Closed Bug 1274625 Opened 8 years ago Closed 6 months ago

Crash in js::jit::JitCode::copyFrom

Categories

(Core :: JavaScript Engine: JIT, defect)

x86
Windows 7
defect

Tracking

RESOLVED WORKSFORME
Tracking Status
firefox47 --- affected
firefox48 --- affected
firefox49 --- affected
firefox-esr45 --- affected
firefox50 --- affected
firefox51 --- affected
firefox52 --- wontfix
firefox53 --- affected

People

(Reporter: mccr8, Unassigned)

References

(Blocks 1 open bug)

Details

(Keywords: crash)

Crash Data

This bug was filed from the Socorro interface and is 
report bp-7bcbe438-97eb-4dbf-955f-5edd82160519.
=============================================================

#7 Windows Nightly crash for 05-18, with 12 crashes. All from a single install time. This signature does have crashes in other channels.
nbp, any ideas?
Flags: needinfo?(nicolas.b.pierron)
Looking at the source, …

This is not a logical issue; the backward offset is valid, as we reserved space ahead to be able to address below.

The result pointer from the newCode function is owned by the JitCode as soon as it is created, and there is no other allocation which might cause it to be reclaimed. The ExecutablePool cannot be freed without an explicit call to the "release" function, which is made only if the JitCode allocation fails.

I do not see how this issue can happen.
Flags: needinfo?(nicolas.b.pierron)
Crash volume for signature 'js::jit::JitCode::copyFrom':
 - nightly(version 50):0 crashes from 2016-06-06.
 - aurora (version 49):6 crashes from 2016-06-07.
 - beta   (version 48):676 crashes from 2016-06-06.
 - release(version 47):1943 crashes from 2016-05-31.
 - esr    (version 45):7 crashes from 2016-04-07.

Crash volume on the last weeks:
            W. N-1  W. N-2  W. N-3  W. N-4  W. N-5  W. N-6  W. N-7
 - nightly       0       0       0       0       0       0       0
 - aurora        0       0       2       0       1       1       2
 - beta         77     104     129      84      81      99      77
 - release     252     283     287     207     262     266     280
 - esr           1       0       1       0       1       1       1

Affected platform: Windows
Crash volume for signature 'js::jit::JitCode::copyFrom':
 - nightly (version 51): 1 crash from 2016-08-01.
 - aurora  (version 50): 3 crashes from 2016-08-01.
 - beta    (version 49): 234 crashes from 2016-08-02.
 - release (version 48): 188 crashes from 2016-07-25.
 - esr     (version 45): 7 crashes from 2016-05-02.

Crash volume on the last weeks (Week N is from 08-22 to 08-28):
            W. N-1  W. N-2  W. N-3
 - nightly       1       0       0
 - aurora        0       1       1
 - beta         99      71      17
 - release      53      53      37
 - esr           0       0       2

Affected platform: Windows

Crash rank on the last 7 days:
           Browser   Content     Plugin
 - nightly           #546
 - aurora  #1362
 - beta    #169      #1155
 - release #311
 - esr
Bugzilla Socorro Lens highlights[1] that this signature spiked between:
 - March 14 - 19
 - ~April 7
 - May 5 - now (and remains stable)

Do we have any patches matching these spikes?
Or would these crashes be related to some external website on which this issue can be reproduced?

[1] https://ashughes1.github.io/bugzilla-socorro-lens/chart.htm?s=js::jit::JitCode::copyFrom
Crash volume for signature 'js::jit::JitCode::copyFrom':
 - nightly (version 54): 0 crashes from 2017-01-23.
 - aurora  (version 53): 1 crash from 2017-01-23.
 - beta    (version 52): 93 crashes from 2017-01-23.
 - release (version 51): 308 crashes from 2017-01-16.
 - esr     (version 45): 22 crashes from 2016-08-10.

Crash volume on the last weeks (Week N is from 02-06 to 02-12):
            W. N-1  W. N-2  W. N-3  W. N-4  W. N-5  W. N-6  W. N-7
 - nightly       0       0
 - aurora        0       0
 - beta         39      37
 - release     181      58       0
 - esr           0       2       3       0       3       0       1

Affected platforms: Windows, Mac OS X, Linux

Crash rank on the last 7 days:
           Browser   Content   Plugin
 - nightly
 - aurora  #1302
 - beta    #264      #594
 - release #265      #536
 - esr     #4163
Too late for firefox 52, mass-wontfix.
QA Whiteboard: qa-not-actionable

Since the crash volume is low (less than 5 per week), the severity is downgraded to S3. Feel free to change it back if you think the bug is still critical.

For more information, please visit auto_nag documentation.

Severity: critical → S3

Closing because no crashes reported for 12 weeks.

Status: NEW → RESOLVED
Closed: 6 months ago
Resolution: --- → WORKSFORME