crash in js::mjit::stubs::ValueToBoolean on Outlook.com

VERIFIED FIXED in Firefox 22

Status

()

Core
JavaScript Engine
--
critical
VERIFIED FIXED
5 years ago
5 years ago

People

(Reporter: Scoobidiver (away), Assigned: jandem)

Tracking

({crash, topcrash})

19 Branch
mozilla23
crash, topcrash
Points:
---

Firefox Tracking Flags

(firefox19 affected, firefox20+ affected, firefox21+ affected, firefox22 verified, firefox23 verified)

Details

(crash signature)

Attachments

(2 attachments)

(Reporter)

Description

5 years ago
Comments talk about outlook.com or the new layout of Hotmail.

Signature 	js::ToBooleanSlow(JS::Value const&) More Reports Search
UUID	b98db315-3737-4b82-a10b-bc83b2130316
Date Processed	2013-03-16 11:22:27
Uptime	501
Last Crash	8.5 minutes before submission
Install Age	32.4 minutes since version was first installed.
Install Time	2013-03-16 10:49:16
Product	Firefox
Version	20.0
Build ID	20130313170052
Release Channel	beta
OS	Mac OS X
OS Version	10.7.5 11G63
Build Architecture	amd64
Build Architecture Info	family 6 model 42 stepping 7
Crash Reason	EXC_BAD_ACCESS / KERN_INVALID_ADDRESS
Crash Address	0x0
User Comments	Every time I try to reply to an e-mail using the new Outlook layout, Firefox crashes.
App Notes 	
AdapterVendorID: 0x8086, AdapterDeviceID: 0x 116GL Context? GL Context+ GL Layers? GL Layers+ 
Processor Notes 	sp-processor05.phx1.mozilla.com_18282:2008; exploitablity tool: ERROR: unable to analyze dump
EMCheckCompatibility	True
Adapter Vendor ID	0x8086
Adapter Device ID	0x 116

Frame 	Module 	Signature 	Source
0 	XUL 	js::ToBooleanSlow 	js/src/jsfriendapi.h:386
1 	XUL 	js::mjit::stubs::ValueToBoolean 	js/src/jsapi.h:2772
2 		@0x120e01156 	
3 	XUL 	js::mjit::EnterMethodJIT 	js/src/methodjit/MethodJIT.cpp:1041
4 	XUL 	js::mjit::JaegerShotAtSafePoint 	js/src/methodjit/MethodJIT.cpp:1099
5 	XUL 	js::Interpret 	js/src/jsinterp.cpp:1403
6 	XUL 	js::RunScript 	js/src/jsinterp.cpp:346
7 	XUL 	js::InvokeKernel 	js/src/jsinterp.cpp:404
8 	XUL 	js_fun_apply 	js/src/jsinterp.h:112
9 	XUL 	js::InvokeKernel 	js/src/jscntxtinlines.h:373
10 	XUL 	js::Interpret 	js/src/jsinterp.cpp:2366
11 	XUL 	js::RunScript 	js/src/jsinterp.cpp:346
12 	XUL 	js::InvokeKernel 	js/src/jsinterp.cpp:404
13 	XUL 	js_fun_apply 	js/src/jsinterp.h:112
14 	XUL 	js::InvokeKernel 	js/src/jscntxtinlines.h:373
15 	XUL 	js::Interpret 	js/src/jsinterp.cpp:2366
16 	XUL 	js::RunScript 	js/src/jsinterp.cpp:346
17 	XUL 	js::InvokeKernel 	js/src/jsinterp.cpp:404
18 	XUL 	js_fun_apply 	js/src/jsinterp.h:112
19 	XUL 	js::InvokeKernel 	js/src/jscntxtinlines.h:373
20 	XUL 	js::Interpret 	js/src/jsinterp.cpp:2366
21 	XUL 	js::RunScript 	js/src/jsinterp.cpp:346
22 	XUL 	UncachedInlineCall 	js/src/methodjit/InvokeHelpers.cpp:372
...

More reports at:
https://crash-stats.mozilla.com/report/list?signature=js%3A%3AToBooleanSlow%28JS%3A%3AValue+const%26%29
(Reporter)

Comment 1

5 years ago
It's #30 top browser crasher in 19.0.2 and a low volume in 20.0b5.
But on Mac OS X, it's high in all channels, #16 in 19.0.2, #3 in 20.0b5, and #7 in 21.0a2.

More reports also at:
https://crash-stats.mozilla.com/report/list?signature=js%3A%3Amjit%3A%3Astubs%3A%3AValueToBoolean%28js%3A%3AVMFrame%26%29
Blocks: 595351
Crash Signature: [@ js::ToBooleanSlow(JS::Value const&)] [@ js::ToBooleanSlow ] → [@ js::ToBooleanSlow(JS::Value const&)] [@ js::ToBooleanSlow ] [@ js::mjit::stubs::ValueToBoolean(js::VMFrame&) ]
status-firefox19: --- → affected
status-firefox20: --- → affected
status-firefox21: --- → affected
status-firefox22: --- → affected
tracking-firefox20: --- → ?
tracking-firefox21: --- → ?
Keywords: topcrash
Summary: crash in js::ToBooleanSlow → crash in js::ToBooleanSlow on Outlook.com
(Reporter)

Updated

5 years ago
Summary: crash in js::ToBooleanSlow on Outlook.com → crash in js::mjit::stubs::ValueToBoolean on Outlook.com

Comment 2

5 years ago
(In reply to Scoobidiver from comment #1)
> But on Mac OS X, it's high in all channels

I'd guess that's to a part because there's fewer third-party-software issues on Mac than on Windows. (And also, I guess a lot of Windows people using outlook.com might use some Microsoft client to read it.)


That said, it would be great if we could find some STR here, given that we already narrowed it down to outlook.com - from all we know, it's in the JITed code somewhere. Potentially, there's also some tools to get info out of the JITed code from the minidump, that's be another avenue to take.
We might be too late for FF20 but it's worth looking into STR (as Kairo points out) and since Mac + Outlook appear to be correlated, perhaps that's a good place to start.  Assigning to David to either being the investigation here or delegate to another engineer.
Assignee: general → dvander
tracking-firefox20: ? → +
tracking-firefox21: ? → +
(Reporter)

Comment 4

5 years ago
(In reply to Scoobidiver from comment #1)
> and a low volume in 20.0b5.
In 20.0 Beta, the signature is js::mjit::EnterMethodJIT: https://crash-stats.mozilla.com/report/list?signature=js%3A%3Amjit%3A%3AEnterMethodJIT%28JSContext*%2C+js%3A%3AStackFrame*%2C+void*%2C+JS%3A%3AValue*%2C+bool%29
So it's #33 in 19.0.2, #12 in 20.0b6, #11 in 21.0a2 and #93 in 22.0a1.
Crash Signature: [@ js::ToBooleanSlow(JS::Value const&)] [@ js::ToBooleanSlow ] [@ js::mjit::stubs::ValueToBoolean(js::VMFrame&) ] → [@ js::ToBooleanSlow(JS::Value const&)] [@ js::ToBooleanSlow ] [@ js::mjit::stubs::ValueToBoolean(js::VMFrame&) ] [@ js::mjit::EnterMethodJIT(JSContext*, js::StackFrame*, void*, JS::Value*, bool) ]
(Reporter)

Updated

5 years ago
Duplicate of this bug: 831018
(Reporter)

Updated

5 years ago
Crash Signature: [@ js::ToBooleanSlow(JS::Value const&)] [@ js::ToBooleanSlow ] [@ js::mjit::stubs::ValueToBoolean(js::VMFrame&) ] [@ js::mjit::EnterMethodJIT(JSContext*, js::StackFrame*, void*, JS::Value*, bool) ] → [@ js::ToBooleanSlow(JS::Value const&)] [@ js::ToBooleanSlow ] [@ js::mjit::stubs::ValueToBoolean(js::VMFrame&) ] [@ js::IsWrapper(JSObject*)] [@ js::mjit::EnterMethodJIT(JSContext*, js::StackFrame*, void*, JS::Value*, bool) ]

Comment 6

5 years ago
(In reply to lsblakk@mozilla.com from comment #3)
> We might be too late for FF20 but it's worth looking into STR (as Kairo
> points out) and since Mac + Outlook appear to be correlated, perhaps that's
> a good place to start.

This needs qawanted/steps-wanted in that case.
Keywords: qawanted, steps-wanted
QA Contact: jbecerra
I've not been able to reproduce any crashes on Outlook.com this afternoon with Firefox 20.0b6 and Windows XP (chosen based on highest correlation in reports). 

Ioana, can you please have your team do some exploratory testing around this in an effort to find steps to reproduce and a regression window?
QA Contact: jbecerra → ioana.budnar
I've tried reproducing this crash on a Windows 7 32-bit machine with Firefox 20 RC (build ID: 20130326150557), but without any luck.

I've tried multiple scenarios on a dirty profile (some of them suggested by the users in their comments from the crash reports, and some extra exploratory also):

- open/compose/reply/forward Outlook emails
- chat with friends from the Outlook page
- delete browser history
- open multiple Outlook tabs and perform different actions in each one of them
- open multiple Outlook tabs + 3 YouTube tabs (videos of about 3-4 hours long) +  
  Facebook tab 
- when writing a new email, for some emails I've pasted the address in the "to" 
  field, and for others I've typed it
- changed Outlook theme/appearance and afterwards tested Outlook functionality
- etc.
Keywords: qawanted
Mozilla/5.0 (Windows NT 5.1; rv:20.0) Gecko/20100101 Firefox/20.0
Build ID: 20130326150557

Firefox 20 did crash for me on Windows XP, but the signature I got is an empty one.
https://crash-stats.mozilla.com/report/index/bp-369c218d-c239-4ecb-90f5-4f9272130329

The crash occurred after pressing the Send button (I was replying to an e-mail). I also had 3 pinned tabs (one with YouTube, Facebook and Aquarium WebGL demo).
I tried to reproduce the crash afterwards but with no luck. 

Prior the crash I did similar actions with the one from Comment 8: chat, sent e-mails with/without attachments (reply, reply all, forward), read e-mails, deleted e-mails, moved e-mails to different folders, linked my Hotmail account to Facebook, Twitter and Google, opened several other tabs beside the Outlook one, closed/opened Firefox several times, installed add-ons, cleared all my history.
Thanks for trying Mihaela and Simona.

Alex, at this point I think we've done all we can; unless we can come up with some more concrete leads for QA to follow. At this point I think this is wontfix for Firefox 19 (possibly 20).

Comment 11

5 years ago
js::mjit::stubs::ValueToBoolean(js::VMFrame&) is #10 on 21.a2 over the last week and #19 on 19.0.2, js::IsWrapper(JSObject*) is #7 in 20.0b7 and also in high ranks in early 20.0 release data.

Comment 12

5 years ago
Hmmm... I was affected by the reply/new email at oulook (mail.live.com) both in my work and home computers (version 20 final and 21 beta).
I already send a crash report with ID bp-8165d4f7-318a-48f9-b06e-c95852130407 , but something weird happened: I ran firefox in safe mode and IT WORKED. That's ok, I thought it could be caused by MemoryFox or AdblockPlus... but now I enabled addons and CAN'T REPRODUCE THE PROBLEM. Don't know why, since it crashed everytime I tried to do it.
Anyway, that happened on my home computer. The one at work will be still crashing, so please tell me if I can help you in any way.

My list of addons is: Adblock Plus, Download Statusbar, Downloadhelper, IDM CC, LogMeIn, Memory Fox and TabMix Plus.
(In reply to Fr3dY from comment #12)
> My list of addons is: Adblock Plus, Download Statusbar, Downloadhelper, IDM
> CC, LogMeIn, Memory Fox and TabMix Plus.

Are both computers using all of these add-ons?

Comment 14

5 years ago
Common ones are:

Adblock Plus
Download Statusbar
Downloadhelper
Memory Fox
TabMix Plus

I just reproduced again at home, crash ID bp-cbeb3286-1dce-4719-8e47-ad2f82130408 and all addons enabled

Comment 15

5 years ago
This is weird... disabled all of these addons and crashed again, report ID bp-7bca4f77-02d6-4922-84b5-7a3d32130408.
Gonna try in safe mode again now.

Comment 16

5 years ago
Working in safe mode.
Besides disabling all addons, what does this 'safe mode' do?

Comment 17

5 years ago
OK, disabled ALL addons and crashed: bp-89bb03d1-9a0e-4a20-b5f5-3329a2130408 , tried again in safe mode and it's working.
So I couldn't reproduce the issue in safe mode, but it crashes when all, some or no addons are manually enabled.
Could you try turning off Hardware Acceleration:
https://support.mozilla.org/en-US/kb/troubleshoot-extensions-themes-to-fix-problems#w_turn-off-hardware-acceleration

Comment 19

5 years ago
OK, that made it work. ALL addons enabled, hardware acceleration OFF --> NO CRASH (using nVidia 314.21 drivers for x64)
(In reply to Fr3dY from comment #19)
> OK, that made it work. ALL addons enabled, hardware acceleration OFF --> NO
> CRASH (using nVidia 314.21 drivers for x64)

Could you please paste a copy of the Graphics section of about:support to this bug?

Comment 21

5 years ago
(In reply to Fr3dY from comment #16)
> Besides disabling all addons, what does this 'safe mode' do?

It disables hardware acceleration, but that should usually not be the culprit here with this signature (though I wonder about comment #19 in this case).
It also disables the just-in-time compilers for JavaScript, though, and this crash is in that "JIT" code (as the "mjit" in the signature tells), so that would explain the safe mode behavior.
(In reply to Fr3dY from comment #19)
> OK, that made it work. ALL addons enabled, hardware acceleration OFF --> NO
> CRASH (using nVidia 314.21 drivers for x64)

Could you also try updating to NVidia 314.22? According to their website, 314.21 is their latest Beta driver while 314.22 is their latest WHQL driver.

Comment 23

5 years ago
Created attachment 734787 [details]
about:support nvidia graphics section

Comment 24

5 years ago
I will update my desktop computer's graphics drivers tomorrow, but laptop at work also crashes, having Intel HD Graphics.
I think those cards have sort-of stable drivers and little 3d capabilities (not like nvidia, always updating their drivers for new features and game compatibility).
When at work, I'll try to reproduce the steps and upload the gfx section of the about:support too. If positive, I don't think it would be a drivers problem.
I tried reproducing this on Windows 7 64-bit with a GeForce 8600GT using 314.22 and 314.21 drivers with HWA turned on but no crash. 

Fr3dY, are there any steps in particular you are following which reproduces this crash?

Robert, is there anything you can suggest? Anything we can get Fr3dY to do to help debug this issue further?

Comment 26

5 years ago
(In reply to Anthony Hughes, Mozilla QA (:ashughes) from comment #25)
> Robert, is there anything you can suggest?

Nothing other than trying to get steps to reproduce - given that he's seeing this with different graphics chips I'd guess it's not really acceleration but really "just" the JIT. The question is how we can find the JS code in question that makes the JIT choke there.

Comment 27

5 years ago
You could try installing the same addons as me, and seeing if the problem arises then. There are no other steps i could think of right now.
(In reply to Fr3dY from comment #27)
> You could try installing the same addons as me, and seeing if the problem
> arises then. There are no other steps i could think of right now.

What in particular are you doing on Outlook when this crashes? Are you simply loading mail.live.com and logging in? Any specific details you can provide would help.
(In reply to Fr3dY from comment #27)
> You could try installing the same addons as me, and seeing if the problem
> arises then. There are no other steps i could think of right now.

Unfortunately doing so has not reproduced a crash. I'll need more specific details about what you are doing when you encounter this crash otherwise I'm just shooting in the dark.

Comment 30

5 years ago
Logging in and reading emails work fine, just try to reply to one of them
(In reply to Fr3dY from comment #30)
> Logging in and reading emails work fine, just try to reply to one of them

Hmm...yeah, I've been trying that and I've not yet seen any crashes.

David, is there something in particular that Fr3dy could do to assist in debugging this issue?
I've looked at a few of the crash dumps and nothing obvious stands out. It looks like a bogus value is flowing into ToBooleanSlow(). Since this has pretty good distribution across platforms, it's unlikely to be PGO-related either. If we could find out what JS code is crashing, that could be a huge help.

I could make a try build of Firefox that saves the exact .js file and line in the crash dump, and then see if anyone could reproduce it on that build?
(In reply to David Anderson [:dvander] from comment #32)
> I could make a try build of Firefox that saves the exact .js file and line
> in the crash dump, and then see if anyone could reproduce it on that build?

That would be great. Fr3dY, once David has linked his build can you please try using it for a bit to see if it crashes?

Comment 34

5 years ago
Of course. When you reply, there's a list of contacts at the left side, maybe the crash is related to that part.
Notify here once the build is ready :)
Cool! Okay, I have queued up the build... I'll have to disassemble it first to make sure the instrumentation is actually there (I have no idea if this instrumentation technique will work), but I should have more info by tonight.

Comment 36

5 years ago
Bad news... here at work, with hardware acceleration disabled, replying to a message crashes too (addons were enabled).
Report ID: bp-5f17aa3a-2b2a-4520-8bb1-171602130409
Fr3dY: okay, I have builds: 

http://ftp.mozilla.org/pub/mozilla.org/firefox/try-builds/danderson@mozilla.com-61e0a78f390e/try-win32/

If the crash reproduces with that build, send me the new crash ID (feel free to e-mail it if you're not comfortable posting the link here). If it doesn't crash, I'll have to apply this patch to Firefox 21 and queue a new build tomorrow morning :)

Comment 38

5 years ago
Tried like 10 times, and no crash with this build (both HA and addons enabled).
In about 8 hours I'll try again from my desktop computer at home and report, to 'double confirm' the successful fix :)
Hi Fr3dY, thanks for trying it. Unfortunately, that was not intended to be a fix :( most likely the problem doesn't exist on Firefox 23 then. I'll spin up a Firefox 21 build for you shortly.
(Reporter)

Comment 40

5 years ago
(In reply to David Anderson [:dvander] from comment #39)
> most likely the problem doesn't exist on Firefox 23 then
It means the Baseline compiler has fixed it.
status-firefox23: --- → unaffected

Comment 41

5 years ago
Yes, I thought this build was for debugging purposes only, but it's working... confirmed with my desktop computer too.
Anyway, I'll try the v21 build if you want.

Updated

5 years ago
QA Contact: ioana.budnar
Fr3dY: sorry for the late reply. Here's new builds:

http://ftp.mozilla.org/pub/mozilla.org/firefox/try-builds/danderson@mozilla.com-db6f24ab19f6/try-win32/

Thanks again for helping!

Comment 43

5 years ago
ID of crash report generated with this build: bp-b1b200a4-a7e5-4991-bf49-774f62130411

Comment 44

5 years ago
No news about this? Gonna be just fixed in v23?
This is crashing somewhere in jQuery, on the starred opcode:

main:
00000:   2  getaliasedvar "n" (hops = 0, slot = 2)
00009:   2  dup
00010:   2  callprop "apply"
00015:   2  swap
00016:   2  notearg
00017:   2  this
00018:   2  notearg
00019:   2  getaliasedvar "t" (hops = 0, slot = 3)
***28:   2  or 39 (+11)
00033:   2  pop
00034:   2  newarray 0
00038:   2  endinit
00039:   2  notearg
00040:   2  funapply 2
00043:   2  return
00044:   2  stop

The code appears in the lambda below:

 n.createCallback=function(n,t){return function(){return n.apply(this,t||[])}}

The crash is occurring in the interpreter, a nonsense value is flowing into the |or|'s ValueToBoolean call, which I assume is from |t|.

Unfortunately, short of us being able to reproduce this, I'm not sure what to do next as pretty much anything could have gone wrong.
This is a bug where the ability to collect full crash dumps could potentially help a lot. Can we do that, even manually?

Comment 47

5 years ago
(In reply to David Anderson [:dvander] from comment #46)
> This is a bug where the ability to collect full crash dumps could
> potentially help a lot. Can we do that, even manually?

Yes, we can! See bug 863714 comment #13 for instructions how to do that.
(Reporter)

Comment 50

5 years ago
I accounts for 2.24% of crashes in 20.0.1 and 21.0b3, 2.06% in 21.0b5, and 3.01% in 21.0b6.
Bug 851788 might have had an effect in the 50% jump but the empty crash signature is lower by 1.5 point.

Comment 51

5 years ago
Scoobidiver, what signature are you looking at there? EnterMethodJIT refers to a ton of things, so can't really be counted as this one unless the URL on the crash reports clearly signs that, and the ValueToBoolean signature that is pretty specific to this one is actually sharply down in 21.0b6.
(Reporter)

Comment 52

5 years ago
(In reply to Robert Kaiser (:kairo@mozilla.com) from comment #51)
> Scoobidiver, what signature are you looking at there?
The ones in the Crash Signature field.

> EnterMethodJIT refers to a ton of things, so can't really be counted as this one
Yes. If I count js::mjit::JaegerShot which accounts for 1.12% in 21.0b5, the two rates match: 3.18% in Beta 5 and 3.01% in Beta 6.

Comment 53

5 years ago
I just confirmed that Firefox 21.0b7 is affected too
Assignee: dvander → jdemooij
(Assignee)

Comment 54

5 years ago
Hi Fr3dY, I'm looking into this bug now.

Would you mind trying out the following steps (with Firefox 20, 21 or 22) so that we can narrow it down a bit further?

- type about:config in the address bar (and hit enter)
- click the "I'll be careful" button
- in the search field type: javascript.options.methodjit.content
- there should be exactly one result, with "true" in the Value column
- double click on the row so that the value changes to "false"
- restart the browser and see if Firefox still crashes
- repeat the steps above to change the value back to "true".

Would you mind trying this for the following options:

javascript.options.methodjit.content
javascript.options.ion.content
javascript.options.typeinference

Thanks in advance!

Comment 55

5 years ago
I set javascript.options.methodjit.content to FALSE and outlook didn't crash using FF 21b7.
But now I can't reproduce the problem even when reverting the value to TRUE (not even in the special compiled nightly version from Comment #42)... weird :S

I'll try the other two at my home computer and see what happens, will report later.
(Assignee)

Comment 56

5 years ago
Thanks! It makes sense that setting javascript.options.methodjit.content to FALSE fixes it. However I've no idea why resetting it to true does not make the problem reappear...

(In reply to Fr3dY from comment #34)
> Of course. When you reply, there's a list of contacts at the left side,
> maybe the crash is related to that part.

I'm looking at one of the full dumps now and indeed it looks related to the contact list: I'm pretty sure the JS code that's crashing has to do with filling it.

Can you tell us more about the contact list you see when you reply? How many contacts are there? Just a few, or more than 50? Is there anything unusual? Feel free to email me directly if you are not comfortable sharing that information here.
(Assignee)

Comment 57

5 years ago
Created attachment 747875 [details]
Testcase

Shell testcase loosely based on Outlook.com's contact picker code. Crashes on mozilla-beta tip at ToBooleanSlow:

Assertion failure: v.isObject(), at jsbool.cpp:202

Not security-sensitive, safe NULL crash.

This looks like a JM bug I fixed last week... It's on aurora (22) but it was late for beta (21) and since it was not security-critical we decided not to land it there..
(Reporter)

Updated

5 years ago
status-firefox22: affected → unaffected
Keywords: steps-wanted
(Assignee)

Comment 58

5 years ago
Fr3dY, to verify the above analysis of the problem, it would be great if you could try these two builds when you have time:

http://ftp.mozilla.org/pub/mozilla.org/firefox/tinderbox-builds/mozilla-aurora-win32/1367806426/

http://ftp.mozilla.org/pub/mozilla.org/firefox/tinderbox-builds/mozilla-aurora-win32/1367854667/

Only one of them should crash if comment 57 is correct.

Comment 59

5 years ago
1367854667 didn't crash, but 1367806426 crashed... it seems the bug was finally found!
(Assignee)

Comment 60

5 years ago
(In reply to Fr3dY from comment #59)
> 1367854667 didn't crash, but 1367806426 crashed... it seems the bug was
> finally found!

Excellent! Thank you for your help, it's greatly appreciated.

Comment 61

5 years ago
This actually might end up being a dupe of bug 867482 in the end, given that the fix from there helped on 22.
status-firefox22: unaffected → fixed
status-firefox23: unaffected → fixed

Comment 62

5 years ago
Oh, and just to be clear about that, many thanks to Fr3dY for helping to debug (and being patient when it took a bit for developers to reply), and to Jan for finding the testcase and fix!
(Reporter)

Updated

5 years ago
Status: NEW → RESOLVED
Last Resolved: 5 years ago
Resolution: --- → FIXED
Target Milestone: --- → mozilla23
What is the fix for this? There happens to be a report on SUMO for it here: https://support.mozilla.org/en-US/questions/959200

Thanks!
(In reply to Feer56 (Andrew T.) from comment #63)
> What is the fix for this? There happens to be a report on SUMO for it here:
> https://support.mozilla.org/en-US/questions/959200

I'm assuming the people on that thread are using Firefox 20.0.1 or earlier. 

This is fixed for Firefox 22 and above in bug 867482. I do not think there are plans to uplift that patch to Firefox 21 because we want the fix to go through a round of Beta testing before going to Release. This will be fixed in Release when Firefox 22 releases six weeks from Tuesday.
Fredy, can you please check the following builds to see if this is resolved for you:
> ftp://ftp.mozilla.org/pub/mozilla.org/firefox/nightly/23.0b1-candidates/build1/
> ftp://ftp.mozilla.org/pub/mozilla.org/firefox/releases/22.0/

Thanks
Flags: needinfo?(fr3dy_)
Keywords: verifyme

Comment 66

5 years ago
Yes, I just tested 22.0 final and it works fine (as did the previous 22 beta versions tested after Comment 58)
I haven't tested 23.0b1 yet, but long ago I tried with some Aurora-alpha 23 versions and they weren't affected by the bug (Comment 40)
Flags: needinfo?(fr3dy_)
(Reporter)

Updated

5 years ago
status-firefox22: fixed → verified
Keywords: verifyme
(In reply to Fr3dY from comment #66)
> I tried with some Aurora-alpha 23 versions and they weren't affected by the bug (Comment 40)

I'd appreciate it if you could retest Firefox 23b1 just for sanity sake.

Thanks

Comment 68

5 years ago
FF 23b1 --> Verified ;)
Thanks Fredy.
Status: RESOLVED → VERIFIED
status-firefox23: fixed → verified

Comment 70

5 years ago
It seems some people are still having issues even with FF22 --> https://support.mozilla.org/es/questions/958539 :(
(In reply to Fr3dY from comment #70)
> It seems some people are still having issues even with FF22 -->
> https://support.mozilla.org/es/questions/958539 :(

Socorro is showing this in far lower volume on Firefox 22 than on Firefox 21. I'm not sure if the fix here was intended to resolve this 100% or to just mitigate the likelihood of hitting it.
(Assignee)

Comment 72

5 years ago
(In reply to Fr3dY from comment #70)
> It seems some people are still having issues even with FF22 -->
> https://support.mozilla.org/es/questions/958539 :(

The two reports there have a different signature (js::IsWrapper(JSObject*)) so are likely unrelated.

https://crash-stats.mozilla.com/report/index/c8e777c5-9836-46ab-9457-08b262130502
https://crash-stats.mozilla.com/report/index/782380f3-6e8e-4451-93e2-4310c2130424

(In reply to Anthony Hughes, Mozilla QA (:ashughes) from comment #71)
> Socorro is showing this in far lower volume on Firefox 22 than on Firefox
> 21. I'm not sure if the fix here was intended to resolve this 100% or to
> just mitigate the likelihood of hitting it.

It's possible there are still stubs::ValueToBoolean crashes, but these are different bugs I think. ValueToBoolean is just one of the places where Values with an invalid type tag will cause crashes.
You need to log in before you can comment on or make changes to this bug.