Open Bug 1442895 Opened 2 years ago Updated 11 months ago

Crash in js::jit::DoBinaryArithFallback

Categories

(Core :: JavaScript Engine: JIT, defect, P3)

Unspecified
Android
defect

Tracking


REOPENED
Tracking Status
firefox-esr52 --- unaffected
firefox-esr60 --- affected
firefox58 --- unaffected
firefox59 --- unaffected
firefox60 --- wontfix
firefox61 --- wontfix
firefox62 --- wontfix
firefox64 --- wontfix
firefox65 --- fix-optional
firefox66 --- ?

People

(Reporter: calixte, Unassigned)

Details

(Keywords: crash, regression)

Crash Data

This bug was filed from the Socorro interface and is
report bp-26d83489-1f1d-479c-a61f-0b0f90180302.
=============================================================

Top 5 frames of crashing thread:

0 libxul.so js::jit::DoBinaryArithFallback js/public/RootingAPI.h:966
1  @0x48c7b78e 
2 libxul.so wcsrtombs 
3 libxul.so js::Allocate<JSObject, js::AllowGC::CanGC> js/src/gc/Allocator.cpp:89
4 libxul.so js::NativeObject::setFixedSlot js/src/gc/Barrier.h:723

=============================================================

There are 39 crashes (from 35 installations) in nightly 60 with buildid 20180302104334.
The pushlog for this build is [1] and it could be a consequence of bug 1440867.
:sfink, could you investigate, please?

[1] https://hg.mozilla.org/mozilla-central/pushloghtml?fromchange=2667f0b010c9&tochange=b2a9a4bb5c94
Flags: needinfo?(sphink)
(In reply to Calixte Denizet (:calixte) from comment #0)
> This bug was filed from the Socorro interface and is
> report bp-26d83489-1f1d-479c-a61f-0b0f90180302.
> =============================================================
> 
> Top 5 frames of crashing thread:
> 
> 0 libxul.so js::jit::DoBinaryArithFallback js/public/RootingAPI.h:966
> 1  @0x48c7b78e 
> 2 libxul.so wcsrtombs 
> 3 libxul.so js::Allocate<JSObject, js::AllowGC::CanGC>
> js/src/gc/Allocator.cpp:89
> 4 libxul.so js::NativeObject::setFixedSlot js/src/gc/Barrier.h:723
> 
> =============================================================
> 
> There are 39 crashes (from 35 installations) in nightly 60 with buildid
> 20180302104334.
> The pushlog for this build is [1] and it could be a consequence of bug
> 1440867.
> :sfink, could you investigate, please?

Hm. The patch that landed for that bug is pretty darn safe.

Also, that stack is bogus. setFixedSlot is not going to allocate any objects. Allocate is not going to do character conversion. Everything above the jit frame 1 is wrong. This is some sort of JIT problem, though I'll admit I didn't see any JIT stuff in the above pushlog. And yet, it still seems rather unlikely that bug 1440867 did anything here.
Flags: needinfo?(sphink)
(In reply to Calixte Denizet (:calixte) from comment #0)
> Top 5 frames of crashing thread:
> 
> 0 libxul.so js::jit::DoBinaryArithFallback js/public/RootingAPI.h:966
> 1  @0x48c7b78e 
> 2 libxul.so wcsrtombs 
> 3 libxul.so js::Allocate<JSObject, js::AllowGC::CanGC>
> js/src/gc/Allocator.cpp:89
> 4 libxul.so js::NativeObject::setFixedSlot js/src/gc/Barrier.h:723

We cannot trust ARM stacks, as it seems that it tries to find anything that looks like a function pointer anywhere on the stack.

In general js::jit::DoBinaryArithFallback would be a JIT issue. The fact that js::Allocate remains on the stack is probably some random left-over of a previous frame.

One of the remarkable aspects of it seems to be the excess of addresses in the range 0x1000 - 0x1800.

This bug no longer spikes on Nightly, so I will remove the "critical" aspect of it.
Severity: critical → normal
Component: JavaScript: GC → JavaScript Engine: JIT
Priority: -- → P3
This crash is reappearing on Android with nightly 61 with buildid 20180405104000 (62 crashes for 52 installs).
:nbp, any idea?
Flags: needinfo?(nicolas.b.pierron)
(In reply to Calixte Denizet (:calixte) from comment #3)
> This crash is reappearing on Android with nightly 61 with buildid
> 20180405104000 (62 crashes for 52 installs).
> :nbp, any idea?

Most of the crashes appear to be with the following proto-signature

  js::jit::DoBinaryArithFallback | 0x* | wcsrtombs

Which, besides being nonsense, does not seem to be actionable, but is surprisingly frequent.
Also, based on searchfox, we have no mention of the wcsrtombs symbol in-tree.
Flags: needinfo?(nicolas.b.pierron)
(In reply to Nicolas B. Pierron [:nbp] {backlog: ~36} from comment #4)
> Which, besides being nonsense, does not seem to be actionable, but is
> surprisingly frequent.
> Also, based on searchfox, we have no mention of the wcsrtombs symbol in-tree.

I've seen wcsrtombs show up in another Android bug. See bug 1421313. Maybe this is a recurrence in that, and DoBinaryArithFallback is just some junk on the stack.

This signature is the number 1 crash on the April 5 Android Nightly. It probably makes sense to file a new bug for this Android-specific regression, but I'll leave this here for now, and needinfo Snorp.
Flags: needinfo?(snorp)
(In reply to Andrew McCreight [:mccr8] from comment #5)
> This signature is the number 1 crash on the April 5 Android Nightly.
With 43% of all Android crashes for that Nightly.
The reason wcsrtombs is showing up is because it happens to be the closest symbol. The offset within the function is 0x16a18d1, so clearly it's pretty far away and can be assumed to be bogus. The rest of the stack seems like it may be correct.

At any rate, it looks like whatever caused this has gone away, since I don't see any crashes from the last few nightlies.
Flags: needinfo?(snorp)
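The "closest symbol with a huge offset" situation snorp describes above is something you can check mechanically when triaging a stack: resolve each frame address to the nearest preceding symbol, and treat any frame whose offset runs past that symbol's size as unwinder junk rather than a real caller. The following is an added example and not code from this bug or from Mozilla's Socorro/Breakpad tooling; the symbol table, function sizes and frame addresses are constructed for illustration and describe no real libxul.so, while the offset value 0x16a18d1 is the one quoted in the comment above.

```python
"""Sanity-check symbolized crash frames by their offset from the nearest symbol.

Added example, not code from this bug or from Mozilla's crash tooling.
The symbol table and frame addresses below are constructed; only the idea
(a frame attributed to a symbol at an implausibly large offset is probably
unwinder junk) comes from the discussion above.
"""
import bisect

# Constructed symbol table: (start_address, size_in_bytes, name), sorted by
# start. Addresses and sizes are made up and describe no real binary.
SYMBOLS = [
    (0x0010_0000, 0x400, "js::jit::DoBinaryArithFallback"),
    (0x0020_0000, 0x200, "js::Allocate<JSObject, js::AllowGC::CanGC>"),
    (0x0020_0200, 0x060, "js::NativeObject::setFixedSlot"),
    (0x0030_0000, 0x080, "wcsrtombs"),
]
_STARTS = [s[0] for s in SYMBOLS]

# Largest function body we are willing to believe in when a symbol's size is
# unknown (size recorded as 0). Assumed value, not taken from any toolchain.
MAX_PLAUSIBLE_OFFSET = 0x10000


def symbolize(addr, symbols=SYMBOLS, starts=_STARTS):
    """Return (name, offset, plausible) for the nearest preceding symbol.

    'plausible' is False when the address lies past the symbol's recorded size
    (or past MAX_PLAUSIBLE_OFFSET when no size is known), which is exactly the
    'wcsrtombs + 0x16a18d1' situation in this bug. An address below the first
    symbol is returned unresolved, as (None, addr, False).
    """
    i = bisect.bisect_right(starts, addr) - 1
    if i < 0:
        return (None, addr, False)
    start, size, name = symbols[i]
    offset = addr - start
    limit = size if size else MAX_PLAUSIBLE_OFFSET
    return (name, offset, offset < limit)


def classify_frames(addrs):
    """Symbolize a list of frame addresses, marking suspicious frames False.

    Returns [(label, plausible), ...] where label looks like 'sym+0xNN' for a
    resolved frame and '0xNN' for an address below every known symbol.
    """
    out = []
    for addr in addrs:
        name, off, ok = symbolize(addr)
        label = f"{name}+0x{off:x}" if name else f"0x{addr:x}"
        out.append((label, ok))
    return out


if __name__ == "__main__":
    # Constructed frame addresses: one genuine hit inside DoBinaryArithFallback,
    # one 'wcsrtombs' frame 0x16a18d1 bytes past the symbol, one low address of
    # the kind nbp noticed littering the stack.
    for label, ok in classify_frames([0x10_0010, 0x30_0000 + 0x16A18D1, 0x1000]):
        print(f"{'ok   ' if ok else 'BOGUS'} {label}")
```

With a real symbol file you would populate SYMBOLS from the module's symbol table (with sizes), and any frame flagged False is a candidate to drop before reasoning about the call sequence, as was done here for everything above the JIT frame.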
This may still be around in 62 beta, but in extremely low volume - only 2 crashes in the last few beta builds.
Closing because no crashes reported for 12 weeks.
Status: NEW → RESOLVED
Closed: Last year
Resolution: --- → WONTFIX
There are still some crashes, so reopening it.
Status: RESOLVED → REOPENED
Resolution: WONTFIX → ---

118 crashes in this signature (Desktop and Mobile). 1 crash in the 65 beta cycle so far. No crashes in 66 nightly.
