Closed Bug 1089652 Opened 10 years ago Closed 3 years ago

crash in js::jit::OutOfLineCode::bind(js::jit::MacroAssembler*)

Categories

(Core :: JavaScript Engine, defect)

33 Branch
All
macOS
defect
Not set
critical

Tracking

RESOLVED WORKSFORME
Tracking Status
firefox48 --- affected

People

(Reporter: csuciu, Unassigned)

Details

(Keywords: crash)

Crash Data

This bug was filed from the Socorro interface and is 
report bp-24a80c6e-e456-44ce-b86d-27af52141027.
=============================================================

Steps:
1. Go to https://www.google.com/maps/
2. Explore the map (zoom, pan)

Result:
After a while (~5 minutes), Firefox will crash.

Frame 	Module 	Signature 	Source
0 	XUL 	js::jit::OutOfLineCode::bind(js::jit::MacroAssembler*) 	js/src/assembler/assembler/X86Assembler.h
1 	XUL 	js::jit::CodeGeneratorShared::generateOutOfLineCode() 	js/src/jit/shared/CodeGenerator-shared.cpp
2 	XUL 	js::jit::CodeGeneratorX86Shared::generateOutOfLineCode() 	js/src/jit/shared/CodeGenerator-x86-shared.cpp
3 	XUL 	js::jit::CodeGenerator::generate() 	js/src/jit/CodeGenerator.cpp
4 	XUL 	js::jit::GenerateCode(js::jit::MIRGenerator*, js::jit::LIRGraph*) 	js/src/jit/Ion.cpp
5 	XUL 	js::HelperThread::handleIonWorkload() 	js/src/vm/HelperThreads.cpp
6 	XUL 	js::HelperThread::threadLoop() 	js/src/vm/HelperThreads.cpp
7 	libnss3.dylib 	_pt_root 	nsprpub/pr/src/pthreads/ptthread.c
Ø 8 	libsystem_pthread.dylib 	libsystem_pthread.dylib@0x1898 	
Ø 9 	libsystem_pthread.dylib 	libsystem_pthread.dylib@0x1729 	
Ø 10 	libsystem_pthread.dylib 	libsystem_pthread.dylib@0x5fc8 	
11 	libnss3.dylib 	libnss3.dylib@0x1185bf
I tried for a while to reproduce this issue by going on Google Maps from my Linux laptop, but I failed to reproduce it. I tried to change my user agent so that it appears to be running on Mac OS X, but I still cannot reproduce this issue.

Crash Signature: [@ js::jit::OutOfLineCode::bind(js::jit::MacroAssembler*)] → [@ js::jit::OutOfLineCode::bind(js::jit::MacroAssembler*)] [@ js::jit::OutOfLineCode::bind]
Crash volume for signature 'js::jit::OutOfLineCode::bind':
 - nightly (version 50): 0 crashes from 2016-06-06.
 - aurora  (version 49): 0 crashes from 2016-06-07.
 - beta    (version 48): 4 crashes from 2016-06-06.
 - release (version 47): 574 crashes from 2016-05-31.
 - esr     (version 45): 0 crashes from 2016-04-07.

Crash volume on the last weeks:
            W. N-1  W. N-2  W. N-3  W. N-4  W. N-5  W. N-6  W. N-7
 - nightly       0       0       0       0       0       0       0
 - aurora        0       0       0       0       0       0       0
 - beta          0       1       0       0       2       1       0
 - release      65      93      79      79      79      63      82
 - esr           0       0       0       0       0       0       0

Affected platform: Windows

Following the reporter's steps I am able to confirm that the issue doesn't happen anymore on MacOS 10.15 on any of the current versions of Firefox Nightly 87.0a1 (2021-02-04), beta 86.0b6 and release 85.0.

Closing this issue as Resolved > Worksforme.
Feel free to re-open or file a new bug if this issue reoccurs again.

Status: NEW → RESOLVED
Closed: 3 years ago
Resolution: --- → WORKSFORME