Closed Bug 1430972 Opened 7 years ago Closed 4 years ago

Crash in js::TypeSet::GetValueType

Categories

(Core :: JavaScript Engine, defect, P3)

Unspecified
Windows 10
defect

Tracking

RESOLVED INVALID
Tracking Status
firefox60 --- affected

People

(Reporter: ting, Unassigned)

References

Details

(Keywords: crash)

Crash Data

This bug was filed from the Socorro interface and is report bp-d8ad047b-9d34-4859-8712-fc53e0180116.
=============================================================
Top 4 frames of crashing thread:

0 xul.dll js::TypeSet::GetValueType js/src/vm/TypeInference-inl.h:184
1 xul.dll js::TypeScript::Monitor js/src/vm/TypeInference-inl.h:607
2 xul.dll js::jit::DoTypeMonitorFallback js/src/jit/SharedIC.cpp:2445
3 @0x315d7cb6da8
=============================================================

Top #12 of Nightly 20180114220708 on Windows, 3 crashes from 2 installations. There are 13 reports from Nightly in the past week.
The stack of bp-d8ad047b-9d34-4859-8712-fc53e0180116 in WinDbg:

0:000> k
 *** Stack trace for last set context - .thread/.cxr resets it
 # Child-SP          RetAddr           Call Site
00 (Inline Function) --------`-------- xul!js::ObjectGroup::singleton+0x3 [z:\build\build\src\js\src\vm\objectgroup.h @ 125]
01 (Inline Function) --------`-------- xul!JSObject::isSingleton+0x3 [z:\build\build\src\js\src\jsobj.h @ 136]
02 (Inline Function) --------`-------- xul!js::TypeSet::ObjectType+0x3 [z:\build\build\src\js\src\vm\typeinference-inl.h @ 159]
03 000000ba`a97f8348 00007ffc`127c7f7f xul!js::TypeSet::GetValueType+0x41 [z:\build\build\src\js\src\vm\typeinference-inl.h @ 184]
04 000000ba`a97f8350 00007ffc`12d45c66 xul!js::TypeScript::Monitor+0x2f [z:\build\build\src\js\src\vm\typeinference-inl.h @ 608]
05 000000ba`a97f8390 00000315`d7cb6da9 xul!js::jit::DoTypeMonitorFallback+0xc6 [z:\build\build\src\js\src\jit\sharedic.cpp @ 2448]
06 000000ba`a97f83e0 4b4b4b4b`4b4b4b4b 0x00000315`d7cb6da9
07 000000ba`a97f83e8 000000ba`a97f8498 0x4b4b4b4b`4b4b4b4b
08 000000ba`a97f83f0 00000315`d7ef1d37 0x000000ba`a97f8498
09 000000ba`a97f83f8 00000000`00000000 0x00000315`d7ef1d37

Looks like the pointer group_ is invalid (rdx=0x4b4b4b4b4b4b4b4b):

xul!js::TypeSet::GetValueType:
...
00007ffc`127c80de 488b10          mov     rdx,qword ptr [rax]
00007ffc`127c80e1 f6421802        test    byte ptr [rdx+18h],2   // invalid access here
Not sure whom to ask, but do you have any ideas?
Flags: needinfo?(bhackett1024)
0x4B is one of the patterns used for things that have been swept by the GC. GetValueType is dereferencing the object passed in to see what type it needs to use for the object, and in this case that object pointer is invalid. GC related corruption like this could have many different root causes, so without a blame cset or STR I don't think this is actionable.
Flags: needinfo?(bhackett1024)
Status: NEW → UNCONFIRMED
Has STR: --- → no
Ever confirmed: false
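As an added illustration (not code from this bug or from SpiderMonkey), the following C program mirrors the diagnostic in the comment above: swept cells are overwritten with the 0x4B poison byte the comment mentions, and a pointer-sized word made entirely of that byte (what the WinDbg session showed in rdx) is recognised as a use-after-sweep and reported instead of being dereferenced. The `Cell` and `Group` structs, `sweep_cell` and `read_group_flags` are constructed for the example and are not the engine's own types or functions; a real GC's cell layout and poisoning scheme differ.

```c
#include <stdint.h>
#include <stdio.h>
#include <string.h>

/* Poison byte written over swept cells. The value 0x4B comes from the
 * comment above; everything else in this file is a constructed example. */
#define SWEEP_POISON 0x4Bu

/* Return 1 if every byte of the pointer-sized word equals the poison byte.
 * This is the check the debugger session did by eye: rdx=0x4b4b4b4b4b4b4b4b. */
int word_is_poison(uintptr_t word, uint8_t poison) {
    for (size_t i = 0; i < sizeof word; i++) {
        if (((word >> (8 * i)) & 0xFFu) != poison) return 0;
    }
    return 1;
}

/* Toy cell shape modelled loosely on the object -> group -> flags walk in
 * the crashing frames. Constructed types, not SpiderMonkey's. */
typedef struct Group { uint32_t flags; } Group;
typedef struct Cell  { Group *group; uint64_t payload; } Cell;

/* Sweep: rather than handing memory straight back, overwrite the whole cell
 * with the poison pattern so a later stale read is recognisable. */
void sweep_cell(Cell *c) {
    memset(c, SWEEP_POISON, sizeof *c);
}

/* Defensive read of the group flags: inspects the pointer bits before
 * following them and refuses a poisoned value instead of faulting on the
 * equivalent of "test byte ptr [rdx+18h],2".  Returns 0 on success,
 * -1 if the cell looks swept. */
int read_group_flags(const Cell *c, uint32_t *out) {
    uintptr_t g;
    memcpy(&g, &c->group, sizeof g);          /* read the raw pointer bits */
    if (word_is_poison(g, SWEEP_POISON)) return -1; /* use-after-sweep */
    *out = c->group->flags;
    return 0;
}

/* Walk the scenario: a live cell reads fine, the same cell after sweeping
 * is detected as poisoned.  Returns 0 when both steps behave as expected. */
int demo(void) {
    Group grp = { .flags = 2 };
    Cell cell = { .group = &grp, .payload = 42 };
    uint32_t flags = 0;

    if (read_group_flags(&cell, &flags) != 0 || flags != 2) return 1;

    sweep_cell(&cell);
    if (read_group_flags(&cell, &flags) != -1) return 2;   /* must be caught */
    return 0;
}

int main(void) {
    int rc = demo();
    puts(rc == 0 ? "stale pointer into swept cell detected" : "unexpected result");
    return rc;
}
```

In a debugger the same test is a one-liner on the faulting register; in an engine it is the kind of assertion that turns a silent corruption into a loud, attributable failure, which is exactly what the comment says the signature is missing.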
I would guess the signature "[@ js::TypeSet::GetValueType ]" sweeps up basically all of a particular flavor of JS-heap memory corruption. It went from 0 straight to hundreds of reports per day. Started the same day as bug 1429552. "Actionable" is always relative to the size of the problem. What are the options? What can we do to make this kind of thing more actionable in the future?
Flags: needinfo?(jcoppeard)
Priority: -- → P3

(In reply to Jason Orendorff [:jorendorff] from comment #4)

> I would guess the signature "[@ js::TypeSet::GetValueType ]" sweeps up
> basically all of a particular flavor of JS-heap memory corruption. It went
> from 0 straight to hundreds of reports per day.
>
> Started the same day as bug 1429552.

Bug 1429552 was duped to bug 1400641 - Crash in FinalizeTypedArenas<T>.

Perhaps this bug should be duped to it?
Or just close it out, given the crash rate is basically zero after version 62 - https://crash-stats.mozilla.org/signature/?signature=js%3A%3ATypeSet%3A%3AGetValueType&date=%3E%3D2020-07-05T07%3A49%3A00.000Z&date=%3C2021-01-05T07%3A49%3A00.000Z&_columns=date&_columns=product&_columns=version&_columns=build_id&_columns=platform&_columns=reason&_columns=address&_columns=install_time&_columns=startup_crash&_sort=-date&page=1#summary

> "Actionable" is always relative to the size of the problem.

Size is virtually zero for current versions.

> What are the options? What can we do to make this kind of thing more actionable in the future?

Signature no longer exists.

Status: UNCONFIRMED → RESOLVED
Closed: 4 years ago
Flags: needinfo?(jcoppeard)
Resolution: --- → INVALID