1035534 - crash in js::jit::JitRuntime::patchIonBackedges(JSRuntime*, js::jit::JitRuntime::BackedgeTarget)

Status: RESOLVED WORKSFORME

(Core :: JavaScript Engine, defect)

Description

[u279076]

This bug was filed from the Socorro interface and is 
report bp-5a610954-268a-4d61-b195-d1f2e2140701.
=============================================================
0 	mozjs.dll 	js::jit::JitRuntime::patchIonBackedges(JSRuntime *,js::jit::JitRuntime::BackedgeTarget) 	js/src/jit/Ion.cpp
1 	mozjs.dll 	js::jit::JitRuntime::ensureIonCodeAccessible(JSRuntime *) 	js/src/jit/Ion.cpp
2 	mozjs.dll 	js::jit::JitRuntime::handleAccessViolation(JSRuntime *,void *) 	js/src/jit/Ion.cpp
3 	mozjs.dll 	HandleException 	js/src/jit/AsmJSSignalHandlers.cpp
4 	mozjs.dll 	AsmJSExceptionHandler 	js/src/jit/AsmJSSignalHandlers.cpp
5 	ntdll.dll 	SHATransformP3 	
6 	ntdll.dll 	RtlDispatchException 	
7 	ntdll.dll 	KiUserExceptionDispatcher 	
8 	mozjs.dll 	js::jit::JitCode::trace(JSTracer *) 	js/src/jit/Ion.cpp
9 	xul.dll 	nsCOMPtr_base::assign_from_qi(nsQueryInterface,nsID const &) 	xpcom/glue/nsCOMPtr.cpp
10 	xul.dll 	webrtc::SplitAudioChannel::SplitAudioChannel() 	media/webrtc/trunk/webrtc/modules/audio_processing/audio_buffer.cc
11 	mozjs.dll 	js::jit::JitCode::trace(JSTracer *) 	js/src/jit/Ion.cpp
12 	ntdll.dll 	RtlpAllocateFromHeapLookaside 	
13 		@0x1181c214 	
14 		@0x7fffffff 	
15 	mozjs.dll 	GCCycle 	js/src/jsgc.cpp
16 	mozjs.dll 	Collect 	js/src/jsgc.cpp
17 	mozjs.dll 	JS::ShrinkingGC(JSRuntime *,JS::gcreason::Reason) 	js/src/jsfriendapi.cpp
18 	xul.dll 	mozilla::dom::workers::WorkerPrivate::GarbageCollectInternal(JSContext *,bool,bool) 	dom/workers/WorkerPrivate.cpp
19 	xul.dll 	`anonymous namespace'::GarbageCollectRunnable::WorkerRun(JSContext *,mozilla::dom::workers::WorkerPrivate *) 	dom/workers/WorkerPrivate.cpp
20 	xul.dll 	mozilla::dom::workers::WorkerRunnable::Run() 	dom/workers/WorkerRunnable.cpp
21 	xul.dll 	mozilla::dom::workers::WorkerPrivate::ProcessAllControlRunnablesLocked() 	dom/workers/WorkerPrivate.cpp
22 	xul.dll 	mozilla::dom::workers::WorkerPrivate::DoRunLoop(JSContext *) 	dom/workers/WorkerPrivate.cpp
23 	xul.dll 	PseudoStack::sampleRuntime(JSRuntime *) 	obj-firefox/dist/include/PseudoStack.h
24 	xul.dll 	`anonymous namespace'::WorkerThreadPrimaryRunnable::Run() 	dom/workers/RuntimeService.cpp
25 	nss3.dll 	md_UnlockAndPostNotifies 	nsprpub/pr/src/md/windows/w95cv.c
26 	mozjs.dll 	js::jit::CodeGenerator::visitCallGeneric(js::jit::LCallGeneric *) 	js/src/jit/CodeGenerator.cpp
=============================================================
More reports:
https://crash-stats.mozilla.com/report/list?product=Firefox&signature=js%3A%3Ajit%3A%3AJitRuntime%3A%3ApatchIonBackedges%28JSRuntime%2A%2C+js%3A%3Ajit%3A%3AJitRuntime%3A%3ABackedgeTarget%29

This crash appears to be spiking on Beta as of July 4. It's not currently a topcrash, however I'm reporting it due to the spike. Prior to July 4 this hovered between 0 and 7 crashes per million ADUs, now its up around 90.

I don't see a whole lot to go on in the crash reports in terms of reproducing this.

Comment 1

[Sylvestre Ledru [:Sylvestre]]

Not a top crash, not tracking for now. However, please resubmit for tracking if it comes closer to the top #10. Thanks

Comment 2

[(Away)]

I think this is the same as bug 1035537. I saw patchIonBackedges in several stacks on that one too.

     52% (145/279) vs.   1% (1481/105725) safetynut.dll
     52% (145/279) vs.   1% (1514/105725) safetyldr.dll
     50% (140/279) vs.   1% (1523/105725) safetycrt.dll
     49% (138/279) vs.   1% (1061/105725) SafetyNutHlpFF30.dll
     47% (132/279) vs.   2% (2598/105725) Datamngr.dll
     47% (132/279) vs.   3% (2686/105725) mgrldr.dll
     87% (243/279) vs.  43% (45064/105725) atl.dll
     44% (122/279) vs.   2% (1665/105725) DatamngrHlpFF30.dll

Comment 3

[u279076]

This is now the #10 topcrash in Firefox 31, but as near as I can tell this is not showing up for 32 and 33.

Comment 4

[Sylvestre Ledru [:Sylvestre]]

Except if we have a huge spike, we won't do a dot release for this bug. Please resubmit if the bug is a problem in the 31 release.

Comment 5

[u279076]

This crash is no longer a topcrash - 52 crashes in release and 1 crash in beta reported last week. Top URL remains Facebook. Unless we have any leads as to what's causing this we should probably just close it as incomplete.

Comment 6

[Luke Wagner [:luke]]

FWIW, the drop in crash volume seems likely caused by bug 1091912 which shipped in FF36 and changed how and in what context this function is invoked.

Comment 7

[BugBot [:suhaib / :marco/ :calixte]]

Crash volume for signature 'js::jit::JitRuntime::patchIonBackedges':
 - nightly (version 50): 0 crash from 2016-06-06.
 - aurora  (version 49): 0 crash from 2016-06-07.
 - beta    (version 48): 4 crashes from 2016-06-06.
 - release (version 47): 1 crash from 2016-05-31.
 - esr     (version 45): 60 crashes from 2016-04-07.

Crash volume on the last weeks:
             Week N-1   Week N-2   Week N-3   Week N-4   Week N-5   Week N-6   Week N-7
 - nightly          0          0          0          0          0          0          0
 - aurora           0          0          0          0          0          0          0
 - beta             0          1          0          1          0          1          1
 - release          0          1          0          0          0          0          0
 - esr             12         10          5          3          5          6          7

Affected platform: Windows

Comment 8

[BugBot [:suhaib / :marco/ :calixte]]

Closing because no crashes reported for 12 weeks.

Comment 9

[BugBot [:suhaib / :marco/ :calixte]]

Bugbug thinks this bug is a regression, but please revert this change in case of error.