Closed Bug 1426173 Opened 7 years ago Closed 7 years ago

Crash in <name omitted> | decltype JS::DispatchTraceKindTyped<T>

Categories

(Core :: JavaScript: GC, defect, P5)

Product:
Core
Component:
JavaScript: GC
Version:
59 Branch
Platform:
Unspecified
macOS
Type:
defect

Tracking

()

Status:
RESOLVED WONTFIX
Tracking Flags:
Tracking Status
firefox59 --- affected

People

(Reporter: sphilp, Unassigned)

References

(Blocks 1 open bug)

Details

(Keywords: crash)

Crash Data

This bug was filed from the Socorro interface and is report bp-28e59016-5387-4057-b919-ce8b60171219. ============================================================= Top 10 frames of crashing thread: 0 XUL <name omitted> js/public/HeapAPI.h:187 1 XUL decltype js/src/jsgc.cpp:3679 2 XUL JS::GCHashMap<js::gc::Cell*, unsigned long long, js::PointerHasher<js::gc::Cell*>, js::SystemAllocPolicy, js::gc::UniqueIdGCPolicy>::sweep js/src/jsgc.cpp:3690 3 XUL SweepUniqueIds js/src/jsgc.cpp:3696 4 XUL js::GCParallelTask::runFromHelperThread js/src/vm/HelperThreads.cpp:1496 5 XUL js::HelperThread::threadLoop js/src/vm/HelperThreads.cpp:1528 6 XUL js::detail::ThreadTrampoline<void js/src/threading/Thread.h:242 7 libsystem_pthread.dylib _pthread_body 8 libsystem_pthread.dylib _pthread_start 9 libsystem_pthread.dylib thread_start =============================================================
Looks like UAF sweeping the unique ID map. There are only 8 instances of this crash though.
Priority: -- → P5
Blocks: GCCrashes
Closing because no crash reported since 12 weeks.
Status: NEW → RESOLVED
Closed: 7 years ago
Resolution: --- → WONTFIX
Closing because no crash reported since 12 weeks.
You need to log in before you can comment on or make changes to this bug.