Closed Bug 1446907 Opened 3 years ago Closed 3 years ago

Crash in static void js::jit::PatchJump

Categories

(Core :: JavaScript Engine: JIT, defect, P2)

Unspecified
Windows 7
defect

Tracking

RESOLVED FIXED
mozilla61
Tracking Status
firefox-esr52 --- unaffected
firefox59 --- unaffected
firefox60 --- unaffected
firefox61 + fixed

People

(Reporter: calixte, Assigned: jandem)

References

(Blocks 1 open bug)

Details

(Keywords: crash, regression)

Crash Data

This bug was filed from the Socorro interface and is
report bp-2cb24fcb-00a0-47db-be30-50a770180316.
=============================================================

Top 6 frames of crashing thread:

0 xul.dll static void js::jit::PatchJump js/src/jit/x64/Assembler-x64.h:1126
1 xul.dll js::jit::JitZoneGroup::patchIonBackedges js/src/jit/Ion.cpp:425
2 xul.dll js::jit::InterruptCheck js/src/jit/VMFunctions.cpp:564
3  @0x207dcbf4acf 
4 xul.dll js::NativeObject::growSlotsDontReportOOM js/src/vm/NativeObject.cpp:432
5 xul.dll xul.dll@0x415cac7 

=============================================================

There are 59 crashes (from 14 installations) in nightly 61 starting with buildid 20180316100132. In analyzing the backtrace, the regression may have been introduced by patch [1] to fix bug 1435360.

[1] https://hg.mozilla.org/mozilla-central/rev?node=d8b27e30ef91
Flags: needinfo?(luke)
Version: 60 Branch → Trunk
I think the patch in question must've changed the signature for classification purposes.  I see both "js::jit::PatchJump" and "static void js::jit::PatchJump" and the former has been a constant source of crashes for the last few months (and beyond):
  https://crash-stats.mozilla.com/signature/?signature=js%3A%3Ajit%3A%3APatchJump&date=%3E%3D2018-02-19T10%3A15%3A43.000Z&date=%3C2018-03-19T11%3A15%3A43.000Z#graphs
Flags: needinfo?(luke)
Steve: Can you get this triaged?
Flags: needinfo?(sdetar)
The current plan is to remove all this code in bug 1448887; it will fix these crashes. I can get to that tomorrow or next week.
Depends on: 1448887
(In reply to Luke Wagner [:luke] from comment #1)
> I think the patch in question must've changed the signature for
> classification purposes.  I see both "js::jit::PatchJump" and "static void
> js::jit::PatchJump" and the former has been a constant source of crashes for
> the last few months (and beyond):

This is certainly a factor, as the MSVC version change injected all of these "static" things into signatures (I filed bug 1448957 for that). However, "js::jit::PatchJump" has only 51 crashes in the last week, across all branches, but "static void js::jit::PatchJump" has 219 crashes in the last week, just on Nightly, so it seems like the volume has greatly increased.
More specifically, this is the #2 top crash for the March 28th Windows Nightly builds.
There aren't a ton of URLs in these crashes, but I see about a half dozen different Twitch streams plus maybe another 10 Google Maps URLs.
This is currently being worked on by :jandem. There is a patch created for 1448887 (dependency) that is currently being reviewed, and when landed it is believed it will fix this bug also. (See comment 3 above).
Flags: needinfo?(sdetar)
Jan, can you take this?
Flags: needinfo?(jdemooij)
Priority: -- → P2
Fixed by bug 1448887.
Status: NEW → RESOLVED
Closed: 3 years ago
Flags: needinfo?(jdemooij)
Resolution: --- → FIXED
Assignee: nobody → jdemooij
Target Milestone: --- → mozilla61