Closed Bug 1264188 Opened 8 years ago Closed 3 years ago

crash in js::jit::BaselineCompiler::addPCMappingEntry

Categories

(Core :: JavaScript Engine: JIT, defect, P3)

x86
Windows NT
defect

RESOLVED INVALID
Tracking Status
firefox47 --- affected
firefox48 --- affected

People

(Reporter: n.nethercote, Unassigned)

Details

(Keywords: crash)

Crash Data

This bug was filed from the Socorro interface and is report bp-b6118787-b636-4cd0-85a2-47d702160406.
=============================================================

This first appeared in March 2014, but no bug has been filed until now. It's happened 471 times in the past 7 days on Beta 46, making it the #40 topcrasher.
jandem, any ideas?
Flags: needinfo?(jdemooij)
It's weird: in the past weeks there were 459 crashes with 46.0b8, but only 4 with 46.0b9 and 2 with 45.0.1.

Maybe the signature changes or it's compiler related somehow. I'll take a look.
I looked at some of these crash dumps in Visual Studio, and EIP is in the middle of an instruction. So we end up executing some bogus or invalid instruction and crash.

The CPU data is interesting:

73.16% - AuthenticAMD family 20 model 1 stepping 0 | 2
16.82% - AuthenticAMD family 20 model 1 stepping 0 | 1

So this AMD E-350 CPU accounts for 90% of all crashes... It's probably not from a single user - I see different Windows versions.
Flags: needinfo?(jdemooij)
See also bug 772330 for problems with this CPU. I can check if erratum 688 applies here as well.
(In reply to Jan de Mooij [:jandem] from comment #4)
> See also bug 772330 for problems with this CPU. I can check if erratum 688
> applies here as well.

I don't see any indirect calls or jumps in this function. There are a number of direct branches though...

Since 90% of the crashes are with this particular CPU and 46.0b8, I don't expect us to be able to reproduce it elsewhere.
Crash volume for signature 'js::jit::BaselineCompiler::addPCMappingEntry':
 - nightly (version 50): 0 crash from 2016-06-06.
 - aurora  (version 49): 0 crash from 2016-06-07.
 - beta    (version 48): 21 crashes from 2016-06-06.
 - release (version 47): 27 crashes from 2016-05-31.
 - esr     (version 45): 0 crash from 2016-04-07.

Crash volume on the last weeks:
             Week N-1   Week N-2   Week N-3   Week N-4   Week N-5   Week N-6   Week N-7
 - nightly          0          0          0          0          0          0          0
 - aurora           0          0          0          0          0          0          0
 - beta             0          2          1          1          7          6          3
 - release          5          1          6          5          5          2          2
 - esr              0          0          0          0          0          0          0

Affected platforms: Windows, Linux
Priority: -- → P3
FWIW, one of my try pushes was hit by this crash while running dom/canvas/test/webgl-conf/generated/test_2_conformance__offscreencanvas__context-creation-worker.html.

https://treeherder.mozilla.org/logviewer.html#?job_id=184839515&repo=try&lineNumber=10330

Code no longer exists.

Status: NEW → RESOLVED
Closed: 3 years ago
Resolution: --- → INVALID