Closed Bug 851806 Opened 12 years ago Closed 12 years ago

crash in js::ObjectImpl::nativeLookup @ js::ShapeTable::search

Categories

(Core :: JavaScript Engine, defect)

22 Branch
defect
Not set
critical

Tracking

RESOLVED FIXED
mozilla22
Tracking Status
firefox21 --- unaffected
firefox22 --- fixed

People

(Reporter: scoobidiver, Unassigned)

Details

(Keywords: crash, regression, Whiteboard: [native-crash])

Crash Data

With the below stack trace, it first showed up in 22.0a1/20130316 and has been hit by three users in Firefox for Android.

The regression range is: http://hg.mozilla.org/mozilla-central/pushloghtml?fromchange=0f7261e288f2&tochange=8f5b1f9f5804

Signature: js::ShapeTable::search(int, bool)
UUID: 047cb8e9-9858-4561-b5e2-408122130316
Date Processed: 2013-03-16 14:47:01
Uptime: 1063
Install Age: 17.7 minutes since version was first installed.
Install Time: 2013-03-16 14:29:15
Product: FennecAndroid
Version: 22.0a1
Build ID: 20130316030854
Release Channel: nightly
OS: Android
OS Version: 0.0.0 Linux 3.1.10-00003-gb0003ba #1 SMP PREEMPT Fri Dec 28 17:34:31 CST 2012 armv7l asus/JP_epad/TF300T:4.1.1/JRO03C/JP_epad-10.4.2.20-20121228:user/release-keys
Build Architecture: arm
Build Architecture Info:
Crash Reason: SIGSEGV
Crash Address: 0x178
App Notes: AdapterDescription: 'NVIDIA Corporation -- NVIDIA Tegra 3 -- OpenGL ES 2.0 14.01002 -- Model: ASUS Pad TF300T, Product: JP_epad, Manufacturer: asus, Hardware: cardhu' EGL? EGL+ GL Context? GL Context+ GL Layers? GL Layers+ Stagefright? Stagefright+ asus ASUS Pad TF300T asus/JP_epad/TF300T:4.1.1/JRO03C/JP_epad-10.4.2.20-20121228:user/release-keys
Processor Notes: sp-processor04.phx1.mozilla.com_23613:2008; exploitablity tool: ERROR: unable to analyze dump
EMCheckCompatibility: True
Adapter Vendor ID: NVIDIA Corporation
Adapter Device ID: NVIDIA Tegra 3
Device: asus ASUS Pad TF300T
Android API Version: 16 (REL)
Android CPU ABI: armeabi-v7a

Frame  Module     Signature                  Source
0      libxul.so  js::ShapeTable::search     js/src/vm/Shape.cpp:163
1      libxul.so  js::GetPropertyHelper      js/src/jsobj.cpp:3459
2      libxul.so  js::SetPropertyOperation   js/src/jsinterpinlines.h:370
3      libxul.so  js::NameOperation          js/src/jsinterpinlines.h:455
4      libxul.so  js::ion::CanEnter          js/src/ion/Ion.cpp:1519
5      libxul.so  js::Interpret              js/src/jsinterpinlines.h:295
6      libxul.so  libxul.so@0xd6a4fb

More reports at: https://crash-stats.mozilla.com/report/list?product=FennecAndroid&signature=js%3A%3AShapeTable%3A%3Asearch%28int%2C+bool%29
Crash Signature: [@ js::ShapeTable::search(int, bool)] → [@ js::ShapeTable::search(int, bool)] [@ js::ShapeTable::search(long, bool)]
The desktop stack trace looks like:

Frame  Module     Signature                       Source
0      libxul.so  js::ShapeTable::search          js/src/vm/Shape.cpp:159
1      libxul.so  js::ObjectImpl::nativeLookup    js/src/vm/Shape.h:1055
2      libxul.so  js::GetPropertyHelper           js/src/jsobj.cpp:3459
3      libxul.so  js_json_parse                   js/src/json.cpp:76
4      libxul.so  js::ParseJSONWithReviver        js/src/json.cpp:868
5      libxul.so  js::InvokeKernel                js/src/jscntxtinlines.h:327
6      libxul.so  js::mjit::EnterMethodJIT        js/src/methodjit/MethodJIT.cpp:1035
7      libxul.so  js::ObjectImpl::nativeLookup    js/src/vm/Shape.h:1055
8      libxul.so  js::LookupNameNoGC              js/src/jsobj.cpp:3459
9      libxul.so  js::mjit::JITScript::chunk      js/src/methodjit/MethodJIT.h:859
10     libxul.so  js::Interpret                   js/src/jsinterpinlines.h:295
11     libxul.so  libxul.so@0x18ad500
Blocks: 836968
Crash Signature: [@ js::ShapeTable::search(int, bool)] [@ js::ShapeTable::search(long, bool)] → [@ js::ShapeTable::search(int, bool)] [@ js::ShapeTable::search(long, bool)] [@ js::Shape::search(JSContext*, js::Shape*, int, js::Shape***, bool) ] [@ js::Shape::search(JSContext*, js::Shape*, __int64, js::Shape***, bool) ] [@ EnumerateNativeProperti…
Summary: crash in js::GetPropertyHelper @ js::ShapeTable::search → crash in js::ObjectImpl::nativeLookup @ js::ShapeTable::search
Blocks: 637512
I set this as blocking bug 637512 as I have encountered this crash several times, and each time it was either while "liking" a post on my Facebook timeline, or scrolling my timeline that seemed to trigger it. I have not experienced any such crashes on any other site.
The offending bug was backed out, so today's nightly shouldn't have this crash. It was then repushed with a fix for the crashes, but that hasn't merged to m-c yet.
Status: NEW → RESOLVED
Closed: 12 years ago
Resolution: --- → FIXED
Target Milestone: --- → mozilla22
Looks okay for me in Mozilla/5.0 (X11; Ubuntu; Linux x86_64; rv:22.0) Gecko/20130321 Firefox/22.0 Thanks!
Hello Andrew!

Got this crash recently: https://crash-stats.mozilla.com/report/index/7d7e8dc7-df37-49e7-bc8d-40eec2160205

Shall I reopen this bug or file a new one?

Thanks!
Flags: needinfo?(continuation)
(In reply to alex_mayorga from comment #8)
> Shall I reopen this bug or file a new one?

A new bug, please.
Flags: needinfo?(continuation)
See Also: → 1246987