Closed Bug 1353543 Opened 7 years ago Closed 7 years ago

Crash in LookupAsmJSModuleInCache

Categories

(Core :: JavaScript Engine, defect)

52 Branch
All
Windows
defect
Not set
critical

Tracking

()

RESOLVED FIXED
mozilla55
Tracking Status
firefox-esr45 --- unaffected
firefox52 --- wontfix
firefox-esr52 --- fixed
firefox53 --- wontfix
firefox54 --- fixed
firefox55 --- fixed

People

(Reporter: philipp, Assigned: luke)

References

Details

(Keywords: crash, regression)

Crash Data

Attachments

(1 file)

This bug was filed from the Socorro interface and is 
report bp-b19edaa1-4309-41ad-94f3-7cec32170404.
=============================================================
Crashing Thread (5)
Frame 	Module 	Signature 	Source
0 	xul.dll 	LookupAsmJSModuleInCache 	js/src/wasm/AsmJS.cpp:8552
1 	xul.dll 	js::CompileAsmJS(js::ExclusiveContext*, js::frontend::Parser<js::frontend::FullParseHandler>&, js::frontend::ParseNode*, bool*) 	js/src/wasm/AsmJS.cpp:8683
2 	xul.dll 	js::frontend::Parser<js::frontend::FullParseHandler>::asmJS(js::frontend::ParseNode*) 	js/src/frontend/Parser.cpp:3705
3 	xul.dll 	js::frontend::Parser<js::frontend::FullParseHandler>::maybeParseDirective(js::frontend::ParseNode*, js::frontend::ParseNode*, bool*) 	js/src/frontend/Parser.cpp:3791
4 	xul.dll 	js::frontend::Parser<js::frontend::FullParseHandler>::statementList(js::frontend::YieldHandling) 	js/src/frontend/Parser.cpp:3851
5 	xul.dll 	js::frontend::Parser<js::frontend::FullParseHandler>::functionBody(js::frontend::InHandling, js::frontend::YieldHandling, js::frontend::FunctionSyntaxKind, js::frontend::Parser<js::frontend::FullParseHandler>::FunctionBodyType) 	js/src/frontend/Parser.cpp:2409
6 	xul.dll 	js::frontend::Parser<js::frontend::FullParseHandler>::functionFormalParametersAndBody(js::frontend::InHandling, js::frontend::YieldHandling, js::frontend::ParseNode*, js::frontend::FunctionSyntaxKind) 	js/src/frontend/Parser.cpp:3487
7 	xul.dll 	js::frontend::Parser<js::frontend::FullParseHandler>::trySyntaxParseInnerFunction(js::frontend::ParseNode*, JS::Handle<JSFunction*>, js::frontend::InHandling, js::frontend::YieldHandling, js::frontend::FunctionSyntaxKind, js::GeneratorKind, js::FunctionAsyncKind, bool, js::frontend::Directives, js::frontend::Directives*) 	js/src/frontend/Parser.cpp:3269
8 	xul.dll 	js::frontend::Parser<js::frontend::FullParseHandler>::functionDefinition(js::frontend::InHandling, js::frontend::YieldHandling, JS::Handle<JSAtom*>, js::frontend::FunctionSyntaxKind, js::GeneratorKind, js::FunctionAsyncKind, js::frontend::Parser<js::frontend::FullParseHandler>::InvokedPrediction) 	js/src/frontend/Parser.cpp:3175
9 	xul.dll 	js::frontend::Parser<js::frontend::FullParseHandler>::functionExpr(js::frontend::Parser<js::frontend::FullParseHandler>::InvokedPrediction, js::FunctionAsyncKind) 	js/src/frontend/Parser.cpp:3631
10 	xul.dll 	js::frontend::Parser<js::frontend::FullParseHandler>::primaryExpr(js::frontend::YieldHandling, js::frontend::TripledotHandling, js::frontend::TokenKind, js::frontend::Parser<js::frontend::FullParseHandler>::PossibleError*, js::frontend::Parser<js::frontend::FullParseHandler>::InvokedPrediction) 	js/src/frontend/Parser.cpp:9398
11 	xul.dll 	js::frontend::Parser<js::frontend::FullParseHandler>::memberExpr(js::frontend::YieldHandling, js::frontend::TripledotHandling, js::frontend::TokenKind, bool, js::frontend::Parser<js::frontend::FullParseHandler>::PossibleError*, js::frontend::Parser<js::frontend::FullParseHandler>::InvokedPrediction) 	js/src/frontend/Parser.cpp:8463
12 	xul.dll 	js::frontend::Parser<js::frontend::FullParseHandler>::unaryExpr(js::frontend::YieldHandling, js::frontend::TripledotHandling, js::frontend::Parser<js::frontend::FullParseHandler>::PossibleError*, js::frontend::Parser<js::frontend::FullParseHandler>::InvokedPrediction) 	js/src/frontend/Parser.cpp:7990
13 	xul.dll 	js::frontend::Parser<js::frontend::FullParseHandler>::assignExpr(js::frontend::InHandling, js::frontend::YieldHandling, js::frontend::TripledotHandling, js::frontend::Parser<js::frontend::FullParseHandler>::PossibleError*, js::frontend::Parser<js::frontend::FullParseHandler>::InvokedPrediction) 	js/src/frontend/Parser.cpp:7632
14 	xul.dll 	js::frontend::Parser<js::frontend::FullParseHandler>::expr(js::frontend::InHandling, js::frontend::YieldHandling, js::frontend::TripledotHandling, js::frontend::Parser<js::frontend::FullParseHandler>::PossibleError*, js::frontend::Parser<js::frontend::FullParseHandler>::InvokedPrediction) 	js/src/frontend/Parser.cpp:7217
15 	xul.dll 	js::frontend::Parser<js::frontend::FullParseHandler>::primaryExpr(js::frontend::YieldHandling, js::frontend::TripledotHandling, js::frontend::TokenKind, js::frontend::Parser<js::frontend::FullParseHandler>::PossibleError*, js::frontend::Parser<js::frontend::FullParseHandler>::InvokedPrediction) 	js/src/frontend/Parser.cpp:9440
16 	xul.dll 	js::frontend::Parser<js::frontend::FullParseHandler>::memberExpr(js::frontend::YieldHandling, js::frontend::TripledotHandling, js::frontend::TokenKind, bool, js::frontend::Parser<js::frontend::FullParseHandler>::PossibleError*, js::frontend::Parser<js::frontend::FullParseHandler>::InvokedPrediction) 	js/src/frontend/Parser.cpp:8463
17 	xul.dll 	js::frontend::Parser<js::frontend::FullParseHandler>::unaryExpr(js::frontend::YieldHandling, js::frontend::TripledotHandling, js::frontend::Parser<js::frontend::FullParseHandler>::PossibleError*, js::frontend::Parser<js::frontend::FullParseHandler>::InvokedPrediction) 	js/src/frontend/Parser.cpp:7990
18 	xul.dll 	js::frontend::Parser<js::frontend::FullParseHandler>::assignExpr(js::frontend::InHandling, js::frontend::YieldHandling, js::frontend::TripledotHandling, js::frontend::Parser<js::frontend::FullParseHandler>::PossibleError*, js::frontend::Parser<js::frontend::FullParseHandler>::InvokedPrediction) 	js/src/frontend/Parser.cpp:7632
19 	xul.dll 	js::frontend::Parser<js::frontend::FullParseHandler>::assignExpr(js::frontend::InHandling, js::frontend::YieldHandling, js::frontend::TripledotHandling, js::frontend::Parser<js::frontend::FullParseHandler>::PossibleError*, js::frontend::Parser<js::frontend::FullParseHandler>::InvokedPrediction) 	js/src/frontend/Parser.cpp:7762
20 	xul.dll 	js::frontend::Parser<js::frontend::FullParseHandler>::expr(js::frontend::InHandling, js::frontend::YieldHandling, js::frontend::TripledotHandling, js::frontend::Parser<js::frontend::FullParseHandler>::PossibleError*, js::frontend::Parser<js::frontend::FullParseHandler>::InvokedPrediction) 	js/src/frontend/Parser.cpp:7217
21 	xul.dll 	js::frontend::Parser<js::frontend::FullParseHandler>::expressionStatement(js::frontend::YieldHandling, js::frontend::Parser<js::frontend::FullParseHandler>::InvokedPrediction) 	js/src/frontend/Parser.cpp:5208
22 	xul.dll 	js::frontend::Parser<js::frontend::FullParseHandler>::statementListItem(js::frontend::YieldHandling, bool) 	js/src/frontend/Parser.cpp:7110
23 	xul.dll 	js::frontend::Parser<js::frontend::FullParseHandler>::statementList(js::frontend::YieldHandling) 	js/src/frontend/Parser.cpp:3829
24 	xul.dll 	js::frontend::Parser<js::frontend::FullParseHandler>::globalBody(js::frontend::GlobalSharedContext*) 	js/src/frontend/Parser.cpp:1951
25 	xul.dll 	BytecodeCompiler::compileScript(JS::Handle<JSObject*>, js::frontend::SharedContext*) 	js/src/frontend/BytecodeCompiler.cpp:335
26 	xul.dll 	BytecodeCompiler::compileGlobalScript(js::ScopeKind) 	js/src/frontend/BytecodeCompiler.cpp:376
27 	xul.dll 	js::ThisThread::GetId() 	js/src/threading/windows/Thread.cpp:118
28 	xul.dll 	js::frontend::CompileGlobalScript(js::ExclusiveContext*, js::LifoAlloc&, js::ScopeKind, JS::ReadOnlyCompileOptions const&, JS::SourceBufferHolder&, js::SourceCompressionTask*, js::ScriptSourceObject**) 	js/src/frontend/BytecodeCompiler.cpp:569
29 	xul.dll 	js::ScriptParseTask::parse() 	js/src/vm/HelperThreads.cpp:370
30 	xul.dll 	js::HelperThread::handleParseWorkload(js::AutoLockHelperThreadState&, unsigned int) 	js/src/vm/HelperThreads.cpp:1628
31 	xul.dll 	js::HelperThread::threadLoop() 	js/src/vm/HelperThreads.cpp:1882
32 	xul.dll 	js::detail::ThreadTrampoline<void (&)(void*), js::HelperThread*>::Start(void*) 	js/src/threading/Thread.h:227
33 	ucrtbase.dll 	_o__CIpow 	
34 	kernel32.dll 	BaseThreadInitThunk 	
35 	ntdll.dll 	__RtlUserThreadStart 	
36 	ntdll.dll 	_RtlUserThreadStart

this crash signature is newly showing up on firefox 52 with a moz_assert introduced in bug 1276029. many of the user comments seem to refer to playing online games as a source of the crashes.

Correlations for Firefox Release
(100.0% in signature vs 27.22% overall) "GL Context+" in app_notes = true [109.01% vs 77.63% if startup_crash = null]
(73.49% in signature vs 27.57% overall) process_type = content [55.86% vs 302.54% if startup_crash = null]
(100.0% in signature vs 00.10% overall) moz_crash_reason = MOZ_RELEASE_ASSERT(cursor == entry.memory + entry.serializedSize)
I'm unable to reproduce trying various combinations of cache hit and cache miss on the URLs in the crashes.  Given top11 is a pretty popular game, there must be some rare condition that causes this to trigger or else we'd see this a lot more.  I had hoped that for a bug of this type, we'd get STR.  We do have a safe and clean failure path here that won't cache (it'll just cause a cache miss which will recompile), so we can just do that.
Attached patch non-fatal-assertSplinter Review
Assignee: nobody → luke
Attachment #8854632 - Flags: review?(bbouvier)
Comment on attachment 8854632 [details] [diff] [review]
non-fatal-assert

Review of attachment 8854632 [details] [diff] [review]:
-----------------------------------------------------------------

It's a bit unfortunate, but it's better than having random crashes we can't explain. Thanks!
Attachment #8854632 - Flags: review?(bbouvier) → review+
Pushed by lwagner@mozilla.com:
https://hg.mozilla.org/integration/mozilla-inbound/rev/c6a73e6fcf5e
Baldr: soften LookupAsmJSModuleInCache check (r=bbouvier)
Comment on attachment 8854632 [details] [diff] [review]
non-fatal-assert

Approval Request Comment
[Feature/Bug causing the regression]: none
[User impact if declined]: RELEASE_ASSERT() instead of safe cache miss
[Is this code covered by automated tests?]: yes
[Has the fix been verified in Nightly?]: not really a fix you can verify; if we could reproduce a crash, we'd just fix it
[Needs manual test from QE? If yes, steps to reproduce]: no
[List of other uplifts needed for the feature/fix]: none
[Is the change risky?]: no
[Why is the change risky/not risky?]: just turns a release assert into a normal failure path; there are many other failure paths just like it
[String changes made/needed]: none
Attachment #8854632 - Flags: approval-mozilla-beta?
Attachment #8854632 - Flags: approval-mozilla-aurora?
https://hg.mozilla.org/mozilla-central/rev/c6a73e6fcf5e
Status: NEW → RESOLVED
Closed: 7 years ago
Resolution: --- → FIXED
Target Milestone: --- → mozilla55
Attachment #8854632 - Flags: approval-mozilla-esr52?
Comment on attachment 8854632 [details] [diff] [review]
non-fatal-assert

Take this and see if the crash is decreased. Aurora54+.
Attachment #8854632 - Flags: approval-mozilla-aurora? → approval-mozilla-aurora+
Comment on attachment 8854632 [details] [diff] [review]
non-fatal-assert

Let's see how this does with 54 aurora/beta. Too late for 53 uplift.
Attachment #8854632 - Flags: approval-mozilla-beta? → approval-mozilla-beta-
Comment on attachment 8854632 [details] [diff] [review]
non-fatal-assert

Replaces an assert with a proper fix for unexpected state. We've hit this release assert ~600 times in the past week, seems worthwhile to uplift to esr52.2.
Attachment #8854632 - Flags: approval-mozilla-esr52? → approval-mozilla-esr52+
(In reply to Luke Wagner [:luke] from comment #5)
> [Is this code covered by automated tests?]: yes
> [Has the fix been verified in Nightly?]: not really a fix you can verify; if
> we could reproduce a crash, we'd just fix it
> [Needs manual test from QE? If yes, steps to reproduce]: no

Setting qe-verify- based on Luke's assessment on manual testing needs and the fact that this fix has automated coverage.
Flags: qe-verify-
You need to log in before you can comment on or make changes to this bug.

Attachment

General

Created:
Updated:
Size: