Closed Bug 1339145 Opened 7 years ago Closed 6 years ago

Crash in jit | NOT_JIT_CODE

Categories

(Core :: JavaScript Engine: JIT, defect, P3)

52 Branch
x86
Windows 7
defect

Tracking


RESOLVED WONTFIX
Tracking Status
firefox51 --- affected
firefox52 --- wontfix
firefox53 --- affected

People

(Reporter: marcia, Assigned: h4writer)

Details

(Keywords: crash)

Crash Data

This bug was filed from the Socorro interface and is report bp-c4118826-2528-46e8-9138-0eef62170213.
=============================================================

Seen while looking at B5 crash stats: http://bit.ly/2lcrtAI. This increased a bit from Beta 4.
Discussed this crash in the Channel meeting today - ni on Naveed to see if he can help ascertain what might have caused the increase in this signature.
Flags: needinfo?(nihsanullah)
This signature also increased on aurora since 53.0a2 build 20170209004018.

Common patches that have landed in the two channels in this regression range would be:
    bug 1334933 - Inaccessible
    bug 1329796 - Inaccessible
    bug 1335272 - Security Error: Content at about:cache?storage=disk&context= may not load or link to about:cache-entry?storage=disk&context=&eid=&uri=...
    bug 1337304 - Inaccessible
    bug 1336291 - Lots of "TypeError: this._browsers is null: _getBrowserRefs@resource://app/modules/NewTabWebChannel.jsm:149" logspam during browser_remotenewtab_pageloads.js
    bug 1324952 - Intermittent netwerk/test/unit/test_be_conservative.js | xpcshell return code: 0 | - error should be NS_BASE_STREAM_CLOSED - 2152398864 == 2152136706
    bug 1322897 - Awful blurry fonts in text in long tab titles after landing patch from bug #658467
    bug 1334876 - Inaccessible
    bug 1319513 - Disabled "Clear Downloads" text is not grayed on Linux
    bug 1321579 - SIGSEGV on aarch64 in nsLayoutUtils::GetLastSibling when compiling with gcc6
I've got a bad feeling this is going to come back to bug 1334933.
From the jit-crash-categorize tool:

  if (raw_info->region_size != 0x10000) {
    printf("NOT_JIT_CODE\n");
    return 0;
  }

So we report NOT_JIT_CODE if we're not inside a 64K region. It's definitely possible and expected that we use bigger memory regions for JIT code now, since bug 1334933.

Based on that, I expect this to be a shift from other "jit |" signatures but not a new kind of crash.
Oh and we should fix the categorize tool. It should check something like:

  if (raw_info->region_size < 0x10000 || (raw_info->region_size % 0x10000) != 0) {
    printf("NOT_JIT_CODE\n");
    return 0;
  }
This is how jit crash signatures shifted from before 52.0b5 to afterwards: http://bit.ly/2le8nux
> if (raw_info->region_size < 0x10000 || (raw_info->region_size % 0x10000) != 0) {

This wouldn't be useful since all address space regions come in multiples of 64K.
Is this Windows-only? But right, maybe we should just remove the check then...
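To make the point of the two comments above concrete, here is an added example (not code from jit-crash-categorize or socorro) that models the original region-size check, the proposed modulo check, and the "just remove the check" option, and runs them over constructed region sizes; the 64K granularity constant and the sample sizes are assumptions for the model.

```python
# Added example: a model of the region-size check discussed in this bug, not code
# from the jit-crash-categorize tool or socorro. Region sizes below are constructed.

WIN_ALLOC_GRANULARITY = 0x10000  # 64 KiB: Windows address-space regions come in these units


def old_check(region_size):
    """Check quoted from the tool: anything but an exactly-64K region is NOT_JIT_CODE."""
    if region_size != 0x10000:
        return "NOT_JIT_CODE"
    return "JIT_CODE"


def proposed_check(region_size):
    """Proposed replacement: reject regions below 64K or not a multiple of 64K."""
    if region_size < 0x10000 or (region_size % 0x10000) != 0:
        return "NOT_JIT_CODE"
    return "JIT_CODE"


def no_check(region_size):
    """The 'remove the check' option: the region size is never consulted."""
    return "JIT_CODE"


def windows_region_sizes(max_units):
    """Every region size Windows can actually report, up to max_units granules."""
    return [WIN_ALLOC_GRANULARITY * n for n in range(1, max_units + 1)]


def compare(sizes):
    """Map each region size to the verdicts of all three checks."""
    return {s: (old_check(s), proposed_check(s), no_check(s)) for s in sizes}


def proposed_is_vacuous_on_windows(max_units=1024):
    """True when the proposed check agrees with removing the check for every size
    Windows can report, i.e. it filters nothing on that platform."""
    return all(proposed_check(s) == no_check(s) for s in windows_region_sizes(max_units))


if __name__ == "__main__":
    # A 64K region (the pre-bug-1334933 allocation) next to larger JIT regions
    for size, verdicts in compare([0x10000, 0x20000, 0x100000]).items():
        print(f"{size:#9x}: old={verdicts[0]:<12} proposed={verdicts[1]:<12} none={verdicts[2]}")
    print("proposed check is vacuous on Windows:", proposed_is_vacuous_on_windows())
```

The only inputs the proposed check rejects are sizes that are not multiples of 64K, which a Windows region can never have, so on that platform it behaves exactly like dropping the check.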
Yeah, just Windows:
https://github.com/mozilla/socorro/blob/master/socorro/processor/breakpad_transform_rules.py#L692

Also, this is a good time for a periodic sanity-check of line 703: Is Enter{Baseline,Ion} still the right set of things to be looking for these days?
(In reply to David Major [:dmajor] from comment #9)
> Yeah, just Windows:
> https://github.com/mozilla/socorro/blob/master/socorro/processor/
> breakpad_transform_rules.py#L692

Hm, the next line checks |processed_crash.cpu_name != 'x86'|. Should we include 'amd64' now?

> Also, this is a good time for a periodic sanity-check of line 703: Is
> Enter{Baseline,Ion} still the right set of things to be looking for these
> days?

Can't hurt to add js::jit::FastInvoke and js::jit::IonCannon (this is EnterIon's only caller so I wouldn't be surprised if EnterIon gets inlined into it). Maybe also irregexp::ExecuteCode.
> Hm, the next line checks |processed_crash.cpu_name != 'x86'|. Should we
> include 'amd64' now?

My memory is fuzzy but I want to say this was a limitation of the disassembler.
> > Also, this is a good time for a periodic sanity-check of line 703: Is
> > Enter{Baseline,Ion} still the right set of things to be looking for these
> > days?
> 
> Can't hurt to add js::jit::FastInvoke and js::jit::IonCannon (this is
> EnterIon's only caller so I wouldn't be surprised if EnterIon gets inlined
> into it). Maybe also irregexp::ExecuteCode.

I filed bug 1339960 for that.
Assignee: nobody → hv1989
Flags: needinfo?(nihsanullah)
Priority: -- → P3
Mass wontfix for bugs affecting firefox 52.
Closing because no crash reported since 12 weeks.
Status: NEW → RESOLVED
Closed: 6 years ago
Resolution: --- → WONTFIX