Closed Bug 1353543 Opened 8 years ago Closed 8 years ago

Crash in LookupAsmJSModuleInCache

Categories

(Core :: JavaScript Engine, defect)

Product:
Core
Component:
JavaScript Engine
Version:
52 Branch
Platform:
All
Windows
Type:
defect
Priority:
Not set
Severity:
critical

Tracking

()

Status:
RESOLVED FIXED
Milestone:
mozilla55
Tracking Flags:
Tracking Status
firefox-esr45 --- unaffected
firefox52 --- wontfix
firefox-esr52 --- fixed
firefox53 --- wontfix
firefox54 --- fixed
firefox55 --- fixed

People

(Reporter: philipp, Assigned: luke)

References

Details

(Keywords: crash, regression)

Crash Data

Attachments

(1 file)

non-fatal-assert
1.33 KB, patch
bbouvier
: review+
gchang
: approval-mozilla-aurora+
lizzard
: approval-mozilla-beta-
ritu
: approval-mozilla-esr52+
Details | Diff | Splinter Review
This bug was filed from the Socorro interface and is report bp-b19edaa1-4309-41ad-94f3-7cec32170404. ============================================================= Crashing Thread (5) Frame Module Signature Source 0 xul.dll LookupAsmJSModuleInCache js/src/wasm/AsmJS.cpp:8552 1 xul.dll js::CompileAsmJS(js::ExclusiveContext*, js::frontend::Parser<js::frontend::FullParseHandler>&, js::frontend::ParseNode*, bool*) js/src/wasm/AsmJS.cpp:8683 2 xul.dll js::frontend::Parser<js::frontend::FullParseHandler>::asmJS(js::frontend::ParseNode*) js/src/frontend/Parser.cpp:3705 3 xul.dll js::frontend::Parser<js::frontend::FullParseHandler>::maybeParseDirective(js::frontend::ParseNode*, js::frontend::ParseNode*, bool*) js/src/frontend/Parser.cpp:3791 4 xul.dll js::frontend::Parser<js::frontend::FullParseHandler>::statementList(js::frontend::YieldHandling) js/src/frontend/Parser.cpp:3851 5 xul.dll js::frontend::Parser<js::frontend::FullParseHandler>::functionBody(js::frontend::InHandling, js::frontend::YieldHandling, js::frontend::FunctionSyntaxKind, js::frontend::Parser<js::frontend::FullParseHandler>::FunctionBodyType) js/src/frontend/Parser.cpp:2409 6 xul.dll js::frontend::Parser<js::frontend::FullParseHandler>::functionFormalParametersAndBody(js::frontend::InHandling, js::frontend::YieldHandling, js::frontend::ParseNode*, js::frontend::FunctionSyntaxKind) js/src/frontend/Parser.cpp:3487 7 xul.dll js::frontend::Parser<js::frontend::FullParseHandler>::trySyntaxParseInnerFunction(js::frontend::ParseNode*, JS::Handle<JSFunction*>, js::frontend::InHandling, js::frontend::YieldHandling, js::frontend::FunctionSyntaxKind, js::GeneratorKind, js::FunctionAsyncKind, bool, js::frontend::Directives, js::frontend::Directives*) js/src/frontend/Parser.cpp:3269 8 xul.dll js::frontend::Parser<js::frontend::FullParseHandler>::functionDefinition(js::frontend::InHandling, js::frontend::YieldHandling, JS::Handle<JSAtom*>, js::frontend::FunctionSyntaxKind, js::GeneratorKind, js::FunctionAsyncKind, js::frontend::Parser<js::frontend::FullParseHandler>::InvokedPrediction) js/src/frontend/Parser.cpp:3175 9 xul.dll js::frontend::Parser<js::frontend::FullParseHandler>::functionExpr(js::frontend::Parser<js::frontend::FullParseHandler>::InvokedPrediction, js::FunctionAsyncKind) js/src/frontend/Parser.cpp:3631 10 xul.dll js::frontend::Parser<js::frontend::FullParseHandler>::primaryExpr(js::frontend::YieldHandling, js::frontend::TripledotHandling, js::frontend::TokenKind, js::frontend::Parser<js::frontend::FullParseHandler>::PossibleError*, js::frontend::Parser<js::frontend::FullParseHandler>::InvokedPrediction) js/src/frontend/Parser.cpp:9398 11 xul.dll js::frontend::Parser<js::frontend::FullParseHandler>::memberExpr(js::frontend::YieldHandling, js::frontend::TripledotHandling, js::frontend::TokenKind, bool, js::frontend::Parser<js::frontend::FullParseHandler>::PossibleError*, js::frontend::Parser<js::frontend::FullParseHandler>::InvokedPrediction) js/src/frontend/Parser.cpp:8463 12 xul.dll js::frontend::Parser<js::frontend::FullParseHandler>::unaryExpr(js::frontend::YieldHandling, js::frontend::TripledotHandling, js::frontend::Parser<js::frontend::FullParseHandler>::PossibleError*, js::frontend::Parser<js::frontend::FullParseHandler>::InvokedPrediction) js/src/frontend/Parser.cpp:7990 13 xul.dll js::frontend::Parser<js::frontend::FullParseHandler>::assignExpr(js::frontend::InHandling, js::frontend::YieldHandling, js::frontend::TripledotHandling, js::frontend::Parser<js::frontend::FullParseHandler>::PossibleError*, js::frontend::Parser<js::frontend::FullParseHandler>::InvokedPrediction) js/src/frontend/Parser.cpp:7632 14 xul.dll js::frontend::Parser<js::frontend::FullParseHandler>::expr(js::frontend::InHandling, js::frontend::YieldHandling, js::frontend::TripledotHandling, js::frontend::Parser<js::frontend::FullParseHandler>::PossibleError*, js::frontend::Parser<js::frontend::FullParseHandler>::InvokedPrediction) js/src/frontend/Parser.cpp:7217 15 xul.dll js::frontend::Parser<js::frontend::FullParseHandler>::primaryExpr(js::frontend::YieldHandling, js::frontend::TripledotHandling, js::frontend::TokenKind, js::frontend::Parser<js::frontend::FullParseHandler>::PossibleError*, js::frontend::Parser<js::frontend::FullParseHandler>::InvokedPrediction) js/src/frontend/Parser.cpp:9440 16 xul.dll js::frontend::Parser<js::frontend::FullParseHandler>::memberExpr(js::frontend::YieldHandling, js::frontend::TripledotHandling, js::frontend::TokenKind, bool, js::frontend::Parser<js::frontend::FullParseHandler>::PossibleError*, js::frontend::Parser<js::frontend::FullParseHandler>::InvokedPrediction) js/src/frontend/Parser.cpp:8463 17 xul.dll js::frontend::Parser<js::frontend::FullParseHandler>::unaryExpr(js::frontend::YieldHandling, js::frontend::TripledotHandling, js::frontend::Parser<js::frontend::FullParseHandler>::PossibleError*, js::frontend::Parser<js::frontend::FullParseHandler>::InvokedPrediction) js/src/frontend/Parser.cpp:7990 18 xul.dll js::frontend::Parser<js::frontend::FullParseHandler>::assignExpr(js::frontend::InHandling, js::frontend::YieldHandling, js::frontend::TripledotHandling, js::frontend::Parser<js::frontend::FullParseHandler>::PossibleError*, js::frontend::Parser<js::frontend::FullParseHandler>::InvokedPrediction) js/src/frontend/Parser.cpp:7632 19 xul.dll js::frontend::Parser<js::frontend::FullParseHandler>::assignExpr(js::frontend::InHandling, js::frontend::YieldHandling, js::frontend::TripledotHandling, js::frontend::Parser<js::frontend::FullParseHandler>::PossibleError*, js::frontend::Parser<js::frontend::FullParseHandler>::InvokedPrediction) js/src/frontend/Parser.cpp:7762 20 xul.dll js::frontend::Parser<js::frontend::FullParseHandler>::expr(js::frontend::InHandling, js::frontend::YieldHandling, js::frontend::TripledotHandling, js::frontend::Parser<js::frontend::FullParseHandler>::PossibleError*, js::frontend::Parser<js::frontend::FullParseHandler>::InvokedPrediction) js/src/frontend/Parser.cpp:7217 21 xul.dll js::frontend::Parser<js::frontend::FullParseHandler>::expressionStatement(js::frontend::YieldHandling, js::frontend::Parser<js::frontend::FullParseHandler>::InvokedPrediction) js/src/frontend/Parser.cpp:5208 22 xul.dll js::frontend::Parser<js::frontend::FullParseHandler>::statementListItem(js::frontend::YieldHandling, bool) js/src/frontend/Parser.cpp:7110 23 xul.dll js::frontend::Parser<js::frontend::FullParseHandler>::statementList(js::frontend::YieldHandling) js/src/frontend/Parser.cpp:3829 24 xul.dll js::frontend::Parser<js::frontend::FullParseHandler>::globalBody(js::frontend::GlobalSharedContext*) js/src/frontend/Parser.cpp:1951 25 xul.dll BytecodeCompiler::compileScript(JS::Handle<JSObject*>, js::frontend::SharedContext*) js/src/frontend/BytecodeCompiler.cpp:335 26 xul.dll BytecodeCompiler::compileGlobalScript(js::ScopeKind) js/src/frontend/BytecodeCompiler.cpp:376 27 xul.dll js::ThisThread::GetId() js/src/threading/windows/Thread.cpp:118 28 xul.dll js::frontend::CompileGlobalScript(js::ExclusiveContext*, js::LifoAlloc&, js::ScopeKind, JS::ReadOnlyCompileOptions const&, JS::SourceBufferHolder&, js::SourceCompressionTask*, js::ScriptSourceObject**) js/src/frontend/BytecodeCompiler.cpp:569 29 xul.dll js::ScriptParseTask::parse() js/src/vm/HelperThreads.cpp:370 30 xul.dll js::HelperThread::handleParseWorkload(js::AutoLockHelperThreadState&, unsigned int) js/src/vm/HelperThreads.cpp:1628 31 xul.dll js::HelperThread::threadLoop() js/src/vm/HelperThreads.cpp:1882 32 xul.dll js::detail::ThreadTrampoline<void (&)(void*), js::HelperThread*>::Start(void*) js/src/threading/Thread.h:227 33 ucrtbase.dll _o__CIpow 34 kernel32.dll BaseThreadInitThunk 35 ntdll.dll __RtlUserThreadStart 36 ntdll.dll _RtlUserThreadStart this crash signature is newly showing up on firefox 52 with a moz_assert introduced in bug 1276029. many of the user comments seem to refer to playing online games as a source of the crashes. Correlations for Firefox Release (100.0% in signature vs 27.22% overall) "GL Context+" in app_notes = true [109.01% vs 77.63% if startup_crash = null] (73.49% in signature vs 27.57% overall) process_type = content [55.86% vs 302.54% if startup_crash = null] (100.0% in signature vs 00.10% overall) moz_crash_reason = MOZ_RELEASE_ASSERT(cursor == entry.memory + entry.serializedSize)
I'm unable to reproduce trying various combinations of cache hit and cache miss on the URLs in the crashes. Given top11 is a pretty popular game, there must be some rare condition that causes this to trigger or else we'd see this a lot more. I had hoped that for a bug of this type, we'd get STR. We do have a safe and clean failure path here that won't cache (it'll just cause a cache miss which will recompile), so we can just do that.
Attached patch non-fatal-assertSplinter Review
Assignee: nobody → luke
Attachment #8854632 - Flags: review?(bbouvier)
Comment on attachment 8854632 [details] [diff] [review] non-fatal-assert Review of attachment 8854632 [details] [diff] [review]: ----------------------------------------------------------------- It's a bit unfortunate, but it's better than having random crashes we can't explain. Thanks!
Attachment #8854632 - Flags: review?(bbouvier) → review+
Pushed by lwagner@mozilla.com: https://hg.mozilla.org/integration/mozilla-inbound/rev/c6a73e6fcf5e Baldr: soften LookupAsmJSModuleInCache check (r=bbouvier)
Comment on attachment 8854632 [details] [diff] [review] non-fatal-assert Approval Request Comment [Feature/Bug causing the regression]: none [User impact if declined]: RELEASE_ASSERT() instead of safe cache miss [Is this code covered by automated tests?]: yes [Has the fix been verified in Nightly?]: not really a fix you can verify; if we could reproduce a crash, we'd just fix it [Needs manual test from QE? If yes, steps to reproduce]: no [List of other uplifts needed for the feature/fix]: none [Is the change risky?]: no [Why is the change risky/not risky?]: just turns a release assert into a normal failure path; there are many other failure paths just like it [String changes made/needed]: none
Attachment #8854632 - Flags: approval-mozilla-beta?
Attachment #8854632 - Flags: approval-mozilla-aurora?
https://hg.mozilla.org/mozilla-central/rev/c6a73e6fcf5e
Status: NEW → RESOLVED
Closed: 8 years ago
status-firefox55: affectedfixed
Resolution: --- → FIXED
Target Milestone: --- → mozilla55
Attachment #8854632 - Flags: approval-mozilla-esr52?
Comment on attachment 8854632 [details] [diff] [review] non-fatal-assert Take this and see if the crash is decreased. Aurora54+.
Attachment #8854632 - Flags: approval-mozilla-aurora? → approval-mozilla-aurora+
Comment on attachment 8854632 [details] [diff] [review] non-fatal-assert Let's see how this does with 54 aurora/beta. Too late for 53 uplift.
Attachment #8854632 - Flags: approval-mozilla-beta? → approval-mozilla-beta-
Comment on attachment 8854632 [details] [diff] [review] non-fatal-assert Replaces an assert with a proper fix for unexpected state. We've hit this release assert ~600 times in the past week, seems worthwhile to uplift to esr52.2.
Attachment #8854632 - Flags: approval-mozilla-esr52? → approval-mozilla-esr52+
(In reply to Luke Wagner [:luke] from comment #5) > [Is this code covered by automated tests?]: yes > [Has the fix been verified in Nightly?]: not really a fix you can verify; if > we could reproduce a crash, we'd just fix it > [Needs manual test from QE? If yes, steps to reproduce]: no Setting qe-verify- based on Luke's assessment on manual testing needs and the fact that this fix has automated coverage.
Flags: qe-verify-
You need to log in before you can comment on or make changes to this bug.

Attachment

General

Creator:
Created:
Updated:
Size: