crash in js::Vector::convertToHeapStorage

RESOLVED DUPLICATE of bug 832812

Status

critical

People

(Reporter: scoobidiver, Unassigned)

Tracking

({crash})

Trunk
x86_64
macOS

Firefox Tracking Flags

(firefox20 affected, firefox21 affected)

Description

6 years ago
It's #5 top crasher in 21.0a1 on Mac OS X.

Some comments talk about Google Groups, another one about a threejs demo.

Signature 	js::Vector<unsigned short, 32ul, js::ContextAllocPolicy>::convertToHeapStorage(unsigned long)
UUID	b1d3dce1-5dfc-49ab-b0ff-503ae2130208
Date Processed	2013-02-08 13:43:12
Uptime	1718
Last Crash	28.8 minutes before submission
Install Age	22.2 hours since version was first installed.
Install Time	2013-02-07 15:29:21
Product	Firefox
Version	21.0a1
Build ID	20130207030936
Release Channel	nightly
OS	Mac OS X
OS Version	10.8.2 12C3006
Build Architecture	amd64
Build Architecture Info	family 6 model 58 stepping 9
Crash Reason	EXC_BAD_ACCESS / KERN_INVALID_ADDRESS
Crash Address	0x0
App Notes 	AdapterVendorID: 0x10de, AdapterDeviceID: 0x fd5 GL Context? GL Context+ GL Layers? GL Layers+
Processor Notes 	sp-processor09.phx1.mozilla.com_4846:2008; exploitablity tool: ERROR: unable to analyze dump
EMCheckCompatibility	True
Adapter Vendor ID	0x10de
Adapter Device ID	0x fd5

Frame 	Module 	Signature 	Source
0 	XUL 	js::Vector<unsigned short, 32ul, js::ContextAllocPolicy>::convertToHeapStorage 	js/src/jscntxt.h:1638
1 	XUL 	js::Vector<unsigned short, 32ul, js::ContextAllocPolicy>::growStorageBy 	obj-firefox/x86_64/dist/include/js/Vector.h:663
2 	XUL 	js::SPSProfiler::allocProfileString 	obj-firefox/x86_64/dist/include/js/Vector.h:700
3 	XUL 	js::SPSProfiler::profileString 	js/src/vm/SPSProfiler.cpp:79
4 	XUL 	js::ion::CodeGenerator::visitFunctionBoundary 	js/src/vm/SPSProfiler.h:389
5 	XUL 	js::ion::LFunctionBoundary::accept 	js/src/ion/LIR-Common.h:3525
6 	XUL 	js::ion::CodeGenerator::generateBody 	js/src/ion/CodeGenerator.cpp:1731
7 	XUL 	js::ion::CodeGenerator::generate 	js/src/ion/CodeGenerator.cpp:3658
8 	XUL 	js::ion::CompileBackEnd 	js/src/ion/Ion.cpp:1023
9 	XUL 	js::WorkerThread::threadLoop 	js/src/jsworkers.cpp:321
10 	libnspr4.dylib 	_pt_root 	ptthread.c:156
11 	libsystem_c.dylib 	_pthread_start 	
12 	libsystem_c.dylib 	thread_start 	
13 	libnspr4.dylib 	libnspr4.dylib@0x1dad0

More reports at:
https://crash-stats.mozilla.com/report/list?signature=js%3A%3AVector%3Cunsigned+short%2C+32ul%2C+js%3A%3AContextAllocPolicy%3E%3A%3AconvertToHeapStorage%28unsigned+long%29
(Reporter)

Comment 1

6 years ago
It might be the Mac version of bug 836938.
(Reporter)

Comment 2

6 years ago
...and also a duplicate of bug 832812.

On my Mac, the STR are

* Open http://mailinator.com
* Boom.

I'm reliably hitting this bug by opening this Google Groups link in our CA Policy 2.1 announcement:

  https://groups.google.com/forum/#!topic/mozilla.dev.security.policy/0jnELviAxxo

This is probably a dupe of bug 832812. It should be fixed in nightly.
(Reporter)

Updated

6 years ago
Status: NEW → RESOLVED
Last Resolved: 6 years ago
Resolution: --- → DUPLICATE
Duplicate of bug: 832812