1420742 - Crash in js::ConstraintTypeSet::addConstraint

Status: RESOLVED INVALID

(Core :: JavaScript Engine: JIT, defect, P3)

Description

[Julian Seward [:jseward]]

This bug was filed from the Socorro interface and is
report bp-a409007a-3eb0-4a53-8664-b22bc0171125.
=============================================================

This is topcrash #13 in the windows nightly 20171123220110.

Top 9 frames of crashing thread:

0 mozglue.dll MOZ_CrashPrintf mfbt/Assertions.cpp:50
1 xul.dll js::ConstraintTypeSet::addConstraint js/src/vm/TypeInference.cpp:532
2 xul.dll js::FinishCompilation js/src/vm/TypeInference.cpp:1500
3 xul.dll js::jit::CodeGenerator::link js/src/jit/CodeGenerator.cpp:9705
4 xul.dll LinkCodeGen js/src/jit/Ion.cpp:540
5 xul.dll LinkBackgroundCodeGen js/src/jit/Ion.cpp:560
6 xul.dll js::jit::LinkIonScript js/src/jit/Ion.cpp:582
7 xul.dll js::jit::LazyLinkTopActivation js/src/jit/Ion.cpp:601
8 xul.dll EnterJit js/src/jit/Jit.cpp:99

=============================================================

Comment 1

[Brian Hackett [Laid off!]]

This looks like it is crashing at the diagnostic asserts added in bug 1333000.

Comment 2

[Jan de Mooij [:jandem]]

(In reply to Brian Hackett (:bhackett) from comment #1)
> This looks like it is crashing at the diagnostic asserts added in bug
> 1333000.

Yeah. I don't know what else we should try here. This might be similar to other LifoAlloc corruption bugs :/

Comment 3

[Nicolas B. Pierron [:nbp]]

Looking at the crash addresses for the last 6 monthes of crashes, these crashes look like there is some bit-flip happening, i-e. mostly zero values, with a 0x8 or 0x10 offset.

Comment 4

[Jan de Mooij [:jandem]]

Code no longer exists.

Comment 5

[BugBot [:suhaib / :marco/ :calixte]]

Since the bug is closed, the stalled keyword is now meaningless.
For more information, please visit auto_nag documentation.