Closed Bug 839581 Opened 12 years ago Closed 12 years ago

crash in js::Vector::convertToHeapStorage

Categories

(Core :: JavaScript Engine, defect)

Product:
Core
Component:
JavaScript Engine
Platform:
x86_64
macOS
Type:
defect
Priority:
Not set
Severity:
critical

Tracking

()

Status:
RESOLVED DUPLICATE of bug 832812
Tracking Flags:
Tracking Status
firefox20 --- affected
firefox21 --- affected

People

(Reporter: scoobidiver, Unassigned)

Details

(Keywords: crash)

Crash Data

It's #5 top crasher in 21.0a1 on Mac OS X. Some comments talks about Google Groups, another one about threejs demo. Signature js::Vector<unsigned short, 32ul, js::ContextAllocPolicy>::convertToHeapStorage(unsigned long) More Reports Search UUID b1d3dce1-5dfc-49ab-b0ff-503ae2130208 Date Processed 2013-02-08 13:43:12 Uptime 1718 Last Crash 28.8 minutes before submission Install Age 22.2 hours since version was first installed. Install Time 2013-02-07 15:29:21 Product Firefox Version 21.0a1 Build ID 20130207030936 Release Channel nightly OS Mac OS X OS Version 10.8.2 12C3006 Build Architecture amd64 Build Architecture Info family 6 model 58 stepping 9 Crash Reason EXC_BAD_ACCESS / KERN_INVALID_ADDRESS Crash Address 0x0 App Notes AdapterVendorID: 0x10de, AdapterDeviceID: 0x fd5GL Context? GL Context+ GL Layers? GL Layers+ Processor Notes sp-processor09.phx1.mozilla.com_4846:2008; exploitablity tool: ERROR: unable to analyze dump EMCheckCompatibility True Adapter Vendor ID 0x10de Adapter Device ID 0x fd5 Frame Module Signature Source 0 XUL js::Vector<unsigned short, 32ul, js::ContextAllocPolicy>::convertToHeapStorage js/src/jscntxt.h:1638 1 XUL js::Vector<unsigned short, 32ul, js::ContextAllocPolicy>::growStorageBy obj-firefox/x86_64/dist/include/js/Vector.h:663 2 XUL js::SPSProfiler::allocProfileString obj-firefox/x86_64/dist/include/js/Vector.h:700 3 XUL js::SPSProfiler::profileString js/src/vm/SPSProfiler.cpp:79 4 XUL js::ion::CodeGenerator::visitFunctionBoundary js/src/vm/SPSProfiler.h:389 5 XUL js::ion::LFunctionBoundary::accept js/src/ion/LIR-Common.h:3525 6 XUL js::ion::CodeGenerator::generateBody js/src/ion/CodeGenerator.cpp:1731 7 XUL js::ion::CodeGenerator::generate js/src/ion/CodeGenerator.cpp:3658 8 XUL js::ion::CompileBackEnd js/src/ion/Ion.cpp:1023 9 XUL js::WorkerThread::threadLoop js/src/jsworkers.cpp:321 10 libnspr4.dylib _pt_root ptthread.c:156 11 libsystem_c.dylib _pthread_start 12 libsystem_c.dylib thread_start 13 libnspr4.dylib libnspr4.dylib@0x1dad0 More reports at: https://crash-stats.mozilla.com/report/list?signature=js%3A%3AVector%3Cunsigned+short%2C+32ul%2C+js%3A%3AContextAllocPolicy%3E%3A%3AconvertToHeapStorage%28unsigned+long%29
It might be the Mac version of bug 836938.
...and also a duplicate of bug 832812.
On my mac, the STR are * Open http://mailinator.com * Boom.
I'm reliably hitting this bug by opening this google groups link in our CA Policy 2.1 announcement: https://groups.google.com/forum/#!topic/mozilla.dev.security.policy/0jnELviAxxo
This is probably a dupe of bug 832812. It should be fixed in nightly.
Status: NEW → RESOLVED
Closed: 12 years ago
Resolution: --- → DUPLICATE
You need to log in before you can comment on or make changes to this bug.