Closed Bug 1402087 Opened 7 years ago Closed 6 years ago

Crash in @0x11882e745074 and other random crash addresses in 20170921100141

Categories

(Core :: JavaScript Engine, defect, P2)

Product:
Core
Component:
JavaScript Engine
Platform:
Unspecified
macOS
Type:
defect

Tracking

()

Status:
RESOLVED WONTFIX
Tracking Flags:
Tracking Status
firefox57 --- wontfix
firefox58 --- affected
firefox59 --- affected

People

(Reporter: marcia, Unassigned)

References

Details

(Keywords: crash, Whiteboard: [#jsapi:crashes-retriage])

Crash Data

This bug was filed from the Socorro interface and is 
report bp-03de4897-a564-4af5-9936-c4cb90170921.
=============================================================

I noticed today that the Windows, Mac and Linux builds all have a bunch of random crash signatures. This sample report is one of the Mac ones. Many are single installs where a user has crashed multiple times. Full Mac list: http://bit.ly/2yg5MD9

Windows: Full list here: http://bit.ly/2fesxzM

Linux: https://crash-stats.mozilla.com/report/index/e8f0f48c-67fb-41eb-9f58-e503a0170921 is one example. I saw a few others with youtube.com URLs. Full Linux list: http://bit.ly/2wE2kWu
Just as a note, I spot-checked a few of those crashes and they don't seem to have any obvious issues with the minidump that would cause this. They have a valid list of modules, and other threads have a sensible stack.

It's possible this is a JIT code crash and something is broken in such a way that we can't unwind out of the JIT code.
ni on Naveed - can someone on your team take a look and see it if is possibly related to the JIT code? Thanks.
Flags: needinfo?(nihsanullah)
Moving into Naveed's triage queue.
Component: General → JavaScript Engine
Jan is there anything actionable that us implicate a component?
Assignee: nobody → jdemooij
Flags: needinfo?(nihsanullah) → needinfo?(jdemooij)
Priority: -- → P1
Marcia, are we still seeing this? We've seen a number of weird crashes in the Sept 21 Nightlies so just making sure this isn't related to that.
Flags: needinfo?(jdemooij) → needinfo?(mozillamarcia.knous)
(In reply to Jan de Mooij [:jandem] from comment #5)
> Marcia, are we still seeing this? We've seen a number of weird crashes in
> the Sept 21 Nightlies so just making sure this isn't related to that.

On Mac we are - see http://bit.ly/2xVpvuv. I was taking a look the other day if I could see some commonality. I wonder how many of them end up having "EXC_BAD_ACCESS / EXC_I386_GPFLT" as the Crash reason? I see that on a lot of the reports.

On the latest Linux and Windows builds, I don't see any crashes like we were seeing on the date of this report.
Flags: needinfo?(mozillamarcia.knous)
I took another look at one of these reports:
https://crash-stats.mozilla.com/report/index/28f016b7-fbf7-4b2c-90d9-622590171011

Again it has a sensible looking module list, and stacks on other threads look normal, although I do note that there are bare addresses in other threads as well, like Thread 0 has:
 71 	XUL	nsAppShell::ProcessGeckoEvents(void*)
72 		@0x7fff2e35d940
<a bunch of other bare addresses>

Which isn't typical. I ran my dump-lookup tool to see if there were any valid-looking addresses hiding on the crashing stack, and it only found a few plausible frames way down the stack:
0x0000700005412c58: libmozglue.dylib!arena_dalloc(void*, unsigned long) [mozjemalloc.cpp:7e991d4124cd : 2483 + 0x0]
0x0000700005412d88: libmozglue.dylib!arena_dalloc(void*, unsigned long) [mozjemalloc.cpp:7e991d4124cd : 2483 + 0x0]
0x0000700005412e48: libmozglue.dylib!arena_dalloc(void*, unsigned long) [mozjemalloc.cpp:7e991d4124cd : 2483 + 0x0]

The top frame of the stack has rsp = 0x00007000054126a8, so the first of those is 1456 bytes down. The last frame that the Breakpad stackwalker provides has rsp = 0x0000700005412ad0, which is still 1064 bytes from the first of those, so pretty far away.

The stackwalker reports that it used frame pointers to recover all the frames in the crashing stack, so it doesn't seem to be off in random memory--something properly set up a call stack here. I have only two plausible explanations:
1) This is JIT code, but we're somehow failing to unwind out of it. I'm a little shaky about this one, given that there aren't *any* plausible frames on the stack that are typical of calling into JIT code. I don't see EnterBaseline or anything like that hiding there.
2) This stack is in a shared library that got unloaded. That would explain it having valid frame pointers and such.

I note that of the macOS crashes, all the ones with this kind of signature seem to be on 10.13:
https://crash-stats.mozilla.com/search/?build_id=20171001220301&release_channel=nightly&signature=%40%400x%5B0-9a-f%5D%2B&product=Firefox&platform=Mac%20OS%20X&date=%3E%3D2017-10-01T00%3A00%3A00.000Z&date=%3C2017-10-03T13%3A27%3A00.000Z&_sort=-date&_facets=signature&_facets=platform_pretty_version&_columns=date&_columns=signature&_columns=product&_columns=version&_columns=build_id&_columns=platform&_columns=platform_pretty_version#facet-platform_pretty_version
status-firefox57: --- → wontfix
Priority: P1 → P2
This query shows the crashes affecting 57 beta: http://bit.ly/2zZluDw.
I am still seeing random crash addresses in the Mac nightly crash stats - http://bit.ly/2AkNQfi is the query that I was looking at this morning that is full of random addresses. It looks as if most of them are occurring using 10.13, which is the same thing I see using Ted's query in Comment 8.

I emailed the stability list regarding this and didn't get any feedback.

When I filed this back in September I was seeing the issue in Mac and Linux, but most recently I think it is a Mac specific 10.13 issue.
status-firefox59: --- → affected
Adding to our crash triage list.
Assignee: jdemooij → nobody
Whiteboard: [#jsapi:crashes-retriage]
Looking at some of these crashes that appear in FF62, they generally seem to be jit crashes that we weren't able to get a proper stack from. I think this should be closed now. Remaining crashes seem to be better tracked as Bug 858032.
Closing because no crash reported since 12 weeks.
Status: NEW → RESOLVED
Closed: 6 years ago
Resolution: --- → WONTFIX
You need to log in before you can comment on or make changes to this bug.