Closed Bug 883562 Opened 9 years ago Closed 9 years ago

Crash [@ js::ObjectImpl::getSlot(unsigned int) ]


(Core :: JavaScript Engine, defect)

24 Branch
Not set
Tracking Status:
firefox23 ---  unaffected
firefox24 +    verified

(Reporter: gps, Assigned: bhackett1024)
I am able to reproduce crashes on 2013-06-15 Nightly on Windows 7 by doing the following:

1) Load
2) Place mouse in the lower chart, click and hold, and start moving left and right.
3) Crash occurs within a few mouse movements.


Unfortunately, I cannot reproduce in safe mode. I have a number of add-ons installed.

I can load up Visual Studio and try to debug things if that will be helpful. Just needinfo me.
Crash Signature: [@ js::ObjectImpl::getSlot(unsigned int)]
Keywords: crash
I can reproduce.

The regression range is:

Stack trace:
Frame  Module     Signature                      Source
0      mozjs.dll  js::ObjectImpl::getSlot        js/src/vm/ObjectImpl.h:1400
1      mozjs.dll  InitFromBailout                js/src/ion/BaselineBailouts.cpp:478
2      mozjs.dll  js::ion::BailoutIonToBaseline  js/src/ion/BaselineBailouts.cpp:1086
3      mozjs.dll  js::ion::Bailout               js/src/ion/Bailouts.cpp:81
4                 @0x2bb6f8
5                 @0x4
6      mozjs.dll  js::ToNumberSlow               js/src/jsnum.cpp:1463

More reports at:
Severity: normal → critical
Hardware: x86_64 → x86
Version: unspecified → 24 Branch
Regression window (m-i):
Mozilla/5.0 (Windows NT 6.1; WOW64; rv:24.0) Gecko/20130614 Firefox/24.0 ID:20130614031707
Mozilla/5.0 (Windows NT 6.1; WOW64; rv:24.0) Gecko/20130614 Firefox/24.0 ID:20130614045911

Suspected: Bug 678037
Blocks: LazyBytecode
Crash Signature: [@ js::ObjectImpl::getSlot(unsigned int)] → [@ js::ObjectImpl::getSlot(unsigned int)] [@ JSScript::filename() const]
OS: Windows 7 → All
Hardware: x86 → All
Attached patch patchSplinter Review
I think this will fix these crashes (haven't confirmed).  Bailing out from baseline would assume that functions read from the stack have a non lazy script, which might not be the case for the callees of inlined Ion frames (see bug 883630).
Assignee: general → bhackett1024
Attachment #763259 - Flags: review?(jdemooij)
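The comment above describes an invariant that no longer held once bytecode could be discarded and rebuilt lazily: the bailout path assumed every function it read off the stack already had a script. The following toy model is added here to illustrate that failure class and the shape of the fix; it is not SpiderMonkey code and not the attached patch, and every name in it (Script, Function, IonFrame, ensureScript, reconstructUnchecked, reconstructChecked) is hypothetical.

```cpp
// Added illustration, not SpiderMonkey code. All names are hypothetical.
#include <memory>
#include <string>
#include <vector>

struct Script {
    std::string bytecode;   // stands in for compiled bytecode
};

// A function whose bytecode may be discarded ("relazified") and later
// rebuilt on demand from its source text.
struct Function {
    std::string source;
    std::shared_ptr<Script> script;   // null while the function is lazy

    bool isLazy() const { return script == nullptr; }

    // Model of delazification: compile from source if no script exists.
    Script* ensureScript() {
        if (!script)
            script = std::make_shared<Script>(Script{"bytecode(" + source + ")"});
        return script.get();
    }

    void relazify() { script.reset(); }
};

// An optimized frame: the outer function plus the callees inlined into it.
struct IonFrame {
    Function* outer;
    std::vector<Function*> inlinedCallees;
};

// Buggy shape: assumes every function found on the stack already has a
// script. A relazified inlined callee yields a null Script*, the toy
// equivalent of the crash in the bailout path.
std::vector<Script*> reconstructUnchecked(const IonFrame& f) {
    std::vector<Script*> scripts;
    scripts.push_back(f.outer->script.get());
    for (Function* callee : f.inlinedCallees)
        scripts.push_back(callee->script.get());
    return scripts;
}

// Hardened shape: establish the "has a script" invariant for each
// function before using it instead of assuming it.
std::vector<Script*> reconstructChecked(const IonFrame& f) {
    std::vector<Script*> scripts;
    scripts.push_back(f.outer->ensureScript());
    for (Function* callee : f.inlinedCallees)
        scripts.push_back(callee->ensureScript());
    return scripts;
}

// Scenario: callee compiled (so it could be inlined), then relazified.
// Returns true if the unchecked path would have hit a null script.
bool demoUncheckedHitsNull() {
    Function outer{"outer", nullptr}, callee{"callee", nullptr};
    outer.ensureScript();
    callee.ensureScript();
    callee.relazify();              // bytecode discarded after inlining
    IonFrame frame{&outer, {&callee}};
    for (Script* s : reconstructUnchecked(frame))
        if (s == nullptr) return true;
    return false;
}

// Same scenario through the hardened path; true if every script is valid.
bool demoCheckedIsSafe() {
    Function outer{"outer", nullptr}, callee{"callee", nullptr};
    outer.ensureScript();
    callee.ensureScript();
    callee.relazify();
    IonFrame frame{&outer, {&callee}};
    for (Script* s : reconstructChecked(frame))
        if (s == nullptr) return false;
    return true;
}
```

The point of the model is the ordering: once a script can disappear between compilation and bailout, the reconstruction step must delazify (or otherwise check) before dereferencing, rather than trusting that an earlier compilation step left the script in place.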
Pushing ahead of review to see if the crashes get fixed.
Duplicate of this bug: 883633
Crash Signature: [@ js::ObjectImpl::getSlot(unsigned int)] [@ JSScript::filename() const] → [@ js::ObjectImpl::getSlot(unsigned int)] [@ JSScript::filename() const ]
Closed: 9 years ago
Resolution: --- → FIXED
Target Milestone: --- → mozilla24
Attachment #763259 - Flags: review?(jdemooij) → review+
Duplicate of this bug: 883677
Crash Signature: [@ js::ObjectImpl::getSlot(unsigned int)] [@ JSScript::filename() const ] → [@ js::ObjectImpl::getSlot(unsigned int)] [@ JSScript::filename() const ] [@ js::ion::SnapshotIterator::slotValue(js::ion::SnapshotReader::Slot const&) ]
Verified as fixed with Firefox 24 beta 8 (build ID: 20130902131354), on Mac OSX 10.7.5, Ubuntu 12.10 32bit and Win 8 32bit. No more crashing with the URLs from comment 0, comment 3 and comment 4.

Reports from Socorro, regarding last month:

1) for the first signature, there are 9 crashes with 24.0b7

2) for the second signature, there aren't any crashes regarding last month

3) for the third signature, there are 2 crashes with 24.0b5
QA Contact: manuela.muntean