Closed Bug 851807 Opened 10 years ago Closed 10 years ago

crash in js::JSONParser::createFinishedObject @ JSObject::setLastProperty


(Core :: JavaScript Engine, defect)

22 Branch
Not set



Tracking Status
firefox21 --- unaffected
firefox22 + fixed


(Reporter: scoobidiver, Assigned: bhackett1024)



(Keywords: crash, regression, topcrash, Whiteboard: [metro-crash])

Crash Data

It first showed up in 22.0a1/20130316 and is currently #1 top crasher in this build. The regression range is:
It's likely a regression from bug 836968.

Signature 	JSObject::setLastProperty(JSContext*, JS::Handle<JSObject*>, JS::Handle<js::Shape*>)
UUID	be259c48-7f27-41ce-8dd7-d66e82130316
Date Processed	2013-03-16 15:03:47
Uptime	79
Install Age	3.6 minutes since version was first installed.
Install Time	2013-03-16 14:59:30
Product	Firefox
Version	22.0a1
Build ID	20130316030854
Release Channel	nightly
OS	Windows NT
OS Version	6.1.7601 Service Pack 1
Build Architecture	x86
Build Architecture Info	GenuineIntel family 6 model 42 stepping 7
Crash Address	0xffffffffdadadada
User Comments	Browsing Facebook,, and crashed randomly.
App Notes 	
AdapterVendorID: 0x8086, AdapterDeviceID: 0x0126, AdapterSubsysID: 049a1028, AdapterDriverVersion:
D2D? D2D+ DWrite? DWrite+ D3D10 Layers? D3D10 Layers+ 
Processor Notes 	sp-processor05.phx1.mozilla.com_18282:2008
EMCheckCompatibility	True
Adapter Vendor ID	0x8086
Adapter Device ID	0x0126
Total Virtual Memory	4294836224
Available Virtual Memory	3690528768
System Memory Use Percentage	41
Available Page File	6229270528
Available Physical Memory	2446860288
Accessibility	Active

Frame 	Module 	Signature 	Source
0 	mozjs.dll 	JSObject::setLastProperty 	js/src/jsobj.cpp:2320
1 	mozjs.dll 	js::types::TypeCompartment::newTypedObject 	js/src/jsinfer.cpp:3492
2 	mozjs.dll 	js::JSONParser::createFinishedObject 	js/src/jsonparser.cpp:529
3 	mozjs.dll 	js::JSONParser::parse 	js/src/jsonparser.cpp:622
4 	mozjs.dll 	js::ParseJSONWithReviver 	js/src/json.cpp:863
5 	mozjs.dll 	js_json_parse 	js/src/json.cpp:76
6 	mozjs.dll 	js::mjit::CallCompiler::generateNativeStub 	js/src/methodjit/MonoIC.cpp:1062
7 	mozjs.dll 	js::mjit::ic::NativeCall 	js/src/methodjit/MonoIC.cpp:1373
8 	mozjs.dll 	js::mjit::JaegerShot 	js/src/methodjit/MethodJIT.cpp:1118
9 	mozjs.dll 	js::Interpret 	js/src/jsinterp.cpp:2418
10 	mozjs.dll 	js::RunScript 	js/src/jsinterp.cpp:332
11 	mozjs.dll 	UncachedInlineCall 	js/src/methodjit/InvokeHelpers.cpp:396
12 	mozjs.dll 	js::mjit::stubs::UncachedCallHelper 	js/src/methodjit/InvokeHelpers.cpp:491
13 	mozjs.dll 	js::mjit::CallCompiler::update 	js/src/methodjit/MonoIC.cpp:1276
14 	mozjs.dll 	js::mjit::ic::Call 	js/src/methodjit/MonoIC.cpp:1359
15 	mozjs.dll 	js::mjit::EnterMethodJIT 	js/src/methodjit/MethodJIT.cpp:1042
16 	mozjs.dll 	js::RunScript 	js/src/jsinterp.cpp:337
17 	mozjs.dll 	js::InvokeKernel 	js/src/jsinterp.cpp:397
18 	mozjs.dll 	js::Invoke 	js/src/jsinterp.h:135
19 	mozjs.dll 	js_fun_call 	js/src/jsfun.cpp:859
20 	mozjs.dll 	js::InvokeKernel 	js/src/jsinterp.cpp:383
21 	mozjs.dll 	js::Interpret 	js/src/jsinterp.cpp:2361
22 	mozjs.dll 	js::RunScript 	js/src/jsinterp.cpp:332
23 	mozjs.dll 	UncachedInlineCall 	js/src/methodjit/InvokeHelpers.cpp:331
24 	mozjs.dll 	js::mjit::stubs::UncachedCallHelper 	js/src/methodjit/InvokeHelpers.cpp:491

More reports at:*%2C+JS%3A%3AHandle%3CJSObject*%3E%2C+JS%3A%3AHandle%3Cjs%3A%3AShape*%3E%29
Three in a row with 3/16, two of them with this signature instead -- still in a related area: [@ EnumerateNativeProperties]
Crash Signature: [@ JSObject::setLastProperty(JSContext*, JS::Handle<JSObject*>, JS::Handle<js::Shape*>)] → [@ JSObject::setLastProperty(JSContext*, JS::Handle<JSObject*>, JS::Handle<js::Shape*>)] [@ js::types::TypeCompartment::newTypedObject(JSContext*, js::IdValuePair*, unsigned __int64)] [@ js::types::TypeCompartment::newTypedObject(JSContext*, js::IdValue…
Crash Signature: , js::IdValuePair*, unsigned int)] [@ ScanShape ] [@ js::Shape::slotSpan() ] → , js::IdValuePair*, unsigned int)] [@ ScanShape ] [@ js::Shape::slotSpan() ] [@ PushMarkStack ]
This is almost certainly bug 851635, which can cause JSON objects to be assigned dead shapes and cause crashes with these signatures.  I'll be pushing a fix for that once inbound opens.
Crash Signature: , js::IdValuePair*, unsigned int)] [@ ScanShape ] [@ js::Shape::slotSpan() ] [@ PushMarkStack ] → , js::IdValuePair*, unsigned int)] [@ js::types::TypeCompartment::newTypedObject(JSContext*, js::IdValuePair*, unsigned long) ] [@ ScanShape ] [@ ScanBaseShape ] [@ js::Shape::slotSpan() ] [@ PushMarkStack ]
Blocks: 637512
I set this as blocking bug 637512 as I have encountered this crash several times, and each time it was either while "liking" a post on my Facebook timeline, or scrolling my timeline that seemed to trigger it.  I have not experienced any such crashes on any other site.
Whiteboard: [metro-crash]
(In reply to Brian Hackett (:bhackett) from comment #2)
> This is almost certainly bug 851635, which can cause JSON objects to be
> assigned dead shapes and cause crashes with these signatures.  I'll be
> pushing a fix for that once inbound opens.

This is the #1 top crash on Nightly - if we don't have a forward fix, we should instead be backing out bug 851635 asap
Assignee: general → bhackett1024
I see now. Let's assume this is fixed for now.
Closed: 10 years ago
Resolution: --- → FIXED
This crash is a regression from bug 836968.  Bug 851635 is a testcase that was found that causes the same crash, not a patch that caused this crash.  Bug 836968 was backed out by bhackett on 3-16 (first showing up in the 3-17 Nightly), then relanded with a fix for bug 851635 on 3-17.  I don't see any crashes on the 3-17 or later builds.
Target Milestone: --- → mozilla22