Closed Bug 1322881 Opened 3 years ago Closed 3 years ago

Crash in memcpy | js::wasm::DeserializePodVector<T>

Categories

(Core :: JavaScript Engine, defect, critical)

50 Branch
x86
Windows
defect
Not set
critical

Tracking


RESOLVED FIXED
Tracking Status
firefox50 --- wontfix
firefox51 --- verified
firefox52 --- unaffected
firefox53 --- unaffected

People

(Reporter: philipp, Assigned: luke)

References

Details

(Keywords: crash, regression)

Crash Data

Attachments

(1 file)

This bug was filed from the Socorro interface and is report bp-7aa48190-fcc4-49b0-8e92-a47182161210.
=============================================================
Crashing Thread (22)
Frame 	Module 	Signature 	Source
0 	vcruntime140.dll 	memcpy 	f:\dd\vctools\crt\vcruntime\src\string\i386\memcpy.asm:319
1 	xul.dll 	js::wasm::DeserializePodVector<enum js::wasm::ValType, 8> 	js/src/asmjs/WasmSerialize.h:131
2 	xul.dll 	js::wasm::Metadata::deserialize(unsigned char const*) 	js/src/asmjs/WasmCode.cpp:467
3 	xul.dll 	js::AsmJSMetadata::deserialize(unsigned char const*) 	js/src/asmjs/AsmJS.cpp:8110
4 	xul.dll 	js::wasm::Module::deserialize(unsigned char const*, RefPtr<js::wasm::Module>*, js::wasm::Metadata*) 	js/src/asmjs/WasmModule.cpp:365
5 	xul.dll 	LookupAsmJSModuleInCache 	js/src/asmjs/AsmJS.cpp:8381
6 	xul.dll 	js::CompileAsmJS(js::ExclusiveContext*, js::frontend::Parser<js::frontend::FullParseHandler>&, js::frontend::ParseNode*, bool*) 	js/src/asmjs/AsmJS.cpp:8525
7 	xul.dll 	js::frontend::Parser<js::frontend::FullParseHandler>::asmJS(js::frontend::ParseNode*) 	js/src/frontend/Parser.cpp:3450

Crashes with this signature are spiking up on various versions of Windows since Firefox 50 - overall it's rather a low-volume issue, as it's accounting for <0.05% of crashes on release at the moment.

Many crash comments and this user report on SUMO seem to indicate that the problem occurs repeatedly while browsing on Facebook: https://support.mozilla.org/questions/1149769
I think this kind of crash should be fixed in 52 (bug 1318039 and a few others).  A workaround for users experiencing the repeated crash is to clear offline storage for facebook.com (by navigating to facebook.com, clicking the 'i' info icon, clicking the right arrow, then More Information, then Permissions, then clicking "Clear Storage").  If we need to mitigate this on 50 or 51 release, we could land a trivial patch that disables asm.js caching.
Updating the status flags according to comment #1.
Would be nice if there were some sort of workaround for 51 - we have received another user report about this, and clearing offline storage doesn't seem to help: https://support.mozilla.org/questions/1151056
Ok, I can put up the trivial patch to disable asm.js caching.  Unfortunately the steps linked in that bug don't clear IndexedDB databases; you need the relatively more-hidden steps in comment 1.
Approval Request Comment
[Feature/Bug causing the regression]: one of multiple refactorings in FF50
[User impact if declined]: crashes when asm.js used (e.g. Facebook Messenger)
[Is this code covered by automated tests?]: yes
[Has the fix been verified in Nightly?]: no (straight-to-beta patch)
[Needs manual test from QE? If yes, steps to reproduce]: no, I tested manually
[List of other uplifts needed for the feature/fix]: none
[Is the change risky?]: no
[Why is the change risky/not risky?]: it just turns off a feature (caching)
Attachment #8821002 - Flags: review?(bbouvier)
Attachment #8821002 - Flags: approval-mozilla-beta?
Comment on attachment 8821002 [details] [diff] [review]
disable-asmjscache in beta (FF51)

Turn off asm cache feature in Beta51. Beta51+. Should be in 51 beta 10.
Attachment #8821002 - Flags: approval-mozilla-beta? → approval-mozilla-beta+
Comment on attachment 8821002 [details] [diff] [review]
disable-asmjscache in beta (FF51)

Review of attachment 8821002 [details] [diff] [review]:
-----------------------------------------------------------------

Thanks
Attachment #8821002 - Flags: review?(bbouvier) → review+
Crash Signature: [@ memcpy | js::wasm::DeserializePodVector<T>] → [@ memcpy | js::wasm::DeserializePodVector<T>] [@ vcruntime140.dll@0xcab7 | js::wasm::DeserializePodVector<T>]
Adding more crash signatures to this bug...
Crash Signature: [@ memcpy | js::wasm::DeserializePodVector<T>] [@ vcruntime140.dll@0xcab7 | js::wasm::DeserializePodVector<T>] → [@ memcpy | js::wasm::DeserializePodVector<T>] [@ vcruntime140.dll@0xcab7 | js::wasm::DeserializePodVector<T>] [@ vcruntime140.dll@0xc887 | js::wasm::DeserializePodVector<T> ] [@ vcruntime140.dll@0xcbf0 | js::wasm::DeserializePodVector<T> ] [@ vcrunti…
A couple of affected users on SUMO have confirmed that updating to 51.0b10 indeed solved these crashes on Facebook. Thanks for the fix!
Status: NEW → RESOLVED
Closed: 3 years ago
Resolution: --- → FIXED
Duplicate of this bug: 1326533
Assignee: nobody → luke