Closed
Bug 1218925
Opened 9 years ago
Closed 2 years ago
crash in js::jit::CodeGenerator::generateBody
Categories
(Core :: JavaScript Engine: JIT, defect, P3)
Tracking
()
RESOLVED
INCOMPLETE
| Tracking | Status | |
|---|---|---|
| firefox43 | + | wontfix |
| firefox44 | + | wontfix |
| firefox45 | --- | wontfix |
| firefox46 | --- | wontfix |
| firefox47 | --- | wontfix |
| firefox48 | --- | wontfix |
| firefox49 | --- | wontfix |
| firefox-esr45 | --- | wontfix |
| firefox50 | --- | wontfix |
| firefox51 | --- | wontfix |
| firefox52 | --- | wontfix |
| firefox-esr102 | --- | wontfix |
| firefox110 | --- | wontfix |
People
(Reporter: lizzard, Unassigned)
References
(Blocks 1 open bug)
Details
(Keywords: crash)
Crash Data
This bug was filed from the Socorro interface and is
report bp-3fdf72fd-56d4-4866-a243-14bbb2151026.
=============================================================
This is currently the #2 topcrash in 43.0a2 and it's usually a startup crash.
Crashing thread:
0 xul.dll js::jit::CodeGenerator::generateBody() js/src/jit/CodeGenerator.cpp
1 xul.dll js::jit::CodeGenerator::generateBody() js/src/jit/CodeGenerator.cpp
2 xul.dll js::jit::CodeGenerator::generate() js/src/jit/CodeGenerator.cpp
3 xul.dll js::jit::GenerateCode(js::jit::MIRGenerator*, js::jit::LIRGraph*) js/src/jit/Ion.cpp
4 xul.dll js::HelperThread::threadLoop() js/src/vm/HelperThreads.cpp
|
||
Comment 1•9 years ago
|
||
Looking at a few crashes, it looks like either we get a corrupted pointer to a LIR instruction, or that the content of the LIR instructions got corrupted.
Various failures are either failure to dereference pointers which are in the LIRInstruction, or to read the vtable of the LIR instruction.
This is a recent change from within the last 3 days, and mostly on aurora, so I guess we might be able to look at the history of backported commit and figure out that we need to backport something else.
Some crashes suggest that we might corrupt the mir_ field after the accept function is called, which suggest that the issue might be within the CodeGen / MacroAssembler.
|
Reporter | |
Comment 2•9 years ago
|
||
[Tracking Requested - why for this release]:
This is no longer a topcrash for 43, but still fairly high volume in 44.
133 crashes in the last week for 44.0a2.
Wontfixing for 43 since we are heading into beta 5 without any progress.
Naveed, can you help us find an owner for this bug?
|
||
Comment 3•9 years ago
|
||
Eric please find an owner for this.
Assignee: nobody → efaustbmo
Flags: needinfo?(nihsanullah)
Tracked for FF44 since it's a top crash.
|
||
Comment 5•9 years ago
|
||
I don't think many people actually follow changes to their "assigned bugs" list. I certainly don't.
Flags: needinfo?(efaustbmo)
|
||
Comment 6•9 years ago
|
||
Thanks Terrence!
I had looked at this before, and with Nicolas as well. Very little here is actionable, unfortunately. Blind memory corruption is blind to find as well :/.
I agree that we should start by looking at the backport list to 43 for the beginning of the regression rane, and see if there are any correlations there.
Jan, any other ideas?
Flags: needinfo?(efaustbmo) → needinfo?(jdemooij)
|
||
Comment 7•9 years ago
|
||
Is this still a problem? I don't see it in the top 200 on crash-stats (the socorro website has been incredibly slow lately though..)
Flags: needinfo?(jdemooij) → needinfo?(lhenry)
|
|
Reporter | |
Comment 8•9 years ago
|
||
The crash is still showing up on 43.0.4 but not in high volume (61 crashes in the last week). There are a few recent crashes on 44 and 45 as well. Often but not always a startup crash.
You can see the reports here: https://crash-stats.mozilla.com/signature/?date=%3E%3D2016-01-05T16%3A12%3A48.744472&date=%3C2016-01-12T16%3A12%3A48.744472&signature=js%3A%3Ajit%3A%3ACodeGenerator%3A%3AgenerateBody#aggregations
Flags: needinfo?(lhenry)
|
||
Updated•9 years ago
|
status-firefox45:
--- → affected
status-firefox46:
--- → affected
This bug might be a duplicate of Bug 1272944.
|
||
Comment 10•9 years ago
|
||
Possible workaround (gcc6): https://gcc.gnu.org/bugzilla/show_bug.cgi?id=70526#c14
--- firefox-45.0.1-orig/js/src/Makefile.in 2016-05-17 14:53:58.753178403 +0200
+++ firefox-45.0.1/js/src/Makefile.in 2016-05-17 14:53:28.432817862 +0200
@@ -144,6 +144,11 @@ distclean::
CFLAGS += $(MOZ_ZLIB_CFLAGS)
+# Avoid GNU gcc bug #70526
+# https://gcc.gnu.org/bugzilla/show_bug.cgi?id=70526#c14
+CFLAGS += -fno-schedule-insns2
+CXXFLAGS += -fno-schedule-insns2
+
# Silence warnings on AIX/HP-UX from non-GNU compilers
ifndef GNU_CC
ifeq ($(OS_ARCH),AIX)
|
||
Comment 11•8 years ago
|
||
Crash volume for signature 'js::jit::CodeGenerator::generateBody':
- nightly (version 50): 4 crashes from 2016-06-06.
- aurora (version 49): 26 crashes from 2016-06-07.
- beta (version 48): 408 crashes from 2016-06-06.
- release (version 47): 963 crashes from 2016-05-31.
- esr (version 45): 23 crashes from 2016-04-07.
Crash volume on the last weeks:
Week N-1 Week N-2 Week N-3 Week N-4 Week N-5 Week N-6 Week N-7
- nightly 1 1 0 0 1 0 1
- aurora 5 4 3 2 9 2 0
- beta 99 48 49 64 61 47 11
- release 142 153 124 148 161 138 49
- esr 4 1 5 2 3 1 2
Affected platforms: Windows, Mac OS X, Linux
status-firefox47:
--- → affected
status-firefox48:
--- → affected
status-firefox49:
--- → affected
status-firefox50:
--- → affected
status-firefox-esr45:
--- → affected
|
|
||
Updated•8 years ago
|
Priority: -- → P3
|
|
||
Comment 12•8 years ago
|
||
Crash volume for signature 'js::jit::CodeGenerator::generateBody':
- nightly (version 52): 6 crashes from 2016-09-19.
- aurora (version 51): 4 crashes from 2016-09-19.
- beta (version 50): 194 crashes from 2016-09-20.
- release (version 49): 666 crashes from 2016-09-05.
- esr (version 45): 45 crashes from 2016-07-25.
Crash volume on the last weeks (Week N is from 10-17 to 10-23):
W. N-1 W. N-2 W. N-3 W. N-4
- nightly 2 1 1 1
- aurora 0 0 1 0
- beta 61 53 44 15
- release 180 194 182 49
- esr 22 1 0 2
Affected platforms: Windows, Mac OS X, Linux
Crash rank on the last 7 days:
Browser Content Plugin
- nightly #781 #163
- aurora #271
- beta #373 #160
- release #550 #135
- esr #454
status-firefox51:
--- → affected
status-firefox52:
--- → affected
|
||
Comment 13•8 years ago
|
||
Mass wontfix for bugs affecting firefox 52.
|
|
||
Updated•3 years ago
|
Blocks: sm-defects-crashes
|
|
||
Comment 14•3 years ago
|
||
The bug assignee didn't login in Bugzilla in the last 7 months.
:sdetar, could you have a look please?
For more information, please visit auto_nag documentation.
Assignee: efaustbmo → nobody
Flags: needinfo?(sdetar)
|
||
Updated•3 years ago
|
Flags: needinfo?(sdetar)
|
||
Updated•2 years ago
|
Severity: critical → S2
|
|
||
Updated•2 years ago
|
OS: Windows NT → Windows
|
|
||
Updated•2 years ago
|
status-firefox110:
--- → affected
status-firefox-esr102:
--- → affected
|
||
Updated•2 years ago
|
Status: NEW → RESOLVED
Closed: 2 years ago
Resolution: --- → INCOMPLETE
|
||
Updated•2 years ago
|
You need to log in
before you can comment on or make changes to this bug.
Description
•