crash in js::jit::BaselineCompiler::addPCMappingEntry

Status: NEW, Unassigned
Product: Core
Component: JavaScript Engine: JIT
Priority: P3
Severity: critical
Opened 2 years ago; last modified 2 months ago
Reporter: njn
Keywords: crash
Version: Trunk
Platform: x86, Windows NT
Firefox Tracking Flags: firefox47 affected, firefox48 affected

(Reporter)

Description

2 years ago
This bug was filed from the Socorro interface and is report bp-b6118787-b636-4cd0-85a2-47d702160406.
=============================================================

This first appeared in March 2014, but no bug has been filed until now. It's happened 471 times in the past 7 days on Beta 46, making it the #40 topcrasher.

Comment 1 (Reporter), 2 years ago
jandem, any ideas?
Flags: needinfo?(jdemooij)

It's weird, the past weeks there were 459 crashes with 46.0b8, but only 4 with 46.0b9 and 2 with 45.0.1

Maybe the signature changes or it's compiler related somehow. I'll take a look.

I looked at some of these crash dumps in Visual Studio, and EIP is in the middle of an instruction. So we end up executing some bogus or invalid instruction and crash.

The CPU data is interesting:

73.16% - AuthenticAMD family 20 model 1 stepping 0 | 2
16.82% - AuthenticAMD family 20 model 1 stepping 0 | 1

So this AMD E-350 CPU accounts for 90% of all crashes... It's probably not from a single user - I see different Windows versions.
Flags: needinfo?(jdemooij)

See also bug 772330 for problems with this CPU. I can check if erratum 688 applies here as well.

(In reply to Jan de Mooij [:jandem] from comment #4)
> See also bug 772330 for problems with this CPU. I can check if erratum 688
> applies here as well.

I don't see any indirect calls or jumps in this function. There are a number of direct branches though...

Since 90% of the crashes are with this particular CPU and 46.0b8, I don't expect us to be able to reproduce it elsewhere.

Crash volume for signature 'js::jit::BaselineCompiler::addPCMappingEntry':
 - nightly (version 50): 0 crash from 2016-06-06.
 - aurora  (version 49): 0 crash from 2016-06-07.
 - beta    (version 48): 21 crashes from 2016-06-06.
 - release (version 47): 27 crashes from 2016-05-31.
 - esr     (version 45): 0 crash from 2016-04-07.

Crash volume on the last weeks:
             Week N-1   Week N-2   Week N-3   Week N-4   Week N-5   Week N-6   Week N-7
 - nightly          0          0          0          0          0          0          0
 - aurora           0          0          0          0          0          0          0
 - beta             0          2          1          1          7          6          3
 - release          5          1          6          5          5          2          2
 - esr              0          0          0          0          0          0          0

Affected platforms: Windows, Linux

status-firefox47: --- → affected
Priority: -- → P3