozilla.com_30666:2008 EMCheckCompatibility True Adapter Vendor ID 0x10de Adapter Device ID 0x0dc4 Total Virtual Memory 4294836224 Available Virtual Memory 3308535808 System Memory Use Percentage 22 Available Page File 10892701696 Available Physical Memory 6588280832 Frame Module Signature Source 0 mozjs.dll js::TypedArray::lengthValue js/src/jstypedarrayinlines.h:83 1 mozjs.dll js::TypedArray::length js/src/jstypedarrayinlines.h:89 2 mozjs.dll GetTypedArrayLength js/src/ion/IonBuilder.cpp:5481 3 mozjs.dll js::ion::IonBuilder::jsop_setelem_typed js/src/ion/IonBuilder.cpp:5729 4 mozjs.dll js::ion::IonBuilder::jsop_setelem js/src/ion/IonBuilder.cpp:5625 5 mozjs.dll js::ion::IonBuilder::inspectOpcode js/src/ion/IonBuilder.cpp:1019 6 mozjs.dll js::ion::IonBuilder::traverseBytecode js/src/ion/IonBuilder.cpp:687 7 mozjs.dll js::ion::IonBuilder::buildInline js/src/ion/IonBuilder.cpp:486 8 mozjs.dll js::ion::IonBuilder::inlineScriptedCall js/src/ion/IonBuilder.cpp:2909 9 mozjs.dll js::ion::IonBuilder::inlineScriptedCalls js/src/ion/IonBuilder.cpp:3441 10 mozjs.dll js::ion::IonBuilder::jsop_call js/src/ion/IonBuilder.cpp:4077 11 mozjs.dll js::ion::IonBuilder::inspectOpcode js/src/ion/IonBuilder.cpp:940 12 mozjs.dll js::ion::IonBuilder::traverseBytecode js/src/ion/IonBuilder.cpp:687 13 mozjs.dll js::ion::IonBuilder::build js/src/ion/IonBuilder.cpp:349 14 mozjs.dll js::ion::SequentialCompileContext::compile js/src/ion/Ion.cpp:1198 15 mozjs.dll js::ion::IonCompile<js::ion::SequentialCompileContext> js/src/ion/Ion.cpp:1159 16 mozjs.dll js::ion::CanEnter js/src/ion/Ion.cpp:1487 17 mozjs.dll js::RunScript js/src/jsinterp.cpp:320 18 mozjs.dll js::InvokeKernel js/src/jsinterp.cpp:404 19 mozjs.dll js::Invoke js/src/jsinterp.cpp:437 20 mozjs.dll js::ion::InvokeFunction js/src/ion/VMFunctions.cpp:108 21 @0x1ef99f40 More reports at: https://crash-stats.mozilla.com/report/list?signature=js%3A%3ATypedArray%3A%3AlengthValue%28JSObject*%29 https://crash-stats.mozilla.com/report/list?signature=js%3A%3ATypedArray%3A%3Alength%28JSObject*%29
Looks like a null deref there?
Hardware: x86 → All
When I try to find regression range of bug 842025, browser crashes with the crash signature bp-194c7762-b526-4df6-b4f5-69c882130216. Regression window(m-c) Good: http://hg.mozilla.org/mozilla-central/rev/689690a17de3 Mozilla/5.0 (Windows NT 6.1; WOW64; rv:21.0) Gecko/20130123 Firefox/21.0 ID:20130124092036 Crash: http://hg.mozilla.org/mozilla-central/rev/fa969919b1bb Mozilla/5.0 (Windows NT 6.1; WOW64; rv:21.0) Gecko/20130124 Firefox/21.0 ID:20130124093636 Pushlog: http://hg.mozilla.org/mozilla-central/pushloghtml?fromchange=689690a17de3&tochange=fa969919b1bb Regression window(m-i) Good: http://hg.mozilla.org/integration/mozilla-inbound/rev/594b9c2a8ccc Mozilla/5.0 (Windows NT 6.1; WOW64; rv:21.0) Gecko/20130123 Firefox/21.0 ID:20130123063757 Crash: http://hg.mozilla.org/integration/mozilla-inbound/rev/6a48352004a2 Mozilla/5.0 (Windows NT 6.1; WOW64; rv:21.0) Gecko/20130123 Firefox/21.0 ID:20130123075912 Pushlog: http://hg.mozilla.org/integration/mozilla-inbound/pushloghtml?fromchange=594b9c2a8ccc&tochange=6a48352004a2
Err: Regression window(m-i) Good: http://hg.mozilla.org/integration/mozilla-inbound/rev/c808fa0206ac Mozilla/5.0 (Windows NT 6.1; WOW64; rv:21.0) Gecko/20130123 Firefox/21.0 ID:20130123071257 Crash: http://hg.mozilla.org/integration/mozilla-inbound/rev/f11a8adb9a77 Mozilla/5.0 (Windows NT 6.1; WOW64; rv:21.0) Gecko/20130123 Firefox/21.0 ID:20130123074354 Pushlog: http://hg.mozilla.org/integration/mozilla-inbound/pushloghtml?fromchange=c808fa0206ac&tochange=f11a8adb9a77 Triggered by: f11a8adb9a77 Brian Hackett — Bug 832578 - Tweaks to improve compilation of element accesses, r=dvander.
Blocks: 832578
tracking-firefox21: --- → ?
Keywords: regression
Status: NEW → RESOLVED
Closed: 12 years ago
Resolution: --- → DUPLICATE
tracking-firefox21: ? → ---
You need to log in before you can comment on or make changes to this bug.