Bug 1322881: Crash in memcpy | js::wasm::DeserializePodVector<T>
Status: RESOLVED FIXED (opened 8 years ago, closed 7 years ago)
Categories: Core :: JavaScript Engine, defect
Version | Tracking | Status |
---|---|---|
firefox50 | --- | wontfix |
firefox51 | --- | verified |
firefox52 | --- | unaffected |
firefox53 | --- | unaffected |
People: Reporter: philipp, Assigned: luke
Keywords: crash, regression
Attachments (1 file): patch, 19.99 KB (bbouvier: review+, gchang: approval-mozilla-beta+)
This bug was filed from the Socorro interface and is report bp-7aa48190-fcc4-49b0-8e92-a47182161210.

Crashing Thread (22)

Frame | Module | Signature | Source |
---|---|---|---|
0 | vcruntime140.dll | memcpy | f:\dd\vctools\crt\vcruntime\src\string\i386\memcpy.asm:319 |
1 | xul.dll | js::wasm::DeserializePodVector<enum js::wasm::ValType, 8> | js/src/asmjs/WasmSerialize.h:131 |
2 | xul.dll | js::wasm::Metadata::deserialize(unsigned char const*) | js/src/asmjs/WasmCode.cpp:467 |
3 | xul.dll | js::AsmJSMetadata::deserialize(unsigned char const*) | js/src/asmjs/AsmJS.cpp:8110 |
4 | xul.dll | js::wasm::Module::deserialize(unsigned char const*, RefPtr<js::wasm::Module>*, js::wasm::Metadata*) | js/src/asmjs/WasmModule.cpp:365 |
5 | xul.dll | LookupAsmJSModuleInCache | js/src/asmjs/AsmJS.cpp:8381 |
6 | xul.dll | js::CompileAsmJS(js::ExclusiveContext*, js::frontend::Parser<js::frontend::FullParseHandler>&, js::frontend::ParseNode*, bool*) | js/src/asmjs/AsmJS.cpp:8525 |
7 | xul.dll | js::frontend::Parser<js::frontend::FullParseHandler>::asmJS(js::frontend::ParseNode*) | js/src/frontend/Parser.cpp:3450 |

crashes with this signature are spiking up on various versions of windows since firefox 50 - overall it's rather a low-volume issue as it's accounting for <0.05% of crashes on release atm.

many crash comments and this user report on sumo seem to indicate that the problem occurs repeatedly while browsing on facebook: https://support.mozilla.org/questions/1149769
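The stack above ends in memcpy inside a POD-vector deserializer that is reading a cached asm.js module. As an added illustration (not Firefox code, and not taken from the attached patch), the following shows a length-prefixed POD-vector reader that carries an end pointer and rejects a truncated or implausible cache entry instead of copying from it. The wire layout (a uint32_t count followed by raw elements), the element cap and all names are assumptions.

```cpp
#include <cstdint>
#include <cstdio>
#include <cstring>
#include <type_traits>
#include <vector>

// Assumed wire layout (hypothetical): uint32_t element count, then count * sizeof(T) raw bytes.
// Returns the cursor just past the vector, or nullptr if the entry is truncated or implausible.
template <typename T>
const uint8_t* ReadPodVectorChecked(const uint8_t* cursor, const uint8_t* end,
                                    std::vector<T>* out, uint32_t maxElems) {
    static_assert(std::is_trivially_copyable<T>::value, "raw-copy only for POD types");
    if (!cursor || !end || cursor > end) return nullptr;
    size_t avail = static_cast<size_t>(end - cursor);
    if (avail < sizeof(uint32_t)) return nullptr;   // no room for the length field
    uint32_t count;
    std::memcpy(&count, cursor, sizeof(count));
    cursor += sizeof(count);
    avail -= sizeof(count);
    if (count > maxElems) return nullptr;           // cap before allocating
    if (count > avail / sizeof(T)) return nullptr;  // divide, so count * sizeof(T) cannot overflow
    out->resize(count);
    if (count) std::memcpy(out->data(), cursor, size_t(count) * sizeof(T));
    return cursor + size_t(count) * sizeof(T);
}

// Constructed sample entry: a claimed count followed by whatever payload is actually present.
std::vector<uint8_t> MakeEntry(uint32_t claimedCount, const std::vector<uint16_t>& elems) {
    std::vector<uint8_t> buf(sizeof(claimedCount) + elems.size() * sizeof(uint16_t));
    std::memcpy(buf.data(), &claimedCount, sizeof(claimedCount));
    if (!elems.empty())
        std::memcpy(buf.data() + sizeof(claimedCount), elems.data(), elems.size() * sizeof(uint16_t));
    return buf;
}

bool Accepts(const std::vector<uint8_t>& entry, std::vector<uint16_t>* out) {
    return ReadPodVectorChecked<uint16_t>(entry.data(), entry.data() + entry.size(), out, 1024) != nullptr;
}

int main() {
    std::vector<uint16_t> out;
    std::printf("well-formed entry:   %d\n", Accepts(MakeEntry(3, {7, 8, 9}), &out));
    std::printf("count exceeds bytes: %d\n", Accepts(MakeEntry(1000, {7, 8, 9}), &out));
    std::printf("count above cap:     %d\n", Accepts(MakeEntry(0xFFFFFFFFu, {}), &out));
    std::printf("truncated header:    %d\n", Accepts(std::vector<uint8_t>{0x03, 0x00}, &out));
    return 0;
}
```

A caller that gets nullptr back can treat the cache entry as a miss and recompile, which turns a corrupt or stale entry into a slower load rather than a crash.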
Comment 1 • 8 years ago (Assignee)
I think this kind of crash should be fixed in 52 (bug 1318039 and a few others). A workaround for users experiencing the repeated crash is to clear offline storage for facebook.com (by navigating to facebook.com, clicking the 'i' info icon, clicking the right arrow, then More Information, then Permissions, then clicking "Clear Storage"). If we need to mitigate this on 50 or 51 release, we could land a trivial patch that disables asm.js caching.
Comment 2 • 8 years ago (Reporter)
updating the status flags according to comment #1
Comment 3 • 7 years ago (Reporter)
would be nice if there was some sort of workaround for 51 - we have received another user report about this and clearing offline storage doesn't seem to help: https://support.mozilla.org/questions/1151056
Comment 4 • 7 years ago (Assignee)
Ok, I can put up the trivial patch to disable asm.js caching. Unfortunately the steps linked in that bug don't clear IndexedDB databases; you need the relatively more-hidden steps in comment 1.
Comment 5 • 7 years ago (Assignee)
Approval Request Comment
[Feature/Bug causing the regression]: one of multiple refactorings in FF50
[User impact if declined]: crashes when asm.js used (e.g. Facebook Messenger)
[Is this code covered by automated tests?]: yes
[Has the fix been verified in Nightly?]: no (straight-to-beta patch)
[Needs manual test from QE? If yes, steps to reproduce]: no, I tested manually
[List of other uplifts needed for the feature/fix]: none
[Is the change risky?]: no
[Why is the change risky/not risky?]: it just turns off a feature (caching)
Attachment #8821002 - Flags: review?(bbouvier)
Attachment #8821002 - Flags: approval-mozilla-beta?
Comment 6 • 7 years ago
Comment on attachment 8821002: disable-asmjscache in beta (FF51)

Turn off asm cache feature in Beta51. Beta51+. Should be in 51 beta 10.
Attachment #8821002 - Flags: approval-mozilla-beta? → approval-mozilla-beta+
Comment 7 • 7 years ago
Comment on attachment 8821002: disable-asmjscache in beta (FF51)

Review of attachment 8821002:

Thanks
Attachment #8821002 - Flags: review?(bbouvier) → review+
Comment 8 • 7 years ago
https://hg.mozilla.org/releases/mozilla-beta/rev/6ff5553aea2ac05e70992a1a6573f8ff7ad6da2a
Updated • 7 years ago (Reporter)
Crash Signature: [@ memcpy | js::wasm::DeserializePodVector<T>] → [@ memcpy | js::wasm::DeserializePodVector<T>]
[@ vcruntime140.dll@0xcab7 | js::wasm::DeserializePodVector<T>]
Comment 9 • 7 years ago (Reporter)
adding more crash signatures to this bug...
Crash Signature: [@ memcpy | js::wasm::DeserializePodVector<T>]
[@ vcruntime140.dll@0xcab7 | js::wasm::DeserializePodVector<T>] → [@ memcpy | js::wasm::DeserializePodVector<T>]
[@ vcruntime140.dll@0xcab7 | js::wasm::DeserializePodVector<T>]
[@ vcruntime140.dll@0xc887 | js::wasm::DeserializePodVector<T> ]
[@ vcruntime140.dll@0xcbf0 | js::wasm::DeserializePodVector<T> ]
[@ vcrunti…
Comment 10 • 7 years ago (Reporter)
a couple of affected users on sumo have confirmed that updating to 51.0b10 indeed solved these crashes on facebook. thanks for the fix!
Updated • 7 years ago
Assignee: nobody → luke