Closed
Bug 899687
Opened 11 years ago
Closed 11 years ago
crash in (anonymous namespace)::Worker::Trace(JSTracer*, JSObject*)
Categories
(Core :: DOM: Workers, defect)
Tracking
()
RESOLVED
FIXED
mozilla25
| Tracking | Status | |
|---|---|---|
| firefox24 | --- | affected |
People
(Reporter: till, Assigned: jonco)
References
Details
(Keywords: crash, Whiteboard: [js:t])
Crash Data
Attachments
(1 file)
|
1.43 KB,
patch
|
khuey
:
review+
|
Details | Diff | Splinter Review |
Looks like this is x64 only. From crashstats.m.o, it seem to also happen under other circumstances, but these STR work reliably for me on OS X 10.8 and a reporter (:Pereba in #shumway) on Win. STR: - install the Shumway extension from http://www.areweflashyet.com/shumway/ - install the Custom Buttons extension from https://addons.mozilla.org/en-US/firefox/addon/custom-buttons/ - disable the Flash plugin - restart the browser - visit http://geocities.ws/___/troll.swf A stack trace for these STR can be found at https://crash-stats.mozilla.com/report/index/15b1ec1a-cc5b-470f-bc04-2bbd32130730
|
Reporter | |
Updated•11 years ago
|
See Also: → https://github.com/mozilla/shumway/issues/430
|
||
Updated•11 years ago
|
Severity: normal → critical
Crash Signature: [@ (anonymous namespace)::Worker::Trace(JSTracer*, JSObject*)]
`anonymous namespace''::Worker::Trace(JSTracer*, JSObject*) → [@ (anonymous namespace)::Worker::Trace(JSTracer*, JSObject*)]
[@ `anonymous namespace''::Worker::Trace(JSTracer*, JSObject*)]
Would you mind taking a look at this, Jon? It looks like a fun bug.
Flags: needinfo?(jcoppeard)
|
Assignee | |
Comment 2•11 years ago
|
||
(In reply to Bill McCloskey (:billm) from comment #1) > Would you mind taking a look at this, Jon? It looks like a fun bug. Fun? :) Sure, no problem.
Assignee: general → jcoppeard
Status: NEW → ASSIGNED
Flags: needinfo?(jcoppeard)
|
|
Assignee | |
Comment 3•11 years ago
|
||
The DOM_OBJECT_SLOT of the JSObject is always assumed to hold a private value. However, it can be accessed by the Trace() method before it is initialised as such if WorkerPrivate::Create() triggers a GC. The solution is just to always set it to a null private value as soon as it is created.
Attachment #784424 -
Flags: review?(jonas)
|
||
Updated•11 years ago
|
Component: JavaScript Engine → DOM: Workers
Attachment #784424 -
Flags: review?(jonas) → review+
|
|
Assignee | |
Comment 4•11 years ago
|
||
https://hg.mozilla.org/integration/mozilla-inbound/rev/284946982e36
|
||
Comment 5•11 years ago
|
||
https://hg.mozilla.org/mozilla-central/rev/284946982e36
Status: ASSIGNED → RESOLVED
Closed: 11 years ago
Resolution: --- → FIXED
Target Milestone: --- → mozilla25
|
|
||
Updated•11 years ago
|
status-firefox24:
--- → affected
You need to log in
before you can comment on or make changes to this bug.
Description
•