Open Bug 1441002 Opened 6 years ago Updated 7 months ago

Crash in js::GCMarker::eagerlyMarkChildren

Categories

(Core :: JavaScript: GC, defect, P3)

Product:
Core
Component:
JavaScript: GC
Platform:
Unspecified
Windows 10
Type:
defect

Tracking

()

Tracking Flags:
Tracking Status
firefox-esr60 --- affected
firefox60 --- wontfix
firefox64 --- wontfix
firefox65 --- wontfix
firefox66 --- wontfix
firefox67 --- wontfix
firefox69 --- wontfix
firefox70 --- wontfix
firefox71 - wontfix

People

(Reporter: calixte, Unassigned)

References

(Blocks 1 open bug)

Details

(Keywords: crash, regression, stalled)

Crash Data

This bug was filed from the Socorro interface and is
report bp-c75efda7-257f-4be0-b8f1-83ce60180225.
=============================================================

Top 3 frames of crashing thread:

0 xul.dll js::GCMarker::eagerlyMarkChildren js/src/gc/Marking.cpp:1130
1 xul.dll DispatchToTracer<JSString*> js/src/gc/Marking.cpp:684
2  @0x239cb361880 

=============================================================

There are 109 crashes in nightly 60 starting with buildid 20180224103027. The volume before this build was pretty low (only few crashes every day).
The pushlog for this build is:
https://hg.mozilla.org/mozilla-central/pushloghtml?fromchange=ad3c6f89d677&tochange=b3191953ccda
It could be related to patch for bug 903519.
:sfink, could you investigate please ?
Flags: needinfo?(sphink)
Adding another signature that spiked in the same build, and seems tied to the bug noted in Comment 0.
Crash Signature: [@ js::GCMarker::eagerlyMarkChildren] → [@ js::GCMarker::eagerlyMarkChildren] [@ js::gc::StoreBuffer::put<T>]
(These are almost certainly bug 903519.)
Blocks: 903519
No longer blocks: 903519
Andrew, could you please help with thisissue? 
We have this crash for a while but the volume is still huge (more than 80 000 installs impacted at least)
Flags: needinfo?(overholt)
(In reply to Marcia Knous [:marcia - needinfo? me] from comment #1)
> Adding another signature that spiked in the same build, and seems tied to
> the bug noted in Comment 0.

I split the new signature into bug 1444495.

Steve's looking at this.
Crash Signature: [@ js::GCMarker::eagerlyMarkChildren] [@ js::gc::StoreBuffer::put<T>] → [@ js::GCMarker::eagerlyMarkChildren]
Flags: needinfo?(overholt)
Priority: -- → P1
Blocks: GCCrashes
See Also: → 1439271
Some crash addresses ending in e5e5e5 so I'll mark it security-sensitive.
Group: javascript-core-security
Flags: needinfo?(sphink)
I'm hoping to land bug 1485209 or something like it to smoke out these issues sooner.
bug 1485209 has landed, but I'm having some trouble getting a signal out of it since it's lumped in with all other jit crashes.
Steve, what's the next step to debug this? It seems like we need some kind of follow-up to make the assertion in bug 1485209 more useful here.
Flags: needinfo?(sphink)
(In reply to Steve Fink [:sfink] [:s:] from comment #7)
> bug 1485209 has landed, but I'm having some trouble getting a signal out of
> it since it's lumped in with all other jit crashes.

Maybe one option would be to replace the masm.breakpoint() call by an actual function call such as we do for AssumeUnreachable macro assembler function, and then have a proper MOZ_CRASH within the function.  This should prevent the noise coming from other JIT crashes.
Steve, do you know when we expect to address this issue?
Flags: needinfo?(sphink)
I think this was cleared by accident.

Note that sfink is on PTO until after Thanksgiving (which is next Thursday).
Flags: needinfo?(sphink)
I don't think this needs to be hidden. It is a generic GC signature.
Group: javascript-core-security

Two weeks ago, after March 26, the Firefox crash rate went up ~30%. Currently ~20% higher compared to pre-March 26

There is a x10 increase in crashes in Nightly since 20190927215713, tracking for 71.

status-firefox66: fix-optionalwontfix
status-firefox67: fix-optionalwontfix
status-firefox69: --- → affected
status-firefox70: --- → affected
status-firefox71: --- → affected
status-firefox-esr60: --- → affected
tracking-firefox71: --- → +

(In reply to Pascal Chevrel:pascalc from comment #15)

There is a x10 increase in crashes in Nightly since 20190927215713, tracking for 71.

Note: This nightly spike is likely related to Bug 1575370. Which has nothing to do with the volume of crashes seen in beta and release, and as such should not increase the priority of this bug, unless the regressions made for Bug 1575370 are fixed, and this does not restore the volume of crashes here.

Bugbug thinks this bug is a regression, but please revert this change in case of error.

Keywords: regression

Is there anything we can do to investigate further? It is still a really high crash volume on beta/release.

Flags: needinfo?(jcoppeard)

This is a generic heap corruption type signature. There's nothing actionable in the crash reports.

Flags: needinfo?(jcoppeard)
Keywords: stalled

(In reply to Jon Coppeard (:jonco) from comment #19)

This is a generic heap corruption type signature. There's nothing actionable in the crash reports.

Not tracking for 71 since this is stalled.

tracking-firefox71: +-
QA Whiteboard: qa-not-actionable
Severity: critical → S4
Priority: P1 → P3
Crash Signature: [@ js::GCMarker::eagerlyMarkChildren] → [@ js::GCMarker::eagerlyMarkChildren] [@ js::GCMarker::eagerlyMarkChildren<T> ]
Flags: needinfo?(sphink)
You need to log in before you can comment on or make changes to this bug.