Closed Bug 1275500 Opened 6 years ago Closed 6 years ago

Crash in js::jit::CodeGenerator::visitOutOfLineTypeOfV

Categories

(Core :: JavaScript Engine: JIT, defect)

Product:
Core
Component:
JavaScript Engine: JIT
Platform:
Unspecified
Windows 8
Type:
defect
Priority:
Not set
Severity:
critical

Tracking

()

Status:
RESOLVED INVALID

People

(Reporter: kanru, Unassigned)

Details

(Keywords: crash)

Crash Data

This bug was filed from the Socorro interface and is 
report bp-2d8c3019-bcc6-49c3-a778-e30982160525.
=============================================================

This is #11 crash on Nightly 20160523030225, 7 crashes which are likely from single installation.

The first crash with this signature is on 44.0.2 build id 20160210153822

js::jit::CodeGenerator::visitOutOfLineTypeOfV(js::jit::OutOfLineTypeOfV*)
js::jit::CodeGeneratorShared::generateOutOfLineCode()
js::jit::CodeGeneratorX86Shared::generateOutOfLineCode()
js::jit::CodeGenerator::generate()
js::jit::GenerateCode(js::jit::MIRGenerator*, js::jit::LIRGraph*)
js::jit::CompileBackEnd(js::jit::MIRGenerator*)
js::HelperThread::handleIonWorkload()
js::HelperThread::threadLoop()

Search used
https://crash-stats.mozilla.com/signature/?date=%3E%3D2015-06-01&signature=js%3A%3Ajit%3A%3ACodeGenerator%3A%3AvisitOutOfLineTypeOfV&_columns=date&_columns=product&_columns=version&_columns=build_id&_columns=platform&_columns=reason&_columns=address&_columns=install_time&page=1
Jan, any ideas?
Flags: needinfo?(jdemooij)
(In reply to Nicholas Nethercote [:njn] from comment #1)
> Jan, any ideas?

I looked at one of these reports. We're crashing here:

00007FF89EDE2A78 48 8D 05 11 F1 BB FF lea         rax,[js::TypeOfObjectOperation (07FF89E9A1B90h)]  
00007FF89EDE2A7F 48 8D 54 24 30       lea         rdx,[input]  
00007FF89EDE2A84 48 89 44 24 30       mov         qword ptr [input],rax  
00007FF89EDE2A89 E8 7A 34 B3 FF       call        js::jit::MacroAssembler::callWithABI<void * __ptr64> (07FF89E915F08h)  

This is a normal (non-virtual) function call. Then we crash with EXCEPTION_ACCESS_VIOLATION_EXEC at address 0x7ff89e115f08. Note that this is the expected address (0x7FF89E915F08), the difference is 1 bit so this suggests a bit flip.

Furthermore, these crashes are from a single installation and have very low uptimes (like 4, 7, 58 seconds). I don't know if it's worth spending time on these single-user, low uptime crashes (unless they look interesting), as it suggests malware or bad hardware.
Flags: needinfo?(jdemooij)
(In reply to Jan de Mooij [:jandem] from comment #2)
> Then we crash with
> EXCEPTION_ACCESS_VIOLATION_EXEC at address 0x7ff89e115f08. Note that this is
> the expected address (0x7FF89E915F08), the difference is 1 bit so this
> suggests a bit flip.

Sorry, I can't type today. What I meant to say is: the address where we crash is the *expected* address, except one bit is different.
See comment 2. Single user, crashes look like memory corruption, I'll close this.
Status: NEW → RESOLVED
Closed: 6 years ago
Resolution: --- → INVALID
You need to log in before you can comment on or make changes to this bug.