Closed Bug 995982 Opened 11 years ago Closed 11 years ago

crash in `anonymous namespace''::TypedArrayObjectTemplate<unsigned char>::fromArray(JSContext*, JS::Handle<JSObject*>)

Categories

(Core :: JavaScript Engine, defect, P1)

31 Branch
defect

RESOLVED DUPLICATE of bug 993768
Tracking Status
firefox31 - affected

People

(Reporter: lizzard, Assigned: bhackett1024)

Details

(Keywords: crash, regression)

Attachments

(1 file, 2 obsolete files)

This bug was filed from the Socorro interface and is report bp-24b339d9-e3f8-4aa7-9d88-cab242140413.
=============================================================

This crash signature first appeared on 3-11-2014 on Firefox 31.0a1 and caused 56 out of 11686 crashes in the last 7 days.

More reports: https://crash-stats.mozilla.com/report/list?product=Firefox&range_value=7&range_unit=days&date=2014-04-14&signature=%60anonymous+namespace%27%27%3A%3ATypedArrayObjectTemplate%3Cunsigned+char%3E%3A%3AfromArray%28JSContext*%2C+JS%3A%3AHandle%3CJSObject*%3E%29&version=Firefox%3A31.0a1#tab-reports

A similar crash started showing up on 31.0a1, with 96 out of 11686 crashes in the last 7 days.
https://crash-stats.mozilla.com/report/list?product=Firefox&range_value=7&range_unit=days&date=2014-04-14&signature=%60anonymous+namespace%27%27%3A%3ATypedArrayObjectTemplate%3Cunsigned+char%3E%3A%3AcopyFromArray%28JSContext%2A%2C+JS%3A%3AHandle%3CJSObject%2A%3E%2C+JS%3A%3AHandle%3CJSObject%2A%3E%2C+unsigned+int%2C+unsigned+int%29&version=Firefox%3A31.0a1

From the URLs reported they look related to pdf.js.

stack:
0 @0xd31b6ea
1 mozjs.dll `anonymous namespace'::TypedArrayObjectTemplate<unsigned char>::fromArray(JSContext *,JS::Handle<JSObject *>) js/src/vm/TypedArrayObject.cpp
2 mozjs.dll `anonymous namespace'::TypedArrayObjectTemplate<unsigned char>::create(JSContext *,JS::CallArgs const &) js/src/vm/TypedArrayObject.cpp
3 mozjs.dll js::jit::OperatorIn(JSContext *,JS::Handle<JS::Value>,JS::Handle<JSObject *>,bool *) js/src/jit/VMFunctions.cpp

URLs:
6 http://www.pm.ma.gov.br/bg/Boletins%20de%20Inclus%C3%A3o/ADIT%20BG%20010%20DE...
5 http://www.math.uwaterloo.ca/~mscott/euler.htm
5 http://www.physics.umd.edu/courses/Phys260/ji/HW9.PDF
4 https://blackboard.louisville.edu/bbcswebdav/pid-7559315-dt-content-rid-11806...
4 http://www.math.uwaterloo.ca/%7Emscott/138_Week7.pdf
4 http://www.balcescucj.ro/onf/files/comisia_centrala.pdf
3 http://www.fireye.com/Documents/C400.pdf

Last good nightly: 2014-04-07
First bad nightly: 2014-04-08
Pushlog: https://hg.mozilla.org/mozilla-central/pushloghtml?fromchange=5405d6f4e3c6&tochange=8883360b1edb
bhackett, maybe this is related to your changes?
Flags: needinfo?(sphink)
Flags: needinfo?(bhackett1024)
Backing out the following solved the issue: d5b0e9e6a849 Brian Hackett — Bug 987508 - Create array buffers lazily for small typed arrays, r=sfink.
Blocks: 987508
Component: PDF Viewer → JavaScript Engine
OS: Windows NT → All
Product: Firefox → Core
Hardware: x86 → All
Version: unspecified → 31 Branch
Assignee: nobody → bhackett1024
Priority: -- → P1
Attached patch patch (obsolete) (deleted) — Splinter Review
This fixes the crash for me. When allocating typed array objects in the nursery, forwarding pointers weren't being set up properly.
Attachment #8406546 - Flags: review?(sphink)
Flags: needinfo?(bhackett1024)
Wow, that was fast! You are all awesome!
Attached patch updated (obsolete) (deleted) — Splinter Review
Fix for the last patch: we need to make sure there is space available to store the forwarding pointer.
Attachment #8406546 - Attachment is obsolete: true
Attachment #8406546 - Flags: review?(sphink)
Attachment #8406949 - Flags: review?(sphink)
Attachment #8406949 - Flags: review?(sphink) → review+
Attached patch rebased (deleted) — Splinter Review
Updated/rebased patch, also fixes dumb Max/Min confusion.
Attachment #8406949 - Attachment is obsolete: true
Attachment #8411215 - Flags: review+
Keywords: checkin-needed
https://hg.mozilla.org/integration/mozilla-inbound/rev/208bcb7879c0 *Please* make sure your patches include commit information when requesting checkin.
Keywords: checkin-needed
I had to back this out in http://hg.mozilla.org/integration/mozilla-inbound/rev/2e62324ea929 for assertions in mochitest-1 runs:
https://tbpl.mozilla.org/php/getParsedLog.php?id=38350366&tree=Mozilla-Inbound

Assertion failure: isInside(oldData) == (oldData == src->fixedData(TypedArrayObject::FIXED_DATA_START)), at c:\builds\moz2_slave\m-in-w32-d-0000000000000000000\build\js\src\gc/Nursery.cpp:577
TEST-UNEXPECTED-FAIL | /tests/content/media/webaudio/test/test_bug867174.html | application terminated with exit code 2147483651
PROCESS-CRASH | /tests/content/media/webaudio/test/test_bug867174.html | application crashed [@ js::Nursery::moveObjectToTenured(JSObject *,JSObject *,js::gc::AllocKind)]
Return code: 1
Flags: needinfo?(bhackett1024)
It looks like Jon Coppeard fixed this in bug 993768. This patch had yet another dumb confusion (src/dst) that caused the assertion failure.
Flags: needinfo?(bhackett1024)
Brian, reading your comment 11, I am not sure what you mean. Is that bug fixed by bug 993768 or the failure which caused the backout?
Flags: needinfo?(bhackett1024)
(In reply to Sylvestre Ledru [:sylvestre] from comment #12)
> Brian, reading your comment 11, I am not sure what you mean. Is that bug
> fixed by bug 993768 or the failure which caused the backout?

Bug 993768 fixed this bug.
Flags: needinfo?(bhackett1024)
Status: NEW → RESOLVED
Closed: 11 years ago
Resolution: --- → DUPLICATE
Flags: needinfo?(sphink)