aja+bugzilla Reporter
	Description • 15 years ago

http://crash-stats.mozilla.com/report/index/b79e0754-8d65-463c-b54a-da5c62100506

crash stats showing these began on may 4th sometime...and is now in top 20

	timeless
	Comment 1 • 15 years ago

Signature	JSObject::getSlot(unsigned int)
UUID	b79e0754-8d65-463c-b54a-da5c62100506
Time 	2010-05-06 18:08:07.619756
Uptime	11135
Last Crash	3878863 seconds before submission
Product	Firefox
Version	3.7a5pre
Build ID	20100506040636
Branch	1.9.3
OS	Windows NT
OS Version	5.1.2600 Service Pack 3
CPU	x86
CPU Info	GenuineIntel family 15 model 1 stepping 2
Crash Reason	EXCEPTION_ACCESS_VIOLATION
Crash Address	0xffffffffffffffe8
User Comments	
Crashing Thread
Frame 	Module 	Signature [Expand] 	Source
0 	mozjs.dll 	JSObject::getSlot 	js/src/jsobj.h:310
1 	mozjs.dll 	JSScope::methodWriteBarrier 	js/src/jsscopeinlines.h:152
2 	mozjs.dll 	js_DefineNativeProperty 	
3 	mozjs.dll 	js_DefineProperty 	js/src/jsobj.cpp:4096
4 	mozjs.dll 	JS_DefinePropertyById 	js/src/jsapi.cpp:2958
5 	xul.dll 	DefinePropertyIfFound 	js/src/xpconnect/src/xpcwrappednativejsops.cpp:534
6 	xul.dll 	XPC_WN_NoHelper_Resolve 	js/src/xpconnect/src/xpcwrappednativejsops.cpp:805
7 	mozjs.dll 	js_LookupPropertyWithFlags 	js/src/jsobj.cpp:4406

	aja+bugzilla Reporter
	Comment 2 • 15 years ago

Guessing this began with t-m -> m-c merge on 4th:
http://hg.mozilla.org/mozilla-central/rev/13bcf4386e12

	Jim Jeffery not reading bug-mail 1/2/11
	Comment 3 • 15 years ago

Crashed again today, while I was doing nothing..

http://crash-stats.mozilla.com/report/index/bp-a207082d-7d05-4663-8752-68e812100509

	Jim Jeffery not reading bug-mail 1/2/11
	Comment 4 • 15 years ago

Another crash, this time within approx 5 mins after watching a 45min movie on Hulu.  Wonder - could be related to some sort of cycle-collection/garbage-collection maybe: 

http://crash-stats.mozilla.com/report/index/bp-034c735a-5eb0-4d62-94f4-47cb52100509

	Mycroft Project (CC)
	Comment 5 • 15 years ago

topcrash?
active in latest nightly, hitting this frequently

	jayram
	Comment 7 • 15 years ago

http://crash-stats.mozilla.com/report/index/47f54b16-34ff-4ed8-98ff-52a052100509

	timeless
	Comment 8 • 15 years ago

I haven't run this through tests and am not quite sure about the context, locking rules, or fallbacks. But I think this is along the right lines.

since this is jorendorff's code, i'm tossing this to him, if he doesn't like it, he's welcome to take the bug.

	Danial Horton
	Comment 9 • 15 years ago

this crash is occuring much more while my net is capped and there are pages taking longer than usual to load fully.

	Jason Orendorff [:jorendorff] Assignee
	Comment 10 • 15 years ago

BEGIN_TEST(testDefineProperty_bug564344)
{
    jsvalRoot x(cx);
    EVAL("function f() {}\n"
	 "var x = {p: f};\n"
	 "x.p();  // brand x's scope\n"
	 "x;", x.addr());

    JSObject *obj = JSVAL_TO_OBJECT(x.value());
    for (int i = 0; i < 2; i++)
	CHECK(JS_DefineProperty(cx, obj, "q", JSVAL_VOID, NULL, NULL, JSPROP_SHARED));
    return true;
}
END_TEST(testDefineProperty_bug564344)

Assertion failure: slot < (this)->scope()->freeslot, at ../jsscope.h:563

	Jason Orendorff [:jorendorff] Assignee
	Comment 11 • 15 years ago

Comment on attachment 444370 [details] [diff] [review]
proposal

Thanks for bothering to patch, but this isn't what we want.

	Jason Orendorff [:jorendorff] Assignee
	Comment 12 • 15 years ago

My mistake.

	Jason Orendorff [:jorendorff] Assignee
	Comment 13 • 15 years ago

Carrying forward brendan's r+.

v1 had some tab characters in it -- oops. Here's the patch with that fixed and a nice commit message, suitable for hg import or whatever, in case someone wants to push this tonight. It can go into either m-c or tracemonkey. I consider the change very safe.

	Robert Sayre
	Comment 14 • 15 years ago

http://hg.mozilla.org/tracemonkey/rev/9adaee06f256

	David Baron :dbaron:
	Comment 16 • 15 years ago

I transplanted the above changeset to mozilla-central:
http://hg.mozilla.org/mozilla-central/rev/94591caa7f0c