Crash in js::jit::JitCode::copyFrom

Status: NEW (Unassigned)
Product: Core
Component: JavaScript Engine: JIT
Priority: --
Severity: critical
Reported: 2 years ago
Last modified: 9 months ago

People

(Reporter: mccr8, Unassigned)

Tracking

Keywords: crash
Version: Trunk
Hardware: x86, Windows 7
Points: ---

Firefox Tracking Flags

(firefox47 affected, firefox48 affected, firefox49 affected, firefox-esr45 affected, firefox50 affected, firefox51 affected, firefox52 wontfix, firefox53 affected)

Description (Reporter, 2 years ago)

This bug was filed from the Socorro interface and is report bp-7bcbe438-97eb-4dbf-955f-5edd82160519.
=============================================================

#7 Windows Nightly crash for 05-18, with 12 crashes. All from a single install time. This signature does have crashes in other channels.
nbp, any ideas?
Flags: needinfo?(nicolas.b.pierron)
Looking at the source, …

This is not a logical issue; the backward offset is valid, as we reserved space ahead to be able to address below.

The result pointer from the newCode function is owned by the JitCode as soon as it is created, and there is no other allocation which might cause it to be reclaimed.  The ExecutablePool cannot be freed without an explicit call to the "release" function, which is made only if the JitCode allocation fails.

I do not see how this issue can happen.
Flags: needinfo?(nicolas.b.pierron)
Crash volume for signature 'js::jit::JitCode::copyFrom':
 - nightly(version 50):0 crashes from 2016-06-06.
 - aurora (version 49):6 crashes from 2016-06-07.
 - beta   (version 48):676 crashes from 2016-06-06.
 - release(version 47):1943 crashes from 2016-05-31.
 - esr    (version 45):7 crashes from 2016-04-07.

Crash volume on the last weeks:
            W. N-1  W. N-2  W. N-3  W. N-4  W. N-5  W. N-6  W. N-7
 - nightly       0       0       0       0       0       0       0
 - aurora        0       0       2       0       1       1       2
 - beta         77     104     129      84      81      99      77
 - release     252     283     287     207     262     266     280
 - esr           1       0       1       0       1       1       1

Affected platform: Windows
status-firefox47: --- → affected
status-firefox48: --- → affected
status-firefox-esr45: --- → affected
Crash volume for signature 'js::jit::JitCode::copyFrom':
 - nightly (version 51): 1 crash from 2016-08-01.
 - aurora  (version 50): 3 crashes from 2016-08-01.
 - beta    (version 49): 234 crashes from 2016-08-02.
 - release (version 48): 188 crashes from 2016-07-25.
 - esr     (version 45): 7 crashes from 2016-05-02.

Crash volume on the last weeks (Week N is from 08-22 to 08-28):
            W. N-1  W. N-2  W. N-3
 - nightly       1       0       0
 - aurora        0       1       1
 - beta         99      71      17
 - release      53      53      37
 - esr           0       0       2

Affected platform: Windows

Crash rank on the last 7 days:
           Browser   Content     Plugin
 - nightly           #546
 - aurora  #1362
 - beta    #169      #1155
 - release #311
 - esr
status-firefox50: --- → affected
status-firefox51: --- → affected
Bugzilla Socorro Lens highlights[1] that this signature spiked between:
 - March 14 - 19
 - ~April 7
 - May 5 - now (and remains stable)

Do we have any patches matching these spikes?
Or would these crashes be related to some external website on which this issue can be reproduced?

[1] https://ashughes1.github.io/bugzilla-socorro-lens/chart.htm?s=js::jit::JitCode::copyFrom
Crash volume for signature 'js::jit::JitCode::copyFrom':
 - nightly (version 54): 0 crashes from 2017-01-23.
 - aurora  (version 53): 1 crash from 2017-01-23.
 - beta    (version 52): 93 crashes from 2017-01-23.
 - release (version 51): 308 crashes from 2017-01-16.
 - esr     (version 45): 22 crashes from 2016-08-10.

Crash volume on the last weeks (Week N is from 02-06 to 02-12):
            W. N-1  W. N-2  W. N-3  W. N-4  W. N-5  W. N-6  W. N-7
 - nightly       0       0
 - aurora        0       0
 - beta         39      37
 - release     181      58       0
 - esr           0       2       3       0       3       0       1

Affected platforms: Windows, Mac OS X, Linux

Crash rank on the last 7 days:
           Browser   Content   Plugin
 - nightly
 - aurora  #1302
 - beta    #264      #594
 - release #265      #536
 - esr     #4163
status-firefox52: --- → affected
status-firefox53: --- → affected
Too late for firefox 52, mass-wontfix.
status-firefox52: affected → wontfix