Crash in OOM | unknown | js::AutoEnterOOMUnsafeRegion::crash | js::jit::TryAttachCallStub
Categories
(Core :: JavaScript Engine: JIT, defect, P3)
Tracking
()
People
(Reporter: cyu, Unassigned)
References
(Blocks 1 open bug)
Details
(Keywords: crash, Whiteboard: qa-not-actionable)
Crash Data
Attachments
(1 file)
3.66 MB,
application/x-gzip
|
Details |
This bug was filed from the Socorro interface and is report bp-9cb20994-b1f6-406a-a45d-01a830180117. ============================================================= Top 4 frames of crashing thread: 0 xul.dll js::AutoEnterOOMUnsafeRegion::crash js/src/jscntxt.cpp:1651 1 xul.dll js::jit::TryAttachCallStub js/src/jit/BaselineIC.cpp:2255 2 xul.dll js::jit::DoCallFallback js/src/jit/BaselineIC.cpp:2528 3 @0x1ccb1bc7611 ============================================================= 18 crashes in 13 installations in the past 6 days on 52esr, 57, 58 and 59. Not really a top crash but I still file the bug because the OOM is interesting. The crash reason is "[unhandlable oom] Could not allocate ObjectGroup in EnsureTrackPropertyTypes". It crashes on 64 bit when there is still physical memory. For this crash https://crash-stats.mozilla.com/report/index/cb7fd581-0d3e-4f9c-ae7e-3d3c60180112 , it even OOM crashes when there is 23 GiB of physical memory.
Reporter | ||
Comment 1•6 years ago
|
||
Nicolas, could you take a deeper look? Thanks.
Updated•6 years ago
|
Comment 2•6 years ago
|
||
I'm getting some crashes with this signature, but I think it's actually bug 1498348
Comment 3•6 years ago
|
||
This bug correspond to 2 different code ath, one which is in Baseline IC and should probably be investigated by Matthew, and the other is a small allocation OOM on the creation of group object. Both are low volume and sounds safe to be a low priority at the moment.
Comment 4•5 years ago
|
||
I've had a few tab crashes. One of them is bp-75daaf76-e4cb-4b03-9647-d45a60190821
Still low volume, but looks like crash rate roughly tripped starting early July https://crash-stats.mozilla.org/signature/?signature=OOM%20%7C%20unknown%20%7C%20js%3A%3AAutoEnterOOMUnsafeRegion%3A%3Acrash%20%7C%20js%3A%3AEnsureTrackPropertyTypes&date=%3E%3D2019-02-21T21%3A36%3A00.000Z&date=%3C2019-08-21T21%3A36%3A00.000Z#graphs
Comment 5•5 years ago
|
||
(In reply to Nicolas B. Pierron [:nbp] from comment #3)
This bug correspond to 2 different code ath, one which is in Baseline IC and
should probably be investigated by Matthew, and the other is a small
allocation OOM on the creation of group object.Both are low volume and sounds safe to be a low priority at the moment.
We had a handful of crashes per day at the beginning of the year, but it has been steadily going up over the summer and we are now around 70 crashes per day. Has something changed over the summer that would explain that? Should that remain a p3? Thanks
Comment 6•5 years ago
|
||
Yes, since we enabled the Baseline-Interpreter which is relying on CacheIR mechanism.
Forwarding the needinfo to Jan.
Comment 7•5 years ago
|
||
This probably can be resummaried: TryAttachCallStub
is gone, and the sig that is rising is only EnsureTrackPropertyTypes
.
Comment 8•5 years ago
|
||
(In reply to Matthew Gaudet (he/him) [:mgaudet] from comment #7)
This probably can be resummaried:
TryAttachCallStub
is gone, and the sig that is rising is onlyEnsureTrackPropertyTypes
.
Yes this is crashing on OOM in EnsureTrackPropertyTypes and we call that in a number of different places... It could also be that we reached the max GC heap size (4 GB still I think?).
Comment 9•4 years ago
|
||
daily crash count more than doubled in past 3 months https://crash-stats.mozilla.org/signature/?product=Firefox&signature=OOM%20%7C%20unknown%20%7C%20js%3A%3AAutoEnterOOMUnsafeRegion%3A%3Acrash%20%7C%20js%3A%3AEnsureTrackPropertyTypes&date=%3E%3D2019-09-19T09%3A30%3A00.000Z&date=%3C2019-12-19T09%3A30%3A00.000Z#graphs
one of mine bp-9af8a89f-5d10-4ec2-8c55-0b7700191219
Updated•3 years ago
|
Updated•3 years ago
|
Updated•2 years ago
|
Comment 12•2 years ago
|
||
Since the crash volume is low (less than 5 per week), the severity is downgraded to S3
. Feel free to change it back if you think the bug is still critical.
For more information, please visit auto_nag documentation.
Comment 13•4 months ago
|
||
Closing because no crashes reported for 12 weeks.
Description
•