Closed Bug 1275185 Opened 9 years ago Closed 9 months ago

Crash in js::LookupOwnPropertyPure

Categories

(Core :: JavaScript Engine, defect)

Product:
Core
Component:
JavaScript Engine
Platform:
x86
Windows 7
Type:
defect

Tracking

()

Status:
RESOLVED WORKSFORME
Tracking Flags:
Tracking Status
firefox49 --- wontfix
firefox50 --- wontfix
firefox51 --- wontfix
firefox52 --- wontfix
firefox-esr52 --- wontfix
firefox60 --- wontfix
firefox61 --- fix-optional
firefox62 --- fix-optional

People

(Reporter: ting, Unassigned)

References

(Blocks 1 open bug)

Details

(Keywords: crash)

Crash Data

This bug was filed from the Socorro interface and is report bp-926caebf-7ad0-4c54-8ee7-057ee2160523. ============================================================= #20 of Nightly 20160522030240, 3 crashes from 2 installations. No reports from previous builds.
So far this crash happens only with 0522030240 build, maybe not that important. But do you have any ideas?
Flags: needinfo?(arai.unmht)
In 2 cases, obj->as<NativeObject>()->shape_ is corrupted (==0xffffff8c) and in 1 case, obj->as<NativeObject>()->shape_ or parent is corrupted (==0xcf0004) https://hg.mozilla.org/mozilla-central/annotate/16663eb3dcfa/js/src/jsobj.cpp#l2336 1 other case is 64bit and currently I don't have an environment to debug windows 64bit :/ anyway, possible cases are: * obj is not JSObject * obj->flags contains wrong value and it's not actually NativeObject * obj->shape contains wrong value also, it's inside js::LookupPropertyPure's loop, so there might be the case that `obj->staticPrototype()` returns wrong value, instead of `obj` itself is wrong in LookupPropertyPure but not sure how to investigate from here, without testcase.
Flags: needinfo?(arai.unmht)
Crash volume for signature 'js::LookupOwnPropertyPure': - nightly (version 50): 6 crashes from 2016-06-06. - aurora (version 49): 43 crashes from 2016-06-07. - beta (version 48): 0 crashes from 2016-06-06. - release (version 47): 0 crashes from 2016-05-31. - esr (version 45): 0 crashes from 2016-04-07. Crash volume on the last weeks: W. N-1 W. N-2 W. N-3 W. N-4 W. N-5 W. N-6 W. N-7 - nightly 0 5 0 0 1 0 0 - aurora 3 4 11 12 10 1 2 - beta 0 0 0 0 0 0 0 - release 0 0 0 0 0 0 0 - esr 0 0 0 0 0 0 0 Affected platforms: Windows, Mac OS X
status-firefox50: --- → affected
Crash volume for signature 'js::LookupOwnPropertyPure': - nightly (version 52): 0 crashes from 2016-09-19. - aurora (version 51): 2 crashes from 2016-09-19. - beta (version 50): 98 crashes from 2016-09-20. - release (version 49): 237 crashes from 2016-09-05. - esr (version 45): 0 crashes from 2016-06-01. Crash volume on the last weeks (Week N is from 10-03 to 10-09): W. N-1 W. N-2 - nightly 0 0 - aurora 1 1 - beta 78 20 - release 197 40 - esr 0 0 Affected platforms: Windows, Linux Crash rank on the last 7 days: Browser Content Plugin - nightly - aurora #1467 - beta #240 #193 - release #363 #196 - esr
status-firefox51: --- → affected
Crash volume for signature 'js::LookupOwnPropertyPure': - nightly (version 52): 2 crashes from 2016-09-19. - aurora (version 51): 7 crashes from 2016-09-19. - beta (version 50): 259 crashes from 2016-09-20. - release (version 49): 782 crashes from 2016-09-05. - esr (version 45): 0 crashes from 2016-07-25. Crash volume on the last weeks (Week N is from 10-17 to 10-23): W. N-1 W. N-2 W. N-3 W. N-4 - nightly 1 1 0 0 - aurora 4 1 1 1 - beta 84 58 78 20 - release 239 223 197 40 - esr 0 0 0 0 Affected platforms: Windows, Linux Crash rank on the last 7 days: Browser Content Plugin - nightly - aurora #443 - beta #358 #105 - release #351 #144 - esr
status-firefox52: --- → affected
Too late for firefox 52, mass-wontfix.
status-firefox52: affectedwontfix
QA Whiteboard: qa-not-actionable

Since the crash volume is low (less than 5 per week), the severity is downgraded to S3. Feel free to change it back if you think the bug is still critical.

For more information, please visit auto_nag documentation.

Severity: critical → S3

Closing because no crashes reported for 12 weeks.

Status: NEW → RESOLVED
Closed: 9 months ago
Resolution: --- → WORKSFORME
You need to log in before you can comment on or make changes to this bug.