crash in js::jit::JitRuntime::patchIonBackedges(JSRuntime*, js::jit::JitRuntime::BackedgeTarget)

NEW
Unassigned

Status

()

Core
JavaScript Engine
--
critical
4 years ago
2 years ago

People

(Reporter: ashughes, Unassigned)

Tracking

({crash})

31 Branch
x86
Windows NT
crash
Points:
---

Firefox Tracking Flags

(firefox31- wontfix, firefox32 unaffected, firefox33 unaffected, firefox37 wontfix, firefox38 wontfix, firefox47 wontfix, firefox48 wontfix, firefox-esr45 wontfix)

Details

(crash signature)

(Reporter)

Description

4 years ago
This bug was filed from the Socorro interface and is 
report bp-5a610954-268a-4d61-b195-d1f2e2140701.
=============================================================
0 	mozjs.dll 	js::jit::JitRuntime::patchIonBackedges(JSRuntime *,js::jit::JitRuntime::BackedgeTarget) 	js/src/jit/Ion.cpp
1 	mozjs.dll 	js::jit::JitRuntime::ensureIonCodeAccessible(JSRuntime *) 	js/src/jit/Ion.cpp
2 	mozjs.dll 	js::jit::JitRuntime::handleAccessViolation(JSRuntime *,void *) 	js/src/jit/Ion.cpp
3 	mozjs.dll 	HandleException 	js/src/jit/AsmJSSignalHandlers.cpp
4 	mozjs.dll 	AsmJSExceptionHandler 	js/src/jit/AsmJSSignalHandlers.cpp
5 	ntdll.dll 	SHATransformP3 	
6 	ntdll.dll 	RtlDispatchException 	
7 	ntdll.dll 	KiUserExceptionDispatcher 	
8 	mozjs.dll 	js::jit::JitCode::trace(JSTracer *) 	js/src/jit/Ion.cpp
9 	xul.dll 	nsCOMPtr_base::assign_from_qi(nsQueryInterface,nsID const &) 	xpcom/glue/nsCOMPtr.cpp
10 	xul.dll 	webrtc::SplitAudioChannel::SplitAudioChannel() 	media/webrtc/trunk/webrtc/modules/audio_processing/audio_buffer.cc
11 	mozjs.dll 	js::jit::JitCode::trace(JSTracer *) 	js/src/jit/Ion.cpp
12 	ntdll.dll 	RtlpAllocateFromHeapLookaside 	
13 		@0x1181c214 	
14 		@0x7fffffff 	
15 	mozjs.dll 	GCCycle 	js/src/jsgc.cpp
16 	mozjs.dll 	Collect 	js/src/jsgc.cpp
17 	mozjs.dll 	JS::ShrinkingGC(JSRuntime *,JS::gcreason::Reason) 	js/src/jsfriendapi.cpp
18 	xul.dll 	mozilla::dom::workers::WorkerPrivate::GarbageCollectInternal(JSContext *,bool,bool) 	dom/workers/WorkerPrivate.cpp
19 	xul.dll 	`anonymous namespace'::GarbageCollectRunnable::WorkerRun(JSContext *,mozilla::dom::workers::WorkerPrivate *) 	dom/workers/WorkerPrivate.cpp
20 	xul.dll 	mozilla::dom::workers::WorkerRunnable::Run() 	dom/workers/WorkerRunnable.cpp
21 	xul.dll 	mozilla::dom::workers::WorkerPrivate::ProcessAllControlRunnablesLocked() 	dom/workers/WorkerPrivate.cpp
22 	xul.dll 	mozilla::dom::workers::WorkerPrivate::DoRunLoop(JSContext *) 	dom/workers/WorkerPrivate.cpp
23 	xul.dll 	PseudoStack::sampleRuntime(JSRuntime *) 	obj-firefox/dist/include/PseudoStack.h
24 	xul.dll 	`anonymous namespace'::WorkerThreadPrimaryRunnable::Run() 	dom/workers/RuntimeService.cpp
25 	nss3.dll 	md_UnlockAndPostNotifies 	nsprpub/pr/src/md/windows/w95cv.c
26 	mozjs.dll 	js::jit::CodeGenerator::visitCallGeneric(js::jit::LCallGeneric *) 	js/src/jit/CodeGenerator.cpp
=============================================================
More reports:
https://crash-stats.mozilla.com/report/list?product=Firefox&signature=js%3A%3Ajit%3A%3AJitRuntime%3A%3ApatchIonBackedges%28JSRuntime%2A%2C+js%3A%3Ajit%3A%3AJitRuntime%3A%3ABackedgeTarget%29

This crash appears to be spiking on Beta as of July 4. It's not currently a topcrash, however I'm reporting it due to the spike. Prior to July 4 this hovered between 0 and 7 crashes per million ADUs, now its up around 90.

I don't see a whole lot to go on in the crash reports in terms of reproducing this.
Not a top crash, not tracking for now. However, please resubmit for tracking if it comes closer to the top #10. Thanks
tracking-firefox31: ? → -
I think this is the same as bug 1035537. I saw patchIonBackedges in several stacks on that one too.

     52% (145/279) vs.   1% (1481/105725) safetynut.dll
     52% (145/279) vs.   1% (1514/105725) safetyldr.dll
     50% (140/279) vs.   1% (1523/105725) safetycrt.dll
     49% (138/279) vs.   1% (1061/105725) SafetyNutHlpFF30.dll
     47% (132/279) vs.   2% (2598/105725) Datamngr.dll
     47% (132/279) vs.   3% (2686/105725) mgrldr.dll
     87% (243/279) vs.  43% (45064/105725) atl.dll
     44% (122/279) vs.   2% (1665/105725) DatamngrHlpFF30.dll
(Reporter)

Comment 3

4 years ago
This is now the #10 topcrash in Firefox 31, but as near as I can tell this is not showing up for 32 and 33.
status-firefox32: --- → unaffected
status-firefox33: --- → unaffected
tracking-firefox31: - → ?
Keywords: topcrash-win
Except if we have a huge spike, we won't do a dot release for this bug. Please resubmit if the bug is a problem in the 31 release.
tracking-firefox31: ? → -
(Reporter)

Comment 5

3 years ago
This crash is no longer a topcrash - 52 crashes in release and 1 crash in beta reported last week. Top URL remains Facebook. Unless we have any leads as to what's causing this we should probably just close it as incomplete.
status-firefox31: affected → wontfix
status-firefox37: --- → affected
status-firefox38: --- → affected
Keywords: topcrash-win
FWIW, the drop in crash volume seems likely caused by bug 1091912 which shipped in FF36 and changed how and in what context this function is invoked.

Updated

3 years ago
Crash Signature: [@ js::jit::JitRuntime::patchIonBackedges(JSRuntime*, js::jit::JitRuntime::BackedgeTarget)] → [@ js::jit::JitRuntime::patchIonBackedges(JSRuntime*, js::jit::JitRuntime::BackedgeTarget)] [@ js::jit::JitRuntime::patchIonBackedges]
Crash volume for signature 'js::jit::JitRuntime::patchIonBackedges':
 - nightly (version 50): 0 crash from 2016-06-06.
 - aurora  (version 49): 0 crash from 2016-06-07.
 - beta    (version 48): 4 crashes from 2016-06-06.
 - release (version 47): 1 crash from 2016-05-31.
 - esr     (version 45): 60 crashes from 2016-04-07.

Crash volume on the last weeks:
             Week N-1   Week N-2   Week N-3   Week N-4   Week N-5   Week N-6   Week N-7
 - nightly          0          0          0          0          0          0          0
 - aurora           0          0          0          0          0          0          0
 - beta             0          1          0          1          0          1          1
 - release          0          1          0          0          0          0          0
 - esr             12         10          5          3          5          6          7

Affected platform: Windows
status-firefox47: --- → affected
status-firefox48: --- → affected
status-firefox-esr45: --- → affected
status-firefox37: affected → wontfix
status-firefox38: affected → wontfix
status-firefox47: affected → wontfix
status-firefox48: affected → wontfix
status-firefox-esr45: affected → wontfix
You need to log in before you can comment on or make changes to this bug.