1260721 - [e10s] topcrash at js::jit::ICStub::traceCode

Status: RESOLVED INVALID

(Core :: JavaScript Engine, defect, P2)

Description

[Benjamin Smedberg]

This is a crash that showed up in beta 46 highly correlated with e10s (it didn't appear in the non-e10s case at all). Bug 1250964 exists for this signature but that is apparently unrelated because it's 47+ only, so I was asked to file this separately.

https://crash-stats.mozilla.org/search/?ActiveExperiment=e10s-beta46-noapz%40experiments.mozilla.org&ActiveExperimentBranch=experiment-no-addons&process_type=content&date=%3E2016-03-09&date=%3C2016-03-22&signature=%3Djs%3A%3Ajit%3A%3AICStub%3A%3AmarkCode&_facets=signature&_columns=signature&_columns=product&_columns=build_id&_columns=platform&_columns=reason&_columns=address#crash-reports has the list of crashes.

Naveed, can you help find an owner for this?

Comment 1

[Hannes Verschore [:h4writer]]

Since this is baseline stubs, going to needinfo jandem. Feel free to forward or assign me again, but I think you know the code best. Like mentioned, I don't think this is related to bug 1250964, since shared stubs are only enabled since FF47+

Comment 2

[Jan de Mooij [:jandem]]

I'm looking into this now.

Comment 3

[Jan de Mooij [:jandem]]

(In reply to Benjamin Smedberg  [:bsmedberg] from comment #0)
> This is a crash that showed up in beta 46 highly correlated with e10s (it
> didn't appear in the non-e10s case at all).

I don't think that's true? I see a lot of non-e10s crashes (also on beta) with this signature, but maybe I'm misreading Socorro.

Last week I looked at a number of crash dumps in Visual Studio. Some of them have an ICStub with a bogus or poisoned JitCode* pointer.

It's confusing because the ownership model isn't that complicated, hasn't changed much since Firefox 23, and this code is fuzzed aggressively. My best guess is memory corruption somewhere.

I'll take another look.

Comment 4

[BugBot [:suhaib / :marco/ :calixte]]

Crash volume for signature 'js::jit::ICStub::markCode':
 - nightly (version 50): 15 crashes from 2016-06-06.
 - aurora  (version 49): 69 crashes from 2016-06-07.
 - beta    (version 48): 2326 crashes from 2016-06-06.
 - release (version 47): 0 crash from 2016-05-31.
 - esr     (version 45): 10 crashes from 2016-04-07.

Crash volume on the last weeks:
             Week N-1   Week N-2   Week N-3   Week N-4   Week N-5   Week N-6   Week N-7
 - nightly          1          3          2          3          1          3          1
 - aurora           8         12         14          9         10         10          0
 - beta           374        305        346        367        347        330        105
 - release          0          0          0          0          0          0          0
 - esr              1          0          3          0          1          1          0

Affected platform: Windows

Comment 5

[BugBot [:suhaib / :marco/ :calixte]]

Crash volume for signature 'js::jit::ICStub::markCode':
 - nightly (version 51): 11 crashes from 2016-08-01.
 - aurora  (version 50): 35 crashes from 2016-08-01.
 - beta    (version 49): 764 crashes from 2016-08-02.
 - release (version 48): 933 crashes from 2016-07-25.
 - esr     (version 45): 14 crashes from 2016-05-02.

Crash volume on the last weeks (Week N is from 08-22 to 08-28):
            W. N-1  W. N-2  W. N-3
 - nightly       4       4       2
 - aurora       17      13       1
 - beta        271     226     114
 - release     300     276     150
 - esr           2       1       1

Affected platform: Windows

Crash rank on the last 7 days:
           Browser   Content     Plugin
 - nightly #335      #274
 - aurora  #156      #159
 - beta    #70       #34
 - release #67       #35
 - esr     #4763

Comment 6

[BugBot [:suhaib / :marco/ :calixte]]

Crash volume for signature 'js::jit::ICStub::markCode':
 - nightly (version 52): 18 crashes from 2016-09-19.
 - aurora  (version 51): 8 crashes from 2016-09-19.
 - beta    (version 50): 334 crashes from 2016-09-20.
 - release (version 49): 4 crashes from 2016-09-05.
 - esr     (version 45): 18 crashes from 2016-06-01.

Crash volume on the last weeks (Week N is from 10-03 to 10-09):
            W. N-1  W. N-2
 - nightly      11       7
 - aurora        5       3
 - beta        259      75
 - release       1       1
 - esr           1       2

Affected platform: Windows

Crash rank on the last 7 days:
           Browser   Content     Plugin
 - nightly #444      #93
 - aurora  #653      #316
 - beta    #77       #40
 - release           #7768
 - esr     #5268

Comment 7

[Hannes Verschore [:h4writer]]

I'm not sure I understand the "crash volume reports"

3 months ago:
FF47 (release): 0 crashes
FF48 (beta): 2326 crashes
FF49 (aurora): 69 crashes

2 months ago:
FF48 (release): 933 crashes
FF49 (beta): 764 crashes
FF50 (aurora): 35 crashes

1 month ago:
FF49 (release): 4 crashes
FF50 (beta): 334 crashes
FF51 (aurora): 8 crashes

How did 1 month ago FF49 suddenly stop crashing when it went to release?
Given the amount of crashes we had when it was on beta it should still be crashing on release!

What happened?

Comment 8

[Hannes Verschore [:h4writer]]

(In reply to Hannes Verschore [:h4writer] from comment #7)
> What happened?

Was FF49 throttled until we had FF 49.0.2? I Don't see a lot of crashes on 49.0 and 49.0.1.
But that would explain it. Most people were still on FF48?
FF 49.0.2 has the huge amount of crashes again.

Comment 9

[Julien Cristau [:jcristau]]

Mass wontfix for bugs affecting firefox 52.

Comment 10

[Jan de Mooij [:jandem]]

markCode was renamed to traceCode at some point.

I'll clear the NI because we don't have any leads and I don't think this is related to e10s. I remember looking at this last year and I didn't find anything - could be random memory corruption.

Comment 11

[Ted Campbell [:tcampbell]]

The current crashes exist in FF57, FF60 without crashes in between. This is very likely inlining related and has nothing to do with e10s. Closing in favor of the general ICStub::trace investigation bugs we have.