Closed
Bug 1260721
Opened 8 years ago
Closed 6 years ago
[e10s] topcrash at js::jit::ICStub::traceCode
Categories
(Core :: JavaScript Engine, defect, P2)
People
(Reporter: benjamin, Unassigned)
Details
(Whiteboard: [#jsapi:crashes-retriage])
This is a crash that showed up in beta 46 highly correlated with e10s (it didn't appear in the non-e10s case at all). Bug 1250964 exists for this signature but that is apparently unrelated because it's 47+ only, so I was asked to file this separately.

https://crash-stats.mozilla.org/search/?ActiveExperiment=e10s-beta46-noapz%40experiments.mozilla.org&ActiveExperimentBranch=experiment-no-addons&process_type=content&date=%3E2016-03-09&date=%3C2016-03-22&signature=%3Djs%3A%3Ajit%3A%3AICStub%3A%3AmarkCode&_facets=signature&_columns=signature&_columns=product&_columns=build_id&_columns=platform&_columns=reason&_columns=address#crash-reports has the list of crashes.

Naveed, can you help find an owner for this?
Comment 1•8 years ago
Since this is baseline stubs, going to needinfo jandem. Feel free to forward or assign me again, but I think you know the code best. As mentioned, I don't think this is related to bug 1250964, since shared stubs are only enabled since FF47+.
Flags: needinfo?(jdemooij)
Comment 2•8 years ago
I'm looking into this now.
Updated•8 years ago
Assignee: nobody → jdemooij
Comment 3•8 years ago
(In reply to Benjamin Smedberg [:bsmedberg] from comment #0)
> This is a crash that showed up in beta 46 highly correlated with e10s (it
> didn't appear in the non-e10s case at all).

I don't think that's true? I see a lot of non-e10s crashes (also on beta) with this signature, but maybe I'm misreading Socorro.

Last week I looked at a number of crash dumps in Visual Studio. Some of them have an ICStub with a bogus or poisoned JitCode* pointer. It's confusing because the ownership model isn't that complicated, hasn't changed much since Firefox 23, and this code is fuzzed aggressively. My best guess is memory corruption somewhere. I'll take another look.
Updated•8 years ago
tracking-e10s:
--- → +
Updated•8 years ago
Priority: -- → P2
Comment 4•8 years ago
Crash volume for signature 'js::jit::ICStub::markCode':
 - nightly (version 50): 15 crashes from 2016-06-06.
 - aurora (version 49): 69 crashes from 2016-06-07.
 - beta (version 48): 2326 crashes from 2016-06-06.
 - release (version 47): 0 crash from 2016-05-31.
 - esr (version 45): 10 crashes from 2016-04-07.

Crash volume on the last weeks:
             Week N-1  Week N-2  Week N-3  Week N-4  Week N-5  Week N-6  Week N-7
 - nightly          1         3         2         3         1         3         1
 - aurora           8        12        14         9        10        10         0
 - beta           374       305       346       367       347       330       105
 - release          0         0         0         0         0         0         0
 - esr              1         0         3         0         1         1         0

Affected platform: Windows
status-firefox48:
--- → affected
status-firefox49:
--- → affected
status-firefox50:
--- → affected
status-firefox-esr45:
--- → affected
Comment 5•8 years ago
Crash volume for signature 'js::jit::ICStub::markCode':
 - nightly (version 51): 11 crashes from 2016-08-01.
 - aurora (version 50): 35 crashes from 2016-08-01.
 - beta (version 49): 764 crashes from 2016-08-02.
 - release (version 48): 933 crashes from 2016-07-25.
 - esr (version 45): 14 crashes from 2016-05-02.

Crash volume on the last weeks (Week N is from 08-22 to 08-28):
             W. N-1  W. N-2  W. N-3
 - nightly        4       4       2
 - aurora        17      13       1
 - beta         271     226     114
 - release      300     276     150
 - esr            2       1       1

Affected platform: Windows

Crash rank on the last 7 days:
 Browser Content Plugin
 - nightly #335 #274
 - aurora #156 #159
 - beta #70 #34
 - release #67 #35
 - esr #4763
status-firefox51:
--- → affected
Comment 6•8 years ago
Crash volume for signature 'js::jit::ICStub::markCode':
 - nightly (version 52): 18 crashes from 2016-09-19.
 - aurora (version 51): 8 crashes from 2016-09-19.
 - beta (version 50): 334 crashes from 2016-09-20.
 - release (version 49): 4 crashes from 2016-09-05.
 - esr (version 45): 18 crashes from 2016-06-01.

Crash volume on the last weeks (Week N is from 10-03 to 10-09):
             W. N-1  W. N-2
 - nightly       11       7
 - aurora         5       3
 - beta         259      75
 - release        1       1
 - esr            1       2

Affected platform: Windows

Crash rank on the last 7 days:
 Browser Content Plugin
 - nightly #444 #93
 - aurora #653 #316
 - beta #77 #40
 - release #7768
 - esr #5268
status-firefox52:
--- → affected
Comment 7•8 years ago
I'm not sure I understand the "crash volume reports"

3 months ago:
FF47 (release): 0 crashes
FF48 (beta): 2326 crashes
FF49 (aurora): 69 crashes

2 months ago:
FF48 (release): 933 crashes
FF49 (beta): 764 crashes
FF50 (aurora): 35 crashes

1 month ago:
FF49 (release): 4 crashes
FF50 (beta): 334 crashes
FF51 (aurora): 8 crashes

How did 1 month ago FF49 suddenly stop crashing when it went to release? Given the amount of crashes we had when it was on beta it should still be crashing on release! What happened?
Comment 8•8 years ago
(In reply to Hannes Verschore [:h4writer] from comment #7)
> What happened?

Was FF49 throttled until we had FF 49.0.2? I don't see a lot of crashes on 49.0 and 49.0.1. But that would explain it. Most people were still on FF48? FF 49.0.2 has the huge amount of crashes again.
Comment 9•7 years ago
Mass wontfix for bugs affecting firefox 52.
Comment 10•7 years ago
markCode was renamed to traceCode at some point. I'll clear the NI because we don't have any leads and I don't think this is related to e10s. I remember looking at this last year and I didn't find anything - could be random memory corruption.
Crash Signature: [@ js::jit::ICStub::markCode ] → [@ js::jit::ICStub::markCode ]
[@ js::jit::ICStub::traceCode ]
Flags: needinfo?(jdemooij)
Summary: [e10s] topcrash at js::jit::ICStub::markCode → [e10s] topcrash at js::jit::ICStub::traceCode
Updated•6 years ago
Assignee: jdemooij → nobody
Whiteboard: [#jsapi:crashes-retriage]
Comment 11•6 years ago
The current crashes exist in FF57, FF60 without crashes in between. This is very likely inlining related and has nothing to do with e10s. Closing in favor of the general ICStub::trace investigation bugs we have.
Status: NEW → RESOLVED
Closed: 6 years ago
Resolution: --- → INVALID
Updated•2 years ago